Personal Website of R.Kannan
Students Corner - Project on Internet Banking
Report of RBI Working Group


Project on Internet Banking - Report of RBI Working Group
Regulatory and Supervisory Concerns

Banking on the Internet provides benefits to the consumer in terms of convenience, and to the provider in terms of cost reduction and greater reach. The Internet itself however is not a secure medium, and thus poses a number of risks of concern to regulators and supervisors of banks and financial institutions. World over, regulators and supervisors are still evolving their approach towards the regulation and supervision of Internet banking. Regulations and guidelines issued by some countries include the following.

  • Requirement to notify about web site content;

  • Prior authorization based on risk assessment made by external auditors;

  • Off-site policing the perimeters to look for infringement;

  • Prohibition on hyper links to non bank business sites;

  • Specification of the architecture.

In some countries supervisors have followed a ‘hands-off’ approach to regulation of such activities, while others have adopted a wait and watch attitude. This chapter suggests approaches to supervision of Internet banking activities, drawing upon the best international practices in this area as relevant to the Indian context.

In this and the next article the Working Group discusses this issue.

Major supervisory concerns

These concerns can be clubbed into the following:

  • Operational risk issues

  • Cross border issues

  • Customer protection and confidentiality issues

  • Competitiveness and profitability issues

Operational Risk Issues

The open architecture of the Internet exposes the banks’ systems to decide access through the easy availability of technology. The dependence of banks on third party providers places knowledge of banks’ systems in a public domain and leaves the banks dependent upon relatively small firms which have high turnover of personnel. Further, there is absence of conventional audit trails as also relative anonymity of transactions due to remote access. It is imperative that security and integrity of the transactions are protected so that the potentiality for loss arising out of criminal activities, such as fraud, money laundering, tax evasion etc. and a disruption in delivery systems either by accident or by design, are mitigated. The supervisory responses to manage operational risk matters include issue of appropriate guidance on the risk (including outsourcing risk) control and record maintenance, issue of minimum standards of technology and security appropriate to the conduct of transactional business, extension of ‘know your customer’ rules for transactions on the Internet, and insistence on appropriate and visible disclosure to inform customers of the risks that they face on doing business on the Internet.

Cross Border Issues

The Internet knows no frontiers, and banks can source deposits from jurisdictions where they are not licensed or supervised or have access to payment systems. Customers can potentially park their funds in jurisdictions where their national authorities have no access to records. The issues of jurisdiction, territoriality and recourse become even more blurred in the case of virtual banks. Cross border issues would also come into play where banks choose to locate their processing centres, records or back up centres in different jurisdictions. While country-specific approaches are being adopted at the national level, the ‘Group on e-banking’ set up by the Basle Committee on Banking Supervision (BCBS) is engaged in bringing about harmonization in approaches at an international level.

Customer Protection and Confidentiality Issues

The loss of customer confidentiality may pose a reputation risk to banks and the banking system as a whole. Transacting business on the Internet exposes data being sent across the Internet to interception by unauthorized agents, who may then use the data without the approval of the customers. There have also been incidents where glitches developed in web sites permitting customers to access each other’s accounts. To address these risks, customers need to be educated through adequate disclosures of such risks.

Competitiveness and Profitability Issues

While Internet banking is expected to substantially reduce the cost of doing transactions in the long run, the limited business being done on the Internet has yet to pay for the infrastructure in which banks have invested. This includes the tie up with technology companies in setting up payment gateways, portals and Internet solutions and the alliance with other businesses for cross-selling products. The coming years may however see a scenario where the margins of conventional banks come under pressure because of competition from Internet banking, including virtual banks, which need no infrastructure expenses. These issues have to be kept in mind by supervisors while deciding their approach to e-banking.

Broad Regulatory Frameworks

It would be necessary to extend the existing regulatory framework over banks to Internet banking also. Such an approach would need to take into account the provisions of both the Banking Regulation Act 1949 and the Foreign Exchange Management Act, 1999.

Only such banks which are licensed and supervised in India and have a physical presence here should be permitted to offer Internet banking products to residents of India.

These products should be restricted to account holders only and should not be offered in other jurisdictions.

The services should only offer local currency products and that too by entities who are part of the local currency payment systems.

The ‘in-out’ scenario where customers in cross border jurisdictions are offered banking services by Indian banks (or branches of foreign banks in India) and the ‘out-in’ scenario where Indian residents are offered banking services by banks operating in cross-border jurisdictions are generally not permitted and this approach should be carried over to Internet banking also.

The existing exceptions for limited purposes under FEMA, i.e. where resident Indians have been permitted to continue to maintain their accounts with overseas banks etc., would however be permitted transactions.

Overseas branches of Indian banks would be permitted to offer Internet banking services to their overseas customers subject to their satisfying, in addition to the host supervisor, the home supervisor in keeping with the supervisory approach outlined in the next section.

This extension of approach would apply to virtual banks as well. Thus, both banks and virtual banks incorporated outside the country and having no physical presence here would not, for the present, be permitted to offer Internet services to Indian depositors.

Recommendations

With the above approach in mind, the Group recommends that the regulatory and supervisory concerns relating to Internet banking can be met in the manner outlined in the following paragraphs.

  1. All banks which propose to offer transactional services on the Internet should obtain an in-principle approval from RBI prior to commencing these services. The application should be accompanied by a note put up to the Board of the bank along with the Board resolution passed. The Board note should cover the reasons for the bank choosing to enter into such business, the potential penetration it seeks to achieve, a cost-benefit analysis, a listing of products it seeks to offer, the technology and business partners for the products, and all third party support services and service providers with their track record and agreements with them, and the systems and the skills and capabilities it has in this regard and most materially the systems, controls and procedures it has put or intends to put in place to identify and manage the risks arising out of the proposed ventures. The bank should also enclose a security policy framed in this regard which should cover all the recommendations made in the earlier articles covering Technology and Security Standards for Internet Banking and produce a certification from a reputed external auditor who is CISA or otherwise appropriately qualified that the security measures taken by the bank are adequate and meet the requirements and that risk management systems are in place to identify and mitigate the risks arising out of the entire gamut of Internet banking operations.

  2. The RBI could require the bank together with the auditor to hold discussions with the RBI in this regard before granting such approval. After this initial approval is given, the bank would be obliged to inform the RBI of any material changes in web-site content and launch of new products.

  3. The assurance about security controls and procedures, which is sought from the specialist external auditors, should be periodically obtained, with the periodicity depending on the risk assessment of the supervisor. Further, banks would also be required to report every breach or failure of the security systems and procedures to RBI, who may decide to subject the failure to an on-site examination or even commission an auditor to do so.

  4. The RBI as supervisor would cover the entire risks associated with electronic banking as part of its annual inspections. For this purpose, a checklist could be developed along the lines of those covering general computerized banking featured in the manual developed for inspection of computerized branches. Till such time as the RBI builds up sufficient capability to do this in-house, it is recommended that this function be outsourced to qualified EDP auditors.

  5. The focus of the supervisory approach would mainly be the transactional Internet banking services offered by existing banks as an alternative channel. To some extent the concerns in this regard are the same as those arising out of electronic banking in general. The RBI has issued guidelines in the recent past on the "Risks and Controls in Computers and Telecommunications" which would be applicable equally to Internet banking. Another supervisory focus would be on Record Maintenance and their availability for inspection and audit. Again, RBI has issued guidelines for these "Preservation and Record Maintenance" which need to be updated to include the risks heightened by banking on the net. Broadly, the record preservation and maintenance policy must encompass record keeping, record retention, record media and record location. The key features of this enhancement would be as follows:

    • The cornerstone of this policy should be security. Access to all bank-related electronic data should be restricted to authorized individuals.

    • All transactional, financial and managerial data pertaining to the previous financial year must be archived before 1 July of the subsequent financial year.

    • A senior officer / executive of the Bank possessing appropriate qualifications, education and/or background should be designated in-charge of the archived data. A possible designation could be Archived Data Security Officer.

    • All access to archived data should be with the authentic (written or by e-mail) approval of this Archived Data Security Officer (ADSO).

    • The role and responsibilities of the ADSO should be clearly delineated and well publicized within the bank.

    • Data so archived should be on such a platform and using such a technology that future alteration / modification / deletion of the data is not possible, once the data is archived.

    • If the technology and/or platform used for data storage involves compression and/or dis-aggregation of data, banks should have in place adequate software/hardware which will ensure easy restoration of the data as and when required by the bank’s own departments and also by RBI as well as other statutory authorities.

    • All transactional, financial and managerial data should be available on-line. If, for reasons of paucity of on-line storage, such data (of the current financial year) has been backed-up and removed from on-line storage, it must be available in a format and at a location which ensures that the data can be restored on-line within a maximum of 24 hours from the date and time at which the demand for such data is made by users from within the bank or from RBI or other statutory authorities.

    • Similarly, transactional, financial and managerial data of the previous financial year should be made available within a maximum of 48 hours of the date and time at which such request is made by the bank’s own users or by the RBI and other statutory authorities.

  6. A vulnerability which is accentuated in Internet banking is the reliance upon third party providers and support services and this requires banks to effectively manage the risks of all outsourced activities. In turn the supervisors should have the ability to assess the risks arising out of such liaisons. Direct supervision of the third party by the supervisor is not envisaged. Accordingly, as part of the Internet policy, banks should develop outsourcing guidelines, which mitigate the risks of disruption and defective service. Alternatively, the IBA (Indian Banks Association) or IDRBT (Institute for Development and Research in Banking Technology) could be asked to develop broad guidelines for the use of the banking community.
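As an added illustration, not part of the Working Group's report, the following Python checker applies the record maintenance rules listed under item 5 above (Indian financial year running 1 April to 31 March, archiving of previous-year data before 1 July, ADSO approval for access to archived data, no alteration of data once archived, and the 24 hour / 48 hour restore windows) to a constructed set of records and access requests. The record identifiers, digests, timestamps and approval references are made-up sample values, and the digest comparison is one assumed way of detecting post-archive alteration.

```python
from collections import namedtuple
from datetime import date, datetime, timedelta
from typing import Dict, List

def financial_year(d: date) -> int:  # Indian FY runs 1 April to 31 March
    return d.year if d.month >= 4 else d.year - 1

def archive_deadline(fy: int) -> date:  # archive before 1 July of the following FY
    return date(fy + 1, 7, 1)

def restore_limit(fy: int, today: date) -> timedelta:  # 24 h current FY, 48 h previous
    return timedelta(hours=24 if fy == financial_year(today) else 48)

# Record: period_end is the last day covered; archived_on is None while still on-line;
# digest is a hash taken at archive time. Access: adso_approval is None if none recorded.
Record = namedtuple("Record", "record_id period_end archived_on digest")
Access = namedtuple("Access", "record_id requested_at restored_at adso_approval")

def check_policy(records: List[Record], accesses: List[Access],
                 live_digests: Dict[str, str], today: date) -> List[str]:
    """Return one finding per violated rule; an empty list means compliant."""
    findings, by_id = [], {r.record_id: r for r in records}
    for r in records:
        fy = financial_year(r.period_end)
        # previous-year data: if still on-line (archived_on None), judge against today
        if fy < financial_year(today) and (r.archived_on or today) >= archive_deadline(fy):
            findings.append(f"{r.record_id}: not archived before {archive_deadline(fy)}")
        if r.archived_on and live_digests.get(r.record_id) != r.digest:
            findings.append(f"{r.record_id}: archived data altered after archiving")
    for a in accesses:
        r = by_id[a.record_id]
        if r.archived_on and not a.adso_approval:
            findings.append(f"{r.record_id}: archived data accessed without ADSO approval")
        if a.restored_at - a.requested_at > restore_limit(financial_year(r.period_end), today):
            findings.append(f"{r.record_id}: restore took longer than permitted")
    return findings

# Constructed sample (assumed data, not from the report); today lies in FY 2004-05.
TODAY = date(2004, 11, 25)
RECORDS = [Record("GL-2003", date(2004, 3, 31), date(2004, 6, 15), "aa11"),  # on time
           Record("GL-2002", date(2003, 3, 31), date(2003, 8, 2), "bb22"),   # late
           Record("GL-2004", date(2004, 9, 30), None, "")]                   # current FY
LIVE_DIGESTS = {"GL-2003": "aa11", "GL-2002": "ff99"}  # GL-2002 changed after archiving
ACCESSES = [Access("GL-2003", datetime(2004, 11, 20, 9), datetime(2004, 11, 21, 15), "ADSO/17"),
            Access("GL-2002", datetime(2004, 11, 22, 9), datetime(2004, 11, 22, 12), None),
            Access("GL-2004", datetime(2004, 11, 22, 9), datetime(2004, 11, 23, 10), None)]

def sample_findings() -> List[str]:
    return check_policy(RECORDS, ACCESSES, LIVE_DIGESTS, TODAY)
```

Running `sample_findings()` on the constructed data reports three violations for GL-2002 (late archiving, altered after archiving, access without ADSO approval) and one for GL-2004 (a 25 hour restore of current-year data against the 24 hour limit).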



Page Last Updated on 25.11.2004