RBI compliance

Reserve Bank of India Compliance Audits for the banking and financial sector


35 years of experience

IS Audit of banks

In the past decade, with the increased adoption of technology by banks, the complexity of the IT environment has given rise to considerable technology-related risks that require effective management. This has led banks to implement an Internal Control framework based on various standards, their own control requirements and the current RBI guidelines.

As a result, a bank’s management and the RBI need assurance on the effectiveness of the internal controls implemented, and expect the Information System Audit to provide an independent and objective view of the extent to which these risks are managed.

As a consequence, the nature of the audit process has undergone a major transformation, and Information System audits are gaining importance as key processes are automated or enabled by technology. Hence, banks need to re-assess their Information System Audit processes and ensure that the audit objectives are effectively met.


The scope of IS Audit includes:

  • Determining the effectiveness of planning and oversight of IT activities.
  • Evaluating the adequacy of operating processes and internal controls.
  • Determining the adequacy of enterprise-wide compliance efforts related to IT policies and internal control procedures.
  • Identifying areas with deficient internal controls, recommending corrective action to address the deficiencies, and following up to ensure that management effectively implements the required actions.

IT Framework for NBFC’s

As the NBFC industry matures and achieves scale, its Information Technology / Information Security (IT/IS) framework, Business Continuity Planning (BCP), Disaster Recovery (DR) management, IT audit, etc. must also be benchmarked against best practices. To enhance the safety, security and efficiency of processes, to the benefit of NBFCs and their customers, the Reserve Bank of India (RBI) has issued the Information Technology Framework for the NBFC Sector.


Applicability: The Directions have been categorised into two parts:

  • a. Directions applicable to all NBFCs with asset size above Rs 500 crore
  • b. Directions for NBFCs with asset size below Rs 500 crore

Systemically Important NBFCs, i.e. those with asset size above Rs 500 crore

The focus of the IT framework is on IT Governance, IT Policy, Information and Cyber Security, IT Operations, IS Audit, Business Continuity Planning and IT Services Outsourcing. The Board has to take up the task of preparing the gap analysis before the end of the third quarter; accordingly, the background work for this has to be initiated at the earliest.

For an NBFC-SI, the following agenda items may be taken up by the Board in its upcoming meeting:

  • 1. Prepare a gap analysis between the current status of the IT framework and the guidelines laid down in the Directions.
  • 2. Formation of Committees:
      a. IT Strategy Committee
      b. IT Steering Committee
  • 3. Policies to be framed and implemented by the Board:
      1. Information Technology Policy
      2. Information Security Policy
      3. Cyber Security Policy
      4. Change Management Policy
      5. Policy for Information System Audit (IS Audit)
      6. Business Continuity Planning Policy
  • 4. Reporting requirements of the RBI to be complied with
  • 5. Conduct of IS Audit to form an integral part of the Internal Audit system

NBFCs with asset size below Rs 500 crore

The RBI has laid down certain recommendations for NBFCs with a smaller asset size to develop basic IT systems, mainly for maintaining their database. The action points for such smaller NBFCs are as follows:

  • 1. To have a Board-approved Information Technology policy / Information System policy in place
  • 2. IT systems should be progressively scaled up as the size and complexity of the NBFC’s operations increase

Payment and Settlement System (PSS) Audit

With the increasing inclination of people towards cashless transactions, concerns over the security of customers’ data and the accountability of the service providers facilitating such transactions have increased considerably. Keeping in mind the interest of the common people and the risks they take on while using virtual transaction methods, the Reserve Bank of India has laid down a framework for payment system providers so that customers can rely on proper and low-risk transaction methods.

The Reserve Bank of India is responsible for regulating the banking payment and settlement systems in India under the Payment and Settlement Systems Act, 2007. Accordingly, the RBI issues a certificate of authorisation to any company setting up and operating a payment system in India. In order to remain authorised, a payment company must comply with the stipulated RBI requirements, which ensure that the technology deployed to operate the payment system is safe, secure and efficient and follows the approved process flow. An RBI PSS audit evaluates security and controls, hardware, operating systems, applications, access controls and disaster recovery, among other aspects.

The systems included under this procedure are Electronic Clearing Service Credit, Electronic Clearing Service Debit, Electronic Funds Transfer, Regional Electronic Clearing Service, Real Time Gross Settlement System, Pre-paid Payments System, Mobile Banking System.

Key Requirements:

  • All payment systems authorised under the Payment and Settlement Systems Act, 2007 must undergo periodic audits of their systems
  • Every system provider shall operate the payment system in accordance with the provisions of the PSS Act and the rules and regulations governing the operation of payment systems
  • System providers shall disclose the terms and conditions, including charges and limitations of liability, to their existing or potential system participants
  • To ensure the safety of customers, the audit should verify that the technology deployed for the operation of the payment system works in a safe, secure and efficient manner, in accordance with the approved process flow
  • The evaluation of hardware, system structure, operating systems and critical applications falls within the scope of the system audit
  • System providers are required to act in accordance with the contract governing the relationship between the system participants and with the rules and regulations governing the operation of payment systems
  • The audit should also cover the security and controls in place, access controls in key applications, the disaster recovery plan, and the training of personnel managing systems and applications, among other things.

Prepaid Payment Instruments (PPI) Audit

Following the digitisation of payments in India, the use of alternative modes of payment, specifically e-wallets, has gained momentum. Keeping in mind the interest of the common people and the risks they take on while using virtual transaction methods, the Reserve Bank of India has laid down a framework for Payment Instrument Providers so that customers can rely on proper and low-risk transaction methods.

The RBI mandates that “All authorised entities/banks issuing PPIs (Prepaid Payment Instruments) in the country are advised to carry out a special audit by the empanelled auditors of Indian Computer Emergency Response Team (CERT-In) on a priority basis and take immediate steps thereafter to comply with the findings of the audit report. The scope of the System Audit includes evaluation of the hardware structure, operating systems and critical applications, security and controls in place.”

Need for PPI audit:

By notification dated December 9th, 2016, the RBI mandated that all Prepaid Payment Instrument issuers, and organisations applying for a PPI licence, undergo a special audit.

A PPI Technical Security Audit helps PPI issuers by providing the recommendations needed to strengthen their security posture. The RBI made this audit compulsory on December 9th, 2016 in order to prevent cyber-attacks and encourage people to take up digital transactions. If your organisation issues Prepaid Payment Instruments, you need to undertake this audit to protect your company’s valuable assets.

PPIs are payment instruments that facilitate purchase of goods and services, including financial services, remittance facilities, etc., against the value stored on such instruments. PPIs that can be issued in the country are classified under three types viz. (i) Closed System PPIs, (ii) Semi-closed System PPIs, and (iii) Open System PPIs.

Closed System PPIs: These PPIs are issued by an entity for facilitating the purchase of goods and services from that entity only and do not permit cash withdrawal. As these instruments cannot be used for payments or settlement for third party services, the issuance and operation of such instruments is not classified as payment systems requiring approval / authorisation by the RBI.

Semi-closed System PPIs: These PPIs are used for purchase of goods and services, including financial services, remittance facilities, etc., at a group of clearly identified merchant locations / establishments which have a specific contract with the issuer (or contract through a payment aggregator / payment gateway) to accept the PPIs as payment instruments. These instruments do not permit cash withdrawal, irrespective of whether they are issued by banks or non-banks.

Open System PPIs: These PPIs are issued only by banks and are used at any merchant for purchase of goods and services, including financial services, remittance facilities, etc. Banks issuing such PPIs shall also facilitate cash withdrawal at ATMs / Point of Sale (PoS) / Business Correspondents (BCs).


Cyber Security Policy development and implementation for banks

Cyber Security in banks involves measures to protect computer assets, information and networks from unauthorised users, together with preparedness for business continuity and disaster recovery. It encompasses Information Security, Application Security, Network Security and Disaster Recovery.

The impact of a cyberattack on a bank can be devastating in many ways, including financial loss, loss of critical data, business disruption, damage to brand image, legal battles and regulatory penalties. As banks moved from branch banking to anywhere, 24×7 banking, they had to expose a segment of their network to customers accessing web-based and mobile-based applications such as Internet banking and mobile banking.

Some of the common threats faced by banks are malware, ransomware, phishing, spear phishing/whaling, SQL injection, cross-site scripting, Denial of Service (DoS), social engineering and website defacement.

Banks are exposed and susceptible to various types of cybercrime and online fraud. Cyber criminals have become more sophisticated and organised, and their attacks continue to grow in volume, frequency and severity. Malware authors keep inventing and deploying new types of malware. Distributed Denial of Service (DDoS) activity is ever increasing and evolving, with attackers using IoT (Internet of Things) devices as a platform to conduct such attacks.

Banks have strengthened their perimeter security by running in-house or outsourced Security Operations Centres, which use tools such as the following:

  • SIEM (Security Information and Event Management)
  • Vulnerability Management
  • NBAD (Network Behaviour Anomaly Detection)
  • Anti-APT (Anti Advanced Persistent Threat)
  • DDoS (Distributed Denial of Service) mitigation
  • WAF (Web Application Firewall)

When assessing the cyber risk of an organisation, the critical phase is identifying critical assets, valuable information, the threats and risks associated with that information, and the impact of a breach of that information. It is often observed that shadow IT systems exist which are not covered by the cyber security programme.

Customers access banking services from a wide range of devices, yet they want assurance from the bank that their personal data will be protected regardless of the device they use. Managing threats arising from the wide variety of customer access points is a challenge.

Lack of awareness of cyber threats and their serious implications among a bank’s staff and customers is a major challenge for banks.

Conduct RBI Compliance Audits for your bank or Non-Banking Financial Company to monitor the compliance of the controls that mitigate the cyberattacks that might target your organisation.