E-banking in India

Towards online banking

Banks and financial institutions in India are in the process of Web-enabling their services in order to offer Internet banking to its customers. The RBI has drafted certain Internet banking guidelines that have to be followed by banks about to venture into online banking. Here's what banking CIOs need to do. by Soutiman Das Gupta

It's the new generation of banking in India. Most private and MNC banks have already setup an elaborate Internet banking infrastructure. And this exercise has provided them numerous benefits like:

• Greater reach to customers
• Quicker time to market
• Ability to introduce new products and services quickly and successfully
• Ability to understand its customers needs
• Customers are given access to information easily across any location
• Greater customer loyalty

Multi-national and private sector banks in India have been very successful in setting up Internet banking services. This is mainly because these banks already had a robust automated banking environment on which they could build the Internet banking infrastructure. Most multi-national banks already have efficient Internet banking infrastructures running in other countries which could be emulated in India. And the private banks, which are relatively young, did not have to carry the burden of legacy systems. They merely invested in best-of-breed Internet banking solutions from the start.

In a fix
Unfortunately nationalized banks have been unable to evolve as fast as most private sector and MNC banks. As a result, in many organizations there may be a mix of automated systems and manual systems, with both systems running parallel, and using half-baked applications created by smaller vendors which run in certain departments. This creates a chaotic scenario. Network management is a nightmare, the legacy systems may buckle any moment, new users and locations keep coming up, and there are also issues of security and consolidation.

This is a typical situation at a usual nationalized bank:

• A very large network of branches nationwide growing fast
• Lack of connectivity in remote locations
• A very large base of customers increasing fast
• 75-80 percent automation in main branches with less automation in remote cities and smaller branches
• Large amount of legacy equipment which doesn't integrate well with other systems
• Inefficient and outdated applications in some departments which are not flexible and don't integrate well with other applications
• Slow-to-change mentality of an Indian customer who is used to dealing with a human teller

Web-enabling banks with such infrastructure and number of branches nationwide at one go is a near-impossible task. However each of the challenges can be overcome with good planning, phased implementation, and lots of grit on the part of the CIOs.

The RBI steps in
The Reserve Bank of India (RBI) has created a comprehensive document which lays down number of security-related guidelines and strategies for banks to follow in order to offer Internet banking. The guidelines broadly talk about the types of risks associated with Internet banking, the technology and security standards, legal issues involved, and regulatory and supervisory concerns. Any bank that wants to offer Internet banking must follow these guidelines and adhere to them as a legal necessity.

Vaidyanathan Iyer, National Manager, eSecurity Business, Computer Associates provides solutions to banks which can help them go online. He says, "the guidelines have been created with a lot of thought regarding the banking scenario in India. It is at par with international banking standards and is very comprehensive."

Background
The document broadly categorizes levels of Internet banking services into three types:

• The basic level service in which the banks' websites disseminate information on different products and services to customers. It may receive and reply to customers' queries through e-mail.
• Simple transactional websites which allow customers to submit their instructions, applications for different services, and queries on their account balances. They do not permit any fund-based transactions on their accounts.
• The third level of Internet banking services offered by fully-transactional websites which allow customers to operate on their accounts for transfer of funds, payment of different bills, subscribing to other products of the bank, and to transact purchase and sale of securities.

Internet banking
The document lays down some of the distinctive features of Internet banking. They are:

• It removes the traditional geographical barriers as it could reach out to customers of different countries/legal jurisdiction. This has raised the question of jurisdiction of law/supervisory system to which such transactions should be subjected.
• It has added a new dimension to different kinds of risks traditionally associated with banking, heightening some of them and throwing new risk control challenges.
• Security of banking transactions, validity of electronic contract, customers' privacy, etc., which have all along been concerns of both bankers and supervisors have assumed different dimensions given that Internet is a public domain, not subject to control by any single authority or group of users.
• It poses a strategic risk of loss of business to those banks who do not respond in time to this new technology, being the efficient and cost effective delivery.

Security—the key concern
It's evident from the document and from a general study of the business case of Internet banking, that security is perhaps the biggest concern. Connectivity issues to remote locations is also very important, but the need to be secure is far more pressing.

The document says that security issues include questions of adopting internationally accepted state-of-the-art minimum technology standards for access control, encryption/decryption (minimum key length), firewalls, verification of digital signature, and Public Key Infrastructure (PKI).

Concerns in Chapter 5 and 6
The concerns and guidelines about security are discussed in detail in Chapter 5 and Chapter 6 of the report. The key components of security concerns are

• Authentication: The assurance of identity of the person in a deal
• Authorization: A party doing a transaction is authorized to do so
• Privacy: The confidentiality of data and information relating to any deal
• Data integrity: Assurance that the data has not been altered
• Non-repudiation: A party to the deal cannot deny that it originated the communication or data

If these areas are not addressed, the bank may suffer operational risk, reputational risk, legal risk, money laundering risk, and strategic risk.

Chapter 6 of the report talks about technology and security standards for Internet banking. It talks about TCP/IP, the OSI Layers, and application architectures. There are guidelines for backup and recovery, list of the different types of attacks and the ways in which they can compromise a system, like sniffer attacks, DoS, and e-mail bombs.

Authentication techniques like tokens, biometrics, and smart cards are described. The concepts of firewalls, proxy servers, cryptography, digital signatures, certification, SSL, and PKI are explained in detail. Security tools like scanners, sniffers, and IDSs are also described. Physical security is talked about and followed by guidelines of a security policy and a number of recommendations. The recommendations talk about access control, isolation of application servers, security logs (audit trails), penetration testing, backup and recovery practices, monitoring against threats, and education.

Comprehensiveness and Indian banks
The RBI guidelines are very exhaustive and extremely comprehensive. But are Indian banks following the guidelines accordingly? Experts at Global E-Secure Limited, a security solutions company say that none of the Indian banks which offer Internet banking facilities have an IT security policy as stipulated by the RBI. While banks have been asked to file monthly reports to show compliance to the guidelines, most of them have sought time to satisfy the security policy criterion.

The RBI is insisting on a written document, signed by the Board of Directors to make the banks aware that IT security is not just an IT concern, but something that could affect overall business as well.

The company also says that while these banks do have security measures, there is no clear-cut program which incorporates all the aspects of a comprehensive security policy. Also, some banks do not have straight-through processing. There is manual intervention, which poses a great security risk for the customer. In order to fill such gaps, the security policy guidelines clearly lay out the areas which should be looked into. To provide a further check, the RBI is also empowered to audit the compliance to the policy.

Rajeev Wadhwa, COO, Global E-Secure Limited says, "Following the release of its guideline, the RBI will also come out with a policy on similar lines. Hence, it's imperative that banks immediately act upon the same. The RBI has asked I-banking and e-trading banks to perform ethical hacking of their servers and submit their reports. Since there is no proper ethical hacking policy and methodology published in the IT-Act nor by the RBI, these banking organizations have to depend on only security specialists who have the Service Level Agreement (SLA) and a procedure in place."

A practical approach
IDBI Bank has successfully implemented a robust Internet banking architecture for its customers. Neeraj Bhai, the CTO of the bank says, "RBI guidelines are stringent, but not very difficult to implement if one goes about in a systematic fashion. The rule which stipulates that the bank must have a client-level certificate, is somewhat difficult and expensive to implement in a retail banking scenario. The guidelines also prescribe certain functions be authorized at the Board level. This provision has potential to introduce delays in deployment."

"It is not important to look at which policy is to be applied first. One has to take a holistic view. Certain prescriptions of the RBI, like having an information security policy, are general in nature and not specific to Internet banking. If an organization is alive to such issues even before launching Internet banking, things become simpler. It should be viewed as a cross-functional project and managed in a controlled fashion. Many banks make the mistake of believing that all their customers would be interested in Internet banking and therefore start enabling the service to all their customers. In reality most of such 'enabled' customers do not access the service and the banks end up loading their systems unnecessarily and spending big sums on sending PIN mailers."

"Like any other product or service, Internet banking is not a one-time activity. The bank has to persuade its customers to use the service to achieve cost advantage. Since many customers do not use Internet banking, the bank has to enrich its services by additional payment tie-ups so that customers have more options. In this case, data security needs to be very thorough."

IDBI Bank’s e-banking Infrastructure

IDBI Bank Limited uses the following equipment infrastructure to address its Internet banking needs: Hardware Web servers Application servers Database servers Networking equipment Software Systems software Application software Services Application integration with core banking Scalability tests (desirable but optional) Web designing Server sizing Security Firewalls Certification Server level (mandatory) Client level (Optional: we did not deploy this) Intrusion Detection Systems Subscribing to advisories Networking Isolation from the main network Hosting Decision In-house vs IDC IDBI Bank did not undertake services of any systems integrator. Neeraj Bhai, CTO, IDBI Bank says, "These services are often offered by multiple divisions of a company, and these divisions do not have a good level of coordination among themselves. It is also advisable to have owners within the organization who drive the effort."

The BS7799 security standard

First published in February 1995, BS7799 is a comprehensive set of information security controls. It is intended to serve as a single reference point for identifying a range of controls needed for most situations where information systems are used. BS7799 was significantly revised, extended and improved in May 1999, before being republished as ISO 17799 in Dec 2000. With BS7799 accreditation and certification schemes now firmly in place, BS7799 may ultimately become a benchmark against which all organizations will be measured. There have even been suggestions of mandatory inclusion of an organization's BS7799 status within its annual report. It covers areas like business continuity plans, system access control, system development and maintenance, compliance, personnel security, asset control and classification, and physical and environmental security. A time may soon come when the BS7799 standard will become a necessity for all financial institutions.