E-Banking in India: Risk Management in Payments and Settlement System

Background

The onset of electronic banking (e-banking) in India dates back to 2001 after five years of commencement of electronic clearing service in 1995. Different innovations in this field include RTGS (Real Time Gross Settlement System), NEFTS (National Electronic Fund Transfer System), CTS (Cheque Truncation System), NECS (National Electronic Clearing Service), mobile banking and satellite banking. In the current decade by and large all commercial banks in India are offering internet banking, mobile banking and ATM facilities. In any Indian commercial bank (henceforth ‘bank’) governance of information technology (IT) is a part and parcel of its corporate governance. Every such bank has an independent IT Committee with professionally qualified members. This Committee participates in the Board of Directors and manages all the risks related to IT at the enterprise level.

The needs for mitigation of credit risk in securities settlements and reduction in interest cost of slow speed in physical payments gave birth to the electronic payments and settlement systems. The second benefit of these systems is that they facilitate better management of operational and liquidity risks. The third benefit is that they help faster operations in cross border financial markets. But in the context of exposure to these markets one important lesson learnt from the history of financial crises is that the payments and settlement systems work as a channel through which business risk transmits and in the process, on many occasions, there is change in one category of risk to another, e.g. operational risk may change into market risk. A corollary of the above lesson is that through payments and settlement systems a single category of risk at the point of origin is distributed as multiple categories among the receivers. Other related lessons are that (i) categorization of business risk depends on the types of system design and settlement method, and (ii) it varies from case to case whether the settlement system alone has to bear the risk, share it with clients or bounce back to clients.

In India the banking regulator the Reserve Bank of India (RBI) is at present in the process of addressing the following risks of payment systems - concentration risk, counter-party risk, credit risk, legal risk, liquidity risk, operational risk, regulatory risk, settlement risk and systemic risk. But during the last one year the Deputy Governors of the RBI expressed more concern about operational risk than other risks in their lectures on online banking and electronic payments. Because of the factors typical to emerging economies, like financial exclusion of a sizeable chunk of households, existence of informal sector, a massive parallel economy and availability of education on IT to the miniscule privileged section of the population, other risks could not yet attract attention in the Indian context while online frauds like hacking, leaking database and phishing mostly having been engineered offshore, but involving onshore agents, have been receiving attention.

Therefore being empowered by the Payments and Settlement Systems Act, 2007, the RBI requires every bank to (i) pursue eight basic principles of information security – confidentiality, integrity, availability, authenticity, non-repudiation, identification, authorization, accountability and auditability, and (ii) identify its security requirements in line with the prescription of the Committee on Payment and Settlement Systems (CPSS) constituted by the Bank for International Settlements. In the process a bank needs to detect the threats to information database, explore its vulnerability to security threats and the likelihood of occurrence of such threats, assess the potential impact of such threats on its business and comply with the legal, statutory, regulatory and contractual requirements involving itself as a party and its trading partners, contractors and service providers as counterparties. For ensuring smooth operations and proper conduct of the payment systems the RBI plans to integrate their six aspects – safety, security, soundness, efficiency, accessibility and authorization. This chapter plans to draw a comparative picture of how the banks are managing risks in payments and settlements systems as per regulatory guidelines in India vis-à-vis other countries.