RBI's master stroke to enhance digital security

The central bank (RBI) on Thursday came out with a Master Direction covering internet banking, mobile payments, card payments, customer protection and the grievance redressal mechanism.
Please find below insights from Bharat Panchal, Chief Risk Officer for India, Middle East & Africa at FIS, a global Fortune 500 company and a leading provider of technology solutions for merchants, banks and capital markets firms globally.
“The regulator has always been concerned about the security of digital transactions and time and again they have come out with guidelines. But the Digital Payment Security Controls (DPSC) guidelines are a very big move by the RBI to ensure that there is uniformity of security controls across the banking ecosystem. This newer framework is a mix of some of the old guidelines and newer controls, which makes for a very strong control mechanism. The good part is that the guidelines cover all payment channels, be it ATM, net banking, card, mobile, etc., in a well-integrated risk framework. The globally accepted PCI DSS guidelines are now formally mandated for card processing, which is a very good move towards card security in overall transaction processing. Upon effective implementation of this guideline, it will surely help to safeguard the IT backbone of the banks, and will also enhance customers’ trust, as for the first time the guideline has addressed concerns about digital frauds in detail. Cyberattacks and data breaches will continue to happen. However, these guidelines have mandated a mechanism for 24x7 monitoring of such breaches, which will help in the early detection of such breaches and an instant response. This will be a great move to equip banks with a strong detect and response mechanism.
However, this will be a challenge for many banks to implement within a six-month timeline. The major reason is that not every bank is at par in terms of security framework and the necessary infrastructure in place. This may warrant a complete overhaul of their risk management framework. Secondly, this will also increase complexity in compliance requirements. While in many other circulars the RBI has categorically asked banks to avail of CERT-IN empanelled vendors only, the newer guidelines have no such reference. This might lead to some ambiguity on who can help banks to comply with these guidelines.
Further, the guidelines talk more about governance and the risk framework, and not only about cybersecurity, and the overall organizational posture on digital risk. There is not much clarity on the internal governance needed to implement, oversee and improve the control mechanism. While the CISO is a designated individual who would be responsible for security, there is a lot more to be done in overall risk management to have an enhanced digital risk posture as per the guidelines. The conventional CRO role in banks may not be equipped to absorb such a complex security framework into the integrated risk framework of the bank. Therefore, a role like Chief Digital Risk Officer (CDRO) may need to be created to ensure that these guidelines are implemented in totality as mandated.”
About FIS
FIS is a leading provider of technology solutions for merchants, banks and capital markets firms globally. Our more than 55,000 people are dedicated to advancing the way the world pays, banks and invests by applying our scale, deep expertise and data-driven insights. We help our clients use technology in innovative ways to solve business-critical challenges and deliver superior experiences for their customers. Headquartered in Jacksonville, Florida, FIS is a Fortune 500® company and is a member of Standard & Poor’s 500® Index.