Chapter III : Financial Sector: Regulation and Developments - RBI - Reserve Bank of India
Following the global financial crisis, the revamped bank capital regime globally appears to have increased systemic resilience. In the global financial markets, transition to a post-LIBOR world remains a work in progress. On the domestic front, the Reserve Bank initiated several policy measures to deepen the G-Sec and Repo markets. In the capital market, higher investment through SIPs in mutual funds remains a bright spot. The Securities and Exchange Board of India (SEBI) has taken several steps to further strengthen the surveillance and integrity of the derivatives, mutual funds and commodity derivatives markets besides enhancing disclosure and transparency standards for credit rating agencies. The new insolvency and bankruptcy regime, which came into effect in 2016, has been providing a market driven, time-bound process for insolvency resolution of a corporate debtor, thereby helping financial institutions to clean up their balance sheets. Most importantly, it is aiding a paradigm shift in the extant credit culture and discipline. Pension Fund Regulatory and Development Authority (PFRDA) continues to bring more and more citizens under the pension net. The regulator changed the investment guidelines for the National Pension System (NPS) to limit exposure to Equity Mutual Funds. With the initiation of the process to identify Domestic Systemically Important Insurers (DSII), implementation of risk-based capital (RBC) and operationalisation of CERT-Fin, Insurance Regulatory and Development Authority of India (IRDAI) is trying to strengthen the resilience of the Insurance sector. Engagement with Fintech and Suptech is increasing. The challenge for the regulator is to balance efficiency with prudential measures to mitigate risks to be able to harness the opportunities offered by Fintech.
Section A
International and domestic developments
I. Banks
a) International regulatory and market developments
3.1 The Bank for International Settlements (BIS), in its Annual Economic Report (AER) released in June 2018[1], noted that Basel III capital requirements fortify banks against the risks of failure. Its findings show that the likelihood of a bank suffering distress within a 2-year period falls as its Tier-1 risk-based capital ratio increases and goes down further if a high leverage-based Tier-1 capital ratio is also maintained. The report highlighted the complementary nature of Tier-1 Capital ratio and the leverage ratio-based regulations.
3.2 The AER, however, notes two areas where it feels that more action is needed to increase resilience. The first concerns the link between resilience and regulatory reporting requirements leading to increasing risk of regulatory arbitrage. One such example relates to banks’ ‘window-dressing’ around regulatory reporting dates. The second area of concern relates to the ‘outlook for bank profitability’. While significant progress has been made in terms of balance sheet and business model adjustments for banks, market valuations for many of them point to continued investor scepticism about their profitability prospects. Such scepticism about the valuation depresses market-based resilience measures such as the market leverage ratio or credit default swap spreads; in other words, investors penalise banks for poor profitability outlook, prompting them not to undermine the importance of maintaining short-term profit projections even if such outcomes are beneficial in the long run.
3.3 The AER also argues that constraints on banks’ internal models are required to prevent the ‘gaming’ of capital requirements and to make risk-weighted asset (RWA) measures more comparable across the sector. A BCBS[2] study referred to in the report finds that such ‘unwarranted’ variability can be material.
The study, which assumes a benchmark capital ratio of 10 per cent, shows that two banks with identical banking book assets might report capital ratios that show a difference of up to 4 percentage points (Chart 3.1). Additionally, the study also finds that in many cases, internally modelled risk weights were substantially lower than those under the standardised approach – for corporate exposures, by up to more than 60 per cent (Chart 3.2) and such an observed wedge and associated capital relief are difficult to justify. Such gaming of capital requirements may also have implications for model-based expected credit loss (ECL) estimation under the International Financial Reporting Standards (IFRS).
3.4 Central banks and financial market regulators have set in motion a drive to reform the interest rate benchmarks[3]. These benchmarks are referenced for a large volume and broad range of financial products and contracts including derivatives, loans and securities. The Financial Stability Board (FSB) has been monitoring progress on three work streams viz., (1) strengthening the inter-bank offer rates (IBORs) by fixing them to a greater number of transactions, (2) identifying appropriate alternative risk-free rates and encouraging derivatives to be referenced to them instead of the IBORs and, (3) having robust fall-back provisions for the contracts referenced to IBORs to reduce financial instability if an IBOR is discontinued.
3.5 About USD 350 trillion worth of contracts across the globe are pegged to LIBOR which is the key interest rate benchmark for several major currencies. Many of the current contracts would extend beyond 2021 (it has been proposed that LIBOR would cease to exist beyond this). The transition to alternative reference rates will involve considerable efforts for users of LIBOR for amending the contracts and updating the systems. Yet, when it comes to such a significant reform, the authorities concerned are not retreating in the matured financial markets.
3.6 On its part, the Federal Reserve (US FED) recently started disseminating three new benchmark rates. One of these, the Secured Overnight Financing Rate (SOFR), is endorsed by the Federal Reserve Bank of New York as an alternative to US Dollar LIBOR (USD-LIBOR). For the British pound, the reformed Sterling Overnight Index Average (SONIA) has been acknowledged as the alternative risk-free rate. Europe is seeking to replace the current euro benchmarks - the Euro Overnight Index Average (EONIA) and the Euro Interbank Offered Rate (EURIBOR) - and has proposed a Euro Short-Term Rate (ESTER) as the new risk-free rate. One issue, however, is that while most of the chosen risk-free rates are overnight rates, the LIBOR includes credit risk and is a term rate. Thus, the key challenge is agreeing to a standard methodology for calculating credit and term spreads that can be added to the risk-free rate to construct a fall-back for LIBOR. While the predominant replacements for LIBOR benchmarks are seen to be overnight secured rates, some market participants might prefer term rates as replacements. In any case, a transition may disrupt the interest rate swap (IRS) market and valuations. At the same time, the introduction of higher capital charges for illiquid trades as per the forthcoming Fundamental Review of the Trading Book (FRTB)[4] makes the transition to alternative risk-free rates an expensive task for banks as well.
3.7 India’s position in priority as well as non-priority areas of Financial Stability Board (FSB) has improved compared to the last year as per the 2018 FSB Annual Report to G-20, due to the coordinated efforts of the government and financial sector regulators. The improvements in priority areas are particularly in “compensation”, “transfer/bridge/run-off power for insurers”, and “Over the Counter Derivatives - Trade Reporting and Platform Trading”.
As per the latest status of “Implementation Monitoring Network Survey”, India is shown as “Implementation completed in 20 out of 22 recommendations” of non-priority areas of FSB.
3.8 In other major developments, the impending Brexit will limit the access of EU households and corporates to financial services provided in the UK which may have implications for market liquidity and risk premia. Taking into consideration a ‘No-deal Brexit’ scenario, EU financial institutions, counterparties and investors should be preparing for an appropriate action plan.
b) Domestic regulatory and market developments
3.9 The recent developments with regard to IL&FS highlight the complexities that can be associated with financial conglomerate (FC) structures and their oversight (Box 3.1).
3.10 To manage the banking system’s liquidity more efficiently, banks have been allowed an enhanced incremental carve out of 2 per cent taking the total carve-out from Statutory Liquidity Ratio (SLR) holdings to 13 per cent of their net demand and time liabilities (NDTL) with effect from October 1, 2018 under Facility to Avail Liquidity for Liquidity Coverage Ratio (FALLCR). This along with the 2 per cent carve-out available for Marginal Standing Facility (MSF) takes the total carve-out available to 15 per cent of NDTL.
3.11 To enable Non-Banking Financial Companies and Housing Finance Companies to develop alternative funding channels, the Reserve Bank has allowed banks to provide partial credit enhancement (PCE) to bonds issued by the systemically important non-deposit taking non-banking financial companies (NBFC-ND-SIs) registered with the Reserve Bank and Housing Finance Companies (HFCs) registered with the National Housing Bank, subject to certain prudential conditions.
3.12 To encourage NBFCs to securitise/assign their eligible assets, it has been decided to relax the minimum holding period (MHP) requirement for originating NBFCs, with respect to loans of original maturity above 5 years, to receipt of repayment of six monthly instalments or two quarterly instalments (as applicable), subject to the NBFCs meeting the minimum retention requirement (MRR).
II. Securities market
Global
3.13 International Organisation of Securities Commissions (IOSCO) issued a final report[7] on “Retail over-the-counter (OTC) Leveraged Products” which discusses policy measures designed to address the risks posed by retail investors trading in over-the-counter (OTC) leveraged products generally and binary options specifically. Retail investors typically use these products to speculate on short-term price movements in a given financial underlying. The report includes three complementary toolkits containing measures aimed at increasing the protection of retail investors who are offered OTC leveraged products, often on a cross-border basis. The report covers the marketing and sale of rolling-spot forex contracts, contracts for differences (CFDs) and binary options. The toolkits offer guidance on dealing with the risks posed by dealers selling these products, advice for educating investors about the risks of OTC leveraged products, and insight on approaches to enforcement, particularly against unlicensed firms offering these kinds of products.
3.14 FSB in its consultative document[8] examined the effects of the G20 financial regulatory reforms on the incentives to centrally clear over-the-counter (OTC) derivatives. Centrally clearing standardised OTC derivatives is a pillar of the G20 Leaders’ commitment to reform OTC derivatives markets in response to the global financial crisis. The report infers that the reforms, particularly capital requirements, clearing mandates and margin requirements for non-centrally cleared derivatives are achieving their goals of promoting central clearing, especially for the most systemic market participants. Beyond the systemic core of the derivatives network of CCPs, dealers/clearing service providers and larger, more active clients, the incentives are less strong. Further, an analysis of quantitative and qualitative survey data and market outreach suggests that the treatment of initial margin in the leverage ratio can be a disincentive for banks to offer or expand client clearing services. The report identifies reform areas that are worth considering by the relevant standard-setting bodies (SSBs).
Domestic
3.15 To deepen the corporate bond market, SEBI[9] has mandated that all listed entities (other than scheduled commercial banks) with an outstanding rating of AA and above and with an outstanding long term borrowing of ₹1 billion or above shall raise not less than 25 per cent of their incremental borrowings by way of issuance of debt securities from FY 2019-20.
III. Insurance market
Domestic
3.16 The number of lives covered by the Individual Health Insurance Business went up from 21 million in FY 2011-12 to 33 million in FY 2017-18. However, the share of the lives covered under individual health insurance to the lives covered under the total Health Insurance Business (group business + government sponsored schemes + individual business) decreased from 10 per cent in FY 2011-12 to 7 per cent in FY 2017-18.
On the other hand, the average premium per person has increased from ₹2,377 in FY 2010-11 to ₹4,595 in FY 2017-18 which could be attributed to: i. increase in average age of individuals covered under health insurance, ii. increase in premium owing to the innovative products offered by insurers having multiple benefits embedded in the products with relatively higher premium, and iii. increase in sum insured.
3.17 In terms of claims experience, there is an improvement in insurance claims loss ratio (ICR) at 71 per cent in FY 2017-18. The high ICR coupled with an increase in average premium per person gives an indication that there are ample business opportunities in the market for insurance companies.
3.18 The Insurance Regulatory and Development Authority of India (IRDAI) has started framing draft guidelines for identification of Systemically Important Insurers (SII) for the domestic insurance sector (Domestic Systemically Important Insurers or DSII).
3.19 As per the existing regulations, the required solvency capital to be held by Indian insurers is based on a simple factor-based approach expressed as a percentage of reserves and sum at risk. Insurers are expected to maintain a 150 per cent margin over the insured liabilities. The Risk Based Capital (RBC) approach links the level of required capital with the risks inherent in the underlying business. It represents an amount of capital that a company should hold based on an assessment of risks to protect stakeholders against adverse developments. However, shifting to RBC may require more technical expertise and its related costs. IRDAI has constituted a committee to examine in detail the RBC mechanism and its implementation in the Indian insurance market.
3.20 IRDAI issued comprehensive Information and Cyber Security guidelines for the insurance sector in April 2017 after completing a consultative process with all connected stakeholders. These guidelines are applicable to all insurers.
IRDAI is also conducting independent reviews of insurers to assess the status of their compliance with cyber security guidelines. So far, reviews of 55 insurers have been completed. Except seven non-life insurers and one life insurer, the rest complied with cyber security guidelines. These insurers have been advised to complete the pending tasks by end-December 2018. IRDAI is taking all necessary steps to ensure that these insurers fully comply with the cyber security guidelines.
IV. Pension funds
Domestic
3.21 The National Pension Scheme (NPS) and Atal Pension Yojana (APY) have both continued to progress in terms of total number of subscribers as well as assets under management (AUM) (Tables 3.1 and 3.2). PFRDA continues its work towards financial inclusion of the unorganised sector and the low income groups by expanding the coverage under APY. As on end-October 2018, 405 banks are registered under APY with the aim to bring more and more citizens under the pension net.
V. The insolvency and bankruptcy regime
3.22 The Insolvency and Bankruptcy Code (Code) 2016 provides for the reorganisation and insolvency resolution of corporate persons, among others, in a time bound manner for maximising the value of assets of such persons to promote entrepreneurship, credit availability and balancing the interests of all stakeholders. It separates the commercial aspects of insolvency resolution from its judicial aspects and empowers the stakeholders of the corporate debtor (CD) and the Adjudicating Authority (AA) to decide matters expeditiously within their respective domains. It provides an incentive-compliant, market driven and time-bound process for insolvency resolution of a CD. The Code critically depends on financial creditors for its success. As at the end of September 2018, 816 corporate debtors were undergoing the resolution process (Table 3.3).
3.23 About 48 per cent of the admitted corporate insolvency resolution processes are triggered by operational creditors (OC) and about 38 per cent by financial creditors (FC), mostly banks (Table 3.4).
3.24 Of the 1,198 corporates in the resolution process up to September 2018, 112 were closed on appeal or review, 52 resulted in a resolution and 212 yielded liquidations; this is broadly consistent with expectations under the Code in its initial days of implementation. The distribution of 212 corporate debtors ending in liquidation is given in Table 3.5.
3.25 Till September 2018, NCLT[10] had resolved 50 cases involving admitted claims by FCs aggregating to ₹1249.77 billion. However, the median admitted claim was much lower at ₹0.85 billion and the third quartile of the admitted claim stood at ₹10.51 billion implying that so far significant efforts have been for resolving smaller claims. For claims beyond the third quartile threshold, the average recovery was at 46.66 per cent while the median recovery was 39.53 per cent implying higher recovery in some higher claim cases. For admitted claims by FCs below the third quartile, the average recovery was 36.37 per cent while the median recovery was higher at 53.88 per cent implying a somewhat lower recovery for the higher claims in this cohort. The frequency distribution of FCs’ recovery rates is given in Chart 3.3.
VI. Recent regulatory initiatives and their rationale
3.26 Some of the recent regulatory initiatives, along with the rationale thereof, are given in Table 3.6.
Section B
Other developments, market practices and supervisory concerns
I. The Financial Stability and Development Council
3.27 Since the publication of the last FSR in June 2018, the Financial Stability and Development Council (FSDC) held one meeting on October 30, 2018 under the chairmanship of the Finance Minister where issues related to the state of the economy, strengthening cyber security in the financial sector including progress made in the setting up of a Computer Emergency Response Team in the Financial Sector (CERT-Fin), issues and challenges of crypto assets/currency, market developments and financial stability implications of the use of RegTech and SupTech by financial firms and regulatory and supervisory authorities, and implementing the recommendations of the Sumit Bose Committee Report on measures, such as, promoting an appropriate disclosure regime for financial distribution costs were discussed. The Council also discussed at length the issue of real interest rates and the current liquidity situation including segmental liquidity position.
II. Fund flows: FPIs and Mutual Funds
3.28 The Mutual Fund (MF) industry is experiencing some volatility due to certain market developments. During April-September 2018, there was a net inflow of ₹458 billion as compared to a net inflow of ₹2,020 billion in April-September 2017 (Table 3.7).
3.29 Notwithstanding the ebbs and flows in aggregate mobilisation of MFs, the Systematic Investment Plans (SIPs) remain a favoured choice for the investors (Chart 3.4). The net folio increase during April-September 2018 over 2017-18 was 2.88 million. Investments through SIPs in mutual funds appear to be relatively more stable from the point of view of sustainability of fund inflows.
3.30 Given the significant churn in MF flows, management of liquidity by MFs assumes importance (Box 3.2).
III. Trends in capital raised – debt and equity – emerging issues
a. Credit ratings and framework for their role and accountability
A. Trend in rating movements
3.31 An analysis of the credit ratings of debt issues of listed companies by major Credit Rating Agencies (CRAs) in India shows that there was a surge in the share of downgraded/suspended companies of two rating agencies during the June and September 2018 quarters (Chart 3.5).
B. Further strengthening of the CRA framework
3.32 In order to further strengthen the rating framework, SEBI, in May 2018, issued guidelines with respect to the process for review of ratings. Pursuant to the circular, based on the representations received from the market participants, further modifications were made to the framework. It was decided that requests by an issuer for review of the rating(s) provided to its instrument(s) will be reviewed by a rating committee of the CRA, the majority of whose members are different from those in the Rating Committee that assigned the earlier rating and at least one-third of whose members are independent. Further, to make the disclosures more relevant, CRAs were directed to disclose all the ratings which were not accepted by an issuer, on their website, for a period of 12 months from the date of such ratings being disclosed as a non-accepted rating.
3.33 In June 2018 SEBI directed that CRAs may withdraw a rating subject to CRA having (i) rated the instrument continuously for 5 years or 50 per cent of the tenure of the instrument, whichever is higher and (ii) received an undertaking from the issuer that a rating is available on that instrument. Further, at the time of withdrawal, the CRA shall assign a rating to such instrument and issue a press release regarding the rating.
Vide SEBI (Credit Rating Agencies) (Amendment) Regulations, 2018, notified on May 30, 2018, SEBI put in place various criteria on enhanced net worth of the CRA, minimum shareholding of the promoter with lock-in requirement, restrictions on cross-holdings among CRAs and restrictions on carrying out any activity other than the rating of securities offered by way of public or rights issue with certain carve-outs.
3.34 SEBI also overhauled the disclosures by CRAs recently. The enhanced disclosures pertain to parent/group/government support, liquidity position (including forward looking measures for non-banks like unutilised credit lines and adequacy of cash flows for servicing maturing debt obligation, etc.). The enhanced disclosure regime significantly enhances the information content of the rating.
C. Primary market issuance trends in FY 2018-19
3.35 During April-September 2018, ₹274.45 billion was raised through 12 public issues in bond market. More than ₹2 trillion was also raised through private placement of corporate bonds during the same period (Chart 3.6). The major issuers of corporate bonds were body corporates and NBFCs accounting for more than 50 per cent of the outstanding corporate bonds as on September 2018 (Chart 3.7a) whereas body corporates and mutual funds were the major subscribers of the same (Chart 3.7b). With regard to equity capital ₹149.70 billion has been raised during April-October 2018 (Chart 3.6).
IV. Commodity Derivatives
(a) Risk Management and Surveillance of Commodity Derivative Markets
3.36 SEBI took over the regulation of commodity derivatives market from September 28, 2015. To streamline and ensure the smooth functioning of commodities futures markets, SEBI has put in place a comprehensive risk management and surveillance framework for National Commodity Derivative Exchanges in October 2015 and prescribed additional risk management norms for commodity National Exchanges in September 2016.
3.37 In 2014, SEBI had issued norms related to the Core Settlement Guarantee Fund, default waterfall, stress testing, back testing etc. for recognised Clearing Corporations. These norms have been made applicable to Clearing Corporations clearing commodity derivatives transactions as well. Inter-alia, Minimum Required Corpus of Core Settlement Guarantee Fund (MRC) for the commodity derivatives segment of any stock exchange has been stipulated at ₹100 million and modified standardised stress testing scenarios and methodology have been prescribed for carrying out daily stress testing for credit risk for commodity derivatives. Risk management framework and product design guidelines were issued for trading in options on commodity futures. At present, Multi Commodity Exchange of India Ltd. (MCX) is offering Options trading in Gold Futures, Crude oil futures, Copper futures, Silver Futures and Zinc futures. The National Commodity & Derivatives Exchange Ltd. (NCDEX) is offering Options trading in Guar Seed futures, Guar Gum futures, Chana futures, Soybean futures and Refined Soy Oil futures.
3.38 In addition, SEBI has been taking various measures to further strengthen the surveillance and integrity of commodity derivatives markets. Some of the important measures taken by SEBI during 2018-19 (up to October 24, 2018) include: monthly surveillance meetings with commodity exchanges, surprise warehouse visits, visits to physical markets of commodities traded at the exchange, meeting various traders and value chain participants to take their feedback and collect surveillance inputs for further policy measures, inspections of commodity derivatives exchanges, imposition of special margins, Self-Trades Prevention check at permanent account number level by exchanges to restrict wash/self-trades at exchanges platform, increased penalty (up to 100 per cent of the profit/loss booked) in case of reversal of trades, etc.
(b) Market developments
3.39 As on October 31, 2018, the benchmark indices, MCX COMDEX increased by 6.8 per cent and NCDEX Dhaanya increased by 10.3 per cent over March 31, 2018. During the same period, while the S&P World Commodity Index increased by 5.1 per cent, Thomson Reuters CRB Index decreased by 2.3 per cent (Chart 3.8).
3.40 The total turnover at all the commodity derivative exchanges (futures and options combined) saw a growth of 14.0 per cent during April 2018 - September 2018 as compared to previous six months i.e. October 2017 - March 2018 period. During the period, metal had a share of 38.7 per cent followed by Bullion (including diamond) which had a share of 31.6 per cent. Energy and Agriculture experienced a growth of 20.3 per cent and 9.4 per cent respectively. The total share in turnover of the non-agricultural derivatives was 90.6 per cent during the period while agri-derivatives contributed a share of 9.4 per cent (Chart 3.9).
(c) Unified Stock Exchanges
3.41 The Union budget for FY 2017-18 proposed that the commodities and securities derivatives markets will be further integrated by integrating the participants, brokers, and operational frameworks. This budget announcement was implemented by SEBI in two phases. In Phase-I, integration at the intermediary level and in Phase-II a single exchange to operate various segments such as equity, equity derivatives, commodity derivatives, currency derivatives, interest rate futures and debt were enabled. This integration of exchanges with universal trading facilities across securities and commodity derivatives aims at bringing synergy in the functioning of securities and commodities market.
3.42 This is beneficial from the point of view of investors, market participants and the regulator as there are many commonalities between the two markets in terms of trading and settlement mechanism, risk management and redressal of investor grievances.
Brokers will also benefit as transaction costs are expected to come down due to competition between exchanges. Further, having a single firm/company for both the markets will result in a single margin account.
3.43 Investors have to pay less and can trade in both equity and commodities through one trading account. In the current scenario traders who are active in both equity and commodity markets have to transfer money to two broker firms/companies, one for equity trading and other for commodities trading. This is a constraint as money transfers between the two markets may be time consuming, require more working capital and are costly (transfer charges). This may also result in a loss of opportunity especially in a volatile market. The new move will help in expanding the commodity derivatives market while availing the benefits of already developed equity markets.
V. Fintech
3.44 The recent EBA (European Banking Authority) Report[13] on FinTech strives to provide a balanced analysis of potential prudential risks and opportunities that may arise due to FinTech. It analyses this on the basis of seven major FinTech use cases: biometric authentication using fingerprint recognition, robo-advisory as a way of investment advice, big data and machine learning in credit scoring, use of a distributed ledger technology and smart contracts for trade finance, distributed ledger technology as a means to streamline customer due diligence processes, mobile wallet with the use of near-field communication and outsourcing the core banking/payment system to the public cloud. The EBA report acknowledges the increased operational risk on the part of incumbent institutions because of lack of adequate expertise and cyber-security issues among others. However, it also emphasises a number of opportunities in terms of efficiency gains, cost reduction and improved customer experience.
3.45 BIS in its report[14] analysed the early user experience of Suptech (supervisory technology) (Box 3.3).
VI. Cyber security and data protection
(A) Cyber security preparedness in banks – The Indian scenario
3.46 Over the years, resilience to cyber threats has emerged as a major area of concern in the Indian financial sector, more specifically in the context of banking operations involving critical payment system infrastructure. Over the past few years, several foundational milestones have been accomplished in the area of cyber security in banks ensuring that, the odd attack notwithstanding, the Indian banking system is adequately prepared to deal with a significant majority of cyber threats. Some of the measures taken and the safeguards implemented are:
i. Bank boards (or board-level committees as the case may be) have been encouraged to assign due importance and demonstrate their commitment to cyber security by suitably equipping themselves with sufficient expertise to provide strategic directions; deliberating on cyber security in discussions related to design and implementation of new systems/major changes in existing systems; strengthening the CISO’s office both in terms of a cyber security budget, resources and by periodically reviewing the status of the bank’s cyber security posture.
ii. The baseline expectations from banks in the area of cyber security were outlined in a comprehensive cyber security framework circulated by the Reserve Bank in June 2016.
The banks are required to, inter alia, strictly enforce cyber hygiene in their environments (including in third-parties wherever applicable) with respect to password controls; port opening/closing; network access controls; inventorying of IT assets and ensuring that these are updated with latest patches; instituting appropriate metrics and measures to assess the effectiveness of cyber security-related controls including the functioning of Security Operations Centres; ensuring application and database integrity and confidentiality of sensitive data; and periodically verifying the robustness of the banks’ IT infrastructure by conducting Vulnerability Assessment/Penetration Testing, code reviews, etc. The progress made by banks in the implementation of the measures outlined in the Cyber Security Framework and other regulatory instructions/advisories is periodically assessed by the CSITE Cell through on-site examinations – both comprehensive and thematic/focused – and through offsite submissions by banks, communicating compliance with specific control measures.
iii. Based on inputs received from market intelligence and government agencies, advisories and alerts are issued to banks, to avoid exploitation of the same vulnerabilities. This ensures that detection and response efforts of one entity feed into the prevention and detection efforts of the others thereby raising the security level of the entire banking system. Further, periodic returns are collected and reviewed to assess the cyber hygiene of the banks on an ongoing basis.
iv. The Reserve Bank and other agencies (like CERT-In and IDRBT) conduct periodic cyber drills for banks to evaluate their detection, response and recovery policies and procedures; and to ensure that they are adequate to contain and remediate breaches and get back to normal operations at the earliest.
3.47 The banking industry, as a target of choice for cyber-attacks in India, is and will be vulnerable to novel and evolving threats.
Recent cyber-attacks have, through their sophistication, necessitated banks to undertake extensive surveillance of their systems and networks on a continuous basis for effective timely threat intelligence. The sheer diversity and increasing complexity of cyber threats has brought about a realisation that a determined, focused and coordinated effort from multiple stakeholders will lead the way to a cyber-threat-resilient banking system.

3.48 The regulators are consistently engaged in supervising their relevant intermediaries on the progress of implementation and robustness of cyber security frameworks. Cyber Security/System audits of the intermediaries are being conducted regularly by competent auditors and the same is being reported to the concerned regulators. Some salient features of the general guidelines issued by various regulators include:

i. Identification of Critical Information Infrastructure (CIIs) and getting them notified in coordination with National Critical Information Infrastructure Protection Centre (NCIIPC).

ii. Adoption of Board approved cyber security policy.

iii. Identification by intermediaries of critical IT assets and documentation of risks associated with such assets.

iv. Reporting of all the cyber incidents to the Indian Computer Emergency Response Team (CERT-In).

v. Periodic reassessment of Information & Cyber Security status.

vi. Conducting the Vulnerability Assessment and Penetration Test (VA/PT) for all public-accessible applications.

vii. Appointment of Chief Information Security Officer (CISO) who will be responsible for designing and enforcing information security (IS) policy.

3.49 SEBI issued detailed guidelines to Market Infrastructure Institutions (MIIs) to set-up their respective Cyber Security Operation Centre (C-SOC) and oversee their operations round the clock by dedicated security analysts. The Cyber Resilience framework has also been extended to Stock Brokers/Depository Participants.
Smaller intermediaries can utilise the services of the Market SOC which is proposed to be set up by MIIs for dedicated cyber security solutions. IRDAI has mandated insurers to establish the SOC at the insurer level for monitoring of network security.

(B) Banking frauds

3.50 Operational risks in the banking sector have assumed significance of late, calling for reforms in governance and Board oversight structures and overhaul of the extant risk culture in banks (see Box 3.4). Table 3.8 provides the number and the amount involved in frauds of ₹ 0.1 million and above reported by the banks and FIs during the last 5 financial years and in the first half of the FY 2018-19.

3.51 In recent quarters, the increasing incidence of reported frauds is accompanied by a marked rise in the number of large frauds (amount ≥ ₹ 0.5 billion) (Chart 3.10). The incidence of frauds is analysed here for the past 6 quarters, both with all the reported data and after excluding the outlier cases (amount involved > ₹10 billion; see footnote 16).

3.52 In terms of the relative share of frauds, PSBs continue to dominate (Chart 3.11).

3.53 Frauds in loans and advances continued to dominate in both PSBs and PVBs, although recent trends point to increasing vulnerabilities in off-balance sheet exposures especially of non-PCA PSBs (Chart 3.12).

3.54 While loans, particularly working capital loans, dominated PSB frauds (Chart 3.13a), as highlighted in the June 2018 FSR, a similar analysis for PVBs indicates that higher fraud incidences relate to term loans (Chart 3.13c).

3.55 Given the relatively high susceptibility of PSBs to operational risk, the relative capitalisation of such banks with regard to operational risk becomes relevant. Chart 3.14 shows the relative share of different bank-groups in frauds (a proxy for realised operational risk) as also their relative share in Operational Risk RWA (i.e., capital dedicated to operational risk).
As can be seen in the chart, illustratively, PCA-PSBs contributed to about 36.5 per cent of total frauds over the past four years, but their relative share in total RWAs for Operational risk is much lower at 18.9 per cent. A more judicious alignment of realised operational risk with allocated capital, specifically with regard to PCA-PSBs, is desirable. Additionally, as mentioned in the 17th edition of FSR (June 2018), a ringside assessment of the efficacy of the audit framework (both internal and external) and the internal governance framework, with regard to accountability and credit screening/oversight, is required specifically for PSBs to address the issues arising out of “operational risk” embedded in credit risk.

3.56 In light of the growing incidence of large frauds through off-balance sheet instruments, usage of cross validation of off-balance sheet exposures across banks assumes importance. Additionally, the predominance of frauds among PSBs points to possible inadequacy of risk mitigation processes. The assessment and inculcation of appropriate Risk Culture in an organisational milieu assumes importance in this regard. Box 3.4 explores some salient features relating to Risk Culture.
(C) Outsourcing in financial services

3.57 The Reserve Bank had conducted a thematic study on operations of the service centres/business process outsourcing subsidiaries of major foreign banks. The study revealed that outsourcing agencies/group entities were working as per mandate given to them and no such concerns were observed which may expose banks to reputation risk.

3.58 Some of the concerns/risks observed were:

• The employees in the outsourced agency had the same access rights, both read/write, to the bank’s CBS. Further, it was also observed that user control related activities such as password resetting, access rights to bank’s applications and change request, were handled by the outsourced agency.

• Banks’ Service Level Agreements (SLAs) with their outsourced agencies did not recognise the Reserve Bank’s right to inspect the service provider of the banks and their books and accounts by one or more officers or employees or other persons.

• People risk was elevated on account of a significant amount of cost being incurred on outsourced services.

The deficiencies observed were taken up with the respective banks for rectification.

(D) Storage of payment system data

3.59 To ensure better monitoring it is important to have unconstrained supervisory access to data stored with system/service providers in the payment ecosystem. Acknowledging this need and the growth of the digital payments sector in India, the Reserve Bank issued directives on storage of payment system data recently. The notification directs all digital payment system providers to ensure that all the data relating to payment systems operated by them are only stored in India. This data should include full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required.
Payment system providers are required to do an audit through CERT-In empanelled auditors by and a compliance report is to be submitted to the Reserve Bank by the end of 2018.

VII. Supervision and enforcement

3.60 During the period July 01, 2017 to June 30, 2018 the Enforcement Department undertook enforcement action against 14 banks (including a payment bank and a small finance bank) and imposed an aggregate penalty of ₹1,024 million. From July 01, 2018 to October 31, 2018, enforcement action was undertaken against seven banks (including a payments bank and a cooperative bank) and an aggregate penalty of ₹142 million was imposed for non-compliance with/contravention of directions on fraud classification and reporting, discipline to be maintained while opening current accounts and reporting to the CRILC platform and RBS; violations of directions/guidelines issued by the Reserve Bank on know your customer (KYC) norms, Income Recognition & Asset Classification (IRAC) norms; delay in resolution of ATM related grievances; violation of all-inclusive directions and non-compliance with specific direction prohibiting opening of new accounts. Enforcement of regulations pertaining to cooperative banks and non-banking financial companies too has been brought under the Department with effect from October 03, 2018.

VIII. Other developments

3.61 An extensive database of credit information for India that is accessible to all stakeholders helps to enhance the efficiency of the credit market, increase financial inclusion, improve ease of doing business and control delinquencies, and hence is financial stability inducing. In this regard, the Reserve Bank has initiated steps to set up a wide-based digital Public Credit Registry (PCR) to capture details of all borrowers, including wilful defaulters and also the pending legal suits in order to check financial delinquencies.
The PCR will also include data from entities like SEBI, the corporate affairs ministry, Goods and Service Tax Network (GSTN) and the Insolvency and Bankruptcy Board of India (IBBI) to enable the banks and financial institutions to get a 360-degree profile of existing and prospective borrowers on a real-time basis.

3.62 Steps have also been taken to strengthen the financial and regulatory framework in Gujarat International Finance Tec (GIFT) City so as to develop appropriate prudential standards and facilitate orderly development of financial infrastructure.

1 Available at: https://www.bis.org/publ/arpdf/ar2018e.pdf

2 Basel Committee on Banking Supervision

3 Available at: https://www.bis.org/review/r180523b.htm

4 Fundamental Review of the Trading Book or FRTB – addresses Basel 2.5 issues such as capital arbitrage between banking and trading books, and internal risk transfers. It establishes a more objective boundary between the trading book and the banking book, thus eliminating capital arbitrage between the regulatory banking and trading books. FRTB changes the method used to determine market risk capital. Instead of VaR with a 99 per cent confidence level, it uses expected shortfall (ES) with a 97.5 per cent confidence for a better reflection of “tail risk” and capital adequacy during periods of significant financial market stress.

5 Internal capital markets allocate capital to a financial conglomerate’s various subsidiaries based on maximisation of potential expected returns. Access to such markets is also often taken into consideration for credit rating purposes.
6 Reform in the financial services industry: Strengthening Practices for a More Stable System, Institute for International Finance, December 2009

7 Available at: http://www.iosco.org/publications/?subsection=public_reports

8 Available at: http://www.fsb.org/2018/08/incentives-to-centrally-clear-over-the-counter-otc-derivatives/

9 Available at: https://www.sebi.gov.in/legal/circulars/nov-2018/fund-raising-by-issuance-of-debt-securities-by-large-entities_41071.html

10 National Company Law Tribunal

11 The details of the issues addressed in the amendment are available at https://ibbi.gov.in/webadmin/pdf/whatsnew/2018/Oct/CIRP%20Amendment-5.10.2018_2018-10-05%2023:21:24.pdf.

12 The MCX India Commodity Index is a composite Index based on the traded futures prices at MCX comprising a basket of contracts of bullion, base metal, energy and agri commodities. The NCDEX Dhaanya is a value weighted index, based on the prices of the 10 most liquid commodity futures traded on the NCDEX platform. The S&P World Commodity Index is an investable commodity index of futures contracts traded on exchanges outside the U.S. comprising Energy, Agricultural products, Industrial and precious metals. Thomson Reuters/Core Commodity CRB Index is based on Exchange Traded Futures representing 19 commodities, grouped by liquidity into 4 groups viz. Energy, Agriculture, Livestock and Metals.

13 Available at: https://www.eba.europa.eu/-/eba-assesses-risks-and-opportunities-from-fintech-and-its-impact-on-incumbents-business-models

14 Available at: https://www.bis.org/fsi/publ/insights9.htm

15 Target 2 is the settlement system for euro payment flows between banks in euro area.
16 The threshold was chosen as the 99.9 percentile based on data of the past 6 quarters, June 2017-Sept 2018.

17 Adapted from “Risk Culture and Effective Risk Governance”, edited by Patricia Jackson, Risk Books, September 2014, https://www.fca.org.uk/publications/discussion-papers/dp18-2-transforming-culture-financial-services.