IT Framework for the HFCs

By Vineet Ojha (finserv@vinodkothari.com)

Over the years, the Housing Finance Company (HFC) sector has grown in size and complexity. As the HFC industry matures and achieves scale, its Information Technology / Information Security (IT/IS) framework, Business Continuity Planning (BCP), Disaster Recovery (DR) management, IT audit, etc. must also be benchmarked to best practices. To enhance the safety, security and efficiency of processes, for the benefit of HFCs and their customers, the National Housing Bank (NHB) has issued the Information Technology Framework for HFCs (“Guidelines”) vide its notification no. NHB/ND/DRS/Policy Circular No. 90/2017-18 dated June 15, 2018.

Applicability

The Guidelines have been categorized into two parts:

  1. Guidelines applicable to all public deposit taking HFCs and HFCs not accepting public deposit with asset size of Rs 100 crore and above, as per the last audited balance sheet are provided in Section-A and
  2. Guidelines applicable to all HFCs not accepting public deposits with asset size below Rs 100 crore are provided in Section-B.

Timelines for Compliance

  • All HFCs shall place these Guidelines before their Board, together with a gap analysis vis-a-vis the Guidelines and the proposed action, by September 30, 2018
  • HFCs falling in Section A shall be required to comply with the Guidelines by June 30, 2019 and other HFCs by September 30, 2019

Framework for HFCs in Section A

The focus of the proposed IT framework is on IT Governance, IT Policy, Information & Cyber Security, IT Operations, IS Audit, Business Continuity Planning and IT Services Outsourcing.

IT Governance

IT Governance is an integral part of corporate governance. It involves leadership support, organizational structure and processes to ensure that the HFC's IT sustains and extends business strategies and objectives. Effective IT Governance is the responsibility of the Board of Directors and Executive Management.

Responsibility for implementing effective IT Governance: the Board of Directors and Executive Management, with well-defined roles and responsibilities to enable effective project control.

IT Governance stakeholders:

  1. Board of Directors,
  2. IT Strategy Committees,
  3. CEOs,
  4. Business Executives,
  5. Chief Information Officers (CIOs),
  6. Chief Technology Officers (CTOs),
  7. IT Steering Committees (operating at an executive level and focusing on priority setting, resource allocation and project tracking),
  8. Chief Risk Officer and Risk Committees.

Action Points

Formation of an IT Strategy Committee:

Chairman of the Committee: an independent director

Other Members: CIO & CTO

Frequency of Meeting: an appropriate frequency, with a maximum gap of 6 months between two meetings

Role of the Committee:

  1. Providing input to other Board committees and Senior Management;
  2. Carrying out review and amending the IT strategies in line with the corporate strategies, Board Policy reviews, cyber security arrangements and any other matter related to IT Governance;
  3. Approving IT strategy and policy documents and ensuring that the management has put an effective strategic planning process in place;
  4. Ascertaining that management has implemented processes and practices that ensure that IT delivers value to the business;
  5. Ensuring IT investments represent a balance of risks and benefits and that budgets are acceptable;
  6. Monitoring the method that management uses to determine the IT resources needed to achieve strategic goals and providing high-level direction for sourcing and use of IT resources;
  7. Ensuring a proper balance of IT investments for sustaining the HFC's growth and becoming aware of its exposure towards IT risks and controls.

IT Policy

Action Points

Formulate a Board approved IT policy: the policy shall be in line with the organizational objectives.

Develop an IT organizational structure: the structure shall be commensurate with the size, scale and nature of business activities carried out by the HFC.

Designate a senior executive as the Chief Information Officer (CIO) or in-charge of IT operations: the responsibility of such officer shall be to ensure implementation of the IT Policy down to the operational level, covering IT strategy, value delivery, risk management and IT resource management.

Formulate periodic assessment of IT training requirements: to ensure technical competence at senior/middle level management and to ensure that sufficient, competent and capable human resources are available.

Migrate to the IPv6 platform as per the National Telecom Policy issued by the Government of India in 2012.


Information and Cyber Security

Action Points

Formulate a Board approved IS Policy. The IS Policy shall be based on the following principles:

  1. Confidentiality – Ensuring that only authorized users can access sensitive data.
  2. Integrity – Ensuring accuracy and reliability of information by ensuring that there is no modification without authorization.
  3. Availability – Ensuring that data is available to users, without interruption, when it is needed.
  4. Authenticity – Ensuring that data, transactions, communications or documents (electronic or physical) are genuine.

The IS Policy must provide an IS framework. The IS framework shall be based on the following principles:

  1. Identification and Classification of Information Assets.
  2. Segregation of functions and responsibilities relating to system administration, database administration and transaction processing.
  3. Role based Access Control, with clear and documented delegation of authority over the right to upgrade/change user profiles and permissions, and over key business parameters (e.g. interest rates).
  4. Personnel with privileged access, such as system administrators and cyber security personnel, should be subject to rigorous background checks and screening.
  5. Physical Security, by creating a secured environment for IS assets: secure location of critical data, restricted access to sensitive areas like the data center, etc.
  6. For each transaction, at least two individuals must be necessary for its completion (Maker-checker is one of the important principles of authorization in the information systems of financial entities); this reduces the risk of error and ensures reliability of information.
  7. Incident Management – The IS Policy should define what constitutes an incident. HFCs shall develop and implement processes for preventing, detecting, analysing and responding to information security incidents.
  8. Audit Trails – HFCs shall ensure that audit trails exist for IT assets satisfying their business requirements. If an employee, for instance, attempts to access an unauthorized section, this improper activity should be recorded in the audit trail.
  9. Public Key Infrastructure (PKI) – HFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and non-repudiation.
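
Three of the principles above (role based access to key business parameters, maker-checker and an audit trail that also records denied attempts) are easier to reason about in code than in prose. The following is an illustrative example added to this article; it is not part of the NHB Guidelines or of any HFC's system. The roles (`ops_maker`, `ops_checker`, `ops_lead`, `branch_staff`), the user names and the `home_loan_rate` parameter are all constructed for the demonstration.

```python
"""Maker-checker, role-based access and audit trail for a key business parameter.

Illustrative example added to this article; it is not part of the NHB
Guidelines or of any HFC system. Roles, users and the 'home_loan_rate'
parameter are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Permission matrix (assumed roles): makers may propose a change to a key
# business parameter, checkers may approve one, a lead may do both, and
# ordinary branch staff may do neither.
ROLE_PERMISSIONS = {
    "ops_maker": {"propose_rate"},
    "ops_checker": {"approve_rate"},
    "ops_lead": {"propose_rate", "approve_rate"},
    "branch_staff": set(),
}


@dataclass
class Proposal:
    proposal_id: int
    parameter: str
    new_value: float
    maker: str
    status: str = "pending"          # pending | approved
    checker: Optional[str] = None


@dataclass
class ParameterStore:
    users: dict                                   # user name -> role
    parameters: dict = field(default_factory=dict)
    proposals: dict = field(default_factory=dict)
    audit_trail: list = field(default_factory=list)
    next_id: int = 1

    def _log(self, user: str, action: str, outcome: str, detail: str) -> None:
        # Every attempt is recorded, including denied ones, so that improper
        # activity shows up in the trail and not only successful changes.
        self.audit_trail.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "outcome": outcome, "detail": detail,
        })

    def _permitted(self, user: str, permission: str) -> bool:
        role = self.users.get(user)
        return permission in ROLE_PERMISSIONS.get(role, set())

    def propose(self, user: str, parameter: str, new_value: float) -> Optional[int]:
        """Maker step: record a proposed change; returns the proposal id or None."""
        if not self._permitted(user, "propose_rate"):
            self._log(user, "propose", "denied", f"{parameter}={new_value}: no maker role")
            return None
        pid = self.next_id
        self.next_id += 1
        self.proposals[pid] = Proposal(pid, parameter, new_value, maker=user)
        self._log(user, "propose", "ok", f"#{pid} {parameter}={new_value}")
        return pid

    def approve(self, user: str, pid: int) -> bool:
        """Checker step: a second, distinct individual applies the change."""
        prop = self.proposals.get(pid)
        if prop is None or prop.status != "pending":
            self._log(user, "approve", "denied", f"#{pid}: no pending proposal")
            return False
        if not self._permitted(user, "approve_rate"):
            self._log(user, "approve", "denied", f"#{pid}: no checker role")
            return False
        if user == prop.maker:
            # The maker-checker rule: holding both roles is not enough, the
            # same person may never approve their own proposal.
            self._log(user, "approve", "denied", f"#{pid}: maker == checker")
            return False
        prop.status, prop.checker = "approved", user
        self.parameters[prop.parameter] = prop.new_value
        self._log(user, "approve", "ok", f"#{pid} {prop.parameter}={prop.new_value}")
        return True


def demo() -> ParameterStore:
    """Run the control through four constructed users and return the store."""
    store = ParameterStore(users={
        "asha": "ops_maker", "bikram": "ops_checker",
        "chitra": "ops_lead", "dev": "branch_staff",
    })
    store.parameters["home_loan_rate"] = 8.50
    store.propose("dev", "home_loan_rate", 7.00)     # unauthorised: denied and logged
    pid = store.propose("chitra", "home_loan_rate", 8.75)
    store.approve("chitra", pid)                      # own proposal: denied and logged
    store.approve("bikram", pid)                      # second individual: applied
    return store


if __name__ == "__main__":
    for entry in demo().audit_trail:
        print(entry["user"], entry["action"], entry["outcome"], entry["detail"])
```

The point of the `ops_lead` role is that role based access alone does not give you maker-checker: a user who legitimately holds both permissions still cannot approve their own proposal, and the denied attempt lands in the audit trail alongside the branch staff member's unauthorised attempt to change the rate.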

 

Formulate a Board approved cyber-security policy: the policy shall set out a strategy containing an appropriate approach to combat cyber threats, given the level of complexity of the business and the acceptable levels of risk.

Vulnerability Management: devise a strategy for managing and eliminating vulnerabilities; the strategy shall be clearly communicated in the Cyber Security policy.

Cyber security preparedness indicators:

  a. Development of indicators to assess the level of risk/preparedness;
  b. Spreading awareness among the stakeholders, including employees.

A Cyber Crisis Management Plan (CCMP) should be put in place immediately and form part of the overall Board approved strategy. The CCMP shall address the following four aspects: (i) Detection, (ii) Response, (iii) Recovery and (iv) Containment.

Take effective measures to be well prepared to:

  1. prevent cyber-attacks;
  2. promptly detect any cyber-intrusions;
  3. face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks.

Take necessary preventive and corrective measures in addressing various types of cyber threats including, but not limited to, denial of service, distributed denial of service (DDoS), ransomware / cryptoware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc.
Sharing of information on cyber-security incidents with NHB: HFCs shall put in place a suitable mechanism to report all types of unusual security incidents to their IT Steering Committee and Risk Management Committee.

Incidents involving compromise of the IT systems of the HFC, such as data breach, data destruction etc., that severely affect the operations of the company shall be reported to the NHB, along with the action taken thereon by the HFC, within two working days.

Cyber-security awareness among stakeholders / Top Management / Board: Top Management and the Board should have a fair degree of awareness of the finer nuances of the threats, and appropriate familiarisation may be organized.

Promote, among customers, vendors, service providers and other relevant stakeholders, an understanding of the cyber resilience objectives, and require and ensure appropriate action to support synchronised implementation and testing.

Digital Signatures: consider the use of digital signatures to protect the authenticity and integrity of important electronic documents and also for high value fund transfers.

IT Risk Assessment: undertake a comprehensive risk assessment of IT systems at least once a year; bring the results to the notice of the Chief Risk Officer (CRO), the CIO and the Board, and use them as an input for Information Security auditors. The assessment should identify the risks present and determine the appropriate level of controls necessary to mitigate them.

Mobile Financial Services: technology used for mobile services should ensure confidentiality, integrity and authenticity, and must provide for end-to-end encryption.

Social Media Risks: as social media is vulnerable to account takeovers and malware distribution, proper controls, such as encryption and secure connections, should be in place to mitigate such risks.

Training: conduct an initial and ongoing training and information security awareness programme. HFCs need to maintain an updated status on user training and awareness relating to information security.


IT Operations

Action Points

Establish and monitor policies for risk management: the Board or Senior Management should take into consideration the risk associated with existing and planned IT operations and the risk tolerance.

Identify system deficiencies and defects at the system design, development and testing phases: to ensure that, while implementing IT projects, there are no system failures because of poor system design and implementation or inadequate testing.

Establish a steering committee: the committee shall consist of business owners, the development team and other stakeholders, and provide oversight and monitoring of the progress of each project, including the deliverables to be realized at each phase and the milestones to be reached according to the project timetable.

Develop a Board approved Change Management Policy, with senior management ensuring that the policy is followed on an ongoing basis. The Policy must encompass the following:

  1. prioritizing and responding to change proposals from business,
  2. cost benefit analysis of the changes proposed,
  3. assessing risks associated with the changes proposed,
  4. change implementation, monitoring and reporting.

 

Put in place a good MIS: the MIS shall take care of information at all levels in the business, including top management, and assist the Top Management as well as the business heads in decision making and in maintaining oversight over the operations of the various business verticals.

With robust IT systems in place, HFCs may have the following as part of an effective system generated MIS (indicative list):

  a) A dashboard for the Top Management summarising financial position vis-a-vis targets. It may include information on the trend of returns on assets across categories, major growth business segments, movement of net-worth etc.
  b) System enabled identification and classification of NPAs, as well as generation of MIS reports in this regard.
  c) The MIS should facilitate pricing of products, especially large ticket loans.
  d) The MIS should capture regulatory requirements and their compliance.
  e) Financial Reports including operating and non-operating revenues and expenses, cost benefit analysis of segments/verticals, cost of funds, etc. (also regulatory compliance at transaction level).
  f) Reports relating to treasury operations.
  g) Fraud analysis: suspicious transaction analysis, embezzlement, theft or suspected money laundering, misappropriation of assets, manipulation of financial records etc. The regulatory requirement of reporting frauds, if any, should be system driven.
  h) Capacity and performance analysis of IT security systems.
  i) Incident reporting, their impact and steps taken for non-recurrence of such events in the future.

System driven regulatory/supervisory returns: all regulatory/supervisory returns should be system driven, including reporting under ORMIS / regulatory reporting. Further, it is essential that “Read Only” access be provided to NHB Inspectors or persons authorized by it.


IS Audit

Action Points

Formulate a Policy for Information System Audit (IS Audit): the IS Audit shall identify risks, and methods to mitigate risks, arising out of the IT infrastructure such as server architecture, local and wide area networks, physical and information security, telecommunications etc.

Adopt an IS Audit framework duly approved by the Board. The framework shall lay down the following:

  a. Responsibilities for compliance/sustenance of compliance, reporting lines, timelines for submission of compliance and authority for accepting compliance should be clearly delineated in the framework.
  b. The framework may provide for an audit-mode access for auditors/inspecting/regulatory authorities.
  c. The framework should clearly prescribe the reporting framework.

Guidance issued by professional bodies like ISACA, IIA and ICAI in this regard shall be referred to. For instance, ICAI has published “Standard on Internal Audit (SIA) 14: Internal Audit in an Information Technology Environment”.

Conduct of the IS Audit: the IS Audit may be conducted by an internal team of the HFC. In case of inadequate internal skills, HFCs may appoint an outside agency, provided that the outside auditor/agency is empanelled with CERT-In.

Coverage of IS Audit: due importance shall be given to compliance with all applicable legal and statutory requirements.

Periodicity: the periodicity of the IS audit should ideally be based on the size and operations of the HFC, but it should be conducted at least once in two years and be undertaken preferably prior to the statutory audit.

Reporting: as provided in the IS framework, either to the Board or to a Committee of the Board, viz. the Audit Committee of the Board.

Rotation of IS Auditors: rotation of IS auditors must be adhered to in such a way that an auditor shall not carry out such audit for more than two successive terms if conducted once in two years, or for three successive terms if conducted once a year.

Compliance: the HFC's management is responsible for deciding the appropriate action to be taken in response to observations and recommendations reported during the IS Audit.

Computer-Assisted Audit Techniques (CAATs): adopt a proper mix of manual techniques and CAATs for conducting the IS Audit.


Business Continuity Planning

BCP forms a significant part of an organisation’s overall Business Continuity Management plan, which includes policies, standards and procedures to ensure continuity, resumption and recovery of critical business processes.

Action Points

Formulate and adopt a Board approved BCP Policy: to minimise the operational, financial, legal, reputational and other material consequences arising from a disaster.

Salient features of the BCP:

Business Impact Analysis: HFCs shall first identify critical business verticals, locations and shared resources to come up with a detailed Business Impact Analysis. The process will envisage the impact of any unforeseen natural or man-made disaster on the HFC's business. The entity shall clearly list the business impact areas in order of priority.

Recovery strategy / Contingency Plan: HFCs shall try to fully understand the vulnerabilities associated with the interrelationships between various systems, departments and business processes. The BCP should come up with the probabilities of various failure scenarios. Various options for recovery should be evaluated, and the most cost-effective, practical strategy selected to minimize losses in case of a disaster.

Review of BCP: either annually or when significant IT or business changes take place, to determine if the entity could be recovered to an acceptable level of business within the timeframe stated in the contingency plan.

Put in place the necessary backup sites for critical business systems and data centers.


IT Service Outsourcing

Outsourcing of IT related business process can provide an HFC the opportunity to realise valuable strategic and economic benefits.

Action Points

Outsourcing of IT related business: the terms and conditions governing the contract between the HFC and the outsourcing service provider should be carefully defined in written agreements and vetted by the HFC's legal counsel on their legal effect and enforceability.

Provisions of the contractual agreement (to be noted):

a) Monitoring and Oversight: provide for continuous monitoring and assessment by the HFC of the service provider, so that any necessary corrective measure can be taken immediately. The outsourcing service provider should have adequate systems and procedures in place to ensure protection of the outsourced data/application.

b) Access to books and records / Audit and Inspection: this would include:

  1. Ensuring that the HFC has the ability to access all books, records and information relevant to the outsourced activity available with the service provider. For technology outsourcing, the requisite audit trails and logs for administrative activities should be retained and accessible to the HFC based on approved requests.
  2. Providing the HFC with the right to conduct audits on the service provider, whether by its internal or external auditors or by external specialists appointed to act on its behalf, and to obtain copies of any audit or review reports and findings made on the service provider in conjunction with the services performed for the HFC.
  3. The contractual agreement may include clauses to allow the National Housing Bank, or persons authorized by it, to access the HFC's documents, records of transactions and other necessary information given to, stored or processed by the service provider within a reasonable time. This includes information maintained in paper and electronic formats.

Responsibility for outsourcing: the Board and senior management are ultimately responsible for ‘outsourcing operations’ and for managing the risks inherent in such outsourcing relationships.

Role of the IT Strategy Committee in respect of outsourced operations:
  1. Instituting an appropriate governance mechanism for outsourced processes, comprising of risk based policies and procedures, to effectively identify, measure, monitor and control risks associated with outsourcing in an end to end manner;
  2. Defining approval authorities for outsourcing depending on nature of risks and materiality of outsourcing;
  3. Developing sound and responsive outsourcing risk management policies and procedures commensurate with the nature, scope, and complexity of outsourcing arrangements;
  4. Undertaking a periodic review of outsourcing strategies and all existing material outsourcing arrangements;
  5. Evaluating the risks and materiality of all prospective outsourcing based on the framework developed by the Board;
  6. Periodically reviewing the effectiveness of policies and procedures;
  7. Communicating significant risks in outsourcing to the HFC’s Board on a periodic basis;
  8. Ensuring an independent review and audit in accordance with approved policies and procedures;
  9. Ensuring that contingency plans have been developed and tested adequately;
  10. HFC should ensure that the business continuity preparedness is not adversely compromised on account of outsourcing. HFCs are expected to adopt sound business continuity management practices as issued by NHB and seek proactive assurance that the outsourced service provider maintains readiness and preparedness for business continuity on an ongoing basis.

Framework for HFCs in Section B

HFCs not accepting public deposits with asset size below Rs 100 crore shall have a Board approved Information Technology policy / Information System policy. This policy may be designed considering the basic standards mentioned below, and shall be put in place by September 30, 2019. The IT systems shall have:

  1. Basic security aspects such as physical/logical access controls and a well defined password policy;
  2. Well-defined user roles;
  3. A maker-checker concept to reduce the risk of error and misuse and to ensure reliability of data/information;
  4. Information Security and Cyber Security;
  5. Requirements as regards Digital Signature Certificates, Mobile Financial Services and Social Media, as indicated in paras 3.8, 3.10 & 3.11 of the document;
  6. System generated reports for Top Management summarising the financial position, including operating and non-operating revenues and expenses, cost benefit analysis of segments/verticals, cost of funds, etc.;
  7. Adequacy to file regulatory returns to NHB (ORMIS);
  8. A BCP policy duly approved by the Board, ensuring regular oversight by the Board by way of periodic reports (at least once every year);
  9. Arrangements for backup of data, with periodic testing.

IT Systems should be progressively scaled up as the size and complexity of HFC’s operations increases.

Actionable for HFCs

RBI had come up with directions on an IT framework for NBFCs in 2017, and the same has been replicated and released for HFCs by NHB in 2018. Consequently, the Board of each HFC has to take up the task of preparing the gap analysis by September 30, 2018, and the background work for it has to be initiated at the earliest.

For applicable HFCs in Section A, the following agenda items may be taken up by the Board in its upcoming meeting:

  1. Prepare a gap analysis between the current status of the IT framework and the guidelines laid down in the Guidelines
  2. Formation of Committees:
    1. IT Strategy Committees and
    2. IT Steering Committees
  3. Policies to be framed and implemented by the Board:
    1. Information Technology Policy
    2. Information Security Policy
    3. Cyber Security Policy
    4. Change Management Policy
    5. Policy for Information System Audit (IS Audit)
    6. Business Continuity Planning Policy
  4. Reporting requirement with NHB to be complied with
  5. Conduct of IS Audit to form an integral part of the Internal Audit system

Conclusion

Regulating financial institutions is essential in an era when the majority of operations depend on technology. National Housing Bank's intention in imposing mandatory provisions on the larger HFCs is to bring their IT systems in consonance with the size of their operations. HFCs falling in Section B are ‘recommended’ to comply with the Guidelines, whereas HFCs falling in Section A are ‘required’ to comply. Hence, NHB's intentions for the smaller HFCs are not very clear.

The number of HFCs granted a Certificate of Registration (COR) with permission to accept public deposits is 18, as compared to 59 HFCs granted a COR not valid for acceptance of public deposits. The Guidelines thus require compulsory compliance from a small fraction of HFCs, whereas the majority are only recommended to comply.

 

1 reply
  1. Abhishak Saxena says:

    Hi, would like to understand, for a HFC with less than 100 CR asset, is it mandatory to conduct the IS audit for IT systems? In case internal audit department is not there, can Head of IT fulfil the need of internal IS Audit by asking reports from its junior members?

