In the era of technology, Information Technology (IT) aids plenty of resources to enhance the credit system of the country. Over the years, the Non-Banking Finance Company (NBFC) sector has grown in size and complexity. As the NBFC industry matures and achieves scale, its Information Technology /Information Security (IT/IS) framework, Business continuity planning (BCP), Disaster Recovery (DR) Management, IT audit, etc. must also be benchmarked to best practices. To enhance the safety, security, efficiency in processes leading to benefits for NBFCs and their customers, the Reserve Bank of India (RBI) has come up with the Master Direction – Information Technology Framework for the NBFC Sector (“Directions”) vide it notification no. Master Direction DNBS.PPD.No.04/66.15.001/2016-17 dated June 08, 2017. These Directions have not just laid down a mere statement of good intentions but are largely focusing on implementing several operational requirements.
The directions have been categorized into two parts:
- Directions applicable to all NBFCs with asset size above ₹ 500 crore (Considered Systemically Important) are provided inSection-A and
- Directions for NBFCs with asset size below ₹ 500 crore are provided inSection-B.
Timelines for Compliance
NBFCs- Systemically Important shall comply with the Master Directions by June 30, 2018 and other NBFCs (asset size below ₹ 500 crore) shall comply by September 30, 2018.
NBFCs may have already implemented or may be implementing some of the requirements indicated in the Directions. Therefore, the NBFCs are now required to conduct a formal gap analysis between their current status and stipulations as laid out in the Directions and put in place a time-bound action plan to address the gap and comply with the guidelines laid therein. Such an analysis may be submitted to the Board of the company within six months of the issuance of these directions. Accordingly, NBFCs may place these directions before the Board, together with a gap-analysis vis-a-vis the Master Direction and the proposed action by September 30, 2017.
Section A: Systemically Important NBFCs i.e. with asset size above ₹ 500 crore
The focus of the proposed IT framework is on IT Governance, IT Policy, Information & Cyber Security, IT Operations, IS Audit, Business Continuity Planning and IT Services Outsourcing. The broad actions to be undertaken by an NBFC-SI along with the guidelines issued in this regard have been tabulated below for an easy reference:
|Who shall be responsible for the implementation of an effective IT Governance||Board of Directors and Executive Management||Well-defined roles and responsibilities to enable effective project control|
|Who are the IT Governance Stakeholders?||a. Board of Directors,
b. IT Strategy Committees,
d. Business Executives,
e. Chief Information Officers (CIOs),
f. Chief Technology Officers (CTOs),
g. IT Steering Committees
(operating at an executive level and focusing on priority setting, resource allocation and project tracking),
h. Chief Risk Officer and Risk Committees
|Action Points||Formation of an IT Strategy Committee||Chairman of the Committee:
An independent director
CIO & CTO
Frequency of Meeting:
An appropriate frequency with maximum gap of 6 months between two meetings
Role of the Committee:
1. Providing input to other Board committees and Senior Management
2. Carrying out review and amending the IT strategies in line with the corporate strategies, Board Policy reviews, cyber security arrangements and any other matter related to IT Governance
|Action Points||Formulating a Board approved IT policy||The policy shall be in line with the organizational objectives
|Develop an IT organizational structure||The structure shall be commensurate with the size, scale and nature of business activities carried out by the NBFC
|Designate a senior executive as the Chief Information Officer (CIO) or in-Charge of IT operations||The responsibility of such officer shall be to ensure implementation of IT Policy to the operational level involving IT strategy, value delivery, risk management and IT resource management.
|Formulate periodic assessment of the IT training requirements||To ensure technical competence at senior/middle level management and to ensure that sufficient, competent and capable human resources are available.
|Migrate to the IPv6 platform as per National Telecom Policy issued by the Government of India in 2012
|Action Points||Formulating a board approved IS Policy||The IS Policy shall be based on the following principles:
|IS framework must be provided in the IS Policy||The IS framework shall be based on the following principles:
|Formulating a board approved cyber-security policy||The policy shall elucidate the strategy containing an appropriate approach to combat cyber threats given the level of complexity of business and acceptable levels of risk
|Vulnerability Management||Devise a strategy for managing and eliminating vulnerabilities and such strategy may clearly be communicated in the Cyber Security policy
|Cyber security preparedness indicators||a. Development of indicators to assess the level of risk/preparedness
b. Spreading awareness among the stakeholders including employees
|A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy||The CCMP shall be addressing the following four aspects:
(iii) Recovery and
|Take effective measures to be well prepared to:
1. prevent cyber-attacks
2. promptly detect any cyber-intrusions
3. face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks
|Take necessary preventive and corrective measures in addressing various types of cyber threats including, but not limited to, denial of service, distributed denial of services (DDoS), ransom-ware / crypto ware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc|
|Sharing of information on cyber-security incidents with RBI||Report all types of unusual security incidents as specified in CSIR Form of Annex I (both the successful as well as the attempted incidents which did not fructify) to the DNBS Central Office, Mumbai.|
|Cyber-security awareness among stakeholders / Top Management / Board||Top Management and Board should also have a fair degree of awareness of the fine nuances of the threats and appropriate familiarisation may be organized.
|Promote, among the customers, vendors, service providers and other relevant stakeholders an understanding of the cyber resilience objectives, and require and ensure appropriate action to support the synchronised implementation and testing.
|Digital Signatures||Consider use of Digital signatures to protect the authenticity and integrity of important electronic documents and also for high value fund transfer.
|IT Risk Assessment||Undertake a comprehensive risk assessment of IT systems at least on a yearly basis and bring to the notice of the Chief Risk Officer (CRO), CIO and the Board and serve as an input for Information Security auditors
|Finding out the risks present and determining the appropriate level of controls necessary for appropriate mitigation of risks
|Mobile Financial Services||Technology used for mobile services should ensure confidentiality, integrity, authenticity and must provide for end-to end encryption
|Social Media Risks||As Social Media is vulnerable to account takeovers and malware distribution, proper controls, such as encryption and secure connections, should be prevalent to mitigate such risks.
|Training||Conduct an initial and ongoing training and information security awareness programme
|Action Points||Establish and monitor policies for risk management||The Board or Senior Management should take into consideration the risk associated with existing and planned IT operations and the risk tolerance|
|Identify system deficiencies and defects at the system design, development and testing phases||To ensure that while implementing IT projects there are no systems failure because of poor system design and implementation, as well as inadequate testing|
|Establish a steering committee||The committee shall be consisting of business owners, the development team and other stakeholders to provide oversight and monitoring of the progress of the project, including deliverables to be realized at each phase of the project and milestones to be reached according to the project timetable|
|Develop a Board approved Change Management Policy and senior management to ensure that the policy is being followed on an ongoing basis||The Policy must encompass the following:
|Put in place a good MIS||The MIS shall take care of information at all levels in the business including top management and assists the Top Management as well as the business heads in decision making and also to maintain an oversight over operations of various business verticals|
|System driven regulatory/ supervisory returns||There should be seamless integration between MIS system of the NBFC and reporting under COSMOS
|Action Points||Formulate a Policy for Information System Audit (IS Audit)||IS Audit shall identify risks and methods to mitigate risk arising out of IT infrastructure such as server architecture, local and wide area networks, physical and information security, telecommunications etc.|
|Adopt an IS Audit framework duly approved by the Board||The framework shall lay down the following:
a. Responsibilities for compliance/sustenance of compliance, reporting lines, timelines for submission of compliance, authority for accepting compliance should be clearly delineated in the framework.
b. The framework may provide for an audit-mode access for auditors/ inspecting/ regulatory authorities.
c. The framework should clearly prescribe the reporting framework
Guidance issued by Professional bodies like ISACA, IIA, ICAI in this regard shall be referred. For instance, ICAI has published “Standard on Internal Audit (SIA) 14: Internal Audit in an Information Technology Environment”.
|Composition of Audit Committee||An adequately skilled personnel should be there in Audit Committee who can understand the results of the IS Audit
|Coverage of IS Audit||Due importance shall be given to compliance of all the applicable legal and statutory requirements
|Conduct of IS Audit||By an internal team of the NBFC or an outside agency having enough expertise in area of IT/IS audit
|Periodicity||The periodicity of IS audit should ideally be based on the size and operations of the NBFC but may be conducted at least once in a year and be undertaken preferably prior to the statutory audit
|Reporting||As provided in the IS framework, either to the Board or a Committee of the Board viz. Audit Committee of the Board
|Compliance||NBFCs’ management is responsible for deciding the appropriate action to be taken in response to reported observations and recommendations during IS Audit
|Computer-Assisted Audit Techniques (CAATs)||To adopt a proper mix of manual techniques and CAATs for conducting IS Audit
|Action Points||Formulate and adopt a Board approved BCP Policy||To minimise the operational, financial, legal, reputational and other material consequences arising from a disaster|
|Salient features of the BCP||a. Business Impact Analysis- NBFCs shall first identify critical business verticals, locations and shared resources to come up with the detailed Business Impact Analysis. The process will envisage the impact of any unforeseen natural or man-made disasters on the NBFC’s business. The entity shall clearly list the business impact areas in order of priority.
b. Recovery strategy/ Contingency Plan- NBFCs shall try to fully understand the vulnerabilities associated with interrelationships between various systems, departments and business processes. The BCP should come up with the probabilities of various failure scenarios. Evaluation of various options should be done for recovery and the most cost-effective, practical strategy should be selected to minimize losses in case of a disaster.
|Functioning of BCP||a. To be monitored by the Board by way of periodic reports.
b. CIO shall be responsible for formulation, review and monitoring of BCP to ensure continued effectiveness
|Review of BCP||Either annually or when significant IT or business changes take place to determine if the entity could be recovered to an acceptable level of business within the timeframe stated in the contingency plan|
|Put in place necessary backup sites for critical business systems and Data centers|
|Action Points||Outsourcing of IT related business||The terms and conditions governing the contract between the NBFC and the Outsourcing service provider should be carefully defined in written agreements and vetted by NBFC’s legal counsel on the legal effect and enforceability|
|To be Noted||Provisions of contractual agreement||a) Monitoring and Oversight: Provide for continuous monitoring and assessment by the NBFC of the service provider so that any necessary corrective measure can be taken immediately. Outsourcing service provider should have adequate systems and procedures in place to ensure protection of data/application outsourced.
b) Access to books and records / Audit and Inspection: This would include:
|Responsibility for outsourcing||Board and senior management are ultimately responsible for ‘outsourcing operations’ and for managing risks inherent in such outsourcing relationships.|
|Role of IT Strategy committee in respect of outsourced operations||
Section B: NBFCs with asset size below ₹ 500 crore
The RBI has laid down certain recommendations for NBFCs with smaller asset size to develop basic IT systems mainly for maintaining the database. The Action Points for such smaller NBFCs are as follows:
- To have a Board approved Information Technology policy/Information system policy in place by September 30, 2018. The policy may be designed considering the undermentioned basic standards, i.e. the IT systems shall have:
- Basic security aspects such as physical/ logical access controls and well defined password policy;
- A well-defined user role;
- A maker-checker concept to reduce the risk of error and misuse and to ensure reliability of data/information;
- Information Security and Cyber Security;
- Requirements as regards Mobile Financial Services, Social Media and Digital Signature Certificates (mentioned in detail above);
- System generated reports for Top Management summarising financial position including operating and non-operating revenues and expenses, cost benefit analysis of segments/verticals, cost of funds, etc.;
- Adequacy to file regulatory returns to RBI (COSMOS Returns);
- A Business Continuity Planning(BCP) policy duly approved by the Board ensuring regular oversight of the Board by way of periodic reports (at least once every year);
- Arrangement for backup of data with periodic testing.
- IT Systems should be progressively scaled up as the size and complexity of NBFC’s operations increases.
As on the date of this Article, there are around 11338 non deposit taking NBFCs registered in our country. Out of the said NBFCs, a small fraction, i.e. aggregating to 239 NBFCs are systemically important. The intention of the regulator to impose mandatory provisions on the larger NBFCs is to enable their IT systems to be in consonance with their size of operations.
However, for the smaller NBFCs the intention of the RBI is not very clear. Though the section laying down the applicable guidelines for smaller NBFCs starts with the word ‘recommendation’, it is pertinent to note that the same has to be put in place by September 30, 2018. The subsequent lines of the Directions state that the NBFC ‘shall’ have a Board approved Information Technology policy/Information system policy, which makes it sound as a mandatory provision. In such a situation where the formulation of the Policy seems mandatory then consequently the implementation also becomes compulsory. Hence, in our view the vague language of the Directions creates a confusion with regard to the nature of the compliance. It is expected that RBI must come up with some clarification in this regard to clear the air of doubt.
In a nutshell
The Board has to take up the task of preparing the gap analysis before the end of third quarter, accordingly the background work for the same has to be initiated at the earliest. For an NBFC-SI, the following agenda items may be taken up by the Board in its upcoming meeting:
- Prepare a gap analysis between the current status of the IT framework and the guidelines laid down in the Directions.
- Formation of Committees:
- IT Strategy Committees and
- IT Steering Committees
- Policies to the framed and implemented by the Board:
- Information Technology Policy
- Information Security Policy
- Cyber Security Policy
- Change Management Policy
- Policy for Information System Audit (IS Audit)
- Business Continuity Planning Policy
- Reporting requirement with RBI to be complied with
- Conduct of IS Audit to form an integral part of the Internal Audit system
by Anita Baid (firstname.lastname@example.org)