Sunday, January 29, 2012

e-Banking Security needs to be stepped up to protect customers

Presently, almost all the banks have introduced core banking facilities and are providing various online transactions.  In the past two or three years, the usage of technology in banks has grown manyfold.

As at the end of 2011, approximately 1.8 crores of credit cards are in circulation and they contribute around 8000 crores of transactions every month.  In the same way, around 26 crores of debit cards are in circulation, creating around 3000 crores of transactions.  Besides, the banks have activated around 6.5 crores of online accounts.  The banks in India, put together, transact around 2 lakh crores of rupees every month electronically through NEFT, ECS, credit and debit card transactions.

Anticipating such enormous growth, Reserve Bank of India (RBI) set up a Working Group in 2010 under the Chairmanship of Mr G Gopalakrishna, Executive Director of RBI, to look into information security in banks and suggest measures.  Accordingly, the Working Group submitted its draft report to RBI in Jan 2011.  RBI sought suggestions from civil society on the report.  After the suggestions were received, the final report was accepted by RBI and circulated to all the banks on 29th April 2011, directing them to implement the recommendations in a time-bound manner.

The Working Group has given 265 recommendations.  Before the end of October 2011, the Banks should have completed the formation of various committees for implementation and for drafting IS Policy.  They should have also completed the gap analysis.

With this background, Cyber Society of India (CySI) jointly with Indian Overseas Bank (IOB) organised a one-day National Seminar on "Banking on e-Security: RBI's Gopalakrishna Working Group" on Friday the 27th Jan 2012 at Chennai.

This is the first time such a seminar has been organised anywhere in India after the publication of the report.  Mention must be made of Mr M Narendra, CMD of IOB, who took pro-active efforts and arranged for Mr Gopalakrishna himself to address the participants from different banks and the IT industry.

When Cyber Society of India wrote to all the banks about the seminar and requested their participation, except for a few banks like Indian Bank, Canara Bank, Corporation Bank, Maharashtra Bank, UCO Bank, TNSC Bank and SBI, the others did not bother even to acknowledge or enquire about it.  Those banks did not even respond to phone calls.

Even when CySI wrote personally to a few Chairmen, requesting them to participate in the inaugural session, they did not respond, even after several reminders and phone calls.

While organising this event, CySI realised that bankers were not well equipped to address the seminar confidently.  Their level of knowledge of this report was also very low.  When CySI requested one of the banks to depute its Senior Executive, who is considered an authority on IS Audit, the bank's GMs immediately deputed him to Chennai from Kolkata.  After the concerned official boarded the flight, the CMD of the bank ordered him not to go and speak.  This is the type of 'attitude' of the top management in many banks.  Probably, for every knowledge-seeking exercise, they need some 'directions' from the Government or from Regulators.  Only very few Chairmen are pro-active.

Cyber Society of India has suggested two measures to RBI for consideration.

1.  Presently, banks offer mobile alerts to their customers for their credit card, debit card and online transactions only on request.  Due to lack of awareness, many customers have not availed themselves of this facility.  This leads to a lot of cyber crimes, which also puts pressure on police authorities.  Hence, CySI suggested that mobile alerts should be enabled by 'default', and that customers who do not want such alerts should have to request the bank to turn them off.

2.  Secondly, IS Audit in the banks is not done effectively.  Either the banks do it themselves or they get it done through their own known people.  Since the banks are not insisting on 'digital signatures' for the transactions, they are exposing the customers to greater risk and privacy issues.  Hence, CySI has requested RBI to empanel qualified IS Auditors and allot the auditors at random directly to the banks.  Such independent reports are to be monitored by RBI.

Mr Gopalakrishna said that he would take these suggestions up with the appropriate authorities at RBI level for consideration.

While addressing the participants, Mr Gopalakrishna also accepted that the implementation in the first six months was not satisfactory.  Subsequently, when the media persons asked him, he responded that RBI would take it seriously, if the recommendations are not implemented before October 2012.  

The full text of the speech by Mr G Gopalakrishna may be downloaded from the following link:

PodUniversal Edition 146

You may listen to the complete speech of Mr Gopalakrishna (35 minutes).  He covers the important aspects of the report and also the road ahead.

This podcast may also be listened to from the following link.

PodUniversal Edition 147

Please listen to the inaugural speech of Mr M Narendra, Chairman and Managing Director, Indian Overseas Bank (30 minutes).
This podcast may also be listened to from the following link.
