The recent Banking frauds in India and abroad have indicated that the security breach not only occurs at the Bank (besides the customer) but more often at the outsourcing partner of the Bank.
Whether the outsource partner is a big name like WIPRO or a relatively unknown company, danger to Bank customers lies in such companies. At least the well nown companies like WIPRO have a reputation to keep and therefore can be expected to take some remedial steps. However the lesser known companies are likely to dither and postpone any security initiative unless they are forced on them.
It is therefore essential for RBI to put its foot down and assume a greater role in the regulation of the Business Associates of Banks.
The Banking Regulations Amendment Act of 2012 (BRA-2012) made an attempt in this direction by inserting a new section 29A into the Banking Regulation Act. This section though is focussed on the financial aspects of the subsidiaries and associates, has the potential to be used by RBI to atleast make preliminary enquiries in such organization who provide outsourced services to the banks.
The new section 29A is reproduced here:
9. After section 29 of the principal Act, the following section shall be inserted, namely:—
‘29A. (1) The Reserve Bank may, at any time, direct a banking company to annex to its financial statements or furnish to it separately, within such time and at such intervals as may be specified by the Reserve Bank, such statements and information relating to the business or affairs of any associate enterprise of the banking company as the Reserve Bank may consider necessary or expedient to obtain for the purpose of this Act.
(2) Notwithstanding anything to the contrary contained in the Companies Act, 1956, the Reserve Bank may, at any time, cause an inspection to be made of any associate enterprise of a banking company and its books of account jointly by one or more of its officers or employees or other persons along with the Board or authority regulating such associate enterprise.
(3) The provisions of sub-sections (2) and (3) of section 35 shall apply mutatis mutandis to the inspection under this section.
Explanation.—”associate enterprise” in relation to a banking company includes an enterprise which—
(i) is a holding company or a subsidiary company of the banking company; or
(ii) is a jont venture of the banking company; or
(iii) is a subsidiary company or a joint venture of the holding company of the banking company; or (iv) controls the composition of the Board of directors or other body
governing the banking company; or
(v) exercises, in the opinion of the Reserve Bank, significant influence on the banking company in taking financial or policy decisions; or
(vi) is able to obtain economic benefits from the activities of the banking company.’.
It may be noted that though one of the principal objectives of this empowerment is for “inspection of financial affairs of subsidiaries”, under clause 29(A) (2) (vi), any Business Associate such as those engaged in card processing or transaction processing can be considered as entities who are obtaining economic benefits from the activities of the Banking company and come under the provisions of this clause. RBI therefore is empowered to seek information as well as conduct inspections.
Such information need not be restricted only to the financial aspects since “Information related fraud Risk” in banks have already been defined as “Operational risk” as defined in Basel II and hence seeking information security related information is within the powers of this section. Similarly, conducting Information Security audits is also within the powers of this section.
It may also be noted that under Section 29A (2) such inspections can be done by the officers of RBI or “other persons”. Hence RBI may seek the assistance of external Information Security auditors to conduct such inspections if it deems fit.
Though the section provides for “Empowerment” rather than a “Mandate”, in the context of companies where a security breach has already been reported, “Mandate” can be implied.
In case IN CERT is conducting its own enquiry, RBI should request that a copy of the report should be shared with them. This could be a good input for RBI to understand the framing of its policies regarding outsourcing of Banking business.
We look forward to how things progress.