Technological evolution has enabled Indian banks not only to change the mode of transactions but also to drive them at an alarming speed and in many formats. The trend applies to all banks and branches (over a lakh), including Scheduled Commercial Banks, Regional Rural Banks (RRBs) and Urban Cooperative Banks (UCBs). New channels such as ATMs, Net Banking, Mobile Banking, Cards, IVRs and branches, together with surrounding systems like Treasury, DEMAT, NEFT and RTGS, all leverage the core banking services (CBS) systems.
As the volume of transactions skyrockets across multiple channels, the environment is exposed to technological risks that cannot be ignored; hence the IT manager's role in mitigating those risks by applying the necessary controls becomes even more crucial. IT managers face Herculean tasks and challenges in streamlining the process and ensuring risk-free transactions. Their key imperative is to identify the critical challenges of core banking, enhance the skills and expertise needed for crisis management, and deploy best practices to make effective use of core banking services.
Core (Banking) Risks
Amid increasing threats and security risks, IT managers need to work towards keeping the lights on and systems running, and work out an effective mitigating plan by putting in sufficient compensating controls. The key concerns that the IT manager has to confront would be:
- To ensure that systems and services uptime is kept at near 100 per cent, that the integrity of systems and data is maintained at all costs, and, last but not least, that the confidentiality of customer-centric data is maintained by securing it across the transaction life cycle.
- To understand the nuances of the Core Banking system well enough to launch new products successfully. Changes in interest rates also call for a change in testing: the system date in the test bed has to be taken forward by at least one quarter to validate the accuracy of the system's computation of monthly interest accruals and interest compounding.
- To manage the project team, provide quality assurance and also manage stakeholder expectations amid tight deadlines. He should have a clear understanding of all the areas of Project Management, namely Project Integration Management, Scope Management, Time Management, Cost Management, Quality Management, Human Resources Management, Communication Management, Risk Management and Procurement Management.
- To ensure that the CBS and other systems within the bank's perimeter are protected by strong firewalls to prevent any unauthorised access and keep hackers at bay. He is also responsible for monitoring the honey pot, kept as a surveillance and early-warning tool, for any attempts or patterns of unauthorised use by hackers.
- To put policies and controls in place for access from BYOD devices. With advances in technology, employees bring their own devices such as tablets and mobiles and try to access bank systems over Wi-Fi. The IT manager has to put policies and controls in place so that BYOD devices can access only those systems he has allowed.
- To ensure capacity planning. The increasing volume of transactions on the CBS generates a huge amount of data and puts a great deal of pressure on its storage and retrieval. The IT manager is responsible for capacity planning with enough storage devices to take care of the exponential growth of data.
- To ensure that proper daily data backups are taken for the CBS and that the backup media is transported off-site in a secure manner. If the bank has implemented mirroring of production data at the DR/backup site, he has to ensure that it runs normally. He has to periodically (at least once a year) conduct a mock BCP (Business Continuity Planning) test from the DR site to check preparedness for a DR-like situation, and mobilise the Operations and business teams to conduct the exercise fruitfully. The Recovery Point Objective (RPO) and the Recovery Time Objective (RTO) are tested against the objectives agreed with stakeholders, the results analysed, and measures taken to correct any anomalies in the processes. He is also responsible for ensuring that the database is fine-tuned periodically and that historical data is moved to another location or archived for better system performance.
- To make sure that all changes (fixes/patches) moving into CBS production systems are approved by the Change Management committee; that any downtime is communicated well in advance to stakeholders and, where necessary, customers; and that proper rollback processes are in place in case the change has to be rolled back. Even emergency changes already applied have to be passed through the committee subsequently and ratified.
- To assist in Post Implementation Review (PIR). Once a major CBS project is rolled out into production, he is responsible for assisting in the PIR to gauge whether the benefits derived by the organisation are as per the quantified benefits initially projected by the business.
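The interest-rate testing point above (taking the test-bed system date forward by at least a quarter to validate monthly accruals and compounding) can be turned into a repeatable check. The following is an added example, not code from the article or from any CBS product: it simulates month-end accrual runs against a constructed rate schedule, advancing a simulated system date one month at a time, and compares the resulting balance with an independent closed-form computation. The accrual rule (balance × rate / 1200 per month, rounded to the paisa, capitalised every three months) and the figures are assumptions chosen so the arithmetic is exact.

```python
"""Test-bed check of monthly interest accrual and quarterly compounding,
driven by advancing a simulated CBS system date one month at a time.
The accrual rule and rate schedule are constructed assumptions."""
import calendar
from datetime import date
from decimal import Decimal, ROUND_HALF_EVEN

CENT = Decimal("0.01")


def add_months(d: date, n: int) -> date:
    """Advance a date by n calendar months, clamping to the month's last day."""
    month_index = d.month - 1 + n
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def _as_date(value):
    return date.fromisoformat(value) if isinstance(value, str) else value


def rate_on(schedule, on: date) -> Decimal:
    """Pick the annual rate (per cent) in force on a date from (effective_date, rate) pairs."""
    applicable = [rate for eff, rate in sorted(schedule) if eff <= on]
    if not applicable:
        raise ValueError("no rate effective on %s" % on)
    return Decimal(str(applicable[-1]))


def run_accrual(principal, schedule, start, months: int, compound_every: int = 3):
    """Simulate month-end accrual runs.  Each run accrues balance * rate / 1200
    (rounded to the paisa); every `compound_every` runs the accrued interest is
    capitalised into the balance.  Returns the ledger of every run."""
    schedule = [(_as_date(eff), rate) for eff, rate in schedule]
    balance, accrued = Decimal(str(principal)), Decimal("0")
    system_date, ledger = _as_date(start), []
    for run in range(1, months + 1):
        system_date = add_months(system_date, 1)          # roll the test-bed date forward
        interest = (balance * rate_on(schedule, system_date) / Decimal(1200)).quantize(
            CENT, rounding=ROUND_HALF_EVEN)
        accrued += interest
        if run % compound_every == 0:                     # quarter end: compound
            balance, accrued = balance + accrued, Decimal("0")
        ledger.append({"date": system_date, "interest": interest,
                       "balance": balance, "accrued": accrued})
    return ledger


def expected_quarterly(principal, rate_pct, quarters: int) -> Decimal:
    """Independent check for a constant rate: P * (1 + r/4)^q.  Exact when the
    monthly accrual needs no rounding, which the sample figures guarantee."""
    r = Decimal(str(rate_pct)) / Decimal(100)
    return (Decimal(str(principal)) * (1 + r / 4) ** quarters).quantize(CENT)


def validate_constant_rate(principal, rate_pct, start, quarters: int):
    """Run the simulated accruals for `quarters` quarters and compare with the
    closed form.  Returns (passed, final_balance)."""
    ledger = run_accrual(principal, [(start, rate_pct)], start, quarters * 3)
    final = ledger[-1]["balance"]
    return final == expected_quarterly(principal, rate_pct, quarters), final


if __name__ == "__main__":
    ok, bal = validate_constant_rate(120000, 9, "2013-03-31", 2)
    print("constant rate 9%, two quarters:", "PASS" if ok else "FAIL", bal)
    # rate revised to 12% effective 1 May: the May and June runs must use it
    for row in run_accrual(120000, [("2013-03-31", 9), ("2013-05-01", 12)], "2013-03-31", 3):
        print(row["date"], row["interest"], row["balance"])
```

The rate-change case is the one the article singles out: when a revised rate takes effect mid-quarter, each month-end run must pick up the rate in force on that run's system date, and the quarter-end capitalisation must sum accruals made at both rates.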
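The honey pot bullet above treats the honey pot as an early-warning tool for attempts or patterns of unauthorised use. The following is an added example, not code from the article or from any honeypot product, of the triage logic a monitoring team might run over honeypot log lines: because no legitimate user should ever touch a honey pot, every source seen is flagged, and sources that probe repeatedly within a short window or touch more than one service are escalated. The log format, the thresholds and the sample lines (using documentation-range IP addresses) are constructed assumptions.

```python
"""Early-warning triage of honeypot log lines (constructed format and samples).
Any interaction with a honeypot is suspect; bursts and multi-service probing
from one source are escalated to high severity."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape: <ISO timestamp> honeypot <service>: <message> from <IPv4>
LINE = re.compile(
    r"^(?P<ts>\S+) honeypot (?P<service>\w+): (?P<msg>.*?) from (?P<src>\d+\.\d+\.\d+\.\d+)")

# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2013-06-01T10:00:01 honeypot sshd: Failed password for root from 203.0.113.5
2013-06-01T10:00:03 honeypot sshd: Failed password for admin from 203.0.113.5
2013-06-01T10:00:04 honeypot sshd: Failed password for oracle from 203.0.113.5
2013-06-01T10:02:10 honeypot telnetd: Connection attempt from 203.0.113.5
2013-06-01T11:30:00 honeypot httpd: GET /manager/html from 198.51.100.7
2013-06-01T12:00:00 honeypot smbd: Session setup from 192.0.2.44
"""


def parse(text: str):
    """Turn raw lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "service": m["service"], "src": m["src"], "msg": m["msg"]})
    return events


def triage(events, window=timedelta(minutes=5), burst=3):
    """Group events by source and score each source.  `peak_in_window` is the
    largest number of events from that source inside any `window`-long span."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        services = sorted({e["service"] for e in evs})
        peak, start = 0, 0
        for i, e in enumerate(evs):                 # sliding window over sorted times
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, i - start + 1)
        severity = "high" if peak >= burst or len(services) > 1 else "medium"
        alerts[src] = {"count": len(evs), "services": services,
                       "peak_in_window": peak, "severity": severity,
                       "first_seen": evs[0]["ts"]}
    return alerts


if __name__ == "__main__":
    for src, a in triage(parse(SAMPLE_LOG)).items():
        print(f"{a['severity']:6} {src:15} events={a['count']} "
              f"peak/5min={a['peak_in_window']} services={','.join(a['services'])}")
```

Every honeypot source is worth an alert on its own; the burst and multi-service rules only decide which ones are escalated first and which should trigger a check of the production firewall rules for the same source.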
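The backup and DR bullet above says the mock BCP test measures RPO and RTO against the objectives agreed with stakeholders and that backup media must reach the off-site location intact. The following is an added example, not code from the article or from any bank's DR tooling, of scoring one drill: it computes the achieved RPO and RTO from the drill's timestamps, compares them with agreed targets, and checks the restore medium against the checksum recorded when the media left the primary site. The drill record, the targets and the backup payload are constructed assumptions.

```python
"""Score a mock DR/BCP drill against agreed RPO and RTO and verify the
off-site backup copy used for the restore.  All values are constructed."""
import hashlib
from datetime import datetime, timedelta

# Objectives agreed with stakeholders (assumed figures).
AGREED = {"rpo": timedelta(minutes=15), "rto": timedelta(hours=4)}

# Constructed drill record.  The catalog checksum stands for the value recorded
# at the primary site before the media was transported off-site.
BACKUP_PAYLOAD = b"cbs-eod-dump-2013-06-01 (constructed placeholder content)"
DRILL = {
    "last_consistent_copy": datetime(2013, 6, 1, 23, 50),   # last mirror/backup known good at DR
    "disaster_declared": datetime(2013, 6, 2, 0, 2),
    "service_restored": datetime(2013, 6, 2, 3, 10),
    "catalog_sha256": hashlib.sha256(BACKUP_PAYLOAD).hexdigest(),
    "media_bytes": BACKUP_PAYLOAD,                            # what was actually read at DR
}
# Variant of the same drill where the restore overran the agreed RTO.
DRILL_LATE = dict(DRILL, service_restored=datetime(2013, 6, 2, 5, 0))


def measure(drill):
    """Achieved RPO = data lost between the last good copy and the disaster;
    achieved RTO = time from declaration to restored service."""
    return {"rpo": drill["disaster_declared"] - drill["last_consistent_copy"],
            "rto": drill["service_restored"] - drill["disaster_declared"]}


def media_intact(drill) -> bool:
    """The medium restored from must match the checksum in the backup catalog."""
    return hashlib.sha256(drill["media_bytes"]).hexdigest() == drill["catalog_sha256"]


def evaluate(drill, agreed=AGREED):
    """Return measured values, a pass/fail verdict and the list of anomalies
    that need corrective measures in the process."""
    measured = measure(drill)
    findings = []
    for key in ("rpo", "rto"):
        if measured[key] > agreed[key]:
            findings.append(f"{key.upper()} missed: measured {measured[key]} vs agreed {agreed[key]}")
    if not media_intact(drill):
        findings.append("backup media checksum does not match catalog; restore source is untrusted")
    return {"measured": measured, "passed": not findings, "findings": findings}


if __name__ == "__main__":
    for name, record in (("drill", DRILL), ("late restore", DRILL_LATE),
                         ("tampered media", dict(DRILL, media_bytes=b"not the catalogued copy"))):
        result = evaluate(record)
        print(name, "PASS" if result["passed"] else "FAIL", result["findings"])
```

A drill that passes on timings but fails the media check is still a failed drill: the restore proved nothing about the copy the bank would actually depend on.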
Right Controls for Risks
Deploying certain best practices would help IT managers to overcome the challenges associated with core banking services. These are the key imperatives that they can use to mitigate risks and the controls they need to put in place:
- Embrace COBIT and ITIL frameworks for best practices
- Compliance with SOX, if applicable
- Ensure that the Service Delivery team/ outsourced vendors are able to deliver as per defined SLAs
- Develop a team for IS security management, form a committee for IT strategy
- Implement Sigma to ensure Quality Management
- Performance Optimisation
- Sourcing Practices
- IT Balanced Scorecards and Key Performance Indicators (KPIs)
- End User training of all new systems moved into production environment
- Segregation of Duties to reduce or eliminate business risks through the introduction of compensating controls. For example, a voucher inputter cannot authorise a high-value transaction; a separate authoriser role should be created
- Introduce stringent physical access controls, software access controls
- Periodic change of passwords
- Disable all USB and CD drives to prevent data leakage and the introduction of infections/worms into the system
- Set policies on Usage of IT Assets and BYOD
- Set policies on email usage
- Set policies on OS patch management and endpoint security updates
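The segregation-of-duties control in the list above (a voucher inputter cannot authorise a high-value transaction; a separate authoriser role is needed) is easy to state and easy to get subtly wrong. The following is an added example, not code from the article or from any CBS, that places a weak authorisation check beside an enforced maker-checker rule: the weak version checks only that the user holds an authoriser role, so a user holding both roles can pass their own voucher, while the hardened version also refuses self-authorisation, re-authorisation of an already processed voucher, and high-value vouchers beyond the authoriser's limit. The roles, the threshold and the limits are constructed assumptions.

```python
"""Maker-checker (segregation of duties) enforcement for voucher authorisation.
Threshold, roles and limits are constructed assumptions, not any bank's values."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

HIGH_VALUE = Decimal("100000")        # assumed high-value threshold


@dataclass
class User:
    uid: str
    roles: frozenset
    limit: Decimal = Decimal("0")     # maximum amount this user may authorise

    def __post_init__(self):
        self.limit = Decimal(str(self.limit))


@dataclass
class Voucher:
    ref: str
    amount: Decimal
    inputter: str                     # the maker: whoever keyed the voucher
    authoriser: Optional[str] = None  # the checker, set only on authorisation
    status: str = "INPUT"

    def __post_init__(self):
        self.amount = Decimal(str(self.amount))


class SoDViolation(Exception):
    pass


def authorise_weak(v: Voucher, user: User) -> Voucher:
    """Control as it is sometimes found: only the role is checked, so an inputter
    who also holds AUTHORISER can pass their own voucher.  Kept for contrast."""
    if "AUTHORISER" not in user.roles:
        raise SoDViolation(f"{user.uid} lacks the AUTHORISER role")
    v.authoriser, v.status = user.uid, "AUTHORISED"
    return v


def authorise(v: Voucher, user: User) -> Voucher:
    """Enforced maker-checker: different person, right role, within limit, once."""
    if v.status != "INPUT":
        raise SoDViolation(f"voucher {v.ref} is {v.status}, not awaiting authorisation")
    if user.uid == v.inputter:
        raise SoDViolation(f"{user.uid} input voucher {v.ref} and cannot authorise it")
    if "AUTHORISER" not in user.roles:
        raise SoDViolation(f"{user.uid} lacks the AUTHORISER role")
    if v.amount >= HIGH_VALUE and v.amount > user.limit:
        raise SoDViolation(f"{v.ref} of {v.amount} exceeds {user.uid}'s limit of {user.limit}")
    v.authoriser, v.status = user.uid, "AUTHORISED"
    return v


def try_authorise(v: Voucher, user: User):
    """Wrapper returning (ok, message) for callers that log rather than raise."""
    try:
        authorise(v, user)
        return True, f"{v.ref} authorised by {user.uid}"
    except SoDViolation as exc:
        return False, str(exc)


def audit_trail(v: Voucher):
    """The four fields an internal auditor will want to see for every voucher."""
    return (v.ref, v.inputter, v.authoriser, v.status)


if __name__ == "__main__":
    clerk = User("clerk1", frozenset({"INPUTTER", "AUTHORISER"}), "500000")
    officer = User("off1", frozenset({"AUTHORISER"}), "1000000")
    print(audit_trail(authorise_weak(Voucher("V1", "250000", "clerk1"), clerk)))  # passes own voucher
    print(try_authorise(Voucher("V2", "250000", "clerk1"), clerk))                 # refused
    print(try_authorise(Voucher("V3", "250000", "clerk1"), officer))               # allowed
```

The audit trail is the detection side of the same control: a report of vouchers where `inputter == authoriser`, or where the authoriser held no authoriser role at the time, is what an internal audit team would run to find the weak path after the fact.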
Be an Expert
It is a prerequisite for IT managers to possess good banking domain knowledge and be conversant with the features available on the CBS. He should have knowledge of IT audits and risk assessment techniques to determine whether the information systems are properly protected and controlled and provide value to the organisation. Likewise, an IT manager should also have an understanding of the organisation and its environment, and of the factors, both external and internal, which can affect the entity. Certain insights into how each of the systems/applications within the ecosystem talks to and exchanges information with the CBS are necessary.
Familiarity with when off-line file/data exchanges occur, and their frequency and duration, does help; as does knowing how off-line transactions are caught up into the CBS.
Another very critical aspect is to be aware of resource management - management of people, resources, vendor, hardware and compliance.
He also needs to have adequate knowledge of Cloud offerings and create opportunities to leverage the benefits of Cloud by moving non-critical data from CBS to Cloud, thus freeing system resources and thereby ensuring enhanced performance.
Adopt Right Attributes
While certification in the core security space is mandatory, IT managers should also possess good interpersonal skills to deal with team members and peers and ensure proper closure of tasks. Sometimes it will be necessary to align the team and reshuffle members to different projects within the CBS as per the management's priority needs. With the handful of resources at his disposal, he has to balance day-to-day functions with the additional workload of project execution. With his domain knowledge, he is also looked upon at times to bring in operational process efficiencies/improvements and automation of processes. IT managers should have high integrity and display dedication towards their work.
Handling Crisis in Core Banking
Any deficiencies in the service can, at times, get escalated to the banking ombudsman forum. The IT manager would be required to provide adequate data/details to mitigate any losses arising from this.
- He also has to handle the challenge of unscheduled power cuts by taking steps to ensure uninterrupted power supply and uptime
- He must handle DR-like situations and timely escalation to stakeholders.
- He must also ensure timely management of all issues relating to firewalls, IDS/IPS, etc.
- Errors associated with production, frauds, hardware or program failure, and malicious attack or damage by hackers, vendors and third parties mishandling data could result in a major crisis. Frauds happening in the system can make a bank defunct or cause loss of goodwill. In the event that a fraud is detected, the IT manager has to take strong measures to contain it by putting in adequate controls from both the system perspective and the process perspective. He will be responsible for providing all relevant information to the internal audit team for further investigation.
- The IT manager sometimes also has to control crises arising from the outsourcing of IT support functions or IT systems, whether due to vendor failure, non-compliance with legal and regulatory requirements, contract terms not being met, or disgruntled employees leaking customer data.
Sivakumar Krishnan, CISA
Head IT and Operations
Bhartiya Samruddhi Finance Limited, BASIX Group Company