IT Framework for the HFCs
By Vineet Ojha (finserv@vinodkothari.com)
Over the years, the Housing Finance Company (HFC) sector has grown in size and complexity. As the HFC industry matures and achieves scale, its Information Technology/Information Security (IT/IS) framework, Business Continuity Planning (BCP), Disaster Recovery (DR) Management, IT audit, etc. must also be benchmarked to best practices. To enhance the safety, security and efficiency of processes, leading to benefits for HFCs and their customers, the National Housing Bank (NHB) has issued an Information Technology Framework for HFCs (“Guidelines”) vide its notification no. NHB/ND/DRS/ Policy Circular No. 90/2017-18 dated June 15, 2018.
Applicability
The Guidelines have been categorized into two parts:
- Guidelines applicable to all public deposit taking HFCs and HFCs not accepting public deposit with asset size of Rs 100 crore and above, as per the last audited balance sheet are provided in Section-A and
- Guidelines applicable to all HFCs not accepting public deposits with asset size below Rs 100 crore are provided in Section-B.
Timelines for Compliance
- All HFCs may place these Guidelines before their Board, together with a gap analysis vis-a-vis the Guidelines and the proposed action latest by September 30, 2018
- HFCs falling in Section- A shall be required to comply with the Guidelines by June 30, 2019 and other HFCs by September 30, 2019
Framework for HFCs in Section A
The focus of the proposed IT framework is on IT Governance, IT Policy, Information & Cyber Security, IT Operations, IS Audit, Business Continuity Planning and IT Services Outsourcing.
IT Governance
IT Governance is an integral part of corporate governance. It involves leadership support, organizational structure and processes to ensure that the HFC's IT sustains and extends its business strategies and objectives. Effective IT Governance is the responsibility of the Board of Directors and Executive Management.
Who is responsible for implementing effective IT Governance? The Board of Directors and Executive Management, supported by well-defined roles and responsibilities to enable effective project control.
Who are the IT Governance stakeholders?
- Board of Directors
- IT Strategy Committees
- CEOs
- Business Executives
- Chief Information Officers (CIOs)
- Chief Technology Officers (CTOs)
- IT Steering Committees (operating at an executive level and focusing on priority setting, resource allocation and project tracking)
- Chief Risk Officer and Risk Committees
Action Points:
- Formation of an IT Strategy Committee:
  - Chairman of the Committee: an independent director
  - Other members: CIO and CTO
  - Frequency of meetings: an appropriate frequency, with a maximum gap of 6 months between two meetings
  - Role of the Committee: (1) providing input to other Board committees and Senior Management; (2) reviewing and amending the IT strategies in line with the corporate strategies, Board policy reviews, cyber security arrangements and any other matter related to IT Governance
IT Policy
Action Points:
- Formulate a Board-approved IT policy: the policy shall be in line with the organizational objectives.
- Develop an IT organizational structure: the structure shall be commensurate with the size, scale and nature of business activities carried out by the HFC.
- Designate a senior executive as the Chief Information Officer (CIO) or in-charge of IT operations: such officer shall be responsible for ensuring implementation of the IT Policy down to the operational level, covering IT strategy, value delivery, risk management and IT resource management.
- Periodically assess the IT training requirements: to ensure technical competence at senior/middle management level and to ensure that sufficient, competent and capable human resources are available.
- Migrate to the IPv6 platform as per the National Telecom Policy issued by the Government of India in 2012.
Information and Cyber Security
Action Points:
- Formulate a Board-approved IS Policy: the IS Policy shall be based on the principles laid down in the Guidelines.
- Provide an IS framework in the IS Policy: the IS framework shall likewise be based on the principles laid down in the Guidelines.
- Formulate a Board-approved cyber-security policy: the policy shall elucidate the strategy, containing an appropriate approach to combat cyber threats given the level of complexity of the business and the acceptable levels of risk.
- Vulnerability management: devise a strategy for managing and eliminating vulnerabilities, and communicate that strategy clearly in the Cyber Security policy.
- Cyber-security preparedness indicators: (a) develop indicators to assess the level of risk/preparedness; (b) spread awareness among the stakeholders, including employees.
- Cyber Crisis Management Plan (CCMP): a CCMP should be evolved immediately and should form part of the overall Board-approved strategy. The CCMP shall address the following four aspects: (i) Detection, (ii) Response, (iii) Recovery and (iv) Containment.
- Take effective measures to be well prepared to: (1) prevent cyber-attacks; (2) promptly detect any cyber-intrusions; (3) face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats and targeted attacks. Take the necessary preventive and corrective measures to address the various types of cyber threats including, but not limited to, denial of service, distributed denial of service (DDoS), ransomware/cryptoware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password-related frauds, etc.
- Sharing of information on cyber-security incidents with RBI: HFCs shall put in place a suitable mechanism to report all types of unusual security incidents to the IT Steering Committee and the Risk Management Committee. Incidents involving compromise of the IT systems of the HFC, such as data breach or data destruction, that severely affect the operations of the company shall be reported to the NHB, along with the action taken thereon by the HFC, within two working days.
- Cyber-security awareness among stakeholders / Top Management / Board: Top Management and the Board should also have a fair degree of awareness of the fine nuances of the threats, and appropriate familiarisation may be organized. Promote, among customers, vendors, service providers and other relevant stakeholders, an understanding of the cyber resilience objectives, and require and ensure appropriate action to support their synchronised implementation and testing.
- Digital signatures: consider the use of digital signatures to protect the authenticity and integrity of important electronic documents and also for high-value fund transfers.
- IT risk assessment: undertake a comprehensive risk assessment of IT systems at least on a yearly basis; bring it to the notice of the Chief Risk Officer (CRO), the CIO and the Board, and use it as an input for Information Security auditors. The assessment should find out the risks present and determine the appropriate level of controls necessary for their mitigation.
- Mobile financial services: the technology used for mobile services should ensure confidentiality, integrity and authenticity, and must provide for end-to-end encryption.
- Social media risks: as social media is vulnerable to account takeovers and malware distribution, proper controls, such as encryption and secure connections, should be in place to mitigate such risks.
- Training: conduct an initial and ongoing training and information security awareness programme. HFCs need to maintain an updated status on user training and awareness relating to information security.
IT Operations
Action Points:
- Establish and monitor policies for risk management: the Board or Senior Management should take into consideration the risk associated with existing and planned IT operations and the risk tolerance.
- Identify system deficiencies and defects at the system design, development and testing phases: to ensure that, while implementing IT projects, there are no system failures because of poor system design and implementation or inadequate testing.
- Establish a steering committee: the committee shall consist of business owners, the development team and other stakeholders, to provide oversight and monitoring of the progress of the project, including deliverables to be realized at each phase and milestones to be reached according to the project timetable.
- Develop a Board-approved Change Management Policy, with senior management ensuring that the policy is followed on an ongoing basis: the Policy must encompass the elements set out in the Guidelines.
- Put in place a good MIS: the MIS shall take care of information at all levels of the business, including top management, and assist the Top Management as well as the business heads in decision making and in maintaining oversight over the operations of the various business verticals. With robust IT systems in place, HFCs may have the following as part of an effective system-generated MIS (indicative list):
  - A dashboard for the Top Management summarising the financial position vis-a-vis targets. It may include information on the trend of returns on assets across categories, major growth business segments, movement of net worth, etc.
  - System-enabled identification and classification of NPAs, as well as generation of MIS reports in this regard.
  - Facilitation of the pricing of products, especially large-ticket loans.
  - Capture of regulatory requirements and their compliance.
  - Financial reports, including operating and non-operating revenues and expenses, cost-benefit analysis of segments/verticals, cost of funds, etc. (also regulatory compliance at transaction level).
  - Reports relating to treasury operations.
  - Fraud analysis: suspicious transaction analysis, embezzlement, theft or suspected money laundering, misappropriation of assets, manipulation of financial records, etc. The regulatory requirement of reporting frauds, if any, should be system driven.
  - Capacity and performance analysis of IT security systems.
  - Incident reporting, the impact of incidents, and the steps taken for non-recurrence of such events in the future.
- System-driven regulatory/supervisory returns: all regulatory/supervisory returns should be system driven vis-à-vis reporting under ORMIS / regulatory reporting. Further, it is essential that “Read Only” access be provided to NHB Inspectors or persons authorized by it.
IS Audit
Action Points:
- Formulate a Policy for Information System Audit (IS Audit): the IS Audit shall identify risks, and methods to mitigate risk, arising out of IT infrastructure such as server architecture, local and wide area networks, physical and information security, telecommunications, etc.
- Adopt an IS Audit framework duly approved by the Board. The framework shall lay down the following:
  - Responsibilities for compliance/sustenance of compliance, reporting lines, timelines for submission of compliance and the authority for accepting compliance should be clearly delineated in the framework.
  - The framework may provide for an audit-mode access for auditors/inspecting/regulatory authorities.
  - The framework should clearly prescribe the reporting framework.
  Guidance issued by professional bodies like ISACA, IIA and ICAI in this regard shall be referred to. For instance, ICAI has published “Standard on Internal Audit (SIA) 14: Internal Audit in an Information Technology Environment”.
- Composition of Audit Committee: the IS Audit may be conducted by an internal team of the HFC. In case of inadequate internal skills, HFCs may appoint an outside agency, provided that the outside auditor/agency is empanelled with CERT-In.
- Coverage of IS Audit: due importance shall be given to compliance with all the applicable legal and statutory requirements.
- Periodicity: the periodicity of the IS audit should ideally be based on the size and operations of the HFC, but it may be conducted at least once in two years, preferably prior to the statutory audit.
- Reporting: as provided in the IS framework, either to the Board or to a Committee of the Board, viz. the Audit Committee of the Board.
- Rotation of IS auditors: rotation must be adhered to in such a way that an auditor shall not carry out such audit for more than two successive terms if conducted once in two years, or for three successive terms if conducted once a year.
- Compliance: the HFC's management is responsible for deciding the appropriate action to be taken in response to the observations and recommendations reported during the IS Audit.
- Computer-Assisted Audit Techniques (CAATs): adopt a proper mix of manual techniques and CAATs for conducting the IS Audit.
Business Continuity Planning
BCP forms a significant part of an organisation’s overall Business Continuity Management plan, which includes policies, standards and procedures to ensure continuity, resumption and recovery of critical business processes.
Action Points:
- Formulate and adopt a Board-approved BCP Policy: to minimise the operational, financial, legal, reputational and other material consequences arising from a disaster.
- Salient features of the BCP:
  - Business Impact Analysis: HFCs shall first identify critical business verticals, locations and shared resources to come up with a detailed Business Impact Analysis. The process will envisage the impact of any unforeseen natural or man-made disasters on the HFC's business. The entity shall clearly list the business impact areas in order of priority.
  - Recovery strategy / Contingency Plan: HFCs shall try to fully understand the vulnerabilities associated with the interrelationships between various systems, departments and business processes. The BCP should come up with the probabilities of various failure scenarios. The various options for recovery should be evaluated, and the most cost-effective, practical strategy selected to minimize losses in case of a disaster.
- Review of BCP: either annually or when significant IT or business changes take place, to determine whether the entity could be recovered to an acceptable level of business within the timeframe stated in the contingency plan.
- Put in place the necessary backup sites for critical business systems and data centres.
IT Service Outsourcing
Outsourcing of IT related business process can provide an HFC the opportunity to realise valuable strategic and economic benefits.
Action Points:
- Outsourcing of IT-related business: the terms and conditions governing the contract between the HFC and the outsourcing service provider should be carefully defined in written agreements and vetted by the HFC's legal counsel as to their legal effect and enforceability.
- Provisions of the contractual agreement (to be noted):
  - Monitoring and oversight: provide for continuous monitoring and assessment of the service provider by the HFC, so that any necessary corrective measure can be taken immediately. The outsourcing service provider should have adequate systems and procedures in place to ensure protection of the data/application outsourced.
  - Access to books and records / audit and inspection: this would include the matters set out in the Guidelines.
- Responsibility for outsourcing: the Board and senior management are ultimately responsible for ‘outsourcing operations’ and for managing the risks inherent in such outsourcing relationships.
- Role of the IT Strategy Committee in respect of outsourced operations.
Framework for HFCs in Section B
HFCs not accepting public deposits with asset size below Rs 100 crore shall have a Board-approved Information Technology policy / Information System policy. This policy may be designed considering the basic standards mentioned below, and the same shall be put in place by September 30, 2019. The IT systems shall have:
- Basic security aspects such as physical/logical access controls and a well-defined password policy;
- Well-defined user roles;
- A maker-checker concept to reduce the risk of error and misuse and to ensure reliability of data/information;
- Information Security and Cyber Security;
- Requirements as regards Digital Signature Certificates, Mobile Financial Services and Social Media indicated in paras 3.8, 3.10 & 3.11 of the document;
- System-generated reports for Top Management summarising the financial position, including operating and non-operating revenues and expenses, cost-benefit analysis of segments/verticals, cost of funds, etc.;
- Adequacy to file regulatory returns to NHB (ORMIS);
- A BCP policy duly approved by the Board, ensuring regular oversight by the Board by way of periodic reports (at least once every year);
- Arrangements for backup of data, with periodic testing.
IT Systems should be progressively scaled up as the size and complexity of HFC’s operations increases.
Actionable for HFCs
RBI had come up with directions on an IT framework for NBFCs in 2017, and the same has been replicated and released for HFCs by NHB in 2018. Consequently, the Board of each HFC has to take up the task of preparing the gap analysis before the end of the third quarter, so the background work for the same has to be initiated at the earliest.
For applicable HFCs in Section A, the following agenda items may be taken up by the Board in its upcoming meeting:
- Prepare a gap analysis between the current status of the IT framework and the guidelines laid down in the Guidelines
- Formation of Committees:
  - IT Strategy Committees and
  - IT Steering Committees
- Policies to be framed and implemented by the Board:
  - Information Technology Policy
  - Information Security Policy
  - Cyber Security Policy
  - Change Management Policy
  - Policy for Information System Audit (IS Audit)
  - Business Continuity Planning Policy
- Reporting requirements with NHB to be complied with
- Conduct of IS Audit to form an integral part of the Internal Audit system
Conclusion
The need for regulating financial institutions is essential in an era when the majority of operations are dependent on technology. National Housing Bank's intention in imposing mandatory provisions on the larger NBFCs is to enable their IT systems to be in consonance with the size of their operations. HFCs falling under Section B are ‘recommended’ to comply with the Guidelines, whereas HFCs falling under Section A are ‘required’ to comply. Hence, the intentions of NHB for smaller HFCs are not very clear.
The number of HFCs granted a Certificate of Registration (COR) with permission to accept public deposits is 18, as compared to 59 HFCs granted a Certificate of Registration (COR) not valid for acceptance of public deposits. The Guidelines thus require compulsory compliance from a small fraction of HFCs, whereas the majority are only recommended to comply.
Hi, would like to understand: for an HFC with less than 100 CR asset, is it mandatory to conduct the IS audit for IT systems? In case an internal audit department is not there, can the Head of IT fulfil the need of internal IS Audit by asking for reports from its junior members?