The Reserve Bank of India (RBI) has set up a subsidiary to take care of its information technology (IT) requirements including cyber security needs of the central bank and its regulated entities. Nand Kumar Saravade has been appointed as its chief executive effective 1 June 2016. Following is the notification from RBI dated 16 May 2016 –
“Reserve Bank of India (RBI), a statutory organization established under the RBI Act, 1934 is in the process of setting up of an Information Technology (IT) subsidiary to take care of the IT requirements including the cyber security needs of the Reserve Bank and its regulated entities.
The IT subsidiary would focus on IT and cyber security (including related research) of the financial sector and assist in IT systems audit and assessment of the RBI regulated entities; advise, implement and manage internal or system-wide IT projects (both the existing the new) of the Reserve Bank as mutually decided between the Reserve Bank and the subsidiary.
The IT subsidiary would act as a catalyst for innovation, big systems and new ideas apart from having the capability to guide the regulated entities in the IT areas of their operations as also for the RBI’s IT related functions and initiatives. Given the need for inter-operability and cross-institutional cooperation, the entity would be expected to be effectively participating in setting up of standards to strengthen Reserve Bank’s role as regulator. The entity shall have Advisory Committees to provide guidance on cyber security, current and futuristic requirements of entities regulated by the Reserve Bank, particularly from the regulatory and supervisory perspectives, and to the Reserve Bank on its IT systems and its projects. The subsidiary would report periodically to apex level committees of the Reserve Bank including the Board for Financial Supervision, the Board for Payment and Settlement Systems and the IT Sub-committee of the Board, and RBI’s Central Board of Directors as required.”
Moneylife readers are familiar with Mr Saravade. Moneylife Foundation organised a seminar of Cyber Security and Privacy in July 2015 with Mr Saravade and this writer as speakers. Mr Saravade is an ex-IPS officer with specialization in cybercrimes and forensics. Prior to RBI, he was CEO of Data Security Council of India. Prior to that, he worked with Citi, ICICI, NASSCOM and CBI. The new RBI subsidiary will have four verticals –
1. Cyber Security
2. Research and Innovation including collaboration with other institutions including IDRBT, Hyderabad
3. IT Systems Audit and Assessment of RBI regulated entities
4. IT Project Management including Support and Advisory Services
As the entity will be subsidiary, it cannot have regulatory functions, which RBI departments like Department of Banking Operations and Development (DBOD), Department of Banking Supervision (DBS) and Urban Banks Department (UBD) are performing. This is also clear from the notification, which says – “the entity would be expected to be effectively participating in setting up of standards to strengthen Reserve Bank’s role as regulator”.
The constitution of the new subsidiary is also not clear whether it will be registered under societies act or companies act, or any other act. RBI already has an IT subsidiary as Institute for Development & Research in Banking Technology (IDRBT) in Hyderabad, registered as a society, whose main functions are (a) to maintain Infinet, which connect all banks for National Electronic Funds Transfer (NEFT) and Real-time gross settlement systems (RTGS) on closed user group ( CUG ) basis; (b) provide digital signatures to banking and financial institutions (FI) under the name IDRBT- Certifying Authority (IDBRT-CA) and (c) IT related training to bankers. It is yet to be formalised and seen, what relationship and synergy will exist between new subsidiary with RBI IT department, DBOD, DBS, UBD and IDRBT. One reason to create a subsidiary is to have non-bureaucratic policies, processes, procedures and compensation, which may not be possible as a department of RBI.
The subsidiary will cater to cyber security needs to RBI and all its regulated entities. That means all banks and FIs will be covered. It is good news to bank customers and also to bankers that RBI is waking up to the potential of good, bad, ugly, nasty and hostile usage of Information and Cyber Technology, especially after some recent high profile cybercrime incidents such as involving Bangladesh Bank and The Society for Worldwide Interbank Financial Telecommunication (SWIFT). The same was later replicated at many other banks.
A lot needs to be done to secure our national critical IT infrastructure. The current spate of hacking, SWIFT attack, ransomware, card frauds, Phishing attacks, ATM heists, security holes in network and applications need to be addressed asap. With schemes like JanDhan Yojna, RuPay cards, DBTL, Aadhaar, mobile banking, payment banks, PM Suraksha and Jivan Jyoti Bima Yojna. A lot of new crimes will be introduced in Indian banking environment. Bank customers will have lot of expectations from Mr Saravade. RBI should give him a free hand.
(Dr Rakesh Goyal is an Engineer, PGDM from IIMB and PhD is Cyber Security with many cyber security certifications. He is MD of Sysman Computers Private Limited and Director General of Center for Research and Prevention of Computer Crimes. He can be contacted at [email protected].