Project on Internet Banking - Reportt of RBI Working Group
Formation of The Working Group & its Terms of Reference

With the popularity of PCs, easy access to Internet and World Wide Web (WWW), Internet is increasingly used by banks as a channel for receiving instructions and delivering their products and services to their customers. This form of banking is generally referred to as Internet Banking, although the range of products and services offered by different banks vary widely both in their content and sophistication.

Broadly, the levels of banking services offered through INTERNET can be categorized in to three types:

1. The Basic Level Service is the banks� websites which disseminate information on different products and services offered to customers and members of public in general. It may receive and reply to customers� queries through e-mail

2. In the next level are Simple Transactional Websites which allow customers to submit their instructions, applications for different services, queries on their account balances, etc, but do not permit any fund-based transactions on their accounts,

3. The third level of Internet banking services are offered by Fully Transactional Websites which allow the customers to operate on their accounts for transfer of funds, payment of different bills, subscribing to other products of the bank and to transact purchase and sale of securities, etc. The above forms of Internet banking services are offered by traditional banks, as an additional method of serving the customer or by new banks, who deliver banking services primarily through Internet or other electronic delivery channels as the value added services. Some of these banks are known as �virtual� banks or �Internet-only� banks and may not have any physical presence in a country despite offering different banking services

From the perspective of banking products and services being offered through Internet, Internet banking is nothing more than traditional banking services delivered through an electronic communication backbone, viz, Internet. But, in the process it has thrown open issues which have ramifications beyond what a new delivery channel would normally envisage and, hence, has compelled regulators world over to take note of this emerging channel. Some of the distinctive features of i-banking are:

• It removes the traditional geographical barriers as it could reach out to customers of different countries / legal jurisdiction. This has raised the question of jurisdiction of law / supervisory system to which such transactions should be subjected,

• It has added a new dimension to different kinds of risks traditionally associated with banking, heightening some of them and throwing new risk control challenges,

• Security of banking transactions, validity of electronic contract, customers� privacy, etc., which have all along been concerns of both bankers and supervisors have assumed different dimensions given that Internet is a public domain, not subject to control by any single authority or group of users

• It poses a strategic risk of loss of business to those banks who do not respond in time, to this new technology, being the efficient and cost effective delivery mechanism of banking services

• A new form of competition has emerged both from the existing players and new players of the market who are not strictly banks.

The Regulatory and Supervisory concerns in i-banking arise mainly out of the distinctive features outlined above. These concerns can be broadly addressed under three broad categories, viz.

1. Legal and regulatory issue

2. Security and technology issues and

3. Supervisory and operational issues

Legal issues cover those relating to the jurisdiction of law, validity of electronic contract including the question of repudiation, gaps in the legal / regulatory environment for electronic commerce. On the question of jurisdiction the issue is whether to apply the law of the area where access to Internet has been made or where the transaction has finally taken place. Allied to this is the question where the income has been generated and who should tax such income. There are still no definite answers to these issues.

Security of i-banking transactions is one of the most important areas of concerns to the regulators. Security issues include questions of adopting internationally accepted state-of-the art minimum technology standards for access control, encryption / decryption ( minimum key length etc), firewalls, verification of digital signature, Public Key Infrastructure (PKI) etc. The regulator is equally concerned about the security policy for the banking industry, security awareness and education

The supervisory and operational issues include risk control measures, advance warning system, Information technology audit and re-engineering of operational procedures. The regulator would also be concerned with whether the nature of products and services offered are within the regulatory framework and whether the transactions do not camouflage money-laundering operations.

The world over, central bankers and regulators have been addressing themselves to meet the new challenges thrown open by this form of banking. Several studies have pointed to the fact that the cost of delivery of banking service through Internet is several times less than the traditional delivery methods. This alone is enough reason for banks to flock to Internet and to deliver more and more of their services through Internet and as soon as possible. Not adopting this new technology in time has the risk of banks getting edged out of competition. In such a scenario, the thrust of regulatory thinking has been to ensure that while the banks remain efficient and cost effective, they must be aware of the risks involved and have proper built-in safeguards, machinery and systems to manage the emerging risks. It is not enough for banks to have systems in place, but the systems must be constantly upgraded to changing and well-tested technologies, which is a much bigger challenge. The other aspect is to provide conducive regulatory environment for orderly growth of such form of banking. Central Banks of many countries have put in place broad regulatory framework for i-banking

In India, too i-banking has taken roots. A number of banks have set up banking portals allowing their customers to access facilities like obtaining information, querying on their accounts, etc. Soon, still higher level of online services will be made available. Other banks will sooner than later, take to Internet banking.

In the above background Reserve Bank of India constituted a Working Group to examine different issues relating to i-banking and recommend technology, security, legal standards and operational standards keeping in view the international best practices. The Group is headed by the Chief General Manager�in�Charge of the Department of Information Technology and comprised experts from the fields of banking regulation and supervision, commercial banking, law and technology. The Bank also constituted an Operational Group under its Executive Director comprising officers from different disciplines in the bank, who would guide implementation of the recommendations.

The Working Group, as its terms of reference, was to examine different aspects of Internet banking from regulatory and supervisory perspective and recommend appropriate standards for adoption in India, particularly with reference to the following:

1. Risks to the organization and banking system, associated with Internet banking and methods of adopting International best practices for managing such risks.

2. Identifying gaps in supervisory and legal framework with reference to the existing banking and financial regulations, IT regulations, tax laws, depositor protection, consumer protection, criminal laws, money laundering and other cross border issues and suggesting improvements in them.

3. Identifying international best practices on operational and internal control issues, and suggesting suitable ways for adopting the same in India.

4. Recommending minimum technology and security standards, in conformity with international standards and addressing issues like system vulnerability, digital signature ,information system audit etc.

5. Clearing and settlement arrangement for electronic banking and electronic money transfer; linkages between i-banking and e-commerce

6. Any other matter, which the Working Group may think as of relevance to Internet banking in India

The first meeting of the Working Group was held on July 19, 2000. The Group held that i-banking did not mean any basic change in the nature of banking and the associated risks and returns. All the same, being a public domain and a highly cost effective delivery channel, it does impact both the dimension and magnitude of traditional banking risks. In fact, it adds new kinds of risk to banking. Some of the concerns of the Regulatory Authority in i-banking relate to technology standards including the level of security and uncertainties of legal jurisdiction etc. Its cost effective character provides opportunities for efficient delivery of banking services and higher profitability and a threat to those who fail to harness it.

The Group decided to focus on above three major areas, where supervisory attention was needed. Accordingly, three sub-groups were formed for looking into three specific areas

1. technology and security aspects,

2. legal aspects and

3. regulatory and supervisory issues.

The Working Group had a number of deliberations. The views of the Group were crystallized in its report, which cover the following by way of its contents:

1. The basic structure of Internet and its characteristics

2. International experience in i-banking, particularly with reference to USA, United Kingdom and other Scandinavian countries, who are pioneers in this form of banking.

3. The Indian Scenario with reference to I-Banking.

4. different types of risks associated with banking in general and i-banking in particular. Emphasis is given on normal risks associated with banking which gets accentuated when the services are delivered through Internet. Risks relating to money laundering and other cross border transactions are discussed

.

5. Technology and security standards are discussed with emphasis onpolicy issues rather than on products and technical tools.

6. The legal environment in which i-banking transactions are carried out is an important regulatory concern. The group has identified gaps in the existing framework and has suggesed changes required.

7. Operational aspects like internal control, early detection system, IT audit, technical manpower, etc are also discussedalong with addressing the impact of i-banking on clearing and settlement arrangements.

8. The specific recommendations of the group were given at the end of the report.

The report is thus a comprehensive document to covering all aspects/considerations thatshould govern successful delivery of banking services through Internet. The broad sbmissins on the working group on the above listed items and its recommendations are given in the following articles.