The Reserve Bank of India (RBI) has come down on banks for failing to put in place robust systems to comply with its regulations, a lapse that has allowed unscrupulous elements to abuse the banking system.
“We often find banks not having robust systems to comply with the regulations. At the time of on-boarding customers, banks are required to assess their customers, their business and the expected turnover in their account, the source of such transactions, etc. In recent times, we have come across several instances of banks having allowed transactions in their customers’ accounts without any due consideration of their declared business profiles,” RBI Deputy Governor SS Mundra said.
The accounts received multiple RTGS/NEFT inward transactions, and several such remittances were sent out of these accounts as well. Several accounts were abused to send money abroad in the form of advance import remittances. Despite the disproportionate activity in such accounts, the banks’ monitoring mechanisms fell short of the RBI’s expectations. “I wonder why banks are not able to devise foolproof technology-based solutions to identify such transgressions,” Mundra said. The RBI had recently imposed penalties on 13 banks for non-compliance with extant KYC/AML instructions, including failure to categorise their customers in line with their risk profiles.
According to Mundra, another area is the process for system-based identification of non-performing assets (NPAs). “We feel there is much scope for improvement in this area,” he said while addressing a seminar on ‘Cyber risk and mitigation for banks’.
Another area of concern is patch management. OEMs (original equipment manufacturers) release patches after known vulnerabilities are escalated to them, and if the patches are not rolled out in time, we are practically leaving the door open for exploitation. “User management leaves much to be desired — the practice of shared passwords, no passwords, free administrator-level access and dated authorised user lists is quite commonplace. Often, there is no robust process for creating new users, reviewing the list and deleting inactive users. Then, there is the issue of implementing physical security. I have seen physical access control systems being in place but their usage not insisted upon. Further, the dependence on vendors is increasing, and many a time only the vendors know how the system is to be operated. Customer information is stored at vendors’ facilities without adequate safeguards,” Mundra said.
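The user-management failures listed above (shared passwords, accounts with no password, stale authorised user lists, inactive and departed users never removed, unrestricted administrator access) are exactly what a periodic access review is meant to catch. The following is an added example written for this article, not code from the RBI or from any bank; it runs one such review over a constructed user list. The record layout, the 90-day inactivity threshold and the sample accounts are all assumptions made for illustration.

```python
"""Periodic access review over a user list (illustrative example, not RBI or bank code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed record layout: a bank's real directory export will differ.
@dataclass
class UserRecord:
    username: str
    role: str                    # "admin" or "user"
    password_hash: str           # "" means no password has been set
    last_login: Optional[date]   # None means the account has never logged in
    employed: bool               # False once HR records the person as having left

INACTIVITY_DAYS = 90             # assumed review threshold


def review_users(users: List[UserRecord], today: date) -> Dict[str, List[str]]:
    """Return the accounts an access reviewer must act on, grouped by finding."""
    findings: Dict[str, List[str]] = {
        "shared_password": [],   # same hash on more than one account
        "no_password": [],       # account usable without a credential
        "left_but_active": [],   # person has left, account still enabled
        "inactive": [],          # no login within INACTIVITY_DAYS (or never)
        "admin": [],             # every administrator, to be re-justified each review
    }

    # Shared credentials show up as identical hashes across distinct accounts.
    by_hash = defaultdict(list)
    for u in users:
        if u.password_hash:
            by_hash[u.password_hash].append(u.username)
    for names in by_hash.values():
        if len(names) > 1:
            findings["shared_password"].extend(names)

    cutoff = today - timedelta(days=INACTIVITY_DAYS)
    for u in users:
        if not u.password_hash:
            findings["no_password"].append(u.username)
        if not u.employed:
            findings["left_but_active"].append(u.username)
        if u.last_login is None or u.last_login < cutoff:
            findings["inactive"].append(u.username)
        if u.role == "admin":
            findings["admin"].append(u.username)

    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample data: review date and accounts are invented for the example.
TODAY = date(2024, 1, 15)
SAMPLE_USERS = [
    UserRecord("ops_teller1", "user", "hash_a", date(2024, 1, 10), True),
    UserRecord("ops_teller2", "user", "hash_a", date(2024, 1, 9), True),   # shares hash_a
    UserRecord("branch_mgr", "admin", "hash_b", date(2023, 6, 1), True),   # admin, idle > 90 days
    UserRecord("vendor_support", "admin", "", date(2024, 1, 12), True),    # no password at all
    UserRecord("ex_staff", "user", "hash_c", date(2023, 12, 20), False),   # left, still enabled
    UserRecord("new_hire", "user", "hash_d", None, True),                  # never logged in
]

if __name__ == "__main__":
    for finding, names in review_users(SAMPLE_USERS, TODAY).items():
        print(f"{finding:17s} {', '.join(names) or '-'}")
```

The review deliberately reports administrators as a finding in their own right rather than a count, since the point of the exercise is that each administrator-level grant is re-justified on every cycle, not merely tallied.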
“One common thread I see in all the above cases is the lack of board-level oversight and commitment from the executive management. Technology service providers, particularly product vendors, also have a role to play,” Mundra said.