Given the comprehensive remit, the Group decided to address IT issues across multiple dimensions like IT Governance, Information security, IT operations, Information system audit, Cyber fraud, Business Continuity Planning, Customer education and legal issues arising out of the use of IT and provide recommendations in these areas. The Working Group was divided into five Sub-Groups with the undernoted specific focus areas:

• Technology issues – Information security and DR

• IT Governance and IS Audit

• Operational issues – IT operations, BCP, Cyber Fraud

• Legal issues

• Customer Education

Every Sub-Group was expected to cover the entire gamut of issues within their focus area, after taking a holistic view considering a bank’s internal and external factors.

The objective before the sub- groups was to provide a set of guidelines to banks covering the entire gamut of electronic banking which would in part serve as a common minimum standard for all banks to adopt and in other part lay down the best practices which are recommended for adoption by banks in a phased manner for a safer and sounder banking environment. It was felt that there was a need for banks to follow a consistent approach in each focus area, to minimize differing interpretations.

The High Level Group has referred to prior RBI guidelines, various publications, professional standards, research documents and best practices.

The Group adopted the following approach in its work:

a) Conducted a study of existing circulars and guidelines issued by RBI

b) Studied current sources of information relevant to the scope from Indian laws and regulations prevalent and applicable to Banks – Information Technology Act, 2000 and Information Technology (Amendment) Act, 2008

c) Studied standards and reports issued by professional and other international bodies.

d) Perused Guidelines issued by regulators in other countries – the US, EU, UK, Australia, Singapore, Malaysia and practices followed by banks and financial institutions across the world

e) Gained an understanding of the risks arising from emergence of new technologies

f) Benchmarked requirements collated from various sources against current RBI requirements. The requirements are specifically described at each sub-topic level

g) Held meetings to discuss approach and road map

h) Invited presentations from a few Banks to understand the working and practical issues faced by them in the areas under consideration 

i) Documented specific recommendations in this report

j) Discussed the recommendations with a few banks and suitably fine - tuned the report