RBI's Initiatives in Payment System and Security Policy*

A. Vasudevan

 

I am grateful to Prof. Gulati and organizers of the workshop for giving me an opportunity to meet and interact with senior executives of the Reserve Bank of India on matters of importance from the point of view of IT applications in the Reserve Bank of India and in the rest of the financial sector.

 

The theme assigned to me for opening the very first innings of the workshop is, in my view, interdisciplinary in character. It is not merely IT-oriented. It is in fact IT plus something more. The 'something more' could be, for want of a better expression, called the 'additionality' and would involve issues relating to organizational dynamics, the very mind-set of persons involved in the processes of change in the management of financial transactions, and the work environment. In more concrete terms, one could place the whole theme under six abiding principles in the context of our development policy. These are: the switching over to IT applications and interconnectivity of different strands of activity; the standardization of products, applications and systems; the seamless integration of applications and systems; system administration; system monitoring and oversight; and security in the IT and work environment. Since each of these principles starts with the letter 'S', one could regard them as the six 'Ss'. Each of these principles needs some elaboration. First, let me briefly touch upon what I called the context of development policy in which the six 'Ss' are to be followed.

 

Economic growth - a major goal of economic policy - is traditionally considered as determined by (a) the investment rate and (b) the productivity of investment. This is, typically, in the hoary tradition of the Harrod-Domar model and is generally followed as an easy recall procedure for economic analysis in most policy-making circles. While the productivity of investment cannot be easily measured, at least in the short run, and can only be an ex post and often derived datum, the factor which really affects growth is technical progress, to which Nicholas Kaldor and a few other economists alluded as early as the fifties of the 20th century. Technical progress represents creativity and innovativeness, and is often reflected in the level of knowledge, research and development activities, and the adaptability of activities to changing conditions (often seen in demand and in tastes and preferences). While adaptability is not easy to define, it is very critical and should not be confused with flexibility. It is this aspect to which we refer here in so far as the overall theme of my address is concerned.

 

The switch-over from manual to IT applications in banking is often defended on the ground that it is necessary for improving customer service and efficiency, and for touching base with international financial entities in respect of cross border transactions. These considerations are undoubtedly important while switching over to an IT environment, but there is a more fundamental reason why such a switch-over is essential. It is that economic growth, going by the recent literature on financial repression, cannot be raised and sustained without financial diversification and development and without flexibility in financial policies. If this premise is correct, the volume of business will grow and will necessitate a switch-over from cumbersome manual operations to more reliable, quick operations through IT applications.

 

Standardisation of products, applications and systems is necessary for a banking firm and, in the case of overseas operations, for the banking industry as well. It eliminates confusion over the operationalisation of procedures and systems. Staff members working in an IT environment could reasonably expect outcomes at the final end of the transactions, once a transaction is put through. Mobility of human resources within a firm can also be facilitated if procedures and applications are standardized. Electronic manuals would therefore have to replace paper manuals, since such an environment has to be adapted quickly.

 

Seamless integration of applications and systems is crucial to avoid glitches and to ensure smooth passage of interrelated transactions over the electronic medium. For a central bank in a developing or emerging economy, it is almost an article of faith that financial integration should be fostered and rapidly developed. Money, credit, debt and forex markets, to take an example, will grow if the entire clearing, payment and settlement operations are effected in a coordinated manner.

 

System administration is vital to ensure proper work flow. A system administrator will be in constant touch with the daily volumes and processes that are followed at different desks so that the work flow is not impeded by shortcuts that some members of staff may resort to in the hope of speeding up the operations. The system administrator dons the role of the one who fixes the nuts and bolts of the firm.

 

System oversight is not possible without monitoring of data about flows of money and instruments through the various stages of operations. It is critical for elimination of irregularities and criminal operations. In recent times, with the sharp increase in derivatives and cross border transactions, payment oversight is being given focused attention by almost all central banks in the industrialized world. In the context of the recent discussions at the international level on standards, codes and transparency practices, supervision of payment systems has to be a part of a central bank's responsibilities. We would have to follow the core principles in payment systems, consistent with our institutional and legal structures.

 

Security in the IT and work environment is essential to see that the integrity of the financial system is secure and that systemic risks are eliminated. I will have occasion to deal with this aspect a little later.

 

Let me now take up the Reserve Bank's initiatives in the payments area. I will divide this part of my address into three parts - the institutional mechanisms, the functional initiatives and the efforts at expanding base communication systems.

 

Under the institutional mechanisms, let me first state that no payment and settlement system will work unless steps are taken at the organization level (in our case, the Reserve Bank of India) to continually work to develop (a) a modern and efficient payment system and (b) policies to make the system function smoothly. Early in 1998, we set up a Payment System Group (PSG) within the Department of Information Technology (DIT) in the Reserve Bank dedicated to various aspects of the payments system. The PSG turned out to be a multi-disciplinary group, with officials drawn from supervision, banking, IT, law, research and statistics, government accounts, and systems and procedures. The PSG works, effectively speaking, as a secretariat that reviews the systems abroad and the conditions in which we are placed, and attempts to harmonize the two, so long as such a process is consistent with our objectives of financial policies. But it cannot act on its own. The policy guidance to it flows from a Payment System Advisory Committee (PSAC) consisting of heads of critical Departments within the Reserve Bank, the Regional Directors of some of the critical centres, and technologists. It meets once a month, is chaired by the Executive Director In-Charge of DIT, and is serviced by DIT. It reviews IT developments not only within the Reserve Bank but also outside, makes recommendations to the Governor/Deputy Governor In-Charge of DIT on matters of policy, and gives an agenda of work for the PSG.

 

There are two other institutional mechanisms through which interactions between the Reserve Bank and commercial banks on IT and payment systems take place. One is the INFINET User Group (members of the INdian FInancial NETwork set up by the Reserve Bank as a Closed User Group), which meets once a quarter under the Chairmanship of the Executive Director In-Charge of DIT, and the other is the meetings of the Computer Policy and Planning Department (CPPD) chiefs of commercial banks, held whenever needed. These two mechanisms act as good bridges of understanding between the central bank and the commercial banks on IT matters. Such mechanisms will also facilitate standardization, seamless integration and system oversight. A number of members of CPPD and the INFINET User Group acted as members of the Working Groups/Informal Groups on Payment Systems as well as on technological upgrading in the banking sector.

 

Finally, there is the National Payments Council, the apex body on payments systems, under the Chairmanship of the Deputy Governor In-Charge of DIT and with members drawn from banks, stock exchanges, NBFCs and the Reserve Bank. The Council generally meets 3-4 times a year. It has a number of permanent working groups with a secretariat provided by DIT and the PSG in DIT. In general, the permanent groups represent the areas of interest of the PSG, but the difference lies in the fact that the permanent groups pursue policy-oriented work, while the PSG is involved with the review and analysis of the payment system. The Council's recommendations are passed on to the Governor for consideration. Since it is the apex body in the area of payments, its recommendations assume an almost mandatory character.

 

Let me now briefly touch upon the functional tasks that have been undertaken in the Reserve Bank to promote smooth functioning of the payments system. We first focused our attention on the cheque processing system and went ahead with replacement of the then existing system with a modern, state-of-the-art MICR cheque processing system that would have enough redundancy, versatility and imaging technology. It can easily handle ECS (credits and debits) and electronic funds transfers. It can also enable other IT related tasks to be performed over its mainframe. The DIT also undertook the task of inventorising the hardware, software, and operating systems throughout the Reserve Bank of India. The year 2000 exercise we undertook in 1999 greatly facilitated this task. We now know how to manage changes in respect of both hardware and software at various offices for purposes of standardization, centralization of processes and operations, and security. We then computerized a good many operations of the Issue Department of the Reserve Bank, and this has greatly helped us to monitor the stocks of currency at various centres and currency chests and the flows among different destinations. This played an important role in the policy formulation in 1999 about making available enough currency in the context of the year 2000 uncertainties in December 1999. We have taken up the task of computerizing the different aspects of the Banking Department of the Reserve Bank in an integrated way. The Centralised Funds Management System (CFMS) will provide information about the cash balances of banks with the Reserve Bank of India at different centres and will enable the treasury departments of banks to economise on such balances and to plan their market operations. The Real Time Gross Settlement (RTGS) project has begun with an experienced outside consultant to guide the installation and implementation of the project. The Public Debt Office (PDO) project will deal with securities settlement in a modern and efficient manner. These three projects are presently being pursued and, once they are in place, the payment system in India will be as good as the ones in the industrialized world. Our fifth focus is on the retail end. The supply of ATMs and credit cards has attracted our attention since they are highly customer oriented. The standardization of smart cards has, for example, been rendered possible because of the initiative of the Reserve Bank.

 

We have allowed commercial banks to play their part in setting up MICR cheque processing centres whenever the volume of cheques exceeds a certain critical minimum level on a daily basis. At twelve centres other than the four metropolitan cities, commercial banks have set up MICR cheque processing units. They are working well. Some more centres would soon have MICR cheque processing facilities being offered by banks. Wherever possible, the Reserve Bank has extended technical assistance to banks in this new area of their operations.

 

The third part of the Reserve Bank's initiatives is in respect of development of satellite-based communication infrastructure. Over 400 VSATs based on such satellite communications have already been operationalised in the country. The hub is located at IDRBT and INFINET based on this infrastructure is being administered and managed by IDRBT. It is expected that this infrastructure will expand. Our plan is to have about 5000 VSATs all over the country in the next couple of years. We would also have terrestrial lines as the supplemental communication infrastructure.

 

The operationalisation of INFINET is critically dependent on the messaging systems in place. Structured messaging formats are being worked out in respect of various areas of operations - Government accounts, currency supplies, forex operations, money transfers, etc. - through informal working groups consisting of bankers, officials from the Reserve Bank, the IDRBT personnel, and technologists drawn from outside. Once the formats are ready, and set in place, the payments system will be IT-driven.

 

Let me now take up the security policy issue. This is critical and needs to be taken up as a top priority by the banks and by the Reserve Bank. We have undertaken an informal study on this area in the Regional Office at New Delhi with the Regional Director as its member-secretary. The initial outcomes of the study show that there are many areas of concern. The study will be completed soon.

 

Security in Payment Systems cannot be addressed in isolation. It requires the integration of work processes, communication linkages and integrated delivery systems and should focus on stability, efficiency and risk control. Yet another prime aspect of concern in a good security policy is the role that human beings have in a secure computerised environment.

 

It would be advisable to build security features at the application level in respect of banking oriented products, because of the critical nature of financial data transfer. The financial messages should have the undernoted features:

  • The receipt of the message at the intended destination
  • The content of the message should be the same as the transmitted one
  • The sender of information should be able to verify its receipt by the recipient
  • The recipient of the message could verify that the sender is indeed the person it purports to be
  • Information in transit should not be observed, altered or extracted
  • Any attempt to tamper with the data in transit will need to be revealed
  • Non-repudiation

These features boil down essentially to authentication (to verify the identity of the sender of the message to the intended recipient, so as to prevent spoofing or impersonation), authorization (to prevent unauthorized persons from accessing specific resources), confidentiality (to maintain the secrecy of the content of transmission between the authorised parties), integrity (to ensure that no changes/errors are introduced in the messages during transmission) and non-repudiation (to ensure that an entity cannot later deny the origin, receipt or contents of the communication).
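As an added illustration of how the features listed above combine in one message exchange (this is example code written for this page, not an RBI or INFINET system), the following Go program uses only the standard library: AES-256-GCM gives confidentiality and integrity, an Ed25519 signature by the sender gives authentication and non-repudiation of origin, and a signed receipt from the recipient gives the sender proof of delivery. The shared AES key, the key pairs, the message text and the `Envelope`/`Receipt` formats are all constructed for the example; in practice the keys would come from the key-management and certification arrangement the speech describes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the wire form of one financial message: the AES-GCM nonce,
// the ciphertext, and the sender's Ed25519 signature over nonce||ciphertext.
type Envelope struct {
	Nonce, Ciphertext, Signature []byte
}

// Receipt is the recipient's signed acknowledgement that one specific
// envelope (identified by the SHA-256 digest of its ciphertext) arrived intact.
type Receipt struct {
	Digest, Signature []byte
}

// newGCM builds an AES-GCM AEAD from a 32-byte key (AES-256).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// signedBytes is the exact byte string the sender signs: nonce||ciphertext.
func signedBytes(env *Envelope) []byte {
	return append(append([]byte{}, env.Nonce...), env.Ciphertext...)
}

// SealMessage gives confidentiality and integrity (AES-GCM) plus sender
// authentication and non-repudiation of origin (Ed25519 signature).
func SealMessage(senderPriv ed25519.PrivateKey, key, plaintext []byte) (*Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	env.Signature = ed25519.Sign(senderPriv, signedBytes(env))
	return env, nil
}

// OpenMessage verifies the sender's signature before decrypting, so an
// impersonated or altered envelope is rejected before the key is even used.
func OpenMessage(senderPub ed25519.PublicKey, key []byte, env *Envelope) ([]byte, error) {
	if !ed25519.Verify(senderPub, signedBytes(env), env.Signature) {
		return nil, errors.New("signature check failed: sender not authentic or message altered")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("integrity check failed: ciphertext altered in transit")
	}
	return pt, nil
}

// Acknowledge is the recipient's proof of receipt: a signature over the
// digest of exactly what it received.
func Acknowledge(recipientPriv ed25519.PrivateKey, env *Envelope) *Receipt {
	d := sha256.Sum256(env.Ciphertext)
	return &Receipt{Digest: d[:], Signature: ed25519.Sign(recipientPriv, d[:])}
}

// VerifyReceipt lets the sender confirm that this recipient acknowledged
// this envelope; the recipient cannot later deny having received it.
func VerifyReceipt(recipientPub ed25519.PublicKey, env *Envelope, r *Receipt) bool {
	d := sha256.Sum256(env.Ciphertext)
	return bytes.Equal(d[:], r.Digest) && ed25519.Verify(recipientPub, r.Digest, r.Signature)
}

func main() {
	senderPub, senderPriv, _ := ed25519.GenerateKey(rand.Reader)
	recvPub, recvPriv, _ := ed25519.GenerateKey(rand.Reader)
	key := make([]byte, 32) // assumed to be distributed through the key-management arrangement
	rand.Read(key)

	// Constructed sample message; not a real payment instruction.
	env, _ := SealMessage(senderPriv, key, []byte("TRANSFER 1000.00 INR ACC-0001 -> ACC-0002"))
	pt, err := OpenMessage(senderPub, key, env)
	fmt.Printf("recipient read: %q (err=%v)\n", pt, err)
	rcpt := Acknowledge(recvPriv, env)
	fmt.Println("sender confirms receipt:", VerifyReceipt(recvPub, env, rcpt))

	env.Ciphertext[0] ^= 0x01 // simulate alteration in transit
	_, err = OpenMessage(senderPub, key, env)
	fmt.Println("altered envelope rejected:", err)
}
```

Two design points worth noting: the signature is verified before decryption, so the more expensive and key-touching step only runs for authentic messages; and a production format would also sign a message identifier, timestamp and intended recipient so that a genuine envelope cannot simply be replayed or redirected, which this minimal example does not cover.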

 

There are at present a number of security standards available for different financial applications; most of them are internationally accepted and part of the ISO standards. These international standards should be examined and adopted keeping in view the requirements of the Indian banking industry. We have started initial work in this direction in co-ordination with banks, the Indian Banks Association and the Bureau of Indian Standards for notifying security standards. A small beginning has been made in respect of smart card technology for use in the country.

 

Perhaps the most widely accepted security tool is encryption. While the technical details of encryption are by now well recognized, there should be, in my view, an appropriate institutional arrangement for key management and authentication. This is normally done through Certification Agencies. For the banking and financial sector, the IDRBT is being identified to function as the Certification Agency. There should also be an institutional arrangement for appropriate assessment of participants of the financial network in terms of their credit-worthiness, financial soundness, etc. These assessments which will provide valuable input to the banking and financial sector would be of value for internal purposes.

 

Firewalls are used to implement access control security as well as to provide for user authentication and to ensure data integrity by using encryption. It is important that our security policy design incorporates these accordingly. Regular reviews of security policies and their implementation are also important. Highly secured (e.g., funds related) and non-secured messages should be specifically demarcated in the security policy.

 

An important issue relates to the security levels of use within the various operating departments in the Reserve Bank. The common level of entry is validation of authorized access (in the form of authorized user IDs), further authenticated by the correctness of the passwords keyed in by the authorized users. Passwords often become 'passed' words in our context, since they are never changed and tend to remain fixed for long periods of time. It is absolutely essential that passwords lapse after a certain period and that new passwords are issued.

 

Authorisation of users is another activity that needs to be closely regulated and monitored. One of the basic requirements for implementation of security, and for monitoring it, at the various departments is the need for system administrators. Most of our offices and departments have the system administration function clubbed with the normal operational functions assigned to a particular officer. The proliferation of networks within an office also acts as a negative factor in the implementation of strict security features.

 

It is a matter of concern that in the Reserve Bank the level of security consciousness is not high. There is an imperative need to imbibe a culture of security among all operative functionaries, whether officers or other staff, and cutting across administrative gradings. Access to databases in computer systems, and to the data contained in them, has to be strictly restricted and not be available to anyone except those authorized to make changes in an eventuality such as resolving a software lock or malfunction; such a change is a conscious decision taken by the authorized personnel in conjunction with the head of the office concerned.

 

Maintenance of audit trails and other appropriate logs is an essential requirement of any sound security policy. Some of the applications in use within the Reserve Bank do not have this feature and it must be ensured that all sensitive applications or applications accessing important data have such features in-built.
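One way to make an audit trail satisfy the requirement just stated, so that a record cannot be silently edited or removed after the fact, is to chain each entry to its predecessor with a hash. The following Go program is an added example written for this page (not code from any Reserve Bank application); the user names and actions it logs are constructed samples, and the `Entry` layout and `|`-separated hashing are this example's own choices.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// genesis is the Prev value of the very first entry.
var genesis = strings.Repeat("0", 64)

// Entry is one audit record. Prev carries the hash of the preceding entry,
// so every record is bound to the whole history before it.
type Entry struct {
	Seq    int // 1-based position; catches removal of a record from the middle
	User   string
	Action string
	Prev   string
	Hash   string
}

// hashEntry is the only place an entry's hash is computed. Fields are
// assumed not to contain '|'; a real log would length-prefix or JSON-encode them.
func hashEntry(seq int, user, action, prev string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s|%s", seq, user, action, prev)))
	return hex.EncodeToString(sum[:])
}

// AuditTrail is append-only: there is deliberately no Update or Delete.
type AuditTrail struct {
	Entries []Entry
}

// Append links the new record to the current head of the chain.
func (a *AuditTrail) Append(user, action string) Entry {
	prev := genesis
	if n := len(a.Entries); n > 0 {
		prev = a.Entries[n-1].Hash
	}
	e := Entry{Seq: len(a.Entries) + 1, User: user, Action: action, Prev: prev}
	e.Hash = hashEntry(e.Seq, e.User, e.Action, e.Prev)
	a.Entries = append(a.Entries, e)
	return e
}

// Head returns the latest hash. Record it periodically somewhere the log's
// writers cannot reach (a separate system or write-once media), because a
// chain alone cannot reveal that its tail was cut off or wholly rebuilt.
func (a *AuditTrail) Head() string {
	if len(a.Entries) == 0 {
		return genesis
	}
	return a.Entries[len(a.Entries)-1].Hash
}

// Verify re-derives every hash and link. It returns 0 if the trail is intact,
// otherwise the sequence number at which the first inconsistency appears.
func Verify(entries []Entry) int {
	prev := genesis
	for i, e := range entries {
		if e.Seq != i+1 || e.Prev != prev || e.Hash != hashEntry(e.Seq, e.User, e.Action, e.Prev) {
			return i + 1
		}
		prev = e.Hash
	}
	return 0
}

func main() {
	var trail AuditTrail // constructed sample events, not real records
	trail.Append("clerk01", "VIEW ACC-0001")
	trail.Append("officer07", "APPROVE TRANSFER 1000.00 INR")
	trail.Append("sysadmin", "RELEASE LOCK ledger.db")
	fmt.Println("intact, first bad entry:", Verify(trail.Entries))

	edited := append([]Entry(nil), trail.Entries...)
	edited[1].Action = "APPROVE TRANSFER 9000.00 INR" // silent after-the-fact edit
	fmt.Println("edited, first bad entry:", Verify(edited))

	cut := []Entry{trail.Entries[0], trail.Entries[2]} // middle record removed
	fmt.Println("record removed, first bad entry:", Verify(cut))
}
```

The chain detects edits and deletions inside the log; the externally stored `Head()` value is what closes the remaining gap, since an insider with write access could otherwise truncate the log and regenerate a consistent chain.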

 

Yet another requirement of security is the integrity of data stored as back-up. Proper features such as checksums, hashing, etc., need to be developed so that no unauthorized tampering with the data is possible. The entire issue of backup - offsite and onsite - and its validity, both from an operational perspective and from legal requirements, has to be analysed in depth and appropriate procedures worked out.
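As an added example of the checksum-and-hashing feature called for above (written for this page; not code from any Reserve Bank backup procedure), the Go program below builds a SHA-256 manifest of a backup set at backup time and, at restore time, reports files that were modified, are missing, or have appeared. The backup set is an in-memory map with constructed file names and contents so that the example runs offline; the `Manifest` and `Report` types are the example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps a file path in the backup set to the hex SHA-256 of its content.
type Manifest map[string]string

func fileHash(data []byte) string {
	h := sha256.Sum256(data)
	return hex.EncodeToString(h[:])
}

// BuildManifest hashes every file at backup time. Files are an in-memory
// map here so the example runs offline; on disk you would walk a directory.
func BuildManifest(files map[string][]byte) Manifest {
	m := Manifest{}
	for path, data := range files {
		m[path] = fileHash(data)
	}
	return m
}

// ManifestDigest is a single digest over the sorted manifest lines. Keeping
// it apart from the backup media (or signing it) lets you detect a manifest
// that was rewritten to match tampered files.
func ManifestDigest(m Manifest) string {
	paths := make([]string, 0, len(m))
	for p := range m {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		fmt.Fprintf(&b, "%s %s\n", m[p], p)
	}
	return fileHash([]byte(b.String()))
}

// Report lists what differs between the manifest and the restored files.
type Report struct {
	Modified, Missing, Extra []string
}

// Clean is true only when the restored set matches the manifest exactly.
func (r Report) Clean() bool {
	return len(r.Modified) == 0 && len(r.Missing) == 0 && len(r.Extra) == 0
}

// VerifyBackup rehashes the restored files and compares them with the manifest.
func VerifyBackup(m Manifest, files map[string][]byte) Report {
	var r Report
	for path, want := range m {
		data, ok := files[path]
		switch {
		case !ok:
			r.Missing = append(r.Missing, path)
		case fileHash(data) != want:
			r.Modified = append(r.Modified, path)
		}
	}
	for path := range files {
		if _, ok := m[path]; !ok {
			r.Extra = append(r.Extra, path)
		}
	}
	sort.Strings(r.Modified)
	sort.Strings(r.Missing)
	sort.Strings(r.Extra)
	return r
}

func main() {
	// Constructed sample backup set; not real data.
	files := map[string][]byte{
		"ledger/2000-04-21.dat": []byte("ACC-0001,1000.00\nACC-0002,250.00\n"),
		"config/app.ini":        []byte("version=3\n"),
	}
	m := BuildManifest(files)
	fmt.Println("manifest digest:", ManifestDigest(m))
	fmt.Printf("fresh restore clean: %v\n", VerifyBackup(m, files).Clean())

	files["ledger/2000-04-21.dat"] = []byte("ACC-0001,9000.00\nACC-0002,250.00\n")
	delete(files, "config/app.ini")
	fmt.Printf("after tampering: %+v\n", VerifyBackup(m, files))
}
```

The manifest answers the operational question (did the restore give back exactly what was backed up?); the separately stored manifest digest is what gives the legal-validity side something to stand on, since a manifest kept on the same media as the backup can be altered together with it.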

 

Change management is another aspect that needs to be viewed from the security angle. Software (and at times hardware too) undergoes frequent updating; version control, and the levels of software in use across offices, is an issue which needs to be examined in its totality for practicable implementation at all offices and departments.

 

Most of the newer application software would have all the essential and desirable features as a mandatory part of their architecture. The software currently in use would have to be scrutinized from the point of view of conformity to the minimum security requirements.

 

The Internal Group on Security Policy which has taken the New Delhi office as the base for study would be bringing out its policy recommendations on all aspects pertaining to security and to address inherent risks which have both financial and non-financial implications. Once these recommendations are accepted, we would have some comfort in that the systemic risks will be largely addressed.

 

There is a lot more to be done in the months to come in regard to the payments system, and this can be realized with your concerted co-operation.

 
 

* Speech delivered by Dr. A. Vasudevan, Executive Director, Reserve Bank of India, at the Workshop for Regional Directors and Chief General Managers-in-charge at the Institute for Development and Research in Banking Technology (IDRBT), Hyderabad on April 21, 2000.
