Monday, September 17, 2001		Article

RBI guidelines on e-banking
S.C. Dhall

BOTH banks and virtual incorporated outside the country and having no physical presence in India will not, for present, be permitted to offer Internet banking services to the Indian residents.

Overseas branches of the Indian banks will be, however, permitted to offer Internet banking services to their overseas customers subject to their satisfying, in addition to the host supervisor, the home supervisor. The Reserve Bank of India that had set up a Working Group of Internet Banking to examine its different aspects after having accepted the recommendations has issued following guidelines for implementation by commercial banks.Technology and security standardsBanks should designate a network and database administrator with clearly defined roles.

Banks should have a security policy duly approved by the Board of Directors with segregation of duty of security officer/group dealing exclusively with information systems security and information technology division that actually implements the computer systems. Further, information systems auditor should audit the information systems.Banks should introduce logical access controls to data, systems, application software, utilities, telecommunication lines, libraries, system software.At the minimum, banks should use the proxy server type of firewall so that there is no direct connection between the Internet and the bank’s system.Physical access control should be strictly enforced, physical security should cover all information system and sites where they are housed, both against internal and external threat.Bank should have proper infrastructure and schedules for backing up the data. The backed-up data should be periodically tested to ensure recovery without loss of transactions in a time-frame as given but in the bank’s security policy.All applications of banks should have proper record-keeping facilities for legal purposes. It may be necessary to keep all received and sent messages both in encrypted and decrypted form.

Legal issuesEven though request for opening account can be accepted over the Internet, accounts should be opened only after proper introduction and physical verification of the identify of the customer.From a legal perspective, security procedure adopted by banks for authenticating users needs to be recognised by law as a substitute for signature.Under the present regime there is an obligation of banks to maintain secrecy and confidentiality of customers accounts and the risk of banks not meeting this obligation is high on account of several factors.

In Internet banking scenario there is a little scope for the banks to act on stop payment instructions from the customers. Hence, banks should clearly notify to the customers the timeframe and the circumstances in which stop payment instructions could be accepted.The products should be restricted to account-holders and should not be offered in other jurisdictions. The services should only include local currency products.Banks will report to the RBI every breach of failure of security systems and procedure and the latter, at its discretion, may decided to commission special audit, inspection of such banks.Banks must make mandatory disclosures of risks, responsibilities and liabilities of the customers in doing business through the Internet through a disclosure template. The banks should also provide their latest published financial results over the Net.