RBI Report on Internet Banking

This article is second in the series on Legal Issues in Internet Banking. Access the first article here.

Looking at the IT challenges and information security concerns, RBI introduced guidelines to enhance the governance of IT and institute robust information security measures in the Indian banking sector. Following were the major reasons for introducing the guidelines for the bank:

• Information technology (IT) risk assessment and management were required to be made a part of the risk management framework of a bank.
• Internal audits/information system audits needed to independently provide assurance that IT-related processes and controls were working as intended.
• Given the instances of cyber fraud in banks recently, it was necessary to improve controls and examine the need for pro-active fraud risk assessments and management processes in commercial banks.
• With the increase in transactions in electronic mode, it was also critical to examine the legal implications for banks arising out of cyber laws and steps that were required to be taken to suitably mitigate the legal risks.

The Regulatory and Supervisory concerns in i-banking can be broadly addressed under three broad categories, viz,

• Legal and regulatory issues
• Security and technology issues
• Supervisory and operational issues

Legal issues cover those relating to the jurisdiction of law, the validity of electronic contract including the question of repudiation, gaps in the legal/regulatory environment for electronic commerce. On the question of jurisdiction, the issue is whether to apply the law of the area where access to the Internet has been made or where the transaction has finally taken place. Allied to this is the question of where the income has been generated and who should tax such income. There are still no definite answers to these issues.

The security of i-banking transactions is one of the most important areas of concern for the regulators. Security issues include questions of adopting internationally accepted state-of-the art minimum technology standards for access control, encryption/decryption (minimum key length etc), firewalls, verification of a digital signature, Public Key Infrastructure (PKI), etc. The regulator is equally concerned about the security policy for the banking industry, security awareness, and education.

The supervisory and operational issues include risk control measures, advance warning systems, Information technology audit and re-engineering of operational procedures. The regulator would also be concerned with whether the nature of products and services offered are within the regulatory framework and whether the transactions do not camouflage money-laundering operations.

Taking into account the above-mentioned issues, the creation of a Working Group on Information Security, Electronic Banking, Technology Risk Management and Tackling Cyber Fraud took place. This working group was formed with the following vision to:

• undertake a comprehensive assessment of extant IT and e-banking related guidelines vis-à-vis international guidelines/best practices and suggest suitable recommendations
• suggest recommendations with respect to information security in order to comprehensively provide for a broad framework to mitigate present internal and external threats to banks
• Provide recommendations for effective and comprehensive Information Systems Audit related processes to provide assurance on the level of IT risks in banks
• Suggest scope for enhancement of measures against cyber fraud through preventive and detective mechanisms as part of the fraud risk management framework in banks
• Identify measures to improve business continuity and disaster recovery-related processes in banks
• Assess the impact of legal risks arising out of cyber laws, the need for any specific legislation relating to data protection and privacy and whether there is an Indian equivalent of the Electronic Fund Transfer Act in the US
• Consider scope to enhance customer education measures relating to cyber fraud[1]

1. Risks in E-banking

E-banking improves a bank’s performance and competitiveness so that existing customers can benefit from greater degree of convenience in effecting transactions. However, the banks are facing with different levels of risks and expectations arising from electronic banking as compared to traditional banking services.

Financial institutions have faced difficulties over the years for a multitude of reasons. The major cause of serious banking problems continues to be directly related to lax credit standards for borrowers and counterparties, poor portfolio, risk management that can lead to deterioration in the credit standing of a bank’s counterparties. Banks need to manage the credit risk inherent in the entire portfolio as well as the risk in individual credits or transactions. Banks should also consider the relationships between credit risk and other categories of risks.

Various kinds of risks are involved with e-banking. Some of these risks are discussed below:

1.1 Operational Risk

Due to the introduction of e-banking technology, operational risks are on the rise and should be managed in a proper way. The bank needs to manage these risks in the areas of security, data confidentiality, data system integrity, system availability, and outsourcing. These risks are closely linked to reputation risks and legal risks for banks as if the security breaches than it will have damaging effects on the reputation of the bank which could have legal consequences also. Security constitutes an important part of the operational risk of e-banking. Threats can come from inside and outside the system. It includes “hijacking”, “sniffing” or “spoofing” to retrieve and use confidential consumer information, add customer assets and subtract customer liabilities or interrupt operations.

Human resource management must ensure that personnel involved in maintaining and operating the websites and systems are adequately trained in security practices. In order to have a proper security system, there should be segregation of duties, which means accessing and control should be different. These practices should be regularly tested and reviewed by outside experts. Further, the key to control transaction risk lies in adopting effective policies, procedures, and controls to meet the new risk exposures introduced by e-banking. These controls include division of duties, dual controls, information security controls, processes, tools, expertise, and testing of different methods of e-banking.

1.2 Reputational Risk

Reputational risk is the risk related to the negative opinion of the customers that result in a critical loss of funding of the customers. The reputational risk may arise due to action taken by the bank itself or in response to action of the third parties. This risk mainly arises when the system is not able to perform as expected. This risk may also arise from targeted attacks on banks. For example, a hacker penetrating a bank’s website may alter to intentionally spread the inaccurate information among the customers regarding the bank’s products and services. So, reputational risk is increased through e-banking if the bank fails to deliver secure, accurate and timely services on a consistent basis.

1.3 Legal Risk

Legal risks also arise in e-banking. Banks engaging in electronic banking and electronic money activities can face legal risks with respect to customer disclosures and privacy protection. Customers who have not been adequately informed about their rights and obligations may bring suit against a bank. Failure to provide adequate privacy protection may also subject a bank to regulatory sanctions in some countries. Banks choosing to enhance customer service by linking their internet sites to other sites can also face legal risks. A hacker may use the linked site to defraud a bank customer, and the bank could face litigation from the customer.

1.4 Financial Risk

It is the constant and terrible fear of transaction errors causing a potential monetary loss suffered by customers who perform online transactions. So, it is clear that e-banking is actually lacking the assurance provided in traditional banking and this is due to the fact that online banking is considered as an innovation that is incompatible with consumers’ habits.

1.5 Performance Risk

This is the risk caused due to malfunctioning of online banking websites. Customers are often afraid that a disconnection from the Internet will occur while performing electronic transactions that can lead to “huge” unexpected losses. Internet access is a crucial variable on which the adoption of online banking depends and there is a significant relationship that exists between the speed of internet access and the acceptance of electronic banking.

1.6 Privacy Risk

It refers to the potential loss due to fraud or a hacker compromising the security of an online bank user. This risk is accentuated since the emergence of phishers whose hobby consists of attempting to collect personal information, such as usernames, passwords, and credit card details. They not only lead to users’ monetary loss but also violate users’ privacy.

1.7 Time Risk

It is the time lost; the lateness in receiving the payment or the difficulty of navigation. This can be due to a disorganized website, slow downloadable pages and the long time needed to be a PC-literate.

1.8 Credit Risk

Credit risk is not increased due to loans originated through the e-banking channel. But sometimes the bank may not be able to evaluate the creditworthiness of the customer due to remote banking procedures. However, online loan origination and approval tend to make risk management of lending tasks more difficult and challenging. The banks should always verify the customers’ identity for online credit applications and also the monitoring and controlling of the growth, pricing, underwriting standards and ongoing credit quality of loans originated through e-banking channels.

---

[1] Reserve Bank of India, Report on Internet Banking, available at <https://www.rbi.org.in/SCRIPTs/PublicationReportDetails.aspx?UrlPage=&ID=243>