Technology roadmap for secure digital economy
MA Khan, MD & CEO, IDBI Intech Ltd
In order to grow in the evolving digital world, banks have to be fully digital. This means more than just paying lip-service in the form of Internet banking and mobile banking. It means embracing digital thinking, enabling scalability, enhancing customer analytics and delivering services directly to customers at a time and place that suits them.
Digital transformation driven by artificial intelligence and cloud computing has the potential to transform both front office and back office operations and provide the required agility and elasticity to meet the growing customer expectations.
Butchi Babu Burra, Adviser IT, Bank of India
Why are we confusing customers with lots of products (multiple wallets, cards, BHIM, etc.) for a transaction rather than making it easy? Do I need an instrument to transact or can I transact anywhere? Whether the digitisation is to include the people or to make my transaction cheaper. Among all the kind of apps which are floating, probably the best idea (in the recent past) is UPI, where you download the app and start transacting.
CA Jayant Gokhale, Chairman, Audit Committee, Syndicate Bank
About digital security, my observations are that the focus of technical people tends to be more on systems. I look at it with a slightly different perspective as ultimately the proof of the pudding is in the eating. I don’t care what system is running in the background. What I am concerned about is the output and its cost effectiveness. I have got two red flags to highlight; one is we all are focusing on NPA. As I see looming on the horizon the next threat before NPA dies down is the fraud threat, and I think it is accentuated by the fact that digital provides the anonymity, which enables crime. Therefore, one factor that I flagged as the emerging threat in the banking industry is a risk of frauds. The second is unique to Indian banking partly because we had a large background of public sector banks, which are more regulated by checklist and are more compliance oriented rather than result oriented.
Subrata Gupta, Chief General Manager - Fi & Banking Technology, NABARD
Information security is the area where it has to be preached that faster the information travels within the organisation, faster we can take security measures. Another problem area that needs to be addressed especially from the security point of view is the outsourcing of the business. Many business items are outsourced, and lots of problems can come from that side. I am of the firm opinion that there has to be some regulatory sandbox for testing technology. There are multiple technologies coming in the field, which one should I take, which one I shouldn’t. How do I test and who tests it? How independent is that?
TV Ramanmurthy, General Manager-IT, Bank of Maharashtra
More than security, our concern is frauds. Our bank has a lot of middle class and lower middle class customers throughout Maharashtra and elsewhere. The most common form of fraud is phishing where these people call and ask for password and the customer is ready to share the debit card number and other details. This is going to be one of the biggest challenges. Every day there are a couple of queries asking when will I get my lost money. Thanks to RBI, now they have come up with a policy that the customer liability is limited in the case of an unauthorised transaction. Now, forgery in the transaction will not directly affect the customer, and it adds over digitisation and financial inclusion. Apart from that, digital transactions are cheaper. When a customer walks into a bank, then the cost of transaction for the bank comes out to be ₹54 whereas in case of digital transaction, it costs ₹3-4. We can use the particular fund – amount saved by adopting digital technology – in creating digital education fund. With this fund, we can educate gullible customers, particularly the Jan Dhan account holders to adopt the digital technology with all security and confidence.
Ashutosh Jain, Chief Information Security Officer, Axis Bank
Mobile banking services are provided by either banks or various other ecosystems behind the bank to the customers. So, the services the bank provides are safe and secure to that extent, and not misused from the end point perspective. Then there are responsibilities like the users have to ensure safety and security of end points. For example, everybody knows about rooted devices, antiquated devices and lots of malicious applications not to be used on the same mobile, which is used for mobile banking. These basic precautions from customers are required so that it becomes a shared responsibility. Globally, two years back, there were 2 billion users having digital identity across the world out of total approx 6 billion global population. Now that 2 billion has suddenly swelled to 4 billion digital identities across the world, which means 2 billion people have suddenly come into the ecosystem which is a huge number. It is actually 100 percent jump in the last two years. Naturally these people are not the part of the earlier ecosystem and not savvy as the first 2 billion people. These people are definitely susceptible to all kinds of risks such as phishing and all kind of digital crimes. They probably are not aware and cautious of all the responsibilities that they have to discharge. So it is the common responsibility among all the institutions, irrespective of what they are, to educate these people. So, you have to maintain the same rigor to educate them and ensure that they are doing the right things while getting them on board.
Rajendra Bhalerao, Chief Information Security Officer, NPCI
Apps have to be cost effective, but the security assessment cannot be compromised. Usually, people tend to go for open source, but they need to understand there are lots of vulnerabilities associated with that as well. From the cyber security perspective, if we look at the apps we have developed like BHIM, UPI, we ensure that we have necessary controls in place, we have control over Google app store i.e. on which it is getting uploaded. We have informed the banks particularly about the phishing and rogue apps. Quite often we have interactions with CERT-IN. They have come and conducted audit with us too. We are associated with CERT-FIN, which tackles anti-fraud (email related). One most important point about cyber security is the threat vectors are increasing day-by-day. There are different threat vectors, which give us sleepless nights. So necessary skills to address these threats become a big challenge for everyone. Analytics will play a key role.
Nabankur Sen, Chief Information Security Officer, Bandhan Bank
We started with the customer base of about 50 lakh in microfinance, including rural areas and the poor. It has increased to 70 lakh now. The challenge concerning the digital economy is educating these customers. Securing the digital economy is about creating awareness on how they are duped. Some people are always on the prowl for phishing attack. It is very difficult to teach rural and poor people that they are being deceived. We are trying to find out the solution and the one solution we are thinking is that we must analyse the customer and then give the product. We should do the customer profiling and understand which products they need. So the digital product which we circulate or place in the entire channel, we must analyse the need beforehand. There is a term in information security “Deny all, allow restricted”. The other thing is the digital products are coming; the security of products lies in the security of the process. The process includes getting the customer on board, issuing the ATM card, file generation, and file movement in the organisation. This entire process should be looked into by the security staff. They should test and then certify. The process of certification is very important. We have seen many instances of fraud in the recent past, which happened due to some faults in the process. Another thing is that the analytics should be done very judiciously, and also the online products should be comprehensive and mandatorily certified by an external body.
Raghava Rachuri, Chief Information Security Officer, SIDBI
In today’s world of business transformation, you can’t move data in silos. You need to integrate and unleash the 3D’s of data – diverse, distributed and dynamic data. You have to integrate them across not only on an enterprise level but also on the cloud. Now data-centric businesses are the order of the day, and we have to tear down the barriers i.e. digital barriers, the business barriers and unify the data. But security is the challenge. Earlier, security was always an afterthought, and most of the time the business head will announce the release date and say security will be discussed later. But now that has changed. Now, the business head will send the report first and ask for clearance before launching the software, that is the key change. We also face key challenges in getting quality data and getting it in dynamic and current form. We require strong standards which are vital for the growth of the digital economy. But then who will decide these standards, whether business and consumers or technology companies through the standard bodies or government. So these are the key questions that need to be addressed. We have to have a good balance between the standards and also the flexibility regarding innovation and development. One of the challenges we face in the SME sector is how do we adopt digital economy and digital payment in SME sector. Many of you have heard about Fintech companies. They are bringing a lot of new innovative products which by just filling the few pages of data online, they collect the data in a non-intrusive way. Every time these people, when they do an online transaction, or they browse, they leave digital footprints. So, we can use strong analytical tools to find out what are the business and non-business transactions that they are doing and we can find out whether the finance is being used for business purpose.
The same thing is done by Fintech companies to find out the customers’ needs, and they can give working capital online within days. There is humongous amount of data. You require right kind of skill sets and technology. We require the PPT - people, process and technology. Even though technology is an enabler and also gives the platform, it is the process and people with right skill sets, which will sustain and realise the transformation.