All banks which propose to offer transactional services on the Internet should obtain approval from RBI before commencing these services. A bank's application for such permission should indicate its business plan, a cost-benefit analysis, operational arrangements (the technology adopted, business partners and third party service providers), and the systems and control procedures the bank proposes to adopt for managing risks. The bank should also submit a security policy covering the recommendations made in chapter 6 of this report and a certificate from an independent auditor that the minimum requirements prescribed there have been met. After the initial approval, banks will be obliged to inform RBI of any material change in the services / products offered by them.
RBI may require banks to periodically obtain certificates from specialist external auditors certifying their security controls and procedures. Banks will report to RBI every breach or failure of security systems and procedures, and RBI, at its discretion, may commission a special audit / inspection of such banks.
To a large extent the supervisory concerns on Internet banking are the same as those of electronic banking in general. The guidelines issued by RBI on ‘Risks and Controls in Computers and Telecommunications’ will apply equally to Internet banking. RBI as supervisor would cover all the risks associated with electronic banking as part of its regular inspections of banks and develop the requisite expertise for such inspections. Until such capability is built up, RBI may outsource this function to qualified EDP auditors.
Record maintenance and the availability of records for inspection and audit is a major supervisory focus. RBI’s guidelines on ‘Preservation and Record Maintenance’ will need to be updated to cover the risks heightened by banking on the net. The enhancements will include: access to electronic records only by authorized officials; regular archiving of data; a sufficiently senior officer in charge of archived data, with well defined responsibilities; use of a proper software platform and tools to prevent unauthorized alteration of archived data; and on-line availability of data. If data is not available on-line, the system should be capable of making data for the current financial year available within 24 hours and past data within a maximum of 48 hours.
Banks should develop outsourcing guidelines to manage effectively the risks arising from third party service providers, such as disruption of service, defective services, and personnel of service providers gaining intimate knowledge of banks’ systems and misusing it. Alternatively, IBA or IDBRT may develop broad guidelines for use by the banking community.
With the increasing popularity of e-commerce, i.e., buying and selling over the Internet, it has become imperative to set up ‘Inter-bank Payment Gateways’ for settlement of such transactions. The Group has suggested a protocol for transactions between the customer, the bank and the portal and has recommended a framework for setting up payment gateways. In its capacity as regulator of banks and of the payment systems of the country, RBI should formulate norms for the eligibility of an institution to set up a payment gateway, and an eligible institution should seek RBI’s approval before setting one up.
Only institutions that are members of the cheque clearing system in the country may be permitted to participate in inter-bank payment gateways for Internet payments. Each gateway must nominate a bank as the clearing bank to settle all transactions. Only direct debits and credits to accounts maintained with the participating banks by the parties to an e-commerce transaction may be routed through a payment gateway. Payments effected using credit cards, payments arising out of cross-border e-commerce transactions, and all intra-bank payments (i.e., transactions involving only one bank) should be excluded from settlement through an inter-bank payment gateway.
Inter-bank payment gateways must have capabilities for both net and gross settlement. All settlement should be intra-day and, as far as possible, in real time. It must be obligatory for payment gateways to maintain a complete trace of every payment transaction, covering details such as the date and time of origin of the transaction, the payee, the payer and a unique transaction reference number (TRN).
Connectivity between the gateway and the computer system of a member bank should be achieved over a leased line network (not through the Internet) with an appropriate data encryption standard. All transactions must be authenticated using user-id and password. Once the regulatory framework is in place, transactions should be digitally certified by a licensed certifying agency. SSL / 128 bit encryption must be used as the minimum level of security. Adequate firewalls and related security measures must be taken to ensure privacy for the institutions participating in a payment gateway. Internationally accepted standards such as ISO8583 must be used for transmitting payment and settlement messages over the network.
RBI may have a panel of auditors who will be required to certify the security of the entire infrastructure, both at the payment gateway end and at the participating institutions’ end, before the facility is made available for customers’ use.
The credit risk associated with each payment transaction will be on the payee bank. The legal basis for such transactions and their settlement will be the bilateral contracts between the payee and the payee’s bank, between the participating banks and the service provider, and among the banks themselves. The rights and obligations of each party must be clearly stated in the mandate and should be valid in a court of law.
It will be necessary to make customers aware of the risks inherent in doing business over the Internet. This requirement will be met by mandatory disclosure of risks, responsibilities and liabilities to customers through a disclosure template. Banks should also provide their latest published financial results over the net.
Hyperlinks from banks’ websites often raise the issue of reputational risk. Such links should not mislead customers into believing that the bank sponsors any particular product or any business unrelated to banking. Hence, hyperlinks from a bank’s website should be confined to portals with which it has a payment arrangement or to sites of its subsidiaries or principals. Hyperlinks to a bank’s website from different portals are normally meant to pass information about purchases made by the bank’s customers at the portal. Banks must follow the minimum recommended security precautions while dealing with such requests, which include customer authentication through user-id and password, independent confirmation of the transaction by the customer before payment is authorized, and use of SSL with 128 bit encryption for all communication both with the portal and with the customer’s browser terminal.
On the question of an additional capital charge on banks which undertake Internet banking, the Group held the view that standards have not yet been developed for measuring an additional capital charge for operational risk. However, this requirement could be covered as RBI moves towards risk based supervision.
The applicability of various existing laws and banking practices to e-banking is untested and still evolving, both in India and abroad. With rapid changes in technology and innovation in the field of e-banking, there is a need for constant review of the different laws relating to banking and commerce. The Group therefore recommends that the Reserve Bank of India constitute a multi-disciplinary, high level standing committee to review the legal and technological requirements of e-banking on a continual basis and recommend appropriate measures as and when necessary.
The regulatory and supervisory framework for e-banking is continuing to evolve, and regulatory authorities all over the world recognize the need for a cooperative approach in this area. The Basle Committee on Banking Supervision (BCBS) has constituted an Electronic Banking Group (EBG) to develop guiding principles for the prudent risk management of e-banking activities. This Working Group therefore recommends that the Reserve Bank of India maintain close contact with the regulatory / supervisory authorities of different countries as well as with the Electronic Banking Group of the BCBS, and review its regulatory framework in keeping with developments elsewhere in the world.