Indian Banking and e-Security*

Dr. Rakesh Mohan, Deputy Governor, Reserve Bank of India

Delivered on Jul 30, 2004

I. INTRODUCTION

Thank you very much for inviting me to this inaugural session of the Conference on e-security. With the expansion of IT applications in the Indian banking system, there is a concomitant increase in concerns relating to e-security. It is, therefore, very appropriate and timely that the Indian Banks' Association (IBA) and Manufacturers Association of Information Technology (MAIT) have come together to organize this conference.

The banking sector is one of the leading users of information technology worldwide. The introduction of information technology has transformed banking almost beyond belief in the last decade and a half. Most of all, customers have benefited, as have the banks themselves. There have been very significant gains in the efficiency of banks leading to greater potential for higher profitability and consequent benefit to the economy as a whole.

The Indian software industry is among the leaders in providing software to the leading banks of the world. I think it is correct to say that the new millennium has brought in a much greater pace of absorption of IT in our banks, and in the Reserve Bank of India. What is important is that we must recognise our own strength in IT and leverage it to make it a source of comparative advantage for the financial system as a whole.

It is therefore entirely apposite that these two basic stakeholders in this symbiosis of banking and information technology (IT) have come together to deliberate on an issue of critical significance.

It is now trite to say how the world has changed with IT in the last decade and a half. In my own profession our mode of work has got completely transformed. I remember the time, in the mid 1970s, when I had to stay up nights in the Princeton University Computer Centre to run econometric regressions or to simulate models which I programmed myself in FORTRAN and then wait till the next day to get the results. Doing economic research was impossible without proximity to a large library and a large computer. Now information is available off the internet and all the computing power you want is in the economist's own home.

The banking sector is no exception to this changing scenario which is sweeping across the world. Most of the banks have already started to feel the impact of the operations of the new banks in the country. The single biggest advantage of these banks is the large scale deployment of IT in their business environment. Their business processes have been architectured around IT Solutions that solve problems as they emerge so that IT has become an integral part of their regular operations.

The changes staring in the face of bankers relate to the fundamental way of banking - which is undergoing a rapid transformation in the world of today. It is widely recognised that the core banking functions alone do not add to the bottom line of banks - value added services are slowly but steadily emerging as a substantial opportunity for banks to exploit. Prime factors necessitating these changes relate to the forces of competition, productivity and efficiency of operations, reduced operating margins and the need for better asset - liability management. With hair-thin profit margins being the order of the day, the solution to this would lie in increasing volumes so as to result in better operating results for banks. This is best achieved by exploiting the benefits of technology which facilitates handling of increased volumes at higher levels of efficiency. It is in this context that there is an imperative need for not mere technology upgradation but also integration of technology with the general way of functioning of banks.

With this backdrop, today I will delve into two related issues - one general and the other specific. The general issue relates to the progress of IT in Indian banking, while the specific issue is the theme of today's lecture, viz., IT in banking in e-security.

II. PROGRESS OF INFORMATION TECHNOLOGY IN BANKING IN INDIA

What have been the major strides in IT initiatives in banking? Taking a broad brush of history, the initiation of the process can be traced to the mid-1980s with the introduction of mechanised cheque processing using Magnetic Ink Character Recognition (MICR) technology and the efforts towards introduction of networks of computers in banks. These measures have resulted in all banks, including the public sector banks, embracing technology in a large way.

The Reserve Bank of India, as both a supervisor of the banking system as well as a custodian of the payment system, has played a major role in the innovation process of assimilating IT in banking. While a detailed account of this process could be seen as self-congratulatory, in order to put the issues in perspective, let me enumerate a quick run down of the various initiatives that have been taken in this regard.

  • Introduction of MICR based cheque clearing and its proliferation to 39 centres as on date, which has resulted in reduced time for realisation of cheques;
  • Implementation of safe, secure and quick modes of electronic funds movement for both corporate and retail segments, in the form of Electronic Clearing Service (ECS-Credit and Debit Clearing) and Electronic Funds Transfer (EFT), and the Special Electronic Funds Transfer (SEFT), all of which now cover about 10,000 branches of banks spread across about 200 cities and towns of the country;
  • The introduction of the Negotiated Dealing System for screen based trading in Government Securities by RBI regulated institutions;
  • The introduction of the Real Time Gross Settlement (RTGS) System for online settlement of inter-bank funds transfers on a transaction-by-transaction basis has been a significant achievement. This has resulted in risk free credit mode of funds settlement. The RTGS system witnesses inter bank transactions amounting to an average of Rs. 5000 crore on a normal working day in Mumbai;
  • Introduction of the Online Tax Accounting System (OLTAS), which has facilitated electronic transmission of tax related information from banks to the Tax Information Network (TIN) of the Income Tax Department

All these have been aimed at exploiting the benefits of IT to provide products and information conduits to banks that would enable them in turn to offer better service to their customers. It may also be observed that the recent past has witnessed new concepts such as 'Anywhere Banking' and 'Any Time Banking' being adopted by banks, which are but offshoots of technology implementation by banks. With the introduction of ATMs customers can even go to any networked branch or networked ATMs, and carry out many banking transactions. With e-banking, many activities can be carried out from within the customer's home. Such innovations have had a positive impact on customer service - besides the benefit that is derived by banks in terms of reduced costs of operation.

IT has also resulted in a major attitudinal change revolutionising the concept relating to treatment of customers of banks; with the death of geographical distances, banks need to treat the customer as a customer of the bank and not as a customer of any particular branch. This is now possible thanks to the usage of IT on a large scale whereby centralised data bases are possible in a bank with decentralised access. Another option to achieve this objective is to have clustered solutions in a bank with data of customers residing in these systems. Banks need to constantly look for innovative services which offer customers the convenience of transacting from anywhere, at any time, and using delivery channels that are suitable for them. These are frontiers which would add value to the services offered to customers and at the same time act as a means for increasing the profits for banks too.

One of the most significant areas where IT has had a positive impact is on substitutes for traditional funds movement services. With the advent of electronic banking, electronic funds transfer and other similar products, funds transfers across different constituents is now easily possible - within time frames which would have appeared impossible a few years ago. With networking and inter connection, new challenges are arising related to security, privacy and confidentiality of transactions. Many new players are entering into the arena of funds transfer services and the pride of place enjoyed by bankers is under severe threat. The competition is not just from organisations performing funds transfer services but from other seemingly unrelated channels such as service providers for message transfer, quick delivery of instruments and the like who all facilitate the movement of funds based messages at speeds faster than before.

III. INFORMATION TECHNOLOGY IN BANKING AND E-SECURITY

No innovation is without challenges - IT is no exception to this rule. The most prominent challenge arising from these innovations relates to the concept of security. With the delivery channels relating to funds based services - such as movement of funds electronically between different accounts of customers - taking place with the use of technology, the requirements relating to security also need to undergo metamorphosis at a rapid pace. Various concepts such as digital signatures, certification, storage of information in a secure and tamper-proof manner all assume significance and have to be part of the practices and procedures in the day-to-day functioning of banks of tomorrow. I must hasten to add at this stage that all these would be added requirements and the well established practices of today may also have to not only continue but also co-exist along with the new requirements.

The Reserve Bank of India has taken upon itself the setting up of a safe, secure and efficient communications network for the exclusive use of the banking sector. Named the INFINET (for the Indian Financial Network), this network is already being used by a large number of banks for funds and non-funds based message transfers, and is made available by the Institute for Development and Research in Banking Technology (IDRBT), Hyderabad. INFINET is perhaps among the few networks in the world which uses the latest in technology and security called Public Key Infrastructure - PKI, which is not only state-of-the-art and robust but also well within the legal requirements of the Information Technology Act, 2000.

For all these systems to be effective, there is a need for an effective security policy which would offer a shared vision of how the controls in the workplace should be implemented with the objective of protecting data, information and eventually, the economic value of the organisation. This has to be supplemented by education and training in these areas and reinforced by the actions and concerns of the top management so that a culture of security can be created. These controls have to be supported by surveillance, monitoring and auditing to detect unusual usage patterns and deficiencies. It is here that e-Security gains significance.

Yet another factor which is the driving force behind the use of technology in banking relates to the ever increasing expectations of the customers. Today's customers are more demanding and are also more techno-savvy compared to their counterparts of the yester years. They demand instant, anytime and anywhere banking facilities. Unless the banks recognize this and reorient themselves, they will have no future. It is information technology which enables banks in meeting such high expectations of the customers.

We are at the threshold of a significant change in the way banking in the country is poised to be in the days to come. The future lies not in mere use of technology by banks in the form of computers and related equipment but in the use of networked computing resources.

Both these factors require the usage of Information Systems which not only perform their assigned functions, but also provide for seamless interaction across different segments between the customer of a bank and the banker, after passing through many layers of network based communication and countless number of systems. It is here that the integrity of the message and its safe delivery - without any distortion or change - becomes of paramount significance. E-Security has a definitive and substantive role to play here and all large IT users are now actively and seriously addressing such security concerns.

Traditionally, IT has been providing solutions to banks to take care of their accounting and back office requirements. This has, however, now given way to large scale usage in services aimed at the customer of the banks. IT also facilitates the introduction of new delivery channels - in the form of Automated Teller Machines, Net Banking, Mobile Banking and the like. Further, IT deployment has assumed such high levels that it is no longer possible for banks to manage their IT implementations on a stand alone basis. To leverage the benefit of the IT revolution, banks are increasingly interconnecting their computer systems not only across branches in a city but also to other geographic locations with high-speed network infrastructure, and setting up local area and wide area networks and connecting them to the Internet. As a result, information systems and networks are now exposed to a growing number and a wider variety of threats and vulnerabilities.

The Reserve Bank of India constituted a 'Working Group for Information System Security for the Banking and Financial Sector' in 2001. The Group's recommendations have been the basis for the Information Systems Audit Policy for many banks and other financial entities.

As increasing dependence on information systems develops, the need for such systems to be reliable and secure also becomes more essential. As growing numbers of ordinary citizens use computer networks for banking, shopping, etc., network security is potentially a massive problem. Over the last few years, the need for computer and information system security has become increasingly evident, as web sites are being defaced with greater frequency, more and more denial-of-service attacks are being reported, credit card information is being stolen, there is increased sophistication of hacking tools that are openly available to the public on the Internet, and there is increasing damage being caused by viruses and worms to critical information system resources.

At the organisational level, institutional mechanisms have to be designed in order to review policies, practices, measures, and procedures to review e-security regularly and assess whether these are appropriate to their environment. It would be helpful if organisations share information about threats and vulnerabilities, and implement procedures for rapid and effective co-operation to prevent, detect and respond to security incidents. As new threats and vulnerabilities are continuously discovered there is a strong need for co-operation among organisations and, if necessary, we could also consider cross-border information sharing. We need to understand threats and dangers that we could be vulnerable to and the steps that need to be taken to mitigate these vulnerabilities. We need to understand access control systems and methodology, telecommunication and network security, and security management practice. We should be well versed in the area of application and systems development security, cryptography, operations security and physical security.

The banking sector is poised for more challenges in the near future. Customers of banks can now look forward to a large array of new offerings by banks. From an era of mere competition, banks are now cooperating among themselves so that the synergistic benefits are shared among all the players. This would result in the formation of shared payment networks (a few shared ATM networks have already been commissioned by banks), offering payment services beyond the existing time zones. The Reserve Bank is also facilitating new projects such as the Multi Application smart card project which, when implemented, would facilitate transfer of funds using electronic means and in a safe and secure manner across the length and breadth of the country, with reduced dependence on paper currency. The opportunities of e-banking or e-power in general need to be harnessed so that banking is available to all customers in such a manner that they would feel most convenient and if required, without having to visit a branch of a bank. All these will have to be accompanied with a high level of comfort, which again boils down to the issue of e-security.

One of the biggest advantages accruing to banks in the future would be the benefits that arise from the introduction of RTGS. Funds management by treasuries of banks would be helped greatly by RTGS. With almost 70 banks having joined the RTGS system, more large value funds transfers are taking place through this system[1]. The implementation of Core Banking solutions by banks is closely related to RTGS too. Core Banking will make anywhere banking a reality for customers of each bank, while RTGS bridges the need for inter-bank funds movement. Thus, the days of depositing a cheque for collection and a long wait for its realisation would soon be a thing of the past for those customers who would opt for electronic movement of funds, using the RTGS system, where the settlement would be on an almost instantaneous basis. Core Banking is already in vogue in many private sector and foreign banks; while its implementation is at different stages amongst the public sector banks.

IT would also facilitate better and more scientific decision making within banks. Information systems now provide decision makers in banks with a great deal of information which, along with historical data and trend analysis, help in the building up of efficient Management Information Systems. This, in turn, would help in better Asset-Liability Management (ALM) which, in today's world of hairline margins is a key requirement for the success of banks in their operational activities. Another benefit which e-banking could provide for relates to Customer Relationship Management (CRM). CRM helps in stratification of customers and evaluating customer needs on a holistic basis which could be paving the way for competitive edge for banks and complete customer care for customers of banks.

[1] As of October 2004 (i.e., around the time the address was going to the Press), 92 banks had joined the RTGS system.

V. THE FUTURE

How do we see the future? Not being trained in astrology let me try to track the future in terms of the recent initiatives.

Recognising that paper based cheques would continue to be in use in the country, the RBI has begun to look into ways and means to reduce the time taken for realisation of these cheques. As an effective and implementable model, truncation of cheques is being introduced by the RBI. This would facilitate quick realisation of cheques without the actual physical movement of such collection instruments. A pilot project in this regard has been launched covering the National Capital region of Delhi and its nearby places in the first instance.

Electronic modes of payment are increasingly replacing the traditional paper cheque. It is almost impossible to imagine now how payment settlements were done physically before the electronic age. ECS is now more than 10 years old. The per transaction limit for ECS (Credit) is Rs.5 lakh and for ECS debit it is Rs.1 lakh. The Electronic Funds Transfer (EFT) System was introduced by RBI in 1997. There is currently a maximum limit of Rs.2 crore for individual transactions. The Special EFT system was introduced just a year ago. Each of these systems of electronic transfer of funds is growing at a very rapid pace. These various maximum limits were fixed considering the levels of comfort of banks and for greater acceptability in the initial stages and also because of security considerations.

There is now an increasing demand for expanding the scope of EFT facilities and to provide solutions for faster movement of funds for the capital markets to take care of the requirements of the T+1 settlements. The ECS and EFT systems are now PKI enabled and message transfers take place in a secure environment. This issue is therefore under our active consideration and I am hopeful that we can enhance these limits or eliminate them entirely[2]. As such decisions are taken, the need for a constant upgradation of their security features is obvious.

I am also told that there will be increasing interlinking between internet and intranets of banks. As this connectivity expands there will be greater need for security features that guard against e-contagions spreading, should such unfortunate events take place. Regulators have so far been concerned with contagion in the financial sector resulting from adverse developments in the overall economic environment. We will also now need to be concerned with e-contagion resulting from technology developments. In fact, we will have to make sure that the probability of such events is only an epsilon away from zero.

I have already mentioned the initiation of the OLTAS project. This is related to online transmission of both tax revenue and the connected information. It goes without saying that security in such transactions is of the utmost importance. The electronic data interchange system connected with trade activities facilitating just in time processing is another system that has to be fully secure. Moreover, the success of state level of VAT will also be related to electronic payment system, accounting and related security system.

Other new products such as smart cards and other cards with embedded money will need to be introduced carefully with full security for customer and payment and settlement system alike.

We need to give greater thought to all the issues connected with actual implementation of e-Security. Security is actually not built over any existing block; in today's world it has to be an integral part of the block itself. This is where the need for implementation of e-security from the stage of manufacture - of the hardware, software, during its integration and final implementation - assumes significance. It is heartening to see the confluence of manufacturers and users in this seminar and I am sure that there will be many lessons which we will all carry back home to implement and practice on a regular basis. I request you all to find solutions to the vexing problem of e-security to the best possible extent so that we could prove to the rest of the world that the collective efforts of the suppliers and the users would be the best and the most effective barrier to such security violations. I am very optimistic that this can be an achievable reality.

[2] The per transaction limits have been removed with effect from November 1, 2004.


* Keynote address by Dr. Rakesh Mohan, the then Deputy Governor, RBI at the Conference on e-Security organised jointly by IBA and MAIT on July 30, 2004 at Mumbai. Dr. Mohan is grateful to Dr. R.B. Barman, R. Gandhi, Dr. A.M. Pedgaonkar, S. Ganesh Kumar and Partha Ray of the Reserve Bank of India for their assistance.

