Latest RBI guidelines on banks’ technology governance, information security, audit, outsourcing and cyber fraud could open up a $300-million opportunity for IT vendors and audit firms. The central bank recently directed banks to put in place IT governance frameworks, data leakage prevention, encryption, multi-factor authentication and digital asset archiving mechanisms.
The RBI working group’s April 29 recommendations on information security and electronic banking will spur investments in software products, consulting, system integration and IT services.
Market-watchers said the guidelines liberalise vendor qualification criteria in some respects, lowering entry barriers for tier II and maybe even tier III players into public sector banks. While estimates on actual banking spending vary, experts said the rules, to be implemented in a year, could boost a bank’s technology spending in the near term by approximately 30%.
The Indian BFSI market, currently at $2 billion (Rs 9,000 crore), is expected to grow 14-15% in the next few years. According to an industry survey, PSU banks collectively spent Rs 22,052 crore on technology between September, 1999 and March, 2010.
“Implementing the rules will involve setting up a fully functional IT governance committee, implementing digital security certificate-based authentication to internet banking solutions and changing simple text messages to encrypted messaging in transaction-related messages, among others,” said Ravi Jagannathan, MD and CEO of eMudhra Consumer Services, a security and IT solutions company. “Implementing such next-generation measures will involve a significant cost, around Rs 1,500 per corporate banking user per annum,” he added.
The company expects a surge in its digital security certificate business and increased usage of SecMsg, a patent-pending solution to ensure SMSs are encrypted. Kartik Shahani, country manager of RSA, the security division of EMC, said the guidelines will spur investments in technologies doing risk score assessments, profiling of customers, equipment and gear to manage infrastructure as well as more applications. “The bigger issue is consumers going online. Online banking requires more than two-factor authentication to be able to provide protection to a consumer. But two-factor authentication is not enough. RBI says that beyond two-factor, by March 2012, banks should start looking at things like ‘adaptive authentication’. This means that there will be artificial intelligence that will help in raising a risk score and use other sources of authentication,” he noted.
For the first time, there is a big shift in guidelines from infrastructure protection to information protection. Banks have to move to a proper policy-based governance and IT framework. Anand Naik, director of Technology Sales in Symantec India and SAARC, said that in a scenario where banks don’t have any technology solutions, the implementation cycle will continue for 18-24 months. “Most of the banks, though, are implementing different pieces. Banks have started with a gap analysis of where they are today. Depending on the gaps that are identified, they have to prioritise what is important to meet the audit requirements. The first deadline is October 31 this year and banks need to ensure a framework is in place by then,” Naik said.
For IT services firms, the RBI mandate presents opportunities in IT strategy, information security, business continuity, disaster recovery, and information security audit, Ramanath L Ram, vice president of India and Middle East Consulting at Wipro Infotech, noted. “Some guidelines that were issued earlier will also be used along with the new ones. Since RBI has come up with a specific time frame of one year, more banks are expected to go for implementation or would be looking to speed up existing initiatives,” he said.