Introduction

Digital transactions and fintech have been the buzz words during the past few years. The Indian government, the regulators and the industry have trained their focus on adopting fintech and digital transactions.

While cashless transactions continue to be driven by fintech, cash continues to have a significant market share in the retail space within the overall payment transactions. It is understood that private sector banks are leading the electronic mode of transactions and PSU banks have an edge in cash transactions at the automated teller machine (ATM) network level.

One key component of banking operations has been transactions undertaken at ATMs and the real time IT network connecting all the ATMs for the seamless execution of transactions by customers. Often these ATMs are exposed to hacking, resulting in fraudulent transactions and data breach.

Every new technology takes time to be perfected and undergoes modifications due to glitches arising during its teething period. In 2016, the debit cards details of several customers were compromised due to a malware injected in ATM network managed by an ATM service provider. There has also been a substantial increase in the number of ATM frauds being reported throughout the country. The Reserve Bank of India (RBI) has at various instances flagged these issues pertaining to ATM frauds to the banks, and asked the banks to improve security measures to prevent ATM frauds.

In this direction, the RBI in its fifth Bi-Monthly Monetary Policy Statement 2019-20 announced its intention to introduce certain cyber security controls for ATM switch application service providers (ASPs) engaged by banks and other regulated entities (RREs) for managing their ATM switch ecosystems.

The RBI realised that the increase in dependency of RREs on ASPs for managing ATMs, exposes the ASPs to the payment system landscapes and associated confidential information, leaving such RREs exposed to cyber security threats. Consequently, the RBI deemed it necessary to formulate and implement certain guidelines to ensure that adequate measures are taken to secure ATMs systems and network.

Recently, the RBI has issued a slew of circulars to strengthen IT systems and frameworks of RREs. The circulars have mandated measures to be undertaken in relation to cyber security primarily to protect customers from cyber frauds, breaches, data leakages, and such other incidents.

With this backdrop, RBI issued a circular DOS.CO/CSITE/BC.4084/31.01.015/2019-20 on 31 December 2019 (Circular) directing all RREs to ensure implementation of cyber security controls by ASPs. The RBI has also stipulated a timeline of 31 March 2020 for RREs to revise their contracts with the ASPs to ensure compliance with these cyber security controls.

Overview of the Circular

The Circular lays down host of cyber security controls to be adopted by ASPs. The RREs will be responsible to ensure that the ASPs abide by this Circular, by appropriately amending the contracts between the RREs and ASPs on or before 31 March 2020. 

The above Circular will apply to RREs such as Scheduled Commercial Banks, Regional Rural Banks, Local Area Banks, Primary (Urban) Co-operative Banks, State and Central Co-operative Banks that generally set up ATMs as well as White Label ATM service providers.

Some of the cyber security controls required to be implemented by ASPs as per the Circular are listed below:

  • Setting up mechanisms for preventing access of unauthorised software and/or applications and monitoring them.
  • Establish appropriate controls for securing the physical location of critical assets and protecting them from natural and man-made threats.
  • Maintain baseline security measures for all applicable devices (such as databases, networks, security systems etc.).
  • Follow a documented risk-based strategy for patch, vulnerability and change management.
  • Implement a centralised authentication and authorisation system for accessing network.
  • Develop a comprehensive data leakage prevention strategy to safeguard sensitive business and customer information.
  • Maintain, manage and analyse audit logs pertaining to user actions in a system.
  • Establish a mechanism for incident response and management.
  • Create a robust defence against the installation, spread, and execution of malicious code.
  • Periodically conduct vulnerability assessment and penetration tests on applications, servers and network components.
  • Arrange for network forensics / forensic investigations, mitigation services on standby.
  • Comply with the relevant standards applicable to IT ecosystem.

Comments

These new cyber security norms are similar to those prescribed by the RBI for banks and other regulated entities regarding their IT systems and networks. The RBI vide the Circular has widened its net, by mandating a robust cyber security framework for ASPs, in light of the service providers being increasingly privy to confidential information and exposed to cyber security threats. Implementation of these norms will entail additional time and cost for the ASPs. It will have to be seen whether the timeline of 31 March 2020 would be achieved by the RREs for implementing the Circular.