Nepal Rastra Bank NRB IT Policy and Guidelines: The use of Information Technology (IT) by financial institutions and the financial sector has completely changed the way they do business. IT has become an indispensable part of their business rather than merely supporting it, and it has created management challenges. Problems with coping with technology, system migration, adequate internal control systems, restricting system and data access from unauthorized sources, protecting electronic transactions, meeting legal requirements, managing outsourcing services, and managing other IT-related risks arise in the banking sector, creating the need for the NRB IT Policy.
New delivery channels such as ATMs, online banking and mobile banking have increased the risk of financial losses, electronic fraud and other banking risks. The risks are not limited to technology; other banking risks such as credit risk, reputation risk, compliance risk, market risk and strategic risk are also increasing. In addition, emerging concepts such as virtualization, storage of data, management of disaster recovery centers, security releases, etc. have also increased the challenges of dealing with these issues, necessitating the NRB IT Policy.
Technology has also provided new ways of committing cyber fraud, and the fraudulent methods of internal and external employees have changed. Frauds related to debit and credit cards, ATMs, online banking and mobile banking are emerging in today's global financial institutions. In this regard, the NRB has seen the need to regulate and direct IT-related activities in commercial banks through the NRB IT Policy, with the aim of strengthening banks to address emerging cyber fraud and to manage information technology by monitoring and minimizing the risks posed by its use. The main objectives of the NRB IT Policy 2068 are:
- To ensure secure, stable and standard IT infrastructure.
- To ensure availability, integrity, and confidentiality of information.
- To enhance user awareness for efficient, effective and economic use of the IT system.
- To minimize IT-related risk.
- To facilitate the efficient operation of the information system in the financial sector.
Nepal Rastra Bank NRB IT Policy
The NRB IT policies are described below:
- Ensure efficient, effective and economic IT operation by implementing appropriate IT systems, e.g. Financial Information System (FIS), Management Information System (MIS), Enterprise Resource Planning (ERP) System, Real-time Gross Settlement System (RTGS), Scripless Security Settlement System (SSSS), etc.
- Maintain well-structured, secured physical IT infrastructure with proper documentation.
- Maintain multi-level security for information.
- Implement IT system audit.
- Develop, implement and maintain data backup and recovery policy.
- Establish and maintain efficient, effective and economic Disaster Recovery Planning (DRP) System as an instrument to “Fail Safe System” with minimum downtime. Also, develop and maintain Business Continuity Planning (BCP).
- Develop and implement IT outsourcing and third-party involvement mechanism.
- Maintain uniform and legitimate IT infrastructure for all the offices.
- Provide IT Directive to licensed banks and financial institutions.
- Set a standard for IT procurement, to be reviewed as per technological changes.
- Promulgate the “NRB IT Code of Conduct” for proper usage of NRB IT resources.
- Strengthen the IT capacity building for employees.
Nepal Rastra Bank NRB IT Guidelines 2068
The major objectives of the IT Guidelines are to promote sound and effective risk management and to strengthen system security, credibility, access and business continuity for commercial banks in Nepal. Banks must adhere to these guidelines within two years from the date of issue. The Action Plan (and the deadline for each action) to implement the guidelines must be developed and submitted to the Department of Banking Administration, Nepal Rastra Bank within six months of its issuance. Compliance with these guidelines will be assessed by the NRB on-site or off-site.
1. IT Governance
- A bank should use IT resources in an efficient, effective, and economical manner so that all business requirements are met.
- IT-related risks should be considered in risk management policy.
- A bank needs to carry out a detailed risk analysis before adopting a new technology/system since it can potentially introduce new risk exposure.
- A bank should constantly monitor and measure IT functions and report to an appropriate level of management.
- The board should be adequately aware of the IT resources of the bank and ensure that it is sufficient to meet the business requirement.
- Bank should have a process in place to identify and adequately address the legal risk arising from cyber law and electronic transaction related laws and acts of Nepal.
2. Information Security
- There should be a board-approved Information Security Policy addressing all electronic delivery channels and payment systems, and it should be well communicated to employees, contractors/suppliers, consultants and officials.
- Bank should conduct Risk Assessment periodically (at least annually) for each asset that has the possibility of impacting the CIA (confidentiality, integrity and availability) of the information of the bank.
- Bank should harden their systems, i.e. systems should be configured with the highest level of security settings in the operating system, firewall and system software.
- Bank should develop and implement a comprehensive computer virus protection mechanism.
- Bank should deploy strong cryptography and end-to-end encryption to protect customer PINs, user passwords and other sensitive data in networks and in storage.
- CCTV should be installed at each ATM location, with adequate lighting inside the ATM centre, so as to capture a clear picture of the person performing the ATM operation. However, CCTV should not capture the PIN entered by the customer.
- Bank should implement adequate security measures to secure their web applications from traditional and emerging cyber threats and attacks, and critical applications should employ the latest SSL encryption.
- The information security policy, guidelines and education program should be updated according to the latest threats and changes in the modus operandi of electronic attacks.
3. Information Security Education
- Bank should develop an information security awareness program and conduct it periodically for its employees, vendors, customers and other related stakeholders. The awareness program should be customized according to the target group.
- Bank should ensure that customers are adequately educated so that they take appropriate security measures to protect their devices and computer systems and ensure that their hardware or system integrity is not compromised when engaging in electronic banking.
- Banks should be responsible for using an appropriate customer authentication system to authenticate customers before access to the system is allowed, and customers should also be adequately educated and aware of securing their credentials.
4. Information Disclosure and Grievance Handling
- Bank should publish clear information about the dispute or problem resolution process in case of any security breaches and fraudulent access to a customer’s account.
- Bank should publish its customer privacy and security policy, cost of transactions, etc. on its website or at the time of subscription to the corresponding electronic delivery channels.
- Bank should develop a dispute handling mechanism, with the expected timing of the bank's response, to handle disputed payments, transactions and other issues in electronic banking delivery channels.
- Bank shall be responsible for grievance handling in case a customer files a complaint on a disputed transaction, and a procedure for handling grievances should be formulated by the bank.
- Banks should provide clear information to their customers about the risks and benefits of using e-banking delivery services to enable customers to decide on choosing such services.
5. Outsourcing Management
- Bank should evaluate the risk before entering into an outsourcing agreement for technical operations that can significantly impact the business operation and reputation of the bank.
- Banks should establish a process for monitoring and control of outsourcing activities, and it should be commensurate with the nature, scope, complexity and inherent risk of the outsourced activity.
- Bank should ensure that the availability and quality of the banking services are not adversely affected by the outsourcing arrangements of the bank.
- Banks should clarify the jurisdiction for their data and applicable regulations at the beginning of an outsourcing or offshoring arrangement.
6. IT Operations
- Board and higher management should oversee the functioning of IT operations and should ensure a safe IT operation environment.
- Bank should conduct periodic risk assessment of their IT environment including human resources, technology and processes.
- There should be documented standards/procedures for administering an application system, which are approved by the application owner and kept up-to-date.
- Vendors, suppliers or consultants who are authorized to access critical systems of the bank should be subject to close supervision, monitoring and access control similar to those applying to internal staff.
- Bank should be able to ensure that they have adequate resources in terms of hardware, software and other operating capability to deliver consistently reliable service. Bank should identify and maintain standby software, hardware and network components critical for availability.
7. Information System Acquisition, Development, and Implementation
- User functional requirements, security requirements, performance requirements and technical specifications should be documented and approved by the appropriate level of management before software is developed.
- Information security requirements should be incorporated at each stage of the software development lifecycle.
- All systems should have an audit trail detailed enough to be used as forensic evidence, and the audit trail should meet, inter alia, regulatory and legal requirements.
- Banks are encouraged to conduct source code review of the application with the objective of finding loopholes and defects residing in the software due to poor programming practice, coding errors, malicious attempts etc. All the vulnerabilities, loopholes and defects found should be fixed before the system is implemented.
8. Business Continuity and Disaster Recovery Planning
- There should be detailed procedures and guidelines for prioritizing critical business functions, incident handling and how the institution will manage and control identified risk. The Business Continuity Planning (BCP) should also include allocation of sufficient resources, allocating knowledgeable persons, etc., and should be reviewed periodically.
- A BCP should consider all probable natural and man-made disasters, security threats, regulatory requirements, dependencies on outsourcing activities and issues of operating in multiple countries. BCP should also consider the people aspect along with technical aspects.
- A BCP team should be formed, and it should comprise senior officers from various departments as required; it should be formed in the head office as well as in branch offices.
- BCP should be tested periodically, at least annually, to ensure its effectiveness, including all aspects and constituents of the bank, i.e. people, processes and resources including technology.
- Bank can use their own standby site and system or outsource it from some disaster recovery providers.
- The datacenter, disaster recovery solution, enterprise network and security and branch or delivery channels should be designed and configured for high availability and no single point of failure.
- The location of the building containing the datacenter and critical equipment rooms must be chosen so as to minimize the risk of natural and man-made disaster, flood, fire, explosion, riots, environmental hazards etc.
- Bank should develop appropriate incident response plans, including communication strategies and outsourced services, to ensure business continuity, control reputational risk and limit liability of service disruption.
9. Information System (IS) Audit
- Board or the audit committee should provide sufficient resources to conduct audits to ensure the audit team is capable of evaluating IT controls in sufficient IT coverage.
- If the bank does not have enough staff to conduct IS Audit or the bank lacks expertise and experience among its staff, IS audit can be outsourced to an external professional provider. The audit committee should ensure that the outsourced service provider has expertise and experience in IS Audit.
10. Fraud Management
- Banks should identify and document all electronic attacks and suspected electronic attacks in their system and report to Nepal Rastra Bank monthly.
- Customers should be made aware of frauds along with fraud identification, avoidance and protection measures.