India: Internet Banking in India

In India, too e-banking has taken roots. A number of banks have set up banking portals allowing their customers to access facilities like obtaining information, querying on their accounts, etc. Soon, still higher level of online services will be made available. Other banks will sooner than later, take to Internet banking.

There is no denying the fact that information technology has been the most rapidly changing industry in India, and the marriage of technology and banking has to occur for India to keep pace with changes in the global scenario. Looking back, the Narasimham Committee deserves mention in that it was instrumental in forcing Indian banks to become competitive. Fleet footed private sector banks, forced the public sector banks to embrace technology and improve their level of customer service. Next, the Khan Committee was highly important in that it recommended the setting up of universal banks. Preference was given to financial institutions, which could provide a whole range of corporate financial solutions under one roof. But most importantly, the Verma Committee recommended the need for greater use of IT even in the weak Public sector banks. Actually, the nationalization of banks back in the 80s is proving to be a major obstacle in bringing about the required technological changes. Nationalization of the banking sector has led to occurrences of pseudo developmental activities for nurturing vote banks, loss of accent on performance and profitability, creation of unions etc to name a few.

The Reserve Bank of India constituted a Working Group to examine different issues relating to e-bankingⁱ and recommend technology, security, legal standards and operational standards keeping in view the international best practices. The Group is headed by the Chief General Manager-in-Charge of the Department of Information Technology and comprised experts from the fields of banking regulation and supervision, commercial banking, law and technology. The Bank also constituted an Operational Group under its Executive Director comprising officers from different disciplines in the bank, who would guide implementation of the recommendations.

The Working Group, as its terms of reference, was to examine different aspects of Internet banking from regulatory and supervisory perspective and recommend appropriate standards for adoption in India,ⁱⁱ particularly with reference to the following:

1. Risks to the organization and banking system, associated with Internet banking and methods of adopting International best practices for managing such risks.

2. Identifying gaps in supervisory and legal framework with reference to the existing banking and financial regulations, IT regulations, tax laws, depositor protection, consumer protection,ⁱⁱⁱ criminal laws, money laundering and other cross border issues and suggesting improvements in them.

3. Identifying international best practices on operational and internal control issues, and suggesting suitable ways for adopting the same in India.

4. Recommending minimum technology and security standards, in conformity with international standards and addressing issues like system vulnerability, digital signature, information system audit etc.

5. Clearing and settlement arrangement for electronic banking and electronic money transfer; linkages between i-banking and e-commerce

6. Any other matter, which the Working Group may think as of relevance to Internet banking in India.

The Group agreed that Internet banking is a part of the electronic banking (e-banking), the main difference being that in i-banking the delivery channel was Internet, a public domain. Although the concerns of e-banking and i-banking have many things in common, the fact that Internet is a public domain called for additional security measures. It was agreed that the Group would primarily focus its attention on I - banking and to the extent there were commonality between i-banking and e-banking, its recommendation would also apply to e-banking. The Group further held that i-banking did not mean any basic change in the nature of banking and the associated risks and returns. All the same, being a public domain and a highly cost effective delivery channel, it does impact both the dimension and magnitude of traditional banking risks. In fact, it adds new kinds of risk to banking. Some of the concerns of the Regulatory Authority in i-banking relate to technology standards including the level of security and uncertainties of legal jurisdiction etc. Its cost effective character provides opportunities for efficient delivery of banking services and higher profitability and a threat to those who fail to harness it.

The Group decided to focus on above three major areas, where supervisory attention was needed. Accordingly, three sub-groups were formed for looking into three specific areas: (i) technology and security aspects, (ii) legal aspects and (iii) regulatory and supervisory issues. The sub-groups could seek help of external experts in the relevant fields, if needed.

The views of the Group were crystallized after several rounds of deliberations of members of both the Working Group and the Operational Group. The reports prepared by the three sub-groups were discussed and assimilated in to this report. The report is presented in nine chapters. Chapter-1, the introductory chapter, gives the background leading to the formation of the Group, its composition, terms of reference and the approach adopted by the Group in finalizing its recommendations.

The basic structure of Internet and its characteristics are described in Chapter-2 in order to explain the nature of concerns addressed in the chapters to follow. Also explained in the chapter is the growth of Internet banking and different products and different e-commerce concepts.

Chapter-3 describes International experience in i-banking, particularly with reference to USA, United Kingdom and other Scandinavian countries, who are pioneers in this form of banking. Chapter- 4 looks at the Indian scenario as it prevails now.

Chapter-5 discusses different types of risks associated with banking in general and i-banking in particular. Emphasis is given on normal risks associated with banking which gets accentuated when the services are delivered through Internet. Risks relating to money laundering and other cross border transactions are discussed.

Technology and security standards are core concerns for Regulatory Authorities in relation to Internet banking. A separate sub-group looked in to these issues, which are discussed in detail in Chapter-6. Emphasis is given on technology and security standards and policy issues rather than on products and technical tools. Another important regulatory concern is the legal environment in which i-banking transactions are carried out. It is of importance to identify gaps in the existing framework and to suggest changes required. The legal sub-group had made a detailed analysis of legal questions involved, which are discussed in Chapter - 7.

Chapter-8 deals with various control measures required to be adopted by banks to manage risks discussed in earlier chapters. Operational aspects like internal control, early detection system, IT audit, technical manpower, etc are also discussed. The impact of i-banking on clearing and settlement arrangements has also been addressed. The sub-group on Regulatory and Supervisory issues had addressed the above questions.

Chapter-9 contains recommendations of the Working Group. Shri S. H. Bhojani had disagreement with some of the observations / recommendations by the Group and a note of dissent is appended as Annexure-1.

For the purpose of this project we will look into the recommendations that the three committees have made.

a. Banks should designate a network and database administrator with clearly defined roles as indicated in the Group's report. Banks should have a security policy duly approved by the Board of Directors. There should be a segregation of duty of Security Officer / Group dealing exclusively with information systems security and Information Technology Division which actually implements the computer systems. Further, Information Systems Auditor will audit the information systems.^iv

b. Banks should introduce logical access controls to data, systems, application software, utilities, telecommunication lines, libraries, system software, etc. Logical access control techniques may include user-ids, passwords, smart cards or other biometric technologies.^v

c. At the minimum, banks should use the proxy server type of firewall so that there is no direct connection between the Internet and the bank's system. It facilitates a high level of control and in-depth monitoring using logging and auditing tools. For sensitive systems, a stateful inspection firewall is recommended which thoroughly inspects all packets of information, and past and present transactions are compared. These generally include a real time security alert.^vi

d. All the systems supporting dial up services through modem on the same LAN as the application server should be isolated to prevent intrusions into the network as this may bypass the proxy server. PKI (Public Key Infrastructure) is the most favoured technology for secure Internet banking services. However, as it is not yet commonly available, banks should use the following alternative system during the transition, until the PKI is put in place:

1. Usage of SSL (Secured Socket Layer), which ensures server authentication and use of client side certificates issued by the banks themselves using a Certificate Server.

2. The use of at least 128-bit SSL for securing browser to web server communications and, in addition, encryption of sensitive data like passwords in transit within the enterprise itself.^vii

e. It is also recommended that all unnecessary services on the application server such as FTP (File Transfer Protocol), telnet should be disabled. The application server should be isolated from the e-mail server. All computer accesses, including messages received, should be logged. Security violations (suspected or attempted) should be reported and follow up action taken should be kept in mind while framing future policy. Banks should acquire tools for monitoring systems and the networks against intrusions and attacks. These tools should be used regularly to avoid security breaches. The banks should review their security infrastructure and security policies regularly and optimize them in the light of their own experiences and changing technologies. They should educate their security personnel and also the end-users on a continuous basis.^viii

f. The information security officer and the information system auditor should undertake periodic penetration tests of the system, which should include:

1. Attempting to guess passwords using password-cracking tools.

2. Search for back door traps in the programs.

3. Attempt to overload the system using DDoS (Distributed Denial of Service) & DoS (Denial of Service) attacks.

4. Check if commonly known holes in the software, especially the browser and the e-mail software exist.

5. The penetration testing may also be carried out by engaging outside experts (often called 'Ethical Hackers').^ix

g. Physical access controls should be strictly enforced. Physical security should cover all the information systems and sites where they are housed, both against internal and external threats. Banks should have proper infrastructure and schedules for backing up data. The backed-up data should be periodically tested to ensure recovery without loss of transactions in a time frame as given out in the bank's security policy. Business continuity should be ensured by setting up disaster recovery sites. These facilities should also be tested periodically.^x

h. All applications of banks should have proper record keeping facilities for legal purposes. It may be necessary to keep all received and sent messages both in encrypted and decrypted form. Security infrastructure should be properly tested before using the systems and applications for normal operations. Banks should upgrade the systems by installing patches released by developers to remove bugs and loopholes, and upgrade to newer versions, which give better security and control.^xi

a. Considering the legal position prevalent, there is an obligation on the part of banks not only to establish the identity but also to make enquiries about integrity and reputation of the prospective customer. Therefore, even though request for opening account can be accepted over Internet, accounts should be opened only after proper introduction and physical verification of the identity of the customer.^xii

b. From a legal perspective, security procedure adopted by banks for authenticating users needs to be recognized by law as a substitute for signature. In India, the Information Technology Act, 2000, in Section 3(2) provides for a particular technology (viz., the asymmetric crypto system and hash function) as a means of authenticating electronic record. Any other method used by banks for authentication should be recognized as a source of legal risk.^xiii

c. Under the present regime there is an obligation on banks to maintain secrecy and confidentiality of customers' accounts. In the Internet banking scenario, the risk of banks not meeting the above obligation is high on account of several factors. Despite all reasonable precautions, banks may be exposed to enhanced risk of liability to customers on account of breach of secrecy, denial of service etc., because of hacking/ other technological failures. The banks should, therefore, institute adequate risk control measures to manage such risks.^xiv

d. In Internet banking scenario there is very little scope for the banks to act on stop-payment instructions from the customers. Hence, banks should clearly notify to the customers the timeframe and the circumstances in which any stop-payment instructions could be accepted. The Consumer Protection Act, 1986 defines the rights of consumers in India and is applicable to banking services as well. Currently, the rights and liabilities of customers availing of Internet banking services are being determined by bilateral agreements between the banks and customers. Considering the banking practice and rights enjoyed by customers in traditional banking, banks' liability to the customers on account of unauthorized transfer through hacking, denial of service on account of technological failure etc. needs to be assessed and banks providing Internet banking should insure themselves against such risks.^xv

As recommended by the Group, the existing regulatory framework over banks will be extended to Internet banking also. In this regard, it is advised that:

1. Only such banks which are licensed and supervised in India and have a physical presence in India will be permitted to offer Internet banking products to residents of India. Thus, both banks and virtual banks incorporated outside the country and having no physical presence in India will not, for the present, be permitted to offer Internet banking services to Indian residents.

2. The products should be restricted to account holders only and should not be offered in other jurisdictions.

3. The services should only include local currency products.

4. The 'in-out' scenario where customers in cross border jurisdictions are offered banking services by Indian banks (or branches of foreign banks in India) and the 'out-in' scenario where Indian residents are offered banking services by banks operating in cross-border jurisdictions are generally not permitted and this approach will apply to Internet banking also. The existing exceptions for limited purposes under FEMA i.e. where resident Indians have been permitted to continue to maintain their accounts with overseas banks etc., will, however, be permitted.

5. Overseas branches of Indian banks will be permitted to offer Internet banking services to their overseas customers subject to their satisfying, in addition to the host supervisor, the home supervisor.

Given the regulatory approach as above, banks are advised to follow the following instructions:

a. All banks, who propose to offer transactional services on the Internet should obtain prior approval from RBI. Bank's application for such permission should indicate its business plan, analysis of cost and benefit, operational arrangements like technology adopted, business partners, third party service providers and systems and control procedures the bank proposes to adopt for managing risks. The bank should also submit a security policy covering recommendations made in this circular and a certificate from an independent auditor that the minimum requirements prescribed have been met. After the initial approval the banks will be obliged to inform RBI any material changes in the services / products offered by them.^xvi

b. Banks will report to RBI every breach or failure of security systems and procedure and the latter, at its discretion, may decide to commission special audit / inspection of such banks. The guidelines issued by RBI on 'Risks and Controls in Computers and Telecommunications' vide circular DBS.CO.ITC.BC. 10/ 31.09.001/ 97-98 dated 4th February 1998 will equally apply to Internet banking. The RBI as supervisor will cover the entire risks associated with electronic banking as a part of its regular inspections of banks.^xvii

c. Banks should develop outsourcing guidelines to manage risks arising out of third party service providers, such as, disruption in service, defective services and personnel of service providers gaining intimate knowledge of banks' systems and misutilizing the same, etc., effectively. With the increasing popularity of e-commerce, it has become necessary to set up 'Inter-bank Payment Gateways' for settlement of such transactions. The protocol for transactions between the customer, the bank and the portal and the framework for setting up of payment gateways as recommended by the Group should be adopted. ^xviii

d. Only institutions who are members of the cheque clearing system in the country will be permitted to participate in Inter-bank payment gateways for Internet payment. Each gateway must nominate a bank as the clearing bank to settle all transactions. Payments effected using credit cards, payments arising out of cross border e-commerce transactions and all intra-bank payments (i.e., transactions involving only one bank) should be excluded for settlement through an inter-bank payment gateway.^xix

e. Inter-bank payment gateways must have capabilities for both net and gross settlement. All settlement should be intra-day and as far as possible, in real time. Connectivity between the gateway and the computer system of the member bank should be achieved using a leased line network (not through Internet) with appropriate data encryption standard. All transactions must be authenticated. Once, the regulatory framework is in place, the transactions should be digitally certified by any licensed certifying agency. SSL / 128 bit encryption must be used as minimum level of security. Reserve Bank may get the security of the entire infrastructure both at the payment gateway's end and the participating institutions' end certified prior to making the facility available for customers use. Bilateral contracts between the payee and payee's bank, the participating banks and service provider and the banks themselves will form the legal basis for such transactions. The rights and obligations of each party must be clearly defined and should be valid in a court of law.^xx

f. Banks must make mandatory disclosures of risks, responsibilities and liabilities of the customers in doing business through Internet through a disclosure template. The banks should also provide their latest published financial results over the net. Hyperlinks from banks' websites, often raise the issue of reputational risk. Such links should not mislead the customers into believing that banks sponsor any particular product or any business unrelated to banking. Hyperlinks from a banks' websites should be confined to only those portals with which they have a payment arrangement or sites of their subsidiaries or principals. Hyperlinks to banks' websites from other portals are normally meant for passing on information relating to purchases made by banks' customers in the portal. Banks must follow the minimum recommended security precautions while dealing with request received from other websites, relating to customers' purchases.^xxi

Compared to banks abroad, Indian banks offering online services still have a long way to go. For online banking to reach a critical mass, there has to be sufficient number of users and the sufficient infrastructure in place. The 'Infinity' product of ICICI Bank Ltd. gets only about 30,000 hits per month, with around 3,000 transactions taking place on the Net per month through this service.^xxii Though various security options like line encryption, branch connection encryption, firewalls, digital certificates, automatic sign-offs, random pop-ups and disaster recovery sites are in place or are being looked at, there is as yet no Certification Authority in India offering Public Key Infrastructure which is absolutely necessary for online banking. The customer can only be assured of a secured conduit for its online activities if an authority certifying digital signatures is in place.

The communication bandwidth available today in India is also not enough to meet the needs of high priority services like online banking and trading. Banks offering online facilities need to have an effective disaster recovery plan along with comprehensive risk management measures. Banks offering online facilities also need to calculate their downtime losses, because even a few minutes of downtime in a week could mean substantial losses. Some banks even today do not have uninterrupted power supply unit or systems to take care of prolonged power breakdown. Proper encryption of data and effective use of passwords are also matters that leave a lot to be desired. Systems and processes have to be put in place to ensure that errors do not take place.^xxiii

Users of Internet Banking Services are required to fill up the application forms online and send a copy of the same by mail or fax to the bank. A contractual agreement is entered into by the customer with the bank for using the Internet banking services. In this way, personal data in the applications forms is being held by the bank providing the service. The contract details are often one-sided, with the bank having the absolute discretion to amend or supplement any of the terms at any time. For these reasons domestic customers for whom other access points such as ATMs, telebanking, personal contact, etc. are available, are often hesitant to use the Internet banking services offered by Indian banks. Internet Banking, as an additional delivery channel, may, therefore, be attractive / appealing as a value added service to domestic customers. Non-resident Indians for whom it is expensive and time consuming to access their bank accounts maintained in India find net banking very convenient and useful.^xxiv

Reserve Bank of India has taken the initiative for facilitating real time funds transfer through the Real Time Gross Settlement (RTGS) System. Under the RTGS system, transmission, processing and settlements of the instructions will be done on a continuous basis. Gross settlement in a real time mode eliminates credit and liquidity risks. Any member of the system will be able to access it through only one specified gateway in order to ensure rigorous access control measures at the user level. The system will have various levels of security, viz., Access security, 128 bit cryptography, firewall, certification etc. Further, Generic Architecture, both domestic and cross border, aimed at providing inter-connectivity across banks has been accepted for implementation by RBI. Following a reference made this year, in the Monetary and Credit Policy statement of the Governor, banks have been advised to develop domestic generic model in their computerization plans to ensure seamless integration. The above-mentioned efforts would enable online banking to become more secure and efficient.

With the process of dematerialisation of shares having gained considerable ground in recent years, banks have assumed the role of depository participants. In addition to customers' deposit accounts, they also maintain demat accounts of their clients. Online trading in equities is being allowed by SEBI. This is another area which banks are keen to get into. HDFC Bank Ltd., has tied up with about 25 equity brokerages for enabling third party transfer of funds and securities through its business-to-business (B2B) portal, 'e-Net'.^xxv Demat account holders with the bank can receive securities directly from the brokers' accounts. The bank has extended its web interface to the software vendors of National Stock Exchange through a tie-up with NSE.IT - the infotech arm of the exchange. The bank functions as the payment bank for enabling funds transfer from its customers' account to brokers' accounts. The bank is also setting up a net broking arm, HDFC Securities, for enabling trading in stocks through the web. The focus on capital market operations through the web is based on the bank's strategy on tapping customers interested in trading in equities through the Internet. Internet banking thus promises to become a popular delivery channel not only for retail banking products but also for online securities trading.^xxvi

From the perspective of banking products and services being offered through Internet, Internet banking is nothing more than traditional banking services delivered through an electronic communication backbone, viz, Internet. But, in the process it has thrown open issues which have ramifications beyond what a new delivery channel would normally envisage and, hence, has compelled regulators world over to take note of this emerging channel. Some of the distinctive features of e-banking are:

1. It removes the traditional geographical barriers as it could reach out to customers of different countries / legal jurisdiction. This has raised the question of jurisdiction of law / supervisory system to which such transactions should be subjected,

2. It has added a new dimension to different kinds of risks traditionally associated with banking, heightening some of them and throwing new risk control challenges,

3. Security of banking transactions, validity of electronic contract, customers' privacy, etc., which have all along been concerns of both bankers and supervisors have assumed different dimensions given that Internet is a public domain, not subject to control by any single authority or group of users,

4. It poses a strategic risk of loss of business to those banks who do not respond in time, to this new technology, being the efficient and cost effective delivery mechanism of banking services,

5. A new form of competition has emerged both from the existing players and new players of the market who are not strictly banks.

The Regulatory and Supervisory concerns in e-banking arise mainly out of the distinctive features outlined above. These concerns can be broadly addressed under three broad categories, viz, (i) Legal and regulatory issues, (ii) Security and technology issues and (iii) Supervisory and operational issues. Legal issues cover those relating to the jurisdiction of law, validity of electronic contract including the question of repudiation, gaps in the legal / regulatory environment for electronic commerce. On the question of jurisdiction the issue is whether to apply the law of the area where access to Internet has been made or where the transaction has finally taken place. Allied to this is the question where the income has been generated and who should tax such income. There are still no definite answers to these issues.

Security of e-banking transactions is one of the most important areas of concerns to the regulators. Security issues include questions of adopting internationally accepted state-of-the art minimum technology standards for access control, encryption / decryption ( minimum key length etc), firewalls, verification of digital signature, Public Key Infrastructure (PKI) etc. The regulator is equally concerned about the security policy for the banking industry, security awareness and education. The supervisory and operational issues include risk control measures, advance warning system, Information technology audit and re-engineering of operational procedures. The regulator would also be concerned with whether the nature of products and services offered are within the regulatory framework and whether the transactions do not camouflage money-laundering operations.

The Central Banks may have its concern about the impact of Internet banking on its monetary and credit policies. As long as Internet is used only as a medium for delivery of banking services and facilitator of normal payment transactions, perhaps, it may not impact monetary policy. However, when it assumes a stage where private sector initiative produces electronic substitution of money like e-cheque, account based cards and digital coins, its likely impact on monetary system can not be overlooked. Even countries where i-banking has been quite developed, its impact on monetary policy has not been significant. In India, such concern, for the present is not addressed as the Internet banking is still in its formative stage.

The world over, central bankers and regulators have been addressing themselves to meet the new challenges thrown open by this form of banking. Several studies have pointed to the fact that the cost of delivery of banking service through Internet is several times less than the traditional delivery methods. This alone is enough reason for banks to flock to Internet and to deliver more and more of their services through Internet and as soon as possible. Not adopting this new technology in time has the risk of banks getting edged out of competition. In such a scenario, the thrust of regulatory thinking has been to ensure that while the banks remain efficient and cost effective, they must be aware of the risks involved and have proper built-in safeguards, machinery and systems to manage the emerging risks. It is not enough for banks to have systems in place, but the systems must be constantly upgraded to changing and well-tested technologies, which is a much bigger challenge. The other aspect is to provide conducive regulatory environment for orderly growth of such form of banking. Central Banks of many countries have put in place broad regulatory framework for e-banking.^xxvii

Today, technology savvy private banks are making the most out of opportunities thrown up by the Internet leaving behind their slow moving public sector counterparts in valuations as well as growth. Now, when one considers the fact that public sector banks dominate the banking landscape in India, one realizes that a lot has to be done and done quickly for India to catch up on E-banking. Presently there are 33 private banks and 43 foreign banks but the 27 public sector banks mop up the bulk of the business. They account for over 84% of the total deposits and over 82% of the total banking advances in India. In the words of Mr. Bandi Ram Prasad, Chief Economist, Indian Banks Associations, "If Indian banking system has to undergo a transformation, then the public sector banks must be in the forefront of the change."^xxviii