RBI enlarges net of cyber security controls – now covers ATM switch application service providers
Introduction
Digital transactions and fintech have been the buzzwords of the past few years. The Indian government, the regulators and the industry have all focused on adopting fintech and digital transactions.
While cashless transactions continue to be driven by fintech, cash still holds a significant share of retail payment transactions. It is understood that private sector banks lead in electronic transactions, while PSU banks have an edge in cash transactions at the automated teller machine (ATM) network level.
One key component of banking operations is the transactions undertaken at ATMs and the real-time IT network connecting all the ATMs for the seamless execution of customer transactions. These ATMs are often exposed to hacking, resulting in fraudulent transactions and data breaches.
Every new technology takes time to be perfected and undergoes modifications due to glitches arising during its teething period. In 2016, the debit card details of several customers were compromised due to malware injected into an ATM network managed by an ATM service provider. There has also been a substantial increase in the number of ATM frauds reported throughout the country. The Reserve Bank of India (RBI) has on various occasions flagged these ATM fraud issues to the banks and asked them to improve security measures to prevent ATM frauds.
In this direction, the RBI in its fifth Bi-Monthly Monetary Policy Statement 2019-20 announced its intention to introduce certain cyber security controls for ATM switch application service providers (ASPs) engaged by banks and other regulated entities (RREs) for managing their ATM switch ecosystems.
The RBI realised that the increasing dependency of RREs on ASPs for managing ATMs exposes the ASPs to the payment system landscape and associated confidential information, leaving such RREs exposed to cyber security threats. Consequently, the RBI deemed it necessary to formulate and implement guidelines to ensure that adequate measures are taken to secure ATM systems and networks.
Recently, the RBI has issued a slew of circulars to strengthen IT systems and frameworks of RREs. The circulars have mandated measures to be undertaken in relation to cyber security primarily to protect customers from cyber frauds, breaches, data leakages, and such other incidents.
With this backdrop, RBI issued a circular DOS.CO/CSITE/BC.4084/31.01.015/2019-20 on 31 December 2019 (Circular) directing all RREs to ensure implementation of cyber security controls by ASPs. The RBI has also stipulated a timeline of 31 March 2020 for RREs to revise their contracts with the ASPs to ensure compliance with these cyber security controls.
Overview of the Circular
The Circular lays down a host of cyber security controls to be adopted by ASPs. The RREs will be responsible for ensuring that the ASPs abide by the Circular, by appropriately amending the contracts between the RREs and ASPs on or before 31 March 2020.
The above Circular will apply to RREs such as Scheduled Commercial Banks, Regional Rural Banks, Local Area Banks, Primary (Urban) Co-operative Banks, State and Central Co-operative Banks that generally set up ATMs as well as White Label ATM service providers.
Some of the cyber security controls required to be implemented by ASPs as per the Circular are listed below:
- Set up mechanisms for preventing access by unauthorised software and/or applications, and monitor them.
- Establish appropriate controls for securing the physical location of critical assets and protecting them from natural and man-made threats.
- Maintain baseline security measures for all applicable devices (such as databases, networks, security systems, etc.).
- Follow a documented risk-based strategy for patch, vulnerability and change management.
- Implement a centralised authentication and authorisation system for accessing the network.
- Develop a comprehensive data leakage prevention strategy to safeguard sensitive business and customer information.
- Maintain, manage and analyse audit logs pertaining to user actions in a system.
- Establish a mechanism for incident response and management.
- Create a robust defence against the installation, spread and execution of malicious code.
- Periodically conduct vulnerability assessments and penetration tests on applications, servers and network components.
- Arrange for network forensics / forensic investigation and mitigation services on standby.
- Comply with the relevant standards applicable to the IT ecosystem.
Comments
These new cyber security norms are similar to those prescribed by the RBI for banks and other regulated entities regarding their IT systems and networks. The RBI, vide the Circular, has widened its net by mandating a robust cyber security framework for ASPs, in light of these service providers being increasingly privy to confidential information and exposed to cyber security threats. Implementation of these norms will entail additional time and cost for the ASPs. It remains to be seen whether the RREs will meet the 31 March 2020 timeline for implementing the Circular.
- Nikhilesh Panchal (Partner), Malav Shah (Principal Associate) and Srijanee Bhattacherjee (Associate)
For any queries please contact: editors@khaitanco.com
For private circulation only
The contents of this email are for informational purposes only and for the reader’s personal non-commercial use. The views expressed are not the professional views of Khaitan & Co and do not constitute legal advice. The contents are intended, but not guaranteed, to be correct, complete, or up to date. Khaitan & Co disclaims all liability to any person for any loss or damage caused by errors or omissions, whether arising from negligence, accident or any other cause.
© 2024 Khaitan & Co. All rights reserved.