The Reserve Bank of India, under its SAARCFINANCE Chair, organised the SAARCFINANCE Governors’ Symposium 2021 on March 2, 2021. The Symposium consisted of two sessions, viz., (i) Inaugural Session with Welcome Remarks by Dr. Michael D Patra, Deputy Governor, Reserve Bank of India, Inaugural Remarks by Mr. Shaktikanta Das, Governor, Reserve Bank of India and Keynote Address by Mr. Jermy Prenio, Senior Advisor, Bank for International Settlement (BIS) and (ii) Panel Discussion, comprising a mix of officials from the SAARC central banks and experts from external institutions, on the topic “Cyber security in Central Banks”. Mr. R. Subramanian, Executive Director, Reserve Bank of India, delivered the closing remarks for the Symposium. The Symposium was attended by Governors, Deputy Governors, Executive Directors and other officials from all the SAARC central banks. On the sidelines of the Symposium, a presentation of the SAARCFINANCE Collaborative Study on “Comparison of Financial Sector Regulatory Regimes in the SAARC Region”, was also made on March 1, 2021.

Welcome remarks by Dr. Michael Patra, Deputy Governor, RBI

Dr. Patra inaugurated the Symposium by extending a warm welcome to all the participants. With the Reserve Bank’s stint as the chair of SAARCFINANCE coming to an end, he looked back at the history of the SAARCFINANCE network, the initiatives and roadmap areas of cooperation undertaken by this forum and the achievements accomplished, particularly those attained in the last year. He also talked about the changing roles of central banks in these changing times. He emphasised that the COVID-19 pandemic has necessitated embracing technology in various areas and with this focus, technology has been kept as an overarching theme of the Symposium.

Inaugural Remarks by Mr. Shaktikanta Das, Governor, RBI

Mr. Shaktikanta Das, Governor, RBI, in his opening remarks underscored the need for effective, creative, and prudent use of technology, in view of major transformations in the Information Technology (IT) functions of central banks. He remarked that Big Data is creating new opportunities for statistical analysis and data dissemination functions by central banks as their supervisory capabilities are getting upgraded. He added that suptech tools could also have important benefits for financial stability by improving surveillance and analytical capabilities and generating real time indicators of risk to support forward-looking supervision and policymaking.

He mentioned that although the rapid growth of data available for regulatory purposes has offered several opportunities for authorities, the use of personal data raises other considerations including the need for adherence to data privacy and data protection standards, and applicable laws and regulations. Governor Das also emphasised the need for proactive and continued alacrity of financial sector firms, regulators and central banks to ward off threats to cyber-security. He highlighted the major initiatives taken by various multilateral organisations and standard-setting bodies to enhance the risk preparedness of financial sector to combat cyber risks. He also talked about cyber-security in India and the adoption of board-approved cyber-security policy by Indian banks.

Keynote Address by Mr. Jermy Prenio, Senior Advisor, BIS

Mr. Jermy Prenio, in his keynote address, remarked that central banks have, for a long time, been using technology-leveraged tools to carry out their supervisory functions and making data processes more efficient. He explained that these tools have evolved hand-in-hand with advances in technology and described the generations of central banking technologies in the areas of data collection, processing, storage, analytics and visualisation.

He stated that suptech can broadly be found in two areas - data collection (reporting, virtual assistance, data management) and data analytics (market surveillance, misconduct analytics, microprudential and macroprudential supervision). Data analytics, with its focus on artificial intelligence and machine learning, to ease analysis of large volumes of data and to deal with supervisory issues which cannot be detected with traditional analytical tools, has been receiving a lot of attention. However, the use of data analytics tools hinges on the availability of good quality data. The importance of data has also been highlighted in the current pandemic, with central banks having to rely on data to monitor the financial health of their supervised entities, due to limited on-site inspection across jurisdictions. The current scenario underscores the importance of having more efficient and effective data collection practices, which will enable efficient monitoring of supervised entities. He also described the various innovations that are being carried out in the regulatory reporting process in the areas of standardisation, reporting, transmission and access of data.

Mr. Prenio emphasised that there exists a need to collaborate on the issues relating to better using the suptech tools to ensure data standardisation and data interoperability, especially in the cross-border context. He elaborated on the various probable use-cases, where the potentials of suptech can be utilised and how various uses of suptech can lessen the burden of regulated entities also, besides enhancing effectiveness of supervision. He stressed the need to have a holistic strategy for embedding suptech tools in the organization and developing tools that are grounded in reality while at the same time allowing the experimentation with innovative solutions. This could be facilitated by fostering a culture of innovation in the organisation, developing the potential of supervisory staff and by means of peer-learning among the central banks.

He concluded that the adoption of suptech should be guided by its need, with the objective of making the processes simpler and taking into consideration its effect on supervised entities, especially the smaller ones. The keynote address was followed by a question-answer session.

The second session of the Symposium was a Panel Discussion on the topic ‘Cyber Security in Central Banks’. The panel consisted of Mr. Debdulal Roy, Executive Director, Bangladesh Bank; Mr. Vasantha Alwis, Director, Information Technology Department, Central Bank of Sri Lanka; Mr. H Krishnamurthy, Retired Chief Research Scientist, Indian Institute of Science (IISc) and Member, RBI’s Standing Committee on Cyber Security; Mr. Siddharth Vishwanath, Partner, Cyber Security, PricewaterhouseCoopers (PwC) India and Mr. T. K Rajan, CGM, Department of Supervision. Mr. Deepak Kumar, CGM-in-C, Department of Information Technology moderated the session. The panelists touched upon various aspects of cyber security, including definition of cyber risks, reporting of cyber incidents, strategies to strengthen cyber resilience. All the panelists agreed that security is only as strong as the weakest link; however, they recognised the importance of exercising prudence in cyber security, so as to not curb digital innovation.

Mr. Deepak Kumar started the session by giving a brief background about the various aspects of cybersecurity including means to achieve cyber resilience and what constitutes cyber risks and cyber incidents. He discussed the three-pillar cyber security strategy given by the BIS of – (i) minimizing the attack surface (ii) advanced threat detection and (iii) cyber security operations. He also gave a brief overview of the information security risk management system and the policies adopted by central bankers to mitigate cyber risks for strengthening operational resilience. He emphasised the need to maintain a balance between exercising prudence and becoming excessively obsessed while implementing cyber security and also recognizing the fact that security is only as strong as its weakest link.

The panel discussion commenced with a narrative of cybersecurity from the point of view of central banks. Mr. Debdual Roy shared the experience of Bangladesh Bank with cyber threats and the cyber security measures adopted by them. He added that people, processes and technology are the three important points of cybersecurity framework. Mr. Vasantha Alwis remarked that central banks framing cyber security policies should be guided by the confidentiality, integrity and availability of information. The most critical IT and people aspects of the bank should be identified and ICT controls should be adopted accordingly. He also recommended the implementation of a live document on cyber security guidelines, for the staff of the central banks, and to provide them with general training and refresher courses. Prof. Krishnamurthy, who is also a member of the Reserve Bank’s Standing Committee on Cyber Security, stated that technology solutions today need to address robustness and security aspects in addition to performance, scalability and availability. He highlighted the Reserve Bank’s role in ensuring timely inputs and directions to the banking system. He stated that in the data governance framework, data secrecy, privacy and localisation are of utmost concern to the central banks. Cyber security implementation requires an ecosystem approach, covering policy framework, implementation guidelines, identifying controls, and establishing an effective audit of the system followed by proactive monitoring and management. Mr. Siddharth Vishwanath, PwC, recognized the importance of periodic review of the cyber security framework and of adoption of the global best practices. He suggested the use of artificial intelligence to generate automatic alerts in the likelihood of breach in the network system. He also discussed the current work-from-home scenario during the pandemic and the need to establish ‘secure remote access’ and ‘perimeter-less security’. Mr. T K Rajan highlighted the contrast between managing cyber security in central banks vis-à-vis that in a commercial bank. Central banks are on the radar of state as well as non-state cyber attacks primarily because of the news value, potential for higher rewards and systemic consequences for the entire financial sector of the country. For commercial banks, credit risk continues to be the highest risk; however, cyber risk comes a close second. A central bank has to balance the constant trade-off between having more controls to reduce the vulnerability of attacks on one hand and customer convenience on the other hand. He also talked about the role of Chief Information Security Officer (CISO) and the measures taken by the Reserve Bank to empower the CISO in regulated entities were also mentioned.

It emerged that building a culture of cyber security in the institution is of paramount importance. Reserve Bank of India has been running certification programs for the top management, senior management and boards of the commercial banks. Mr. Vishwanath highlighted the need of breaking up audience into three cohorts for training programs – the management; general users; and IT admin of the organisation. He emphasised the importance of ‘tone at the top’ for achieving cyber security goals. Mr. Alwis stated that there is an acute shortage of right talent in the cyber security domain, and experts are in high demand as well as expensive. He highlighted that the Central Bank of Sri Lanka has created an institutional arrangement for collaboration on cyber security with mandatory sharing of information on cyber incidents.

Initiating the Q&A Session which followed the panel discussion, Dr. Mohua Roy, Adviser-in-Charge, International Department mentioned that the standard practice in international organisations like the IMF of regularly sensitizing all the staff and officers, including the top management, by making it compulsory for them to take periodic (halfyearly/quarterly) tutorials on information security could be adopted in the SAARC central banks as well. Multiple questions were raised by the audience and addressed by the panellists on areas such as, remote access security, trainings, talent sourcing, international cooperation on cybercrimes, geography-specific cyber-security needs.

Mr. R. Subramanian, Executive Director, in his closing remarks thanked all the Governors, Deputy Governors, collaborative study researchers, keynote speaker Mr. Jeremy Prenio, the panelists and other SAARCFINANCE participants for their participation in the Governors’ Symposium. He commended the strong resolve of all central banks, for remaining committed, even in the times of crisis and conveyed his best wishes to the Maldives Monetary Authority for taking over the SAARCFINANCE Chair from April 1, 2021.

The SAARCFINANCE Collaborative Study on “Comparison of Financial Sector Regulatory Regimes in the SAARC Region” was jointly presented by Mr. BHPK Thilakaweera and Mr. J N Dhantanarayana, the researchers from Central Bank of Sri Lanka and Dr. Nishita Raje, from the Reserve Bank of India. The study looked at the reforms undertaken in the SAARC countries to promote competition in the financial sector, development of payment and settlement systems and strengthening of regulations and the variation in nature, intensity and progress of these reforms in the member countries.

The presentation made a comparison of financial sector regulations introduced so far and the different dynamics across different jurisdictions in the SAARC region. It focused on the variation in the nature, intensity and success of the regulations across the SAARC region. The study observed that voluntary regulatory co-operation and forums like the SAARCFINANCE initiative, have helped in achieving a high standard of regulation and financial integration, thereby leading to sustainable economic growth in the region. The data used for the study are based on a SAARC member countries survey on financial sector reforms, IMF Macroprudential Survey and the Bank Regulation and Supervision Survey conducted by World Bank (2019).

With the South Asian region heading towards high standards of integration, it is imperative that macroprudential policy will be subjected to a range of potential cross-border effects. These policies may lead to both positive and negative externalities through risk management and undesirable spillovers to other jurisdictions, respectively. Additionally, the availability of granular cross-sectional and time series data, especially for the corporate and household sector, remains a challenge for member countries. The coordinated regulatory regime can further be strengthened through sharing of technical know-how in the areas of macroprudential surveillance. Achieving training synergies and knowledge sharing of best practices between member countries can also help in making available a large pool of skilled professionals working in the area of financial sector regulation. The setting up of regulatory sand boxes within the region and the subsequent launch of successful products by the regional entrepreneurs will help in promoting innovation and enable the SAARC region to become a mass incubator for fintech products.

At the end of the presentation, the floor was opened for discussion. The researchers answered questions on the implementation status of Risk Based Supervision (RBS), adoption of the International Financial Reporting Standards 9 (IFRS 9), implementation of the Countercyclical Capital Buffer and efficacy of macroprudential policies. The discussion was closed with the suggestion of updating the study with post COVID -19 measures relating to financial sector regulations.