Banks should ensure adequate investments in technology to address risks, Reserve Bank of India (RBI) deputy governor M K Jain said on March 29 while addressing a gathering at the Centre for Advanced Financial Research and Learning.
The boards of banks must start looking at cyber security as an enterprise-wide risk management issue rather than a pure IT security concern due to its firm-wide implications, Jain said.
The comments assume significance in the backdrop of rising instances of cyber frauds and also frequent technical glitches that plague netbanking services.
To combat rising cyber risks, the central bank has mandated awareness training programmes for boards of directors and senior leadership teams to familiarise them with IT and cybersecurity concepts, Jain said.
In its oversight role, the board needs to oversee the cybersecurity management, including appropriate risk mitigation strategies, systems, processes, and controls, he said.
The board must also examine if the institution has appropriate skills, resources, and approaches to minimise the cyber risk and mitigate any damages, Jain said.
In recent years, the RBI has come down hard on banks for IT system lapses. In December 2020, it banned the country's largest private lender, HDFC Bank, from onboarding new customers and launching new digital products following repeated outages. The ban was lifted earlier this month.
Recently, the RBI barred Paytm Payments Bank, too, from taking on new customers while ordering an IT audit.
Jain cited lack of investment in technology, shortage of technically qualified personnel and business disruptions as reasons for increased risks.
Audit and corporate governance
In his speech, the deputy governor stressed the quality of the audit in banks and the need for better compliance with the highest standards of corporate governance.
During its assessment, the RBI found that the audit process was unable to capture irregularities. It also found non-coverage of certain areas and a situation where compliance and audit were not collaborating, the deputy governor said.
The appointment and removal of heads of oversight and assurance functions should have stringent barriers and they must be independent of executive management, Jain said.
"Assurance functionaries should not be performing any of the tasks on which they are required to take a view independent of the risk-takers," the deputy governor added.
While good corporate governance is essential for all institutions, these structures and processes are expected to be even more robust for banks. "Banks and financial institutions are different from other business entities in many ways. Their business model is very different from other business entities...hence, the governance structures and practices in the banks should prioritise the protection of the interests of their depositors," Jain said.