Issue of December 2005 


“Basel II focusses more on operational risk”

Basel II compliance involves a strict focus on operational risk, which is why information security comes into the picture. Jeffrey Hoo, Services & Management Systems Field Director, Regional Product Marketing, Asia Pacific, Symantec, discusses the details of Basel II compliance in a conversation with Anil Patrick R.

Are information security and Basel II related concepts?

The difference between Basel I and Basel II is that the latter focusses more on operational risk. This emphasis is not present in Basel I, which focusses more on credit risks.

When operational risk was introduced in January 2001, banks were still focussing on credit risk. This means that they understand how to set policies right to comply with credit risk management requirements, but not operational risk. Operational risk brings into the picture day-to-day operational processes and how you conduct your business. Banks are overwhelmed, and they are still trying to understand the big picture vis-à-vis operational risk.

This is why banks need to divide it into more manageable units in different areas to make it easier to address risk. Information security is only one part of the operational risk that they need to address.

How is the information security aspect dealt with in Basel II?

At first glance there are only 10 principles that talk about information security risk with respect to operational risk. Yet these are thick chapters of Basel II which have significant impact on the entire Basel II accord since almost every banking system used today relies on computers.

Whether it is credit risk or human resources or business units not related to information technology, computers are used. These have to interact with each other by means of connectivity, internal or external. In addition to these, there are added security risks due to e-commerce, Internet banking, etc.

Technology reaches more than just the business units discussed in Basel II. The fact is that these systems use electronic forms and rely on computers to do business; these put all business units at risk. This is the role of information security in Basel II.

IT plays a role in all channels whether it is ATMs, net banking or core banking systems. Will banks have to change existing security infrastructure or policies to comply with Basel II?

I cannot comment on Indian banks because I do not represent them. But I can provide some aspects based on our research and observations from interactions with Indian banks.

It looks like Indian banks are more familiar with the credit risk type of compliance than the information security aspect of operational risk. They are not able to piece together the inter-operability between information security risk and operational risk. They feel that these two are the same—they are not.

In a Basel II template which talks about how banks should set up a risk management environment, it actually mentions that banks should conduct an internal audit regularly to ensure the absence of loopholes and non-compliances with policies. It seems that Indian banks were not able to separate the internal auditing of systems and the people who are actually managing day-to-day operations of security systems.

My guess at this point of time is that Indian banks are still not putting sufficient emphasis on security. They are looking at all other aspects related to credit risk and operational risk, but information security is under-addressed. They are not able to piece things together for a holistic approach. They are approaching it part by part, and several times they might not be able to connect well from these principles to the general credit risk.

If a bank wants to go the Basel II way, where does it start?

First of all, we need to be specific. If a bank wants to go the Basel II way, it is a very complex process.

If you specify information security, first of all you need to understand the security position with respect to Basel II. There are 10 principles which talk about how banks should set up risk management environments.

The first portion is meant for corporate directors who have to be aware and approve the systems that have to be in place. Then come senior staff who manage day-to-day operations. These are the two sides that have to be taken care of. Then there are other processes that have to be defined by Basel II in that area.

The second part of Basel II relates to regulators. For example, what should regulators do in their country when it comes to corporate governance? This includes checking banks to ensure that they have the system in place and do external audits. In India’s case, that would be the RBI.

The last part deals with the market. This is about people like you and me who have to be sure that proper credit systems are in place to safeguard our money. By this I mean that there are sufficient safeguards in the form of security technologies, people and processes in place to ensure that my money is not being transferred by hackers to their accounts.

These are the three portions in the 10 principles that address the risk management environment. Once you understand these right, you need to figure out how to translate these guidelines into a multi-tech process. This process has to be more precise in order to manage all the risks associated with an organisation’s business units.

Although the process varies for different banks, is there a typical timeframe within which a bank can become Basel II compliant?

First of all, no one today can give the correct answer since this is a learning phase for all banks. But a path has been defined and agreed upon in 2001.

If you are doing business with international banks, they are all subject to Basel II compliance. I think that compliance is an ongoing process. Let’s say that you are compliant with Basel II today. But what if there is a merger or acquisition or if there is a system upgrade? The moment you touch the systems, whether small or big, you alter your security posture and become non-compliant. So compliance is an ongoing process.

Are there any best practices in place for organisations to get a jump start?

You don’t have to search the entire library to find such best practices. There is already a set of best practices in place in the form of ISO 17799. This gives you details of all the best practices that are in place to prepare various infrastructure systems.

Do you think Indian banks will be able to comply with Basel II by the new deadline?

I’m not surprised that the deadlines have been shifted. From the last research I have done, it is now March 2007, according to the release from the Reserve Bank of India.

I do not know if this is achievable. We cannot say that Indian banks will be Basel II compliant by then unless the banks look at information security seriously and at its role in the entire Basel II accord. That can be achieved only by looking at all business units at different levels.

Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.