and financial institutions in India are in the process
of Web-enabling their services in order to offer Internet
banking to its customers. The RBI has drafted certain
Internet banking guidelines that have to be followed
by banks about to venture into online banking. Here's
what banking CIOs need to do. by Soutiman Das Gupta
the new generation of banking in India. Most private
and MNC banks have already setup an elaborate Internet
banking infrastructure. And this exercise has provided
them numerous benefits like:
Greater reach to customers
Quicker time to market
Ability to introduce new products and services quickly
Ability to understand its customers needs
Customers are given access to information easily across
Greater customer loyalty
Multi-national and private sector banks in India have
been very successful in setting up Internet banking
services. This is mainly because these banks already
had a robust automated banking environment on which
they could build the Internet banking infrastructure.
Most multi-national banks already have efficient Internet
banking infrastructures running in other countries which
could be emulated in India. And the private banks, which
are relatively young, did not have to carry the burden
of legacy systems. They merely invested in best-of-breed
Internet banking solutions from the start.
In a fix
Unfortunately nationalized banks have been unable to
evolve as fast as most private sector and MNC banks.
As a result, in many organizations there may be a mix
of automated systems and manual systems, with both systems
running parallel, and using half-baked applications
created by smaller vendors which run in certain departments.
This creates a chaotic scenario. Network management
is a nightmare, the legacy systems may buckle any moment,
new users and locations keep coming up, and there are
also issues of security and consolidation.
This is a typical situation at a usual nationalized
A very large network of branches nationwide growing
Lack of connectivity in remote locations
A very large base of customers increasing fast
75-80 percent automation in main branches with less
automation in remote cities and smaller branches
Large amount of legacy equipment which doesn't integrate
well with other systems
Inefficient and outdated applications in some departments
which are not flexible and don't integrate well with
Slow-to-change mentality of an Indian customer who
is used to dealing with a human teller
Web-enabling banks with such infrastructure and number
of branches nationwide at one go is a near-impossible
task. However each of the challenges can be overcome
with good planning, phased implementation, and lots
of grit on the part of the CIOs.
The RBI steps in
The Reserve Bank of India (RBI) has created a comprehensive
document which lays down number of security-related
guidelines and strategies for banks to follow in order
to offer Internet banking. The guidelines broadly talk
about the types of risks associated with Internet banking,
the technology and security standards, legal issues
involved, and regulatory and supervisory concerns. Any
bank that wants to offer Internet banking must follow
these guidelines and adhere to them as a legal necessity.
Vaidyanathan Iyer, National Manager, eSecurity Business,
Computer Associates provides solutions to banks which
can help them go online. He says, "the guidelines
have been created with a lot of thought regarding the
banking scenario in India. It is at par with international
banking standards and is very comprehensive."
The document broadly categorizes levels of Internet
banking services into three types:
The basic level service in which the banks' websites
disseminate information on different products and
services to customers. It may receive and reply to
customers' queries through e-mail.
Simple transactional websites which allow customers
to submit their instructions, applications for different
services, and queries on their account balances. They
do not permit any fund-based transactions on their
The third level of Internet banking services offered
by fully-transactional websites which allow customers
to operate on their accounts for transfer of funds,
payment of different bills, subscribing to other products
of the bank, and to transact purchase and sale of
The document lays down some of the distinctive features
of Internet banking. They are:
It removes the traditional geographical barriers as
it could reach out to customers of different countries/legal
jurisdiction. This has raised the question of jurisdiction
of law/supervisory system to which such transactions
should be subjected.
It has added a new dimension to different kinds of
risks traditionally associated with banking, heightening
some of them and throwing new risk control challenges.
Security of banking transactions, validity of electronic
contract, customers' privacy, etc., which have all
along been concerns of both bankers and supervisors
have assumed different dimensions given that Internet
is a public domain, not subject to control by any
single authority or group of users.
It poses a strategic risk of loss of business to those
banks who do not respond in time to this new technology,
being the efficient and cost effective delivery.
Securitythe key concern
It's evident from the document and from a general study
of the business case of Internet banking, that security
is perhaps the biggest concern. Connectivity issues
to remote locations is also very important, but the
need to be secure is far more pressing.
The document says that security issues include questions
of adopting internationally accepted state-of-the-art
minimum technology standards for access control, encryption/decryption
(minimum key length), firewalls, verification of digital
signature, and Public Key Infrastructure (PKI).
Concerns in Chapter 5 and 6
The concerns and guidelines about security are discussed
in detail in Chapter 5 and Chapter 6 of the report.
The key components of security concerns are
Authentication: The assurance of identity of
the person in a deal
Authorization: A party doing a transaction
is authorized to do so
Privacy: The confidentiality of data and information
relating to any deal
Data integrity: Assurance that the data has
not been altered
Non-repudiation: A party to the deal cannot
deny that it originated the communication or data
If these areas are not addressed, the bank may suffer
operational risk, reputational risk, legal risk, money
laundering risk, and strategic risk.
Chapter 6 of the report talks about technology and security
standards for Internet banking. It talks about TCP/IP,
the OSI Layers, and application architectures. There
are guidelines for backup and recovery, list of the
different types of attacks and the ways in which they
can compromise a system, like sniffer attacks, DoS,
and e-mail bombs.
Authentication techniques like tokens, biometrics, and
smart cards are described. The concepts of firewalls,
proxy servers, cryptography, digital signatures, certification,
SSL, and PKI are explained in detail. Security tools
like scanners, sniffers, and IDSs are also described.
Physical security is talked about and followed by guidelines
of a security policy and a number of recommendations.
The recommendations talk about access control, isolation
of application servers, security logs (audit trails),
penetration testing, backup and recovery practices,
monitoring against threats, and education.
Comprehensiveness and Indian banks
The RBI guidelines are very exhaustive and extremely
comprehensive. But are Indian banks following the guidelines
accordingly? Experts at Global E-Secure Limited, a security
solutions company say that none of the Indian banks
which offer Internet banking facilities have an IT security
policy as stipulated by the RBI. While banks have been
asked to file monthly reports to show compliance to
the guidelines, most of them have sought time to satisfy
the security policy criterion.
The RBI is insisting on a written document, signed by
the Board of Directors to make the banks aware that
IT security is not just an IT concern, but something
that could affect overall business as well.
The company also says that while these banks do have
security measures, there is no clear-cut program which
incorporates all the aspects of a comprehensive security
policy. Also, some banks do not have straight-through
processing. There is manual intervention, which poses
a great security risk for the customer. In order to
fill such gaps, the security policy guidelines clearly
lay out the areas which should be looked into. To provide
a further check, the RBI is also empowered to audit
the compliance to the policy.
Rajeev Wadhwa, COO, Global E-Secure Limited says, "Following
the release of its guideline, the RBI will also come
out with a policy on similar lines. Hence, it's imperative
that banks immediately act upon the same. The RBI has
asked I-banking and e-trading banks to perform ethical
hacking of their servers and submit their reports. Since
there is no proper ethical hacking policy and methodology
published in the IT-Act nor by the RBI, these banking
organizations have to depend on only security specialists
who have the Service Level Agreement (SLA) and a procedure
A practical approach
IDBI Bank has successfully implemented a robust Internet
banking architecture for its customers. Neeraj Bhai,
the CTO of the bank says, "RBI guidelines are stringent,
but not very difficult to implement if one goes about
in a systematic fashion. The rule which stipulates that
the bank must have a client-level certificate, is somewhat
difficult and expensive to implement in a retail banking
scenario. The guidelines also prescribe certain functions
be authorized at the Board level. This provision has
potential to introduce delays in deployment."
"It is not important to look at which policy is
to be applied first. One has to take a holistic view.
Certain prescriptions of the RBI, like having an information
security policy, are general in nature and not specific
to Internet banking. If an organization is alive to
such issues even before launching Internet banking,
things become simpler. It should be viewed as a cross-functional
project and managed in a controlled fashion. Many banks
make the mistake of believing that all their customers
would be interested in Internet banking and therefore
start enabling the service to all their customers. In
reality most of such 'enabled' customers do not access
the service and the banks end up loading their systems
unnecessarily and spending big sums on sending PIN mailers."
"Like any other product or service, Internet banking
is not a one-time activity. The bank has to persuade
its customers to use the service to achieve cost advantage.
Since many customers do not use Internet banking, the
bank has to enrich its services by additional payment
tie-ups so that customers have more options. In this
case, data security needs to be very thorough."
Banks e-banking Infrastructure
Bank Limited uses the following equipment infrastructure
to address its Internet banking needs:
Application integration with core banking
Scalability tests (desirable but optional)
Server level (mandatory)
Client level (Optional: we did not deploy this)
Intrusion Detection Systems
Subscribing to advisories
Isolation from the main network
IDBI Bank did not undertake services of any systems
integrator. Neeraj Bhai, CTO, IDBI Bank says,
"These services are often offered by multiple
divisions of a company, and these divisions do
not have a good level of coordination among themselves.
It is also advisable to have owners within the
organization who drive the effort."
BS7799 security standard
published in February 1995, BS7799 is a comprehensive
set of information security controls. It is intended
to serve as a single reference point for identifying
a range of controls needed for most situations
where information systems are used. BS7799 was
significantly revised, extended and improved in
May 1999, before being republished as ISO 17799
in Dec 2000.
With BS7799 accreditation and certification schemes
now firmly in place, BS7799 may ultimately become
a benchmark against which all organizations will
be measured. There have even been suggestions
of mandatory inclusion of an organization's BS7799
status within its annual report.
It covers areas like business continuity plans,
system access control, system development and
maintenance, compliance, personnel security, asset
control and classification, and physical and environmental
A time may soon come when the BS7799 standard
will become a necessity for all financial institutions.
Das Gupta can be reached at firstname.lastname@example.org