Over the years, RBI has grown in multiple directions and the management of its responsibilities is getting increasingly complicated. The media is obsessed with the monetary-policy-related functioning of the RBI, such as the management of interest rates and liquidity ratios. The discussions on Raghuram Rajan’s continuation and its impact on the stock markets are an indication of this obsession.
However, one of the areas in which the public is interested, and which we normally focus on through these columns, is how RBI manages the security of banking operations in the technology era. This covers the work of DBOD and the Department of Payment and Settlements.
The perception is that DBOD focuses more on loans and frauds related to loans, whereas all the new-generation issues such as cards and mobile wallets are directed by the Department of Payments and Settlements. However, when we discuss “Frauds”, RBI normally talks of NPAs and loan-related issues as “Frauds”, and the cyber-crime-related frauds which we try to focus on are normally relegated to the background. This is the reason why RBI does not have proper statistics of credit card and phishing-related frauds, as revealed in many RTI applications.
It appears that the Department of Payment and Settlement focuses on the introduction of technology and leaves it to the DBOD to deal with the fraud-related issues. The converging point for both is the issue of “Information Security”.
In June 2001, RBI first came up with the Internet Banking Guidelines based on the passage of ITA 2000. Then, on April 29, 2011, RBI came up with the GGWG-based guidelines on E-Banking security, which took into account the amendments to ITA 2000 made in 2009 (ITAA 2008) and some data protection elements implemented in 2011.
In the last month or so, there has been some serious activity on Information Security in RBI. First, an IT subsidiary was formed in RBI to take care of the Information Security requirements of RBI itself. Probably, this would automatically absorb the activities of the Information Technology Cell of RBI.
Additionally, it has been indicated that this subsidiary will also advise the regulated Banks on Information Security requirements.
On June 2, the Department of Banking Supervision came up with a comprehensive guideline that revised the June 29, 2011 circular on E-Banking Security. This circular did not mention the IT subsidiary but recognizes the existence of a “Cyber Security and Information Technology Examination (CSITE) cell” of the Department of Banking Supervision. It is not clear if this is the same as the IT cell which was in existence earlier or is a different monitoring and audit section.
All along, there was one subsidiary institution called IDRBT which was assisting RBI in technology-related issues.
Thus we now have an IT Subsidiary, IDRBT and the CSITE Cell as the trinity of institutions being involved in guiding and advising Banks on Information Security.
IDRBT has already issued an Information Security framework, GGWG had issued its own framework, and now the Cyber Security framework is the third framework that has been provided by RBI to guide the Banks on information security issues. While the earlier frameworks were more technical in nature, the recent Cyber Security Framework is more of a “Techno-Legal” nature, as we normally recognize.
Banks therefore need to negotiate through multiple RBI arms and their guidelines to work on compliance. This would be a challenge which the CISOs of Banks need to negotiate. Let us not forget that there are also CERT-IN and several Government agencies which have been empowered under ITA 2000/8 to monitor the activities of the Banks, and CISOs need to worry about satisfying the compliance requirements of these entities also.
The Bank CISOs would find it better if there is clarity on what is expected of them and if there is a good coordination between these three institutions.
In fact, one wonders if there was really a need for the creation of multiple institutions instead of entrusting IDRBT with the responsibilities that the new IT subsidiary is expected to discharge, but this discussion may be redundant at this point, and the two subsidiaries need to work together along with the departments supervising their activities.
I suppose the relative responsibilities of the three institutions would crystallize over time, and all three will find some justification to exist irrespective of the efficiency considerations.
In terms of “Compliance” however, there would be possibilities of some confusion when different guidelines come up from different organizations overlapping in terms of operational issues.
The CISOs of Banks should, through their CISO Forum, ensure that there is clarity on the functioning of these three organizations and coordination of their activities, so that the Banks are not left to handle inter-departmental non-coordination issues.
I also envisage that soon the compliance issues will grow beyond the capabilities of the CISOs, and every Bank will have to create designated Compliance Officials; the Chief Compliance Officers need to form their own Forum and address some of the issues raised in the recent Cyber Security Framework.
As regards the trinity of Cyber Security institutions that have now come to exist, it would be necessary for them to form a coordination committee amongst themselves, so that any instruction/guidance going out from any of them to the Banks carries the approval of all of them.
This “Cyber Security Regulation Coordination Committee for Banking in India” could be the apex body which will be a single point policy formulation entity that could absorb all the problems arising out of the existence of multiple organizations with overlapping functions.
I suggest any of these three entities may take steps to formalize the formation of this committee.
Naavi