Directions on IT Framework for the NBFC Sector – RBI keen on implementing several operational requirements, by Anita Baid

In the era of technology, Information Technology (IT) provides plenty of resources to enhance the credit system of the country. Over the years, the Non-Banking Finance Company (NBFC) sector has grown in size and complexity. As the NBFC industry matures and achieves scale, its Information Technology / Information Security (IT/IS) framework, Business Continuity Planning (BCP), Disaster Recovery (DR) Management, IT audit, etc. must also be benchmarked to best practices. To enhance safety, security and efficiency in processes, leading to benefits for NBFCs and their customers, the Reserve Bank of India (RBI) has come up with the Master Direction – Information Technology Framework for the NBFC Sector (“Directions”) vide its notification no. Master Direction DNBS.PPD.No.04/66.15.001/2016-17 dated June 08, 2017. These Directions are not a mere statement of good intentions but largely focus on implementing several operational requirements.

Applicability

The directions have been categorized into two parts:

  1. Directions applicable to all NBFCs with asset size above ₹ 500 crore (considered Systemically Important) are provided in Section A, and
  2. Directions for NBFCs with asset size below ₹ 500 crore are provided in Section B.

Timelines for Compliance

Systemically Important NBFCs (NBFC-SI) shall comply with the Master Directions by June 30, 2018, and other NBFCs (asset size below ₹ 500 crore) shall comply by September 30, 2018.

NBFCs may have already implemented or may be implementing some of the requirements indicated in the Directions. Therefore, the NBFCs are now required to conduct a formal gap analysis between their current status and stipulations as laid out in the Directions and put in place a time-bound action plan to address the gap and comply with the guidelines laid therein. Such an analysis may be submitted to the Board of the company within six months of the issuance of these directions. Accordingly, NBFCs may place these directions before the Board, together with a gap-analysis vis-a-vis the Master Direction and the proposed action by September 30, 2017.

Section A: Systemically Important NBFCs i.e. with asset size above ₹ 500 crore

The focus of the proposed IT framework is on IT Governance, IT Policy, Information & Cyber Security, IT Operations, IS Audit, Business Continuity Planning and IT Services Outsourcing. The broad actions to be undertaken by an NBFC-SI along with the guidelines issued in this regard have been tabulated below for an easy reference:

IT Governance

Responsibility for implementing effective IT Governance: The Board of Directors and Executive Management, with well-defined roles and responsibilities to enable effective project control.

IT Governance stakeholders:

  a. Board of Directors,
  b. IT Strategy Committees,
  c. CEOs,
  d. Business Executives,
  e. Chief Information Officers (CIOs),
  f. Chief Technology Officers (CTOs),
  g. IT Steering Committees (operating at an executive level and focusing on priority setting, resource allocation and project tracking),
  h. Chief Risk Officer and Risk Committees.

Action Point: Formation of an IT Strategy Committee

Chairman of the Committee: An independent director

Other Members: CIO & CTO

Frequency of Meeting: An appropriate frequency, with a maximum gap of 6 months between two meetings

Role of the Committee:

  1. Providing input to other Board committees and Senior Management;
  2. Carrying out review and amending the IT strategies in line with the corporate strategies, Board Policy reviews, cyber security arrangements and any other matter related to IT Governance;
  3. Approving IT strategy and policy documents and ensuring that the management has put an effective strategic planning process in place;
  4. Ascertaining that management has implemented processes and practices that ensure that the IT delivers value to the business;
  5. Ensuring IT investments represent a balance of risks and benefits and that budgets are acceptable;
  6. Monitoring the method that management uses to determine the IT resources needed to achieve strategic goals and provide high-level direction for sourcing and use of IT resources;
  7. Ensuring proper balance of IT investments for sustaining the NBFC’s growth and becoming aware about exposure towards IT risks and controls.

IT Policy

Action Points:

Formulate a Board approved IT policy: The policy shall be in line with the organizational objectives.

Develop an IT organizational structure: The structure shall be commensurate with the size, scale and nature of business activities carried out by the NBFC.

Designate a senior executive as the Chief Information Officer (CIO) or in-charge of IT operations: The responsibility of such officer shall be to ensure implementation of the IT Policy down to the operational level, covering IT strategy, value delivery, risk management and IT resource management.

Formulate periodic assessment of the IT training requirements: To ensure technical competence at senior/middle level management and to ensure that sufficient, competent and capable human resources are available.

Migrate to the IPv6 platform: As per the National Telecom Policy issued by the Government of India in 2012[1].

Information and Cyber Security

Action Points:

Formulate a Board approved IS Policy: The IS Policy shall be based on the following principles:

  1. Confidentiality – Ensuring access to sensitive data to authorized users only.
  2. Integrity – Ensuring accuracy and reliability of information by ensuring that there is no modification without authorization.
  3. Availability – Ensuring that data is available to users, without interruption, when it is needed.
  4. Authenticity – For IS it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine.

The IS framework must be provided in the IS Policy: The IS framework shall be based on the following principles:

  1. Identification and Classification of Information Assets.
  2. Segregation of functions and responsibilities relating to system administration, database administration and transaction processing.
  3. Role based Access Control by clear delegation of authority for the right to upgrade/change user profiles and permissions and also key business parameters (e.g. interest rates), which should be documented.
  4. Personnel with privileged access, like system administrators, cyber security personnel, etc., should be subject to rigorous background check and screening.
  5. Physical Security by creating a secured environment for physical security of IS Assets, such as secure location of critical data, restricted access to sensitive areas like the data center, etc.
  6. For each transaction, there must be at least two individuals necessary for its completion (maker-checker is one of the important principles of authorization in the information systems of financial entities), as this will reduce the risk of error and will ensure reliability of information.
  7. Incident Management – The IS Policy should define what constitutes an incident. NBFCs shall develop and implement processes for preventing, detecting, analysing and responding to information security incidents.
  8. Audit Trails – NBFCs shall ensure that audit trails exist for IT assets satisfying their business requirements. If an employee, for instance, attempts to access an unauthorized section, this improper activity should be recorded in the audit trail.
  9. Public Key Infrastructure (PKI) – NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and non-repudiation.
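Three of the principles above (role based access with documented delegation over a key business parameter, maker-checker needing two distinct individuals, and an audit trail that records denied attempts) can be modelled together. The following is an added example written for this article, not code from the Directions or from any NBFC system; the users, roles and interest rate values are constructed sample data.

```python
# Added example (not from the Directions or the article): role-based access over a
# key business parameter, maker-checker needing two individuals, and an audit trail
# that also records denied attempts. All users, roles and rates are constructed.
from dataclasses import dataclass, field

# Constructed delegation matrix: roles that may propose or approve each parameter.
PERMISSIONS = {
    "interest_rate": {"make": {"product_manager", "risk_head"}, "check": {"risk_head"}},
}


class AuthorizationError(Exception):
    pass


@dataclass
class ParameterStore:
    values: dict = field(default_factory=dict)       # param -> live value
    roles: dict = field(default_factory=dict)        # user -> role
    pending: dict = field(default_factory=dict)      # param -> (maker, proposed value)
    audit_trail: list = field(default_factory=list)  # append-only event log

    def _log(self, user, action, param, outcome, detail=""):
        self.audit_trail.append({"user": user, "action": action, "param": param,
                                 "outcome": outcome, "detail": detail})

    def _require_role(self, user, action, param):
        role = self.roles.get(user)
        allowed = PERMISSIONS.get(param, {}).get(action, set())
        if role not in allowed:
            # An unauthorised attempt is written to the trail before it is refused.
            self._log(user, action, param, "DENIED", f"role={role!r} lacks {action!r}")
            raise AuthorizationError(f"{user} may not {action} {param}")

    def propose(self, user, param, new_value):
        """Maker step: record the proposal; the live value is untouched."""
        self._require_role(user, "make", param)
        self.pending[param] = (user, new_value)
        self._log(user, "make", param, "PENDING", f"proposed={new_value}")

    def approve(self, user, param):
        """Checker step: a second, authorised individual applies the change."""
        self._require_role(user, "check", param)
        if param not in self.pending:
            self._log(user, "check", param, "DENIED", "nothing pending")
            raise AuthorizationError(f"no pending change for {param}")
        maker, new_value = self.pending[param]
        if maker == user:  # segregation of duties: maker and checker must differ
            self._log(user, "check", param, "DENIED", "self-approval")
            raise AuthorizationError("maker and checker must be two individuals")
        old = self.values.get(param)
        self.values[param] = new_value
        del self.pending[param]
        self._log(user, "check", param, "APPLIED", f"{old} -> {new_value}, maker={maker}")
        return new_value


def demo():
    """Constructed scenario: a denied attempt, then a valid two-person change."""
    store = ParameterStore(values={"interest_rate": 12.5},
                           roles={"alice": "product_manager", "bob": "risk_head",
                                  "carol": "teller"})
    try:
        store.propose("carol", "interest_rate", 9.0)  # teller has no 'make' right
    except AuthorizationError:
        pass
    store.propose("alice", "interest_rate", 11.0)
    store.approve("bob", "interest_rate")
    return store


if __name__ == "__main__":
    for event in demo().audit_trail:
        print(event)
```

The trail produced by the demo holds one DENIED entry for the teller, then the PENDING and APPLIED entries of the two-person change, which is the evidence an IS auditor would look for.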

 

Formulate a Board approved cyber-security policy: The policy shall elucidate the strategy containing an appropriate approach to combat cyber threats, given the level of complexity of business and acceptable levels of risk.

Vulnerability Management: Devise a strategy for managing and eliminating vulnerabilities; such strategy may clearly be communicated in the Cyber Security policy.

Cyber security preparedness indicators:

  a. Development of indicators to assess the level of risk/preparedness;
  b. Spreading awareness among the stakeholders, including employees.

Cyber Crisis Management Plan (CCMP): A CCMP should be immediately evolved and should be a part of the overall Board approved strategy. The CCMP shall address the following four aspects: (i) Detection, (ii) Response, (iii) Recovery and (iv) Containment.

Take effective measures to be well prepared to:

  1. prevent cyber-attacks;
  2. promptly detect any cyber-intrusions;
  3. face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks.

Take necessary preventive and corrective measures in addressing various types of cyber threats including, but not limited to, denial of service, distributed denial of service (DDoS), ransomware / cryptoware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc.

Sharing of information on cyber-security incidents with RBI: Report all types of unusual security incidents as specified in the CSIR Form of Annex I (both the successful as well as the attempted incidents which did not fructify) to the DNBS Central Office, Mumbai.

Cyber-security awareness among stakeholders / Top Management / Board: Top Management and the Board should also have a fair degree of awareness of the fine nuances of the threats, and appropriate familiarisation may be organized. Promote, among the customers, vendors, service providers and other relevant stakeholders, an understanding of the cyber resilience objectives, and require and ensure appropriate action to support synchronised implementation and testing.

Digital Signatures: Consider use of digital signatures to protect the authenticity and integrity of important electronic documents and also for high value fund transfers.

IT Risk Assessment: Undertake a comprehensive risk assessment of IT systems at least on a yearly basis; bring it to the notice of the Chief Risk Officer (CRO), CIO and the Board, and let it serve as an input for Information Security auditors. The assessment involves finding out the risks present and determining the appropriate level of controls necessary for their mitigation.

Mobile Financial Services: Technology used for mobile services should ensure confidentiality, integrity and authenticity, and must provide for end-to-end encryption.

Social Media Risks: As social media is vulnerable to account takeovers and malware distribution, proper controls, such as encryption and secure connections, should be in place to mitigate such risks.

Training: Conduct an initial and ongoing training and information security awareness programme.


IT Operations

Action Points:

Establish and monitor policies for risk management: The Board or Senior Management should take into consideration the risk associated with existing and planned IT operations and the risk tolerance.

Identify system deficiencies and defects at the system design, development and testing phases: To ensure that, while implementing IT projects, there is no system failure because of poor system design and implementation, or inadequate testing.

Establish a steering committee: The committee shall consist of business owners, the development team and other stakeholders, to provide oversight and monitoring of the progress of the project, including deliverables to be realized at each phase of the project and milestones to be reached according to the project timetable.

Develop a Board approved Change Management Policy, with senior management ensuring that the policy is being followed on an ongoing basis: The Policy must encompass the following:

  1. prioritizing and responding to change proposals from business,
  2. cost benefit analysis of the changes proposed,
  3. assessing risks associated with the changes proposed,
  4. change implementation, monitoring and reporting.

Put in place a good MIS: The MIS shall take care of information at all levels in the business, including top management, and assist the Top Management as well as the business heads in decision making and in maintaining oversight over the operations of various business verticals.

System driven regulatory/supervisory returns: There should be seamless integration between the MIS system of the NBFC and reporting under COSMOS.


IS Audit

Action Points:

Formulate a Policy for Information System Audit (IS Audit): The IS Audit shall identify risks, and methods to mitigate risk, arising out of IT infrastructure such as server architecture, local and wide area networks, physical and information security, telecommunications, etc.

Adopt an IS Audit framework duly approved by the Board: The framework shall lay down the following:

  a. Responsibilities for compliance/sustenance of compliance, reporting lines, timelines for submission of compliance and authority for accepting compliance should be clearly delineated in the framework.
  b. The framework may provide for an audit-mode access for auditors/inspecting/regulatory authorities.
  c. The framework should clearly prescribe the reporting framework.

Guidance issued by professional bodies like ISACA, IIA and ICAI in this regard shall be referred to. For instance, ICAI has published “Standard on Internal Audit (SIA) 14: Internal Audit in an Information Technology Environment”.

Composition of Audit Committee: Adequately skilled personnel, who can understand the results of the IS Audit, should be on the Audit Committee.

Coverage of IS Audit: Due importance shall be given to compliance with all the applicable legal and statutory requirements.

Conduct of IS Audit: By an internal team of the NBFC or an outside agency having enough expertise in the area of IT/IS audit.

Periodicity: The periodicity of IS audit should ideally be based on the size and operations of the NBFC, but it may be conducted at least once in a year and undertaken preferably prior to the statutory audit.

Reporting: As provided in the IS framework, either to the Board or a Committee of the Board, viz. the Audit Committee of the Board.

Compliance: The NBFC’s management is responsible for deciding the appropriate action to be taken in response to observations and recommendations reported during the IS Audit.

Computer-Assisted Audit Techniques (CAATs): Adopt a proper mix of manual techniques and CAATs for conducting the IS Audit.


Business Continuity Planning

Action Points:

Formulate and adopt a Board approved BCP Policy: To minimise the operational, financial, legal, reputational and other material consequences arising from a disaster.

Salient features of the BCP:

  a. Business Impact Analysis: NBFCs shall first identify critical business verticals, locations and shared resources to come up with a detailed Business Impact Analysis. The process will envisage the impact of any unforeseen natural or man-made disasters on the NBFC’s business. The entity shall clearly list the business impact areas in order of priority.
  b. Recovery strategy / Contingency Plan: NBFCs shall try to fully understand the vulnerabilities associated with interrelationships between various systems, departments and business processes. The BCP should come up with the probabilities of various failure scenarios. Various options for recovery should be evaluated, and the most cost-effective, practical strategy selected to minimize losses in case of a disaster.

Functioning of BCP:

  a. To be monitored by the Board by way of periodic reports.
  b. The CIO shall be responsible for formulation, review and monitoring of the BCP to ensure continued effectiveness.

Review of BCP: Either annually or when significant IT or business changes take place, to determine if the entity could be recovered to an acceptable level of business within the timeframe stated in the contingency plan.

Backup sites: Put in place necessary backup sites for critical business systems and data centers.

IT Services Outsourcing

Action Points:

Outsourcing of IT related business: The terms and conditions governing the contract between the NBFC and the outsourcing service provider should be carefully defined in written agreements and vetted by the NBFC’s legal counsel on their legal effect and enforceability.

Provisions of the contractual agreement (to be noted):

  a. Monitoring and Oversight: Provide for continuous monitoring and assessment by the NBFC of the service provider so that any necessary corrective measure can be taken immediately. The outsourcing service provider should have adequate systems and procedures in place to ensure protection of the data/application outsourced.
  b. Access to books and records / Audit and Inspection: This would include:
    1. Ensuring that the NBFC has the ability to access all books, records and information relevant to the outsourced activity available with the service provider. For technology outsourcing, requisite audit trails and logs for administrative activities should be retained and accessible to the NBFC based on approved requests.
    2. Providing the NBFC with the right to conduct audits on the service provider, whether by its internal or external auditors or by external specialists appointed to act on its behalf, and to obtain copies of any audit or review reports and findings made on the service provider in conjunction with the services performed for the NBFC.
    3. The contractual agreement may include clauses to allow the Reserve Bank of India, or persons authorized by it, to access the NBFC’s documents, records of transactions, and other necessary information given to, stored or processed by the service provider within a reasonable time. This includes information maintained in paper and electronic formats.

Responsibility for outsourcing: The Board and senior management are ultimately responsible for ‘outsourcing operations’ and for managing risks inherent in such outsourcing relationships.

Role of the IT Strategy Committee in respect of outsourced operations:

  1. Instituting an appropriate governance mechanism for outsourced processes, comprising risk based policies and procedures, to effectively identify, measure, monitor and control risks associated with outsourcing in an end to end manner;
  2. Defining approval authorities for outsourcing depending on the nature of risks and materiality of outsourcing;
  3. Developing sound and responsive outsourcing risk management policies and procedures commensurate with the nature, scope, and complexity of outsourcing arrangements;
  4. Undertaking a periodic review of outsourcing strategies and all existing material outsourcing arrangements;
  5. Evaluating the risks and materiality of all prospective outsourcing based on the framework developed by the Board;
  6. Periodically reviewing the effectiveness of policies and procedures;
  7. Communicating significant risks in outsourcing to the NBFC’s Board on a periodic basis;
  8. Ensuring an independent review and audit in accordance with approved policies and procedures;
  9. Ensuring that contingency plans have been developed and tested adequately;
  10. Ensuring that business continuity preparedness is not adversely compromised on account of outsourcing. NBFCs are expected to adopt sound business continuity management practices as issued by RBI and seek proactive assurance that the outsourced service provider maintains readiness and preparedness for business continuity on an ongoing basis.


Section B: NBFCs with asset size below ₹ 500 crore

The RBI has laid down certain recommendations for NBFCs with smaller asset size to develop basic IT systems mainly for maintaining the database. The Action Points for such smaller NBFCs are as follows:

  1. To have a Board approved Information Technology policy/Information system policy in place by September 30, 2018. The policy may be designed considering the undermentioned basic standards, i.e. the IT systems shall have:
    1. Basic security aspects such as physical/ logical access controls and well defined password policy;
    2. A well-defined user role;
    3. A maker-checker concept to reduce the risk of error and misuse and to ensure reliability of data/information;
    4. Information Security and Cyber Security;
    5. Requirements as regards Mobile Financial Services, Social Media and Digital Signature Certificates (mentioned in detail above);
    6. System generated reports for Top Management summarising financial position including operating and non-operating revenues and expenses, cost benefit analysis of segments/verticals, cost of funds, etc.;
    7. Adequacy to file regulatory returns to RBI (COSMOS Returns);
    8. A Business Continuity Planning (BCP) policy duly approved by the Board, ensuring regular oversight of the Board by way of periodic reports (at least once every year);
    9. Arrangement for backup of data with periodic testing.
  2. IT Systems should be progressively scaled up as the size and complexity of NBFC’s operations increases.

Conclusion

As on the date of this Article, there are around 11338 non-deposit taking NBFCs registered in our country. Out of these, only a small fraction, i.e. 239 NBFCs, are systemically important[2]. The intention of the regulator in imposing mandatory provisions on the larger NBFCs is to enable their IT systems to be in consonance with their size of operations.

However, for the smaller NBFCs the intention of the RBI is not very clear. Though the section laying down the applicable guidelines for smaller NBFCs starts with the word ‘recommendation’, it is pertinent to note that the same has to be put in place by September 30, 2018. The subsequent lines of the Directions state that the NBFC ‘shall’ have a Board approved Information Technology policy/Information system policy, which makes it sound like a mandatory provision. Where the formulation of the Policy appears mandatory, its implementation consequently also becomes compulsory. Hence, in our view, the vague language of the Directions creates confusion with regard to the nature of the compliance. It is expected that RBI will come up with a clarification in this regard to clear the air of doubt.

In a nutshell

The Board has to take up the task of preparing the gap analysis before the end of third quarter, accordingly the background work for the same has to be initiated at the earliest. For an NBFC-SI, the following agenda items may be taken up by the Board in its upcoming meeting:

  1. Prepare a gap analysis between the current status of the IT framework and the guidelines laid down in the Directions.
  2. Formation of Committees:
    1. IT Strategy Committee and
    2. IT Steering Committee
  3. Policies to be framed and implemented by the Board:
    1. Information Technology Policy
    2. Information Security Policy
    3. Cyber Security Policy
    4. Change Management Policy
    5. Policy for Information System Audit (IS Audit)
    6. Business Continuity Planning Policy
  4. Reporting requirements with RBI to be complied with
  5. Conduct of IS Audit to form an integral part of the Internal Audit system

[1] (As per Circular DNBS(Inf.).CC.No 309/24.01.022/2012-13 November 08, 2012)

[2] https://rbi.org.in/Scripts/BS_NBFCList.aspx (Data as on 08.06.2017)


by Anita Baid (anita@vinodkothari.com)
