RBI Action on one of the renowned Indian bank: Is your data in other banks safe?

By Vikrant Rana , Anuradha Gandhi and Isha Sharma

INTRODUCTION

Banks serve as repositories of money, and data including financial information as well as sensitive personal information of millions. This article sheds light on the intricate processes by which banks collect, store and processes this data.  Furthermore, it delves into the critical issue of whether banks can be held accountable for any lapses in safeguarding these valuable data.

A notable stance involves the Reserve Bank of India (RBI)’s directive issued to one of the renowned Indian bank on April 24, 2024, compelling the immediate cessation of onboarding new customers through online means and mobile banking channels, as well as the issuance of fresh credit cards[1].

The directive reasoned that such a step was taken subsequent an event on April 15, 2024[2].

Events that led to the Directive- What happened on April 15, 2024?

On April 15, 2024, several customers were unable to use the bank’s mobile application, and took to social media to express their dissatisfaction.[3]

The RBI mentioned this incident and observed that the bank has not been able to upgrade its Information Technology systems in line with its growth. It was further observed that, for two consecutive years (2022-23), the bank was assessed to be deficient in its IT Risk and Information Security Governance, with respect to requirements under Regulatory guidelines. It explained that serious deficiencies and non-compliances were observed in the areas of:

1. IT inventory management,
2. vendor risk management,
3. data security and data leak prevention strategy, etc.[4]

The directive stated that in the absence of a robust IT infrastructure and IT Risk Management framework, the bank’s Core Banking System (CBS) and its online and digital banking channels have suffered frequent and significant outages in the last two years, the recent one being a service disruption on April 15, 2024, resulting in serious customer inconveniences.” [5]

Hence, the Reserve Bank, has placed certain business restrictions on the bank as mentioned above.

This directive is pertinent given the amount of data that is handled by banks, and the need for a heightened security measure as well as risks involved is hardly misplaced.

DATA COLLECTED BY BANKS AND FINANCIAL ORGANIZATIONS

The wide variety of data collected by banks include, personal information, financial information among others.[6]

It is to be noted that the DPDP rules are still to be notified, and therefore, these nuanced compliances will only come into force once the Act has been notified, meanwhile, similar obligations are levied under the Information Technology Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules).[7]

How is the Data stored, processed and shared?  

This personal data is then processed and stored by banking and financial institutions for authentication and providing specific services to their customers, and to maintain a check on the transactions and prevent a theft or banking fraud. Banks deal with a lot of sensitive personal data as well, data, that is uniquely identifiable to an individual, and this data calls for a higher standard of protection.

The DPDP Act provides three guiding principles for the manner in which Data is to be handled.

1. Consent: Explicit consent must be received from the Data Principal. (Section 6 of the DPDP Act)
2. Specific Purpose: Data so processed by the data fiduciary should only be for the specific purpose that the data principal has consented for,
3. Withdrawal of Consent: Data Principal must have the right to withdraw their consent at any time. [8]

An example would be, the use of Know Your Customer (KYC) data. The data collected for KYC should be used for limited purposes only pertaining to the authentication of customers[9], and this purpose should not extend to marketing.

Retention of Data

Banks generally keep a record of their customer’s financial transactions for a minimum period of five years. However, they may retain these records for longer periods.

Section 12 of Prevention of Money Laundering Act 2002, places obligations on every banking company, financial institution and intermediary to maintain a record of prescribed transactions, and the records of the identity of its clients for a period of 10 years from the date of cessation of transactions with the clients.[10]

This period was also notified in the Master Circular – Know Your Customer norms / Anti-Money Laundering Standards/ Combating of Financing of Terrorism /Obligation of banks under PMLA, 2002 released in 2008.[11]
Extraterritorial processing and transfer of Personal Data
Section 16 of the DPDP Act curtails the transfer of personal data to countries restricted by Central Government through notification[12].

Storage and Transfer of Financial Data

The Reserve Bank of India issued a directive dated April 06, 2018  advising all system providers to ensure that, within a period of six months, the entire data relating to payment systems operated by them is stored in a system only in India[13]

Further, in January 2023, RBI released a set of guidelines for fin-tech companies, with an aim on ensuring the safety and security of customers’ data. These guidelines place a strong emphasis on the importance of data protection and data backup in the financial sector, as the mishandling of sensitive information can have serious consequences for both customers and the companies. They required companies to implement comprehensive measures to protect customer data and to regularly back up this data to secure servers. It further, required fintech companies to have a data protection policy in place, and appoint a Chief Data Officer (CDO) for overseeing company’s data protection and backup efforts. [14].

Is the Data really secure in banks?

As per a recent report in March, 2024, IDfy[15] an integrated identity verification and digital onboarding platform, has released a report that shed light on the data privacy practices of the few popular Indian banks:

1. 9 out of 10 banks were found to have misleading and unclear privacy policies.
2. 8 out of the 10 banks, did not specify the personal identifiable information that was collected in their privacy policy, such as account numbers, PAN card and Aadhaar Card details.
3. Many banks were also found to be collecting information, such as employer’s name, work email ID, religion and caste during account opening process, information that were deemed unnecessary, and thereby violative of the data minimization provisions. [16]

HEIGHTENED LIABILITY OF FINANCIAL ORGANISATIONS

Owing to the amount of data processed by banks, they have a heightened classification as Significant Data Fiduciaries, or SDF under the DPDP Act. The Central Government can issue an SDF on the basis of the volume and sensitivity of the personal data processed. [17]

Being a Significant Data Fiduciary comes with its own list of obligations which include,

1. Appointing a Data Protection Officer (DPO), appointed by the company in India, and act as the point of contact for the grievance redressal mechanism under the provisions of this Act.
2. Appointment of an independent data auditor to evaluate the compliance of the Significant Data Fiduciary
3. Periodic Data Protection Impact Assessment (DPA), for the assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed by the Act.[18]

What are the penalties?

Under Section 8(5) the Data Fiduciary will be fined NR 250 Crore for failure to take security measures to prevent data breaches, and INR 200 Crore for breach in giving notice of a Personal Data breach to the Board or the Data Principal under Section 8(6).[19]

DATA BREACHES AND BANK FRAUDS AND HOW TO COMABT THEM

Financial institutions sit at a high risk when it comes to frauds and attacks on the integrity of their data security. Bank Frauds and data breaches often come up owing to weak authentication and access controls and outdated software and security measures

These attacks include, among other forms of attacks[20]:

1. Cyber-attacks: wherein systems are hacked and compromised, leaving them vulnerable.
2. Insider theft: where Employees within the organization might misuse their access to commit fraudulent activities, leading to significant financial losses.
3. Identity theft: Cybercriminals use the PII of another individual to assume someone else’s identity and carry out unauthorized transactions
4. Unauthorized Transactions: where hackers gain access to individuals’ online banking accounts and perfume fraudulent transactions, causing significant losses, and,
5. Physical security breaches.
6. Phishing

RBI guidelines on the information technology governance at banks

On April 1, 2024, the Master Directions on Information Technology Governance, Risk, Controls, and Assurance Practices became effective. The Directions were released on November 7, 2023,  in exercise of the powers conferred to the RBI vide Section 35A of the Banking Regulation Act, 1949 (which vests in the Reserve Bank, the authority to give directions); Section 45L of the Reserve Bank of India Act, 1934 and Section 11 of the Credit Information Companies (Regulation) Act, 2005. This Master Direction was specifically applicable to regulated entities, including banks and provides comprehensive directions to banking companies, NBFCs, Credit Information Companies, on dos and don’ts in the realm of information technology (IT) Governance, information technology (IT) Infrastructure and Services Management and other important aspects such as cybersecurity.[21]

Credit Information Companies (Regulation) Act, 2005

The other Act applicable includes the Credit Information Companies (Regulation) Act, 2005, which regulates the manner in which credit information data is handled by companies. The Act sets out the obligations of credit information companies in relation to access to data, fidelity, and secrecy of the data, data collection and purpose limitation, disclosure norms, obligation to maintain confidentiality, and accuracy.[22]

In order to better equip the system against these attacks, financial institutions should:

1. Encrypt the data, by anonymizing it or pseudonymization it,
2. Control access to the data,
3. Install up-to date firewall detection systems,
4. Perform regular audits and compliance,
5. secure authentication,
6. data minimization, as in collect, as little data as required to fulfil the specified purpose
7. Conduct regular Employee training on data protection and handling and have at ready, an incident response plan,
8. vendor risk management, and,
9. Continuous monitoring and improvement of the network. The DPDP Act, 2023 also provides for continuous monitoring and undertaking of periodic audits to assess their data protection practices.

CONCLUSION

The bank will be reviewed upon completion of external audit and corrective action plan to RBI’s satisfaction which typically takes six to twelve months, as per a research report by Emkay[23].

Banks process a large amount of very vulnerable data, which often becomes a ripe target for attacks as there is direct monetary benefit to be reaped from it. Protecting Data in the custody of these institutions, thus becomes a task of paramount importance. The new Data Protection regime sets out a blue print for banks to follow and places on them heightened obligations suited to the amount of data that is collected by them. The RBI mandate on the Indian bank, is a step in the same direction.

Ahana Bag , Junior Associate Advocate at S.S. Rana & Co. has assisted in the research of this article.

[1] https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=57769

[2] https://economictimes.indiatimes.com/wealth/personal-finance-news/kotak-mahindra-bank-penalised-by-rbi-what-happened-on-april-15-that-was-the-final-straw/articleshow/109565395.cms?from=mdr

[3] Ibid

[4] https://rbi.org.in/Scripts/BS_PressReleaseDisplay.aspx?prid=57769

[5] Ibid

[6] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

https://meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

[8] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

[9] https://www.rbi.org.in/CommonPerson/english/scripts/notification.aspx?id=2607

[10] https://indiacode.nic.in/handle/123456789/2036?sam_handle=123456789/1362#:~:text=Long%20Title%3A,connected%20therewith%20or%20incidental%20thereto.&text=Notification%3A,%2C%202005%2C%20vide%20notification%20No.

[11] https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=4354#mai

[12] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

[13] https://www.rbi.org.in/commonperson/English/Scripts/FAQs.aspx?Id=2995

[14] https://nimesa.io/blogs/rbi-guidelines-for-fintech-the-role-of-data-protection-and-data-backup/

[15] https://www.financialexpress.com/business/banking-finance-banks-not-collecting-data-protection-act-compliant-consent-says-idfy-3424540/#:~:text=Several%20banks%20in%20the%20country,verification%20and%20digital%20onboarding%20platform.

[16] https://www.varindia.com/news/idfy-report-reveals-alarming-data-privacy-gaps-in-top-indian-banks

[17]https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

[18] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

[19] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

[20] https://www.idfy.com/blog/inside-the-rise-of-bank-fraud-in-india/

[21] Master Directions on Information Technology Governance, Risk, Controls, and Assurance Practices https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=12562&Mode=0

[22] https://www.indiacode.nic.in/bitstream/123456789/2057/2/A200530.pdf

[23] https://economictimes.indiatimes.com/wealth/save/kotak-mahindra-bank-is-your-kotak-811-account-safe-can-kotak-mahindra-credit-card-customers-renew-cards-8-key-queries-answered/articleshow/109595095.cms?from=mdr