RBI says “Smart Authentication”

Vaibhav Sonavane
4 min read · Mar 22, 2021

Over the years the way we bank has changed enormously. Advances in information technology and mobile computing have been the catalyst for the transformation of the banking and financial sector.

RBI has always been conscious that the same technology that gives a customer new ways to transact with ease also gives wrongdoers new avenues of attack. To keep malicious actors at bay and the system trustworthy, RBI has from time to time issued cyber security guidelines for Banks, NBFCs and UCBs.

Below are a few Circulars related to Cyber Security from RBI:-

1) Working Group on Information Security (DBS.CO.ITC.BC.No.6/31.02.008/2010–11)

2) Cyber Security Framework in Banks (DBS.CO/CSITE/BC.11/33.01.001/2015–16)

3) Master Direction - IT Framework for NBFCs (DNBS.PPD.No.04/66.15.001/2016–17)

4) Basic Cyber Security Framework for UCBs (DCBS.CO.PCB.Cir.No.1/18.01.000/2018–19)

5) Master Direction on Digital Payment Security Controls (dated 18 February 2021)

The earlier circulars have already received plenty of attention. This post focuses on the most recent one, the Master Direction on Digital Payment Security Controls.

RBI - India’s central bank and regulatory body

Digital Payments Security Controls

RBI/2020–21/74, DoS.CO.CSITE.SEC.No.1852/31.01.015/2020–21

Overview

This is the latest set of guidelines released by RBI as of this writing. The master direction covers regulated entities that offer digital payment products and services. The entities within its purview are:-

· Scheduled Commercial Banks (excluding Regional Rural Banks)

· Small Finance Banks

· Payments Banks

· Credit card issuing NBFCs

In this circular, RBI addresses the full breadth of the "Digital Payments Platform", from governance to channel-specific controls, and sets out the controls that should be in place to mitigate the associated security risks.

The security controls are grouped into the buckets shown in the figure below.

[Figure: RBI recommended security controls]

What’s new?

RBI has reiterated the importance of a few baseline security controls from its earlier circulars, covering Governance, Internet Security, Application Security and others. But it has also brought forward one crucial aspect of Digital Payments that deserves its own attention: "Fraud Controls".

The use of Digital Payments has grown exponentially since the start of the COVID-19 pandemic. With this growth we have also seen a rise in fraud. It can be as simple as tricking a customer, through social engineering, into transferring money to the fraudster, or as sophisticated as siphoning cash from multiple ATMs at the same time.

To mitigate this risk head-on, RBI has explicitly called for “Smart Authentication”.

What does it mean? Simply that the Digital Platform must have the intelligence to detect and restrict fraudulent logins and transactions. Before going further, we need to understand a few of the risk signals that indicate a possibly fraudulent login or transaction:-

· Geo-Velocity: A customer logs in to the "Digital Platform" from Mumbai (say) and, a couple of minutes later, logs in from New York. The implied travel speed is impossible, so both sessions cannot belong to the same person.

· Risky Geography: A customer tries to log in from a blacklisted country or IP address.

· Risky Device: A login attempt comes from a jailbroken or rooted device, where the app's own protections cannot be trusted.

· Abnormal Time: A customer tries to log in at an unusual time for that customer, say 2 am.

· Abnormal Transaction: A customer tries to transfer a much larger amount than usual, or transfers many more times in a day than usual.

These are just a few examples of signals for "Fraudulent Access" as well as "Fraudulent Transactions". The "Payments Platform" should be smart enough, when such a login attempt or transaction is initiated, either to block it outright or to challenge the user with an additional authentication factor, such as an OTP, before letting it proceed.
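A minimal risk-scoring engine for the five signals above, as an added example (this is not code from the article or from RBI): it takes a customer's behavioural profile and an incoming login or transfer event, scores each signal, and returns ALLOW, CHALLENGE (step up to an additional factor such as an OTP) or BLOCK. The weights, thresholds, deny lists, the customer profile and the sample events are all constructed assumptions for illustration.

```python
"""Risk-based ("smart") authentication scorer.

Added example, not part of the original article or of RBI's Master Direction.
All weights, thresholds, deny lists, the profile and the events are constructed
assumptions; a real deployment would tune them from its own fraud data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev
from typing import List, Optional, Tuple

BLOCKED_COUNTRIES = {"XX"}             # constructed deny list (ISO country code)
BLOCKED_IPS = {"203.0.113.7"}          # constructed; TEST-NET-3 address
MAX_PLAUSIBLE_SPEED_KMH = 900.0        # roughly airliner cruising speed
CHALLENGE_SCORE, BLOCK_SCORE = 30, 60  # constructed decision thresholds


@dataclass
class UserProfile:
    user_id: str
    usual_hours: set                 # hours of day in which this user normally logs in
    past_amounts: list               # recent transfer amounts (INR)
    usual_daily_count: int           # typical number of transfers per day
    last_login: Optional[tuple]      # (aware datetime, lat, lon) of the previous login


@dataclass
class Event:
    user_id: str
    when: datetime                   # timezone-aware, same zone as profile.usual_hours
    ip: str
    country: str
    lat: float
    lon: float
    device_rooted: bool
    amount: Optional[float] = None   # None for a plain login
    transfers_today: int = 0         # transfers already completed today


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two WGS84 points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_event(profile: UserProfile, ev: Event) -> Tuple[int, List[str]]:
    """Return (risk score, names of the signals that fired)."""
    score, reasons = 0, []

    # Geo-velocity: distance from the last login divided by elapsed time.
    # A non-positive elapsed time (clock skew, replay) is treated as suspicious.
    if profile.last_login:
        prev_when, plat, plon = profile.last_login
        hours = max((ev.when - prev_when).total_seconds() / 3600.0, 1e-6)
        if haversine_km(plat, plon, ev.lat, ev.lon) / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += 50
            reasons.append("geo_velocity")

    # Risky geography: deny-listed country or IP address.
    if ev.country in BLOCKED_COUNTRIES or ev.ip in BLOCKED_IPS:
        score += 60
        reasons.append("risky_geography")

    # Risky device: jailbroken or rooted handset.
    if ev.device_rooted:
        score += 40
        reasons.append("risky_device")

    # Abnormal time: outside the hours in which this user normally transacts.
    if ev.when.hour not in profile.usual_hours:
        score += 20
        reasons.append("abnormal_time")

    # Abnormal transaction: amount far above this user's history, or too many today.
    if ev.amount is not None and profile.past_amounts:
        mu, sigma = mean(profile.past_amounts), pstdev(profile.past_amounts)
        if ev.amount > mu + 3 * max(sigma, 1.0):
            score += 40
            reasons.append("abnormal_amount")
        if ev.transfers_today + 1 > 2 * profile.usual_daily_count:
            score += 30
            reasons.append("abnormal_frequency")

    return score, reasons


def decide(profile: UserProfile, ev: Event) -> Tuple[str, List[str]]:
    """Map the score to ALLOW, CHALLENGE (step-up factor, e.g. OTP) or BLOCK."""
    score, reasons = score_event(profile, ev)
    if score >= BLOCK_SCORE:
        return "BLOCK", reasons
    if score >= CHALLENGE_SCORE:
        return "CHALLENGE", reasons
    return "ALLOW", reasons


# Constructed sample data: a Mumbai customer who transacts in the daytime.
IST = timezone(timedelta(hours=5, minutes=30))
PROFILE = UserProfile(
    user_id="cust-001",
    usual_hours=set(range(9, 22)),
    past_amounts=[2500, 3000, 1800, 4200, 2200, 3100, 2700, 3900],
    usual_daily_count=2,
    last_login=(datetime(2021, 3, 22, 10, 0, tzinfo=IST), 19.076, 72.8777),
)
NORMAL_LOGIN = Event("cust-001", datetime(2021, 3, 22, 10, 30, tzinfo=IST),
                     "198.51.100.4", "IN", 19.08, 72.88, False)
IMPOSSIBLE_TRAVEL = Event("cust-001", datetime(2021, 3, 22, 10, 5, tzinfo=IST),
                          "198.51.100.9", "US", 40.7128, -74.0060, False)  # New York, 5 min later
LATE_NIGHT_BIG_TRANSFER = Event("cust-001", datetime(2021, 3, 23, 2, 0, tzinfo=IST),
                                "198.51.100.4", "IN", 19.08, 72.88, False, amount=250000.0)

if __name__ == "__main__":
    for ev in (NORMAL_LOGIN, IMPOSSIBLE_TRAVEL, LATE_NIGHT_BIG_TRANSFER):
        print(decide(PROFILE, ev))
```

Two design points matter more than the exact weights. First, the challenge must use a factor that the attacker does not already hold: if the login came from a compromised handset, an SMS OTP to that same handset proves nothing. Second, every signal here is only as good as its input: IP geolocation is blurred by VPNs and carrier NAT, and rooted-device checks can be spoofed, so treat the score as a prompt to step up rather than as proof of fraud.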

It is time to go back to the drawing board and work out how to enable "Smart Authentication" to curb fraud and, ultimately, the financial losses that follow. If it is already enabled, check whether it is configured appropriately to serve its intended purpose.

Conclusion

RBI's security guidelines and circulars give us a framework against which to assess our current security posture, identify the required controls to plug the gaps, and strengthen overall security.

Appendix

Below is a consolidated version of RBI’s recommended security controls as part of the Master Direction on Digital Payment Security Controls. You may use it to assess your current security compliance.


Vaibhav Sonavane

A cloud security enthusiast with an urge to learn and unlearn. A coder at heart with a logical mind.