I would like to thank IDRBT for inviting me to address you on the above topic. I must appreciate IDRBT for choosing this topic for the Seminar and inviting Directors of Indian banks,  as all the issues chosen for the Seminar are very relevant today for banking.

2.  At the outset, I would like to quote Bill Gates who has very rightly summarized the significance of technology in today’s world and I quote “The first rule of any technology used in a business is that automation applied to an efficient operation will magnify its efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency”.

3.  We have traversed a long way from the Industrial revolution to the IT revolution; and banks have benefitted a lot from this technological revolution. Information Technology (IT) is a catalyst for the development of sophisticated products, evolution of better market infrastructure and the implementation of reliable techniques for risk management.  The most significant impact of IT has been the manner in which it has facilitated financial transactions across the globe. Effective use of technology has a multiplier effect on growth and development of the economy. IT plays a fundamental role in banking. By introducing the possibility of online financial transactions, IT in banking has immensely scaled up the level of activity by making services and products easily available at an affordable cost and accessible to an ever increasing set of people. Information and communication technology functions are fundamental to the success and stability of banks as well as in increasing their outreach to the unbanked or underbanked areas of the country with limited ‘brick and mortar’ structures. It is, therefore, necessary that banks prioritise these functions at the highest level.

4.  We have travelled a long way from the era of ‘3-6-3’ banking.  The world of banking is not the same anymore. Financial globalization gathered momentum in the 1970’s with the development of computing power. But along with this technological development came the risks which were manifested in the recent global financial crisis. Banks and financial institutions introduced complex products whose risks were not adequately understood.  With the expertise on these highly complex products being confined to a very small group of specialists, the senior management and the Board of Directors were unable to provide adequate oversight, resulting in governance deficit.  IT is also a highly specialized field and from governance perspective, it is important that Directors of banks have a reasonable grasp of the issues involved so that IT can be used in most optimal way in banks.

5. The topic of the seminar is IT Governance, Technology Management and Data Warehouse/CRM Cyber Security. These issues are very significant to the present times. As banks are investing in technologies to ensure secure and efficient banking channels, it is necessary that a thought is given to adopting appropriate Governance framework, technology management methodologies and foolproof security mechanisms.  Today, I would like to speak on these issues from a central bank’s perspective. My presentation is divided into four main parts based on the topic of the Seminar. The last part would be focused on the IT Vision document for 2011-17 that has been released by the RBI recently. This has a great relevance for the banks as well as for the RBI.

IT Governance

6.  You are all aware that the increased focus on IT Governance has stemmed from the concern for investment in IT infrastructure and the ever-increasing dependence on IT for operating and managing day-to-day business activities. IT Governance focuses on information technology systems, their performance and alignment of technology with business and risk management. With the high rate of technological obsolescence, the need for proper IT governance, particularly in the case of banks, is gaining more prominence. You would agree with me in saying that adoption of IT Governance in banks would result in effective control on, and better utilization of, the huge IT infrastructure created by banks.

7.  In implementing an effective governance structure, organizations, particularly those having significant IT investments, are constrained by certain factors. Common among such inhibiting factors are challenges in aligning the business and IT strategies, need for appropriate and re-engineered business processes and delivery models, lack of project ownership and insufficient risk and resource management. For ensuring better governance there is a need to put in place robust risk management systems encompassing effective infrastructure, information and security policies, incident reporting and business continuity management. These management systems must be subject to regular review and monitoring. 

Relevance to banks

8.  A consistent IT Governance policy provides institutions with tools which ensure that IT investment drives business areas to meet its goals. IT Governance depends strongly on corporate governance and the overall corporate strategy, which means that IT strategy and IT processes should be in consonance with the business goals. In other words it means that IT Governance provides tools to manage IT structures and processes in order to appropriately support the business strategy.

9.  Implementing new IT Governance in banks may be very challenging. For addressing the structural inadequacies in the areas of IT governance, information governance, data governance, information security governance; there is an imperative need to have synergy among these areas.

10.  Adoption of a structured IT Governance framework would enable banks to manage their businesses in a manner that would bring about benefits to their customers as also facilitate the growth of banks in this fiercely competitive world.

11.  A working group constituted by the Reserve Bank has recently (in January 2011) released a report on information security, electronic banking, technology risk management, and cyber frauds. This Report includes a Chapter on IT Governance which can serve as a guiding model for banks. This chapter, inter alia, deals with roles and responsibilities and an organizational framework for implementing IT Governance. It also suggests an organisational structure andelucidates the recommended roles and responsibilities of the personnel involved in implementation of such a structure. In its recently released IT Vision document 2011-17, the Reserve Bank has made certain recommendations with regard to IT Governance, which are extremely relevant for banks as well as the Reserve Bank.

Benefits of IT Governance: Doing more with less

12.  As I have mentioned, banks’ investments in IT are most fruitful when they match technology strategy with business strategy, implement systems in a disciplined way, and balance value creation with increased IT capabilities.

13. In this context of IT investments, Indian banks have an inherent advantage in terms of factor cost (IT labour costs in India are lower than those in Asian or European markets) and distribution strategy (using alternative channels effectively).  This low cost servicing capability can give a competitive edge to the Indian banks seeking to do business outside the country. Use of IT governance can help achieve these objectives.  Thus, the benefits of employing effective IT governance framework are manifold.

Beyond CBS : Next Generation banking

14.  Banks must look beyond Core Banking i.e. transaction processing. They must use risk management techniques effectively. This would not be possible unless the data handling capability in their Core Banking Solution is enhanced. It is now common knowledge that the banking of the future will be that which would be driven by the customers. This would require banks to create value for its customers and evolve a business model, taking into account the profile of existing and targeted customers and their needs vis-a vis the range of products offered. This would enable them to emerge stronger and more competitive. With higher technological and financial awareness, customers today are looking for banks to offer the following:

• More choices in terms of product selection

• Simplified banks’ forms and procedures

• Prompt services and alerts (such as e-mail, SMS etc)

• Transparency of charges and fees

• Complete view of account relationship

15.  Coupled with this, there is an increasing use of alternate channels such as the Internet and mobile devices, by customers. This impact has made the rules, in managing channels and the process of reaching customers, a moving target. Banks would need to re-design their strategies and respond appropriately to the rules as they change. If banks do adopt suitable processes, it would bring about cost savings and, in the long term, more profitable customer relationships.

Customer empowerment

16.  With a view to achieving higher focus of customer service, banks should be conscious of the customer needs and should take care not to cram too many additional features into products making them too complex to understand and use, as this could lead to a decline in customer experience. If customers want a particular service, technology can make it happen. So, the focus for banks should be on knowing and developing viable solutions and services suiting their customers’ demand. Banks would have to balance their service offerings across customer segments and provide a reliable and adequate of information. Learning from the crisis, I urge upon banks to use technology to devise products and processes which are socially “optimal”.

Treading the path carefully

17.  While doing so, banks must also be aware of the fact that data confidentiality is an issue that must be dealt with very carefully. This is an area of concern for banks and their customers. It is true that in the recent years technological advances have been made by banks in providing secured internet technologies to contain hacking and phishing. This has also enabled to put in place strong risk management processes within the bank. This must be continued by the banks not only to minimise financial loss but also, more importantly, to safeguard trust and confidence of their customers. Banks, while designing processes, products and channels, must ensure that banking experience remains easy and simple for their customers. The long term success of any bank cannot be achieved without the development of new business ideas, innovative products and services and focus on retention of customers.

Financial Inclusion and technology

18.  Financial inclusion is high on the agenda for the Reserve Bank as well as banks. Operating cost of providing financial inclusion and charges levied on the users are important dimensions of the process of financial inclusion. Technology has to play an important role in reducing the transaction cost of banking services, particularly in the rural and unbanked areas so as to make financial inclusion a commercially viable proposition for banks. This may come about, for example, if banking service providers are willing to enter into passive infrastructure sharing. The challenge for banks, in the context of financial inclusion, would be to get the technology pieces together and adopt a strategy that is viable and sustainable in the long run.

19.  Major steps have been taken by Reserve Bank of India (RBI), Government of India and banks, to enable financial inclusion of weaker sections of the society. IT is the differential factor in this regard.  The game changers in the realm of financial inclusion i.e. the UID project, mobile banking, hand-held devices, smart cards, business correspondents, routing of payment under government social schemes through banks and micro-finance, are the factors that will take financial inclusion a long way in the country.

Technology Management

20.  Technology includes the use of materials, tools, techniques and sources of power to make life easier or more pleasant and, work, more productive. Whereas science is concerned with ‘how’ and ‘why’ things happen, technology focuses on ‘making’ things happen. Technology influenced human endeavour as soon as people began using tools. It accelerated with the Industrial Revolution and the substitution of machines for animal and human labour. Accelerated technological development has also had costs, in terms of air and water pollution and other undesirable environmental effects.

21.  Another aspect of relevance in the present circumstances is Technology Management. As we are aware, Technology Management is a subset of management discipline that allows organizations to manage their technological resources to create competitive advantage. Each organization has to decide its strategy, possibly, by identifying emerging technologies to suit business and market needs.

22.  The role of the technology management function in an organization is to understand the value of technology for the organization. Continuous development of technology is valuable, as long as there is a value for the customer and, therefore, the technology management function in an organization should be able to guide when to invest on technology development and, more importantly, when to withdraw.

23.  Alternatively, Technology Management can also be defined as the integrated planning, design, optimization, operation and control of technological products, processes and services.  A functional definition of Technology Management could be that it is the management of the use of technology for human advantage.

Technology and innovation

24.  Perhaps the most authoritative input to our understanding of technology is the diffusion of innovations theory developed in the first half of the twentieth century. It suggests that all innovations follow a similar diffusion pattern - best known today in the form of an "s" curve. In broad terms the "s" curve suggests four phases of a technology life cycle - emerging, growing, maturing and aging.

25.  Taken together these concepts provide a foundation for formalizing the approach to managing technology. Technology Management involves optimization – "if things can happen with a needle, there is no need to use a sword". Right choice of technology is what helps organizations to grow faster. "Right Decision at right time is the key to success". Since adoption of newer technology involves cost, one has to be prudent in selection of right technology for the required purpose.

Technology management in banks

26.  Priorities of contemporary bank technology management are dictated by increased competition and the development of the global banking industry. The recent financial crisis has led banks to shift their priorities towards working more on the quality of their loan portfolios and stable sources of funds. Maintenance of the high quality of customer service has become the main focus of the bank technology management.

Data Ware house

27.  Let me tell you a well known story which describes a data warehouse and its benefits. Story goes like this:

"Some market analysts were trying to analyse an elephant with their eyes blindfolded. One touched the tail of an elephant and analysed it as a 'ROPE', another felt the feet of an elephant and analysed it as a 'TREE TRUNK', yet another touched the torso of the elephant and analysed it as a 'BIG STONE'".

28.  This exactly is the situation when one analyses a customer of the bank from only one sub-system. Unless we have the complete profile of a customer from the integrated database, we cannot possibly differentiate between ‘good’ and ‘bad’ customers. Data warehousing technology can make it happen by integrating various sub-systems into a data warehousing framework.

Deep Impact : technology and warehousing

29.  Banks in India have adopted Core Banking Solution and it has helped the customer to carry out 'Anywhere Banking'. The next move forward can be the integration of various systems to create a centralized database consisting of customer information and other data. This concept is what is called "Data Warehousing".  Banks can make use of various tools and techniques to analyse this data for enhancing their businesses. Individual systems help in running the business of banks, but if the banks have to optimize their businesses, they have to invest in Data Warehousing Technology. Many banks in India already have adopted this technology. Reserve Bank of India has also invested in creating its data warehouse which is made available to the general public through the link "Database on Indian Economy: RBI's Data Warehouse" (http://dbie.rbi.org.in).  This is useful for researchers and economists.

Cyber Crime

30.  Another issue that is of relevance in today’s banking is the increasing cybercrime. The capabilities and opportunities provided by the Internet have transformed many business activities, augmenting the speed, ease, and range with which transactions can be conducted, while also lowering many of the costs. Criminals have also discovered that the Internet can provide new opportunities for pursuing unlawful business.  The rapidly growing interconnectivity of IT systems, and the convergence of their technology towards industry-standard hardware and software components and sub-systems, renders   IT systems increasingly vulnerable to malicious attacks.   Strengthening of IT resilience can ensure a prompt action at a modest marginal cost, both in terms of minimising losses and resuming normal operations quickly.

31.     The concept of cyber crime is not radically different from the concept of conventional crime. Both include conduct involving commission or omission, which cause breach of law. While the characteristics of these crimes are different, the motivations of the criminals are much the same.  The advent of the computer has only provided another means and opportunity to such criminals. Speedy prosecution and effective plugging of loop holes in laws can serve as effective measures to counter such crimes.

Implications for Business

32.  The implications of all this for business can be far-reaching. There is a need for major changes in perception about cyber-security and in planning and implementing security measures. These are particularly important if e-commerce is to attain its full potential. Perhaps the most important change required is the change in the mindset.    This has two distinct but overlapping dimensions: security has to be understood in broad rather than narrow terms, and security can no longer be an after-thought. It needs to be part of intelligence, planning, and business strategy.

Making new technologies pay-Cyber security

33.  A major challenge for the banks is in keeping themselves updated with the changes in technology in spite of the fact, that such updation keeps increasing their expenditure on computer security. Computer security measures can be beefed up by using anti-virus software, access control and firewalls and by employing qualified IT or IT-security staff. Additionally, there should be adequate training of staff on computer security. Considering all the factors that militate against computer security of organizations, it is possible that total eradication of computer crimes may not be achieved. It can, however, be reduced through public education, robust law enforcement, compliance using effective security technologies and the establishment of a foolproof framework for the prosecution of computer criminals.

Keeping a check

34.  There are several specific issues that need to be considered carefully to keep incidents of cyber crime at bay. A few illustrative ones are as follows:

1. Recognize that the real problem is crime, not hacking

2. Business intelligence must include criminal intelligence analysis

3. Be vigilant of  money laundering opportunities

4. Develop partnerships and information-sharing arrangements

35. As directors of banks, you have the responsibility of ensuring that there is a robust process for detecting and reporting suspicious transactions and that the methodology   adopted by fraudsters/cyber criminals is thoroughly analysed for taking corrective action.   When such information comes to the notice of the Reserve Bank; measures are taken to disseminate the modus operandi for the benefit of banks.

36. In its Report on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, RBI has dealt with the issue in detail and made specific recommendations for banks to adopt.

Role of Cert-In

37.  You are all aware that Indian Computer Emergency Response Team (CERT-IN), a part of the Ministry of Communications and Technology, GoI has a major role to play in combating cyber crimes. Its roles and functions include incident response and offering recovery procedures and incident tracing. As a proactive approach, it also issues security guidelines and acts as a national repository of, and a referral agency for, cyber intrusions. It also analyses the trends and patterns of intrusion activity and, as a response, it aids the users to prevent recurrences of similar incidents. IDRBT has been nominated as the sectoral CERT for banking and financial sector. I suggest that banks coordinate with IDRBT and make use of this for fighting cyber intrusion.

IT Vision Document 2011-17

38.  Coming to the concluding part of my address, I would like to draw your attention to the RBI’s recently released IT Vision document for 2011-17, the major recommendations of which relate to transforming the RBI into a knowledge organisation, using IT as a strategic resource, improving IT governance and reviewing of IT processes for better alignment between business objectives and IT. The action points that emerge for RBI and banks from this document relate to the following issues:

Focus for RBI

39.  The main recommendation is for the Reserve Bank to transform itself into an information intensive knowledge organisation. Other recommendations include harnessing human resource potential, migrating to enterprise architecture for IT systems and adopting appropriate business process re-engineering. Conformity to internationally accepted standards and usage of business intelligence from data warehouse for optimal Management Information Systems (MIS) with effective Decision Support Systems (DSS) are also recommended.

40.  Improved IT Governance, effective project management, evolution of well defined information policies as well as information security frameworks, better vendor management and outsourcing practices are the other significant recommendations of the document. The document also suggests reviewing of IT processes for better alignment between business objectives and IT.

Focus for banks

41.  The Vision Document sets priorities for commercial banks to move forward from their core banking solutions to enhanced use of IT in areas such as  MIS, regulatory reporting, overall risk management, financial inclusion and customer relationship management. It also dwells on the possible operational risks arising out of adopting technology in the banking sector which could affect financial stability and emphasizes the need for internal controls, risk mitigation systems, fraud detection / prevention and business continuity plans.

42.  Although banks have deployed technology for transaction processing, analytical processing by banks is still in a nascent stage. Banks may work towards reaping benefits of technology in terms of cost reduction, improved customer services and effective flow of information within the banks and to the regulator.  The Reserve bank has drawn up an action plan to implement the recommendations of the Vision document. A High powered Committee has also been constituted in the Reserve Bank which has the responsibility to ensure time bound and effective implementation of these recommendations.

Conclusion

43.  In conclusion, I would like to say that banks need to take a disciplined approach to IT architecture, create standardised platforms, and wring more business value from technology investments. It is here that IT Governance plays a very significant role.    Adoption of appropriate IT solutions for moving towards acquiring information from the customer-centric perspective along with account- or product-centric perspective would place the banks at a competitive advantage. The banking industry relies on technology; to run their systems efficiently, effectively and securely as also to move ahead of its competitors. It is here that methodologies of technology management will play a significant role.   The Data Warehouse solution in banks must be implemented in an iterative manner and to maximise its benefits, it must be used creatively.

44.  Computer crimes cause banks huge financial losses which have an adverse effect on the economy. Most banks have measures in place to manage the occurrence of cyber crimes but based on the fact that technologies advance on a continuous basis, bank managements should try to keep up with these advances in order to efficiently combat computer crimes and reduce them. Lastly, I would urge upon banks to have a look at the recommendations in the IT Vision document and initiate suitable action.

45.  I would conclude by saying that technology is a means for the banks to render better customer service, increase their business and profitability as well as manage risks. The time has come for banks to adopt and adapt appropriate technology.  As Albert Einstein has said “where there is the necessary technical skill to move mountains, there is no need for the faith that moves mountains”. It is with this premise that we need to move forward.

Thank you.

* Comments by Shri Anand Sinha, Deputy Governor, Reserve Bank of India, at the Seminar for Directors of banks on ‘IT Governance, Technology Management and  Data Warehouse/CRM Cyber Security’ organised by IDRBT at Hyderabad on May 13, 2011
Inputs from Dr. Anil K Sharma and Smt. Nikhila Koduri are gratefully acknowledged