On Thursday the RBI issued a Master Direction covering internet banking, mobile payments, card payments, customer protection and the grievance redressal mechanism.
Below are the insights of Bharat Panchal, Chief Risk Officer for India, Middle East & Africa at FIS.
RBI’s master stroke to enhance digital security
“The regulator has always been concerned about the security of digital transactions and time and again they have come out with guidelines. But the Digital Payment Security Controls (DPSC) guidelines are a very big move by the RBI to ensure that there is uniformity of security controls across the banking ecosystem. This newer framework is a mix of some of the old guidelines and newer controls, which makes for a very strong control mechanism. The good part is that the guidelines cover all payment channels, be it ATM, net banking, card, mobile, etc., in a well-integrated risk framework. The globally accepted PCI DSS guidelines are now formally mandated for card processing, which is a very good move towards card security in overall transaction processing. Upon effective implementation of this guideline, it will surely help to safeguard the IT backbone of the banks, and will also enhance customers’ trust, as for the first time the guideline has addressed concerns about digital frauds in detail. Cyberattacks and data breaches will continue to happen. However, these guidelines have mandated a mechanism for 24x7 monitoring of such breaches, which will help in early detection of such breaches and instant response. This will be a great move to equip banks with a strong detect and respond mechanism.
However, this will be a challenge for many banks to implement within the six months’ timeline. The major reason is that not every bank is at par in terms of security framework and having the necessary infrastructure in place. This may warrant a complete overhaul of their risk management framework. Secondly, this will also increase complexity in compliance requirements. While in many other circulars the RBI has categorically asked to avail CERT-In empanelled vendors only, the newer guidelines have no such reference. This might lead to some ambiguity on who can help banks to comply with these guidelines.
Further, the guidelines talk more about governance and risk framework, and not only about cybersecurity, and about the overall organizational posture on digital risk. There is not much clarity on the internal governance needed to implement, oversee and improve the control mechanism. While the CISO is a designated individual who would be responsible for security, there is a lot more to be done in overall risk management to have an enhanced digital risk posture as per the guidelines. The conventional CRO role in banks may not be equipped to absorb such a complex security framework into the integrated risk framework of the bank. Therefore, a role like Chief Digital Risk Officer (CDRO) may need to be created to ensure that these guidelines are implemented in totality as mandated.”