Category Archives: Reserve Bank Of India

Consolidated FDI Policy Of India 2012 By DIPP: Objectives

Perry4Law and Perry4Law Techno Legal Base (PTLB) would like to inform that the Department of Industrial Policy and Promotion (DIPP), Ministry of Commerce and Industry, Government of India (GOI) has issued the Consolidated FDI Policy of India 2012. The same would be effective from April 10, 2012.

The consolidated FDI policy of India 2012 reflects the intent and objective of the GOI to attract and promote foreign direct investment (FDI) in order to supplement domestic capital, technology and skills, for accelerated economic growth. FDI, as distinguished from portfolio investment, has the connotation of establishing a lasting interest in an enterprise that is resident in an economy other than that of the investor.

To achieve this objective, the Indian Government has put in place a policy framework on FDI, which is transparent, predictable and easily comprehensible. This policy framework has been incorporated in the Consolidated FDI Policy of India 2012, which may be updated every year, to capture and keep pace with the regulatory changes, effected in the interregnum.

DIPP, Ministry of Commerce and Industry, GOI makes policy pronouncements on FDI through Press Notes/ Press Releases which are notified by the Reserve Bank of India (RBI) as amendments to the Foreign Exchange Management (Transfer or Issue of Security by Persons Resident Outside India) Regulations, 2000 (notification No.FEMA 20/2000-RB dated May 3, 2000). These notifications take effect from the date of issue of Press Notes/ Press Releases, unless specified otherwise therein. In case of any conflict, the relevant FEMA Notification will prevail. The procedural instructions are issued by the Reserve Bank of India vide A.P. Dir. (series) Circulars. The regulatory framework, over a period of time, thus, consists of Acts, Regulations, Press Notes, Press Releases, Clarifications, etc.

The present consolidation subsumes and supersedes all Press Notes/Press Releases/Clarifications/ Circulars issued by DIPP, which were in force as on April 09, 2012, and reflects the FDI Policy as on April 10, 2012. This Circular accordingly will take effect from April 10, 2012. Reference to any statute or legislation made in this Circular shall include modifications, amendments or re-enactments thereof.

Notwithstanding the rescission of earlier Press Notes/Press Releases/Clarifications/Circulars, anything done or any action taken or purported to have been done or taken under the rescinded Press Notes/Press Releases/Clarifications/Circulars prior to April 10, 2012, shall, in so far as it is not inconsistent with those Press Notes/Press Releases/Clarifications/Circulars, be deemed to have been done or taken under the corresponding provisions of this circular and shall be valid and effective.

Internet Banking Guidelines In India By RBI

Internet banking is all set for a big growth in India. With increasing emphasis upon e-governance and e-commerce, Internet banking in India would be used more frequently. However, along with the benefits of use of Internet banking, the cyber crimes and financial fraud risks are also increasing.

Cyber security of banks in India is still not given a priority. Banks are not interested in ensuring cyber security of electronic transactions. Even the recommendations of Reserve Bank of India (RBI) to ensure cyber security, appointment of chief information officers (CIOs), establishing a steering committee at board level, etc have remained unfulfilled. Even RBI has warned banks for inadequate cyber security.

As per the notification number DBOD.COMP.BC.No.130/ 07.03.23/ 2000-01 of RBI, issued on 14th June 2001, RBI has issued the following guidelines to be implemented by banks in India regarding Internet banking:

(1) Technology And Security Standards:

(a) Banks should designate a network and database administrator with clearly defined roles as indicated in the Group’s report. (Para 6.2.4)

(b) Banks should have a security policy duly approved by the Board of Directors. There should be a segregation of duty of Security Officer / Group dealing exclusively with information systems security and Information Technology Division which actually implements the computer systems. Further, Information Systems Auditor will audit the information systems. (Para 6.3.10, 6.4.1)

(c) Banks should introduce logical access controls to data, systems, application software, utilities, telecommunication lines, libraries, system software, etc. Logical access control techniques may include user-ids, passwords, smart cards or other biometric technologies. (Para 6.4.2)

(d) At the minimum, banks should use the proxy server type of firewall so that there is no direct connection between the Internet and the bank’s system. It facilitates a high level of control and in-depth monitoring using logging and auditing tools. For sensitive systems, a stateful inspection firewall is recommended which thoroughly inspects all packets of information, and past and present transactions are compared. These generally include a real time security alert. (Para 6.4.3)

(e) All the systems supporting dial up services through modem on the same LAN as the application server should be isolated to prevent intrusions into the network as this may bypass the proxy server. (Para 6.4.4)

(f) PKI (Public Key Infrastructure) is the most favoured technology for secure Internet banking services. However, as it is not yet commonly available, banks should use the following alternative system during the transition, until the PKI is put in place:

(i) Usage of SSL (Secured Socket Layer), which ensures server authentication and use of client side certificates issued by the banks themselves using a Certificate Server.

(ii) The use of at least 128-bit SSL for securing browser to web server communications and, in addition, encryption of sensitive data like passwords in transit within the enterprise itself. (Para 6.4.5)

(g) It is also recommended that all unnecessary services on the application server such as FTP (File Transfer Protocol), telnet should be disabled. The application server should be isolated from the e-mail server. (Para 6.4.6)

(h) All computer accesses, including messages received, should be logged. Security violations (suspected or attempted) should be reported and follow up action taken should be kept in mind while framing future policy. Banks should acquire tools for monitoring systems and the networks against intrusions and attacks. These tools should be used regularly to avoid security breaches. The banks should review their security infrastructure and security policies regularly and optimize them in the light of their own experiences and changing technologies. They should educate their security personnel and also the end-users on a continuous basis. (Para 6.4.7, 6.4.11, 6.4.12)

(i) The information security officer and the information system auditor should undertake periodic penetration tests of the system, which should include:

(i) Attempting to guess passwords using password-cracking tools.

(ii) Search for back door traps in the programs.

(iii) Attempt to overload the system using DDoS (Distributed Denial of Service) & DoS (Denial of Service) attacks.

(iv) Check if commonly known holes in the software, especially the browser and the e-mail software exist.

(v) The penetration testing may also be carried out by engaging outside experts (often called ‘Ethical Hackers’). (Para 6.4.8)

(j) Physical access controls should be strictly enforced. Physical security should cover all the information systems and sites where they are housed, both against internal and external threats. (Para 6.4.9)

(k) Banks should have proper infrastructure and schedules for backing up data. The backed-up data should be periodically tested to ensure recovery without loss of transactions in a time frame as given out in the bank’s security policy. Business continuity should be ensured by setting up disaster recovery sites. These facilities should also be tested periodically. (Para 6.4.10)

(l) All applications of banks should have proper record keeping facilities for legal purposes. It may be necessary to keep all received and sent messages both in encrypted and decrypted form. (Para 6.4.13)

(m) Security infrastructure should be properly tested before using the systems and applications for normal operations. Banks should upgrade the systems by installing patches released by developers to remove bugs and loopholes, and upgrade to newer versions which give better security and control. (Para 6.4.15)

(2) Legal Issues:

(a) Considering the legal position prevalent, there is an obligation on the part of banks not only to establish the identity but also to make enquiries about integrity and reputation of the prospective customer. Therefore, even though request for opening account can be accepted over Internet, accounts should be opened only after proper introduction and physical verification of the identity of the customer. (Para 7.2.1)

(b) From a legal perspective, security procedure adopted by banks for authenticating users needs to be recognized by law as a substitute for signature. In India, the Information Technology Act, 2000, in Section 3(2) provides for a particular technology (viz., the asymmetric crypto system and hash function) as a means of authenticating electronic record. Any other method used by banks for authentication should be recognized as a source of legal risk. (Para 7.3.1)

(c) Under the present regime there is an obligation on banks to maintain secrecy and confidentiality of customers’ accounts. In the Internet banking scenario, the risk of banks not meeting the above obligation is high on account of several factors. Despite all reasonable precautions, banks may be exposed to enhanced risk of liability to customers on account of breach of secrecy, denial of service etc., because of hacking/ other technological failures. The banks should, therefore, institute adequate risk control measures to manage such risks. (Para 7.5.1-7.5.4)

(d) In Internet banking scenario there is very little scope for the banks to act on stop payment instructions from the customers. Hence, banks should clearly notify to the customers the timeframe and the circumstances in which any stop-payment instructions could be accepted. (Para 7.6.1)

(e) The Consumer Protection Act, 1986 defines the rights of consumers in India and is applicable to banking services as well. Currently, the rights and liabilities of customers availing of Internet banking services are being determined by bilateral agreements between the banks and customers. Considering the banking practice and rights enjoyed by customers in traditional banking, banks’ liability to the customers on account of unauthorized transfer through hacking, denial of service on account of technological failure etc. needs to be assessed and banks providing Internet banking should insure themselves against such risks. (Para 7.11.1)

(3) Regulatory And Supervisory Issues:

As recommended by the Group, the existing regulatory framework over banks will be extended to Internet banking also. In this regard, it is advised that:

(a) Only such banks which are licensed and supervised in India and have a physical presence in India will be permitted to offer Internet banking products to residents of India. Thus, both banks and virtual banks incorporated outside the country and having no physical presence in India will not, for the present, be permitted to offer Internet banking services to Indian residents.

(b) The products should be restricted to account holders only and should not be offered in other jurisdictions.

(c) The services should only include local currency products.

(d) The ‘in-out’ scenario where customers in cross border jurisdictions are offered banking services by Indian banks (or branches of foreign banks in India) and the ‘out-in’ scenario where Indian residents are offered banking services by banks operating in cross-border jurisdictions are generally not permitted and this approach will apply to Internet banking also. The existing exceptions for limited purposes under FEMA i.e. where resident Indians have been permitted to continue to maintain their accounts with overseas banks etc., will, however, be permitted.

(e) Overseas branches of Indian banks will be permitted to offer Internet banking services to their overseas customers subject to their satisfying, in addition to the host supervisor, the home supervisor.

Given the regulatory approach as above, banks are advised to follow the following instructions:

(a) All banks, who propose to offer transactional services on the Internet should obtain prior approval from RBI. Bank’s application for such permission should indicate its business plan, analysis of cost and benefit, operational arrangements like technology adopted, business partners, third party service providers and systems and control procedures the bank proposes to adopt for managing risks. The bank should also submit a security policy covering recommendations made in this circular and a certificate from an independent auditor that the minimum requirements prescribed have been met. After the initial approval the banks will be obliged to inform RBI any material changes in the services / products offered by them. (Para 8.4.1, 8.4.2)

(b) Banks will report to RBI every breach or failure of security systems and procedure and the latter, at its discretion, may decide to commission special audit/ inspection of such banks. (Para 8.4.3)

(c) The guidelines issued by RBI on ‘Risks and Controls in Computers and Telecommunications’ vide circular DBS.CO.ITC.BC. 10/ 31.09.001/ 97-98 dated 4th February 1998 will equally apply to Internet banking. The RBI as supervisor will cover the entire risks associated with electronic banking as a part of its regular inspections of banks. (Para 8.4.4, 8.4.5)

(d) Banks should develop outsourcing guidelines to manage risks arising out of third party service providers, such as, disruption in service, defective services and personnel of service providers gaining intimate knowledge of banks’ systems and misutilizing the same, etc., effectively. (Para 8.4.7)

(e) With the increasing popularity of e-commerce, it has become necessary to set up ‘Inter-bank Payment Gateways’ for settlement of such transactions. The protocol for transactions between the customer, the bank and the portal and the framework for setting up of payment gateways as recommended by the Group should be adopted. (Para 8.4.7, –

(f) Only institutions who are members of the cheque clearing system in the country will be permitted to participate in Inter-bank payment gateways for Internet payment. Each gateway must nominate a bank as the clearing bank to settle all transactions. Payments effected using credit cards, payments arising out of cross border e-commerce transactions and all intra-bank payments (i.e., transactions involving only one bank) should be excluded for settlement through an inter-bank payment gateway. (Para 8.4.7 )

(g) Inter-bank payment gateways must have capabilities for both net and gross settlement. All settlement should be intra-day and as far as possible, in real time.
(Para 8.4.7)

(h) Connectivity between the gateway and the computer system of the member bank should be achieved using a leased line network (not through Internet) with appropriate data encryption standard. All transactions must be authenticated. Once, the regulatory framework is in place, the transactions should be digitally certified by any licensed certifying agency. SSL / 128 bit encryption must be used as minimum level of security. Reserve Bank may get the security of the entire infrastructure both at the payment gateway’s end and the participating institutions’ end certified prior to making the facility available for customers use. (Para 8.4.7 )

(i) Bilateral contracts between the payee and payee’s bank, the participating banks and service provider and the banks themselves will form the legal basis for such transactions. The rights and obligations of each party must be clearly defined and should be valid in a court of law. (Para 8.4.7)

(j) Banks must make mandatory disclosures of risks, responsibilities and liabilities of the customers in doing business through Internet through a disclosure template. The banks should also provide their latest published financial results over the net. (Para 8.4.8)

(k) Hyperlinks from banks’ websites, often raise the issue of reputational risk. Such links should not mislead the customers into believing that banks sponsor any particular product or any business unrelated to banking. Hyperlinks from a banks’ websites should be confined to only those portals with which they have a payment arrangement or sites of their subsidiaries or principals. Hyperlinks to banks’ websites from other portals are normally meant for passing on information relating to purchases made by banks’ customers in the portal. Banks must follow the minimum recommended security precautions while dealing with request received from other websites, relating to customers’ purchases. (Para 8.4.9)

The Reserve Bank of India have decided that the Group’s recommendations as detailed in this circulars should be adopted by all banks offering Internet banking services, with immediate effect. Even though the recommendations have been made in the context of Internet banking, these are applicable, in general, to all forms of electronic banking and banks offering any form of electronic banking should adopt the same to the extent relevant.

All banks offering Internet banking are advised to make a review of their systems in the light of this circular and report to Reserve Bank the types of services offered, extent of their compliance with the recommendations, deviations and their proposal indicating a time frame for compliance. The first such report must reach us within one month from the date of this circular. Banks not offering any kind of I-banking may submit a ‘nil’ report.

Banks who are already offering any kind of transactional service are advised to report, in addition to those mentioned in paragraph above, their business models with projections of cost / benefits etc. and seek our post-facto approval.

RBI Warned Indian Banks For Inadequate Cyber Security

The Reserve Bank of India (RBI) has been issuing various directions and recommendations from time to time to strengthen cyber security of banks operating in India. Further, RBI has also prescribed a cyber due diligence for Indian banks. However, Indian banks are not following the directions of RBI in this regard and a majority of banks in India still do not have a well defined cyber security

Merger And Acquisition Trends In India 2011

In this special column, Ms. Geeta Dalal, Partner at Perry4Law and a Techno Legal Corporate and Business Restructuring Expert, is discussing the merger and acquisition trends of India in the year 2011.

Merger and acquisition has seen many ups and downs in the year 2011 and many crucial developments took place in 2011.

Corporate mergers and acquisitions (M & A) in India are very common. India has been updating its corporate merger and acquisition regulations in India from time to time. Recently, Competition Commission of India (Procedure in regard to the transaction of business relating to combinations) Regulations, 2011 were formulated by the by Competition Commission of India. The main objective of the same was to regulated the combinations formulated in an anti competition manner in India.

Regulatory environment touching mergers and acquisitions in India was also streamlined in the year 2011 and stress upon and technological developments were made. The Securities and Exchange Board of India (SEBI) is planning to use electronic initial public offer (IPO) in India. Foreign investments in pharmaceutical in India has been liberalised by Reserve Bank of India. Similarly, foreign direct investment (FDI) in India has also been liberalised in many crucial areas. Naturally, lots of investments, IPOs, private equity funds exchange and many more collaborative and cooperative activities would take place in India in the year 2012.

The year 2011 envisaged an attempt by Reserve Bank of India (RBI) to regulate banking related mergers and acquisitions (M&A) in India. With the clearance of the Banking Laws (Amendment) Bill, 2011 by the Parliamentary Standing Committee on Finance, this may be the reality very soon.

Further, to streamline the banking transactions, an integrated banking law in India has been proposed. Similarly, the cap upon mobile banking financial transactions in India has been removed by the RBI. These reforms would help merger and acquisition transactions in India in the coming years.

Although there was a slow down in the merger and acquisition deals in India in 2011 yet India’s energy, mining and utilities sector witnessed a sound growth. The telecommunication sector faced the biggest setback in India and there were very few M&A dealing in this sector in 2011.

Perry4Law and Perry4Law Techno Legal Base (PTLB) would come up with the projected or forecasted merger and acquisition trends in India 2012 very soon.

Mobile Banking Cyber Security In India

Mobile Banking is the buzz word these days. While the idea of mobile banking is promising yet it requires certain prerequisites to be successful in India. The chief among these requirements is the requirement to have a robust cyber security for mobile banking in India.Cyber security in India in general and cyber security for online banking transactions in particular is not in good shape. The

E-Discovery In India And Its Uses

ByBaljeet Singh Electronic discovery has many purposes to achieve. It can be used as an effective measure to prevent frauds from being committed by timely detection of suspicious activities. It can also be used for detection of these frauds and crimes after their commission. Thus, e-discovery is both preventive and curative in nature.E-discovery must be regulated by a legal framework to give it

Chief Information Officers (CIOs) Made Mandatory For All Banks In India

Reserve Bank of India (RBI) executive director G Gopalakrishna recently said that all banks would have to create a position of chief information officers (CIOs) as well as steering committees on information security at the board level at the earliest. G Gopalakrishna further said the banks will have to implement the facility of “second factor verification” at merchant establishments and ATMs