The NBFC (Non-Banking Finance Company) sector has grown in size and complexity over the years. As the NBFC industry matures and achieves scale, its Information Technology /Information Security (IT/IS) framework, Business continuity planning (BCP), Disaster Recovery (DR) Management, IT audit, etc. must be benchmarked to best practices. Accordingly, directions on IT Framework for the NBFC sector that are expected to enhance safety, security, efficiency in processes leading to benefits for NBFCs and their customers are released by RBI. NBFCs may have already implemented or may be implementing some of the requirements indicated below. NBFCs are therefore required to conduct a formal gap analysis between their current status and stipulations as laid out in the master directions on Information Technology Framework for the NBFC Sector and put in place a time-bound action plan to address the gap and comply with the guidelines. Such an analysis may be submitted to the Board of the company within six months of the issuance of these directions.
The focus of the proposed IT framework is on IT Governance, IT Policy, Information & Cyber Security, IT Operations, IS Audit, Business Continuity Planning and IT Services Outsourcing. The directions are categorized into two parts, those which are applicable to all NBFCs with asset size above Rs 500 crore (Section A) and for NBFCs with asset size below Rs. 500 crore (Section B).
IT Governance–IT Governance is an integral part of corporate governance. It involves leadership support, organizational structure and processes to ensure that the NBFC’s IT sustains and extends business strategies and objectives. Effective IT Governance is the responsibility of the Board of Directors and Executive Management. Well-defined roles and responsibilities of Board and Senior Management are critical, while implementing IT Governance. Clearly-defined roles enable effective project control. People, when they are aware of others’ expectations from them, are able to complete work on time, within budget and to the expected level of quality. IT Governance Stakeholders include: Board of Directors, IT Strategy Committees, CEOs, Business Executives, Chief Information Officers (CIOs), Chief Technology Officers (CTOs), IT Steering Committees (operating at an executive level and focusing on priority setting, resource allocation and project tracking), Chief Risk Officer and Risk Committees.
The basic principles of value delivery, IT Risk Management, IT resource management and performance management must form the basis of governance framework. IT Governance has a continuous life-cycle. It’s a process in which IT strategy drives the processes, using resources necessary to execute responsibilities. Given the criticality of the IT, NBFCs may follow relevant aspects of such prudential governance standards that have found acceptability in the finance industry.
1.1 IT Strategy Committee: NBFCs are required to form an IT Strategy Committee. The chairman of the committee shall be an independent director and CIO & CTO should be a part of the committee. The IT Strategy Committee should meet at an appropriate frequency but not more than six months should elapse between two meetings. The Committee shall work in partnership with other Board committees and Senior Management to provide input to them. It will also carry out review and amend the IT strategies in line with the corporate strategies, Board Policy reviews, cyber security arrangements and any other matter related to IT Governance. Its deliberations may be placed before the Board.
1.2 Roles and Responsibilities of IT Strategy Committee: Some of the roles and responsibilities include:
· Approving IT strategy and policy documents and ensuring that the management has put an effective strategic planning process in place;
· Ascertaining that management has implemented processes and practices that ensure that the IT delivers value to the business;
· Ensuring IT investments represent a balance of risks and benefits and that budgets are acceptable;
· Monitoring the method that management uses to determine the IT resources needed to achieve strategic goals and provide high-level direction for sourcing and use of IT resources;
· Ensuring proper balance of IT investments for sustaining NBFC’s growth and becoming aware about exposure towards IT risks and controls.
IT Policy: NBFCs may formulate a Board approved IT policy, in line with the objectives of their organisation comprising the following:
· An IT organizational structure commensurate with the size, scale and nature of business activities carried out by the NBFC;
· NBFCs may designate a senior executive as the Chief Information Officer (CIO) or in-Charge of IT operations whose responsibility is to ensure implementation of IT Policy to the operational level involving IT strategy, value delivery, risk management and IT resource management.
· To ensure technical competence at senior/middle level management of NBFC, periodic assessment of the IT training requirements should be formulated to ensure that sufficient, competent and capable human resources are available.
· The NBFCs which are currently not using IPv6 platform should migrate to the same as per National Telecom Policy issued by the Government of India in 2012. (As per Circular DNBS(Inf.).CC.No 309/24.01.022/2012-13 November 08, 2012)
Information and cyber security : Information Security–Information is an asset to all NBFCs and Information Security (IS) refers to the protection of these assets in order to achieve organizational goals. The IS Policy must provide for a IS framework with the following basic tenets:
· Identification and Classification of Information Assets. NBFCs shall maintain detailed inventory of Information Asset with distinct and clear identification of the asset.
· Segregation of functions: There should be segregation of the duties of the Security Officer/Group (both physical security as well as cyber security) dealing exclusively with information systems security and the Information Technology division which actually implements the computer systems. The information security function should be adequately resourced in terms of the number of staff, level of skill and tools or techniques like risk assessment, security architecture, vulnerability assessment, forensic assessment, etc. Further, there should be a clear segregation of responsibilities relating to system administration, database administration and transaction processing.
· Role based Access Control – Access to information should be based on well-defined user roles (system administrator, user manager, application owner etc.), NBFCs shall avoid dependence on one or few persons for a particular job. There should be clear delegation of authority for right to upgrade/change user profiles and permissions and also key business parameters (eg. interest rates) which should be documented.
· Personnel Security – A few authorized application owners/users may have intimate knowledge of financial institution processes and they pose potential threat to systems and data. NBFC should have a process of appropriate check and balance in this regard. Personnel with privileged access like system administrator, cyber security personnel, etc should be subject to rigorous background check and screening.
· Physical Security – The confidentiality, integrity, and availability of information can be impaired through physical access and damage or destruction to physical components. NBFCs need to create a secured environment for physical security of IS Assets such as secure location of critical data, restricted access to sensitive areas like data center etc.
· Maker-checker is one of the important principles of authorization in the information systems of financial entities. For each transaction, there must be at least two individuals necessary for its completion as this will reduce the risk of error and will ensure reliability of information.
· Incident Management – The IS Policy should define what constitutes an incident. NBFCs shall develop and implement processes for preventing, detecting, analysing and responding to information security incidents.
· Trails- NBFCs shall ensure that audit trails exist for IT assets satisfying its business requirements including regulatory and legal requirements, facilitating audit, serving as forensic evidence when required and assisting in dispute resolution. If an employee, for instance, attempts to access an unauthorized section, this improper activity should be recorded in the audit trail.
· Public Key Infrastructure (PKI) – NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and nonrepudiation.
IS Audit: The objective of the IS Audit is to provide an insight on the effectiveness of controls that are in place to ensure confidentiality, integrity and availability of the organization’s IT infrastructure. IS Audit shall identify risks and methods to mitigate risk arising out of IT infrastructure such as server architecture, local and wide area networks, physical and information security, telecommunications etc. IS Audit should form an integral part of Internal Audit system of the NBFC. While designing the IS framework, NBFCs shall refer to guidance issued by Professional bodies like ISACA, IIA, ICAI in this regard. ICAI has published “Standard on Internal Audit (SIA) 14: Internal Audit in an Information Technology Environment” on the subject. NBFCs shall adopt an IS Audit framework duly approved by their Board. Further, NBFCs shall have adequately skilled personnel in Audit Committee who can understand the results of the IS Audit.
IT Services outsourcing: Outsourcing of IT related business process can provide an NBFC the opportunity to realise valuable strategic and economic benefits. However, prior to commencement of any outsourcing arrangement, careful consideration of risks, threats of contractual arrangements and regulatory compliance obligations must take place. Companies usually outsource their IT related business process to a third party vendor because of higher efficiency, inadequate resources and lack of specialized knowledge.
Recommendations for NBFCs with asset size below Rs 500 crore
It is recommended that smaller NBFCs may start with developing basic IT systems mainly for maintaining the database. NBFCs having asset size below Rs 500 crore shall have a Board approved Information Technology policy/Information system policy. This policy may be designed considering the undermentioned basic standards and the same shall be put in place by September 30, 2018. The IT systems shall have:
· Basic security aspects such as physical/ logical access controls and well defined password policy;
· A well-defined user role;
· A Maker-checker concept to reduce the risk of error and misuse and to ensure reliability of data/information;
· Information Security and Cyber Security;
· Requirements as regards Mobile Financial Services, Social Media and Digital Signature Certificates as indicated in para 3.18, 3.10 & 3.11 above;
· System generated reports for Top Management summarising financial position including operating and non-operating revenues and expenses, cost benefit analysis of segments/verticals, cost of funds, etc.;
· Adequacy to file regulatory returns to RBI (COSMOS Returns);
· A BCP policy duly approved by the Board ensuring regular oversight of the Board by way of periodic reports (at least once every year);
· Arrangement for backup of data with periodic testing. PHD