NRB IT Policy and NRB IT Guidelines - Summary (Banking Notes)

Nepal Rastra Bank (NRB) have issued the IT policies and guidelines in order to maintain the strong and secure IT activities in banks and financial institutions. There are 12 policies and 10 guidelines that every banks and financial institutions should follow to properly maintain the information technology related risks. In this post, I have compiled the gist of the NRB IT Policy and NRB IT Guidelines.

NRB IT Policy

There are 12 Points in Nepal Rastra Bank IT Policy.

Ensure efficient, effective and economic IT operation by implementing appropriate IT system, e.g Financial Information System (FIS), Management Information System (MIS), Enterprise Resource Planning (ERP) System, Real-time Gross Settlement System (RTGS), Scripless Security Settlement System (SSSS), etc.
Maintain well-structured, secured physical IT infrastructure with proper documentation.
Maintain multi-level security for information.
Implement IT system audit.
Develop, implement and maintain data backup and recovery policy.
Establish and maintain efficient, effective and economic Disaster Recovery Planning (DRP) System as an instrument to “Fail Safe System” with minimum downtime. Also, develop and maintain Business Continuity Planning (BCP).
Develop and implement IT outsourcing and third-party involvement mechanism.
Maintain uniform and legitimate IT infrastructure for all the offices.
Provide IT Directive to licenses bank and financial institutions.
Set a standard for IT procurement and shall be reviewed as per the technological changes.
Promulgate “NRB IT Code of conduct” for proper usage of NRB IT resources.
Strengthen the IT capacity building for employees.

Formula – EMMI DED M PS PS

Objectives of NRB IT Guidelines

The objectives of this guideline are to promote sound and robust technology risk management and to strengthen system security, reliability, availability and business continuity in commercial banks of Nepal. Banks should compulsorily comply with this guidelines within two years from the date of issuance. The Action Plan (along with time frame for each action) for the implementation of the guidelines should be developed and provided to Bank Supervision Department, Nepal Ratra Bank within six month from the issuance. The extent of compliance of this guideline will be examined during the periodic onsite/offsite supervision from NRB.

NRB IT Guidelines 2068

The use of information technology by financial sector has changed the way they are doing business. It has become a part of the business rather than supporting factor for business and has created challenges of managing and governing it. Issues of tackling with changes in limiting access to system and data from one to another, maintain an adequate internal control system, limiting access to system and data from unauthorized access, securing electronic transactions, meeting legal requirements, managing outsourcing services, and managing other IT related risks have been emerged in the banking sector.

1) IT Governance

A bank should us IT resources in an efficient, effective, and economical manner so that all business requirements are met.
IT-related risks should be considered in risk management policy.
A bank needs to carry out a detail risk analysis before adopting new technology/system since it can potentially introduce new risk exposure.
A bank should constantly monitor and measure IT functions and report to an appropriate level of management.

2) Information Security

A bank should harden their system i.e should be configured with the highest level of security setting on OS, firewall and system software.
A bank should develop and maintain a comprehensive computer virus protection mechanism.
A bank should develop strong cryptography and end-to-end encryption to protect customer PINs, user’s password and other sensitive data in network and storage.
CCTV system should be installed in all the ATMs with an appropriate lighting system.
A bank should implement adequate security measures to secure their web applications and databases to protect from cyber threats.

3) Information Security Education

A bank should develop an information security awareness program and periodically conduct to its employees, vendors, customers, and other concern authorities.
A bank should ensure that customers are adequately educated so that they can operate banking operation securely.
A bank should use appropriate customer authentication system to authenticate customers before the accessing system.

4) Information Disclosure and Grievance Handling

A bank should publish clear information about the dispute or problem resolution process in case of any security breaches and fraudulent access to customers account.
A bank should publish customer privacy and security policy, fee & commission on their website.
A bank shall be responsible for grievance handling in case of customer complaints.
A bank should provide clear information to their customer about the risks and benefits of using e-banking, online banking, mobile banking.

5) Outsourcing Management

A bank should ensure that their service providers are capable of delivering the level of performance, service reliability, capability and security needs that are required.
A bank should evaluate the economic, social and political risk factors before doing an outsourcing agreement.
A bank should ensure that the availability and quality of the banking services are not adversely affected by the outsourcing agreement.

6) IT Operations

Board and higher management should oversee the functioning of IT operation and should ensure a safe IT operation environment.
A bank should be able to ensure that they have adequate recourses in terms of hardware, software, and other operating capabilities to deliver timely, reliable, secure information.
A bank should conduct a periodic risk assessment of their IT environment.
There should be documented standard for administering application system.

7) IT Disaster Recovery and Business Continuity Planning

The introduction of the electronic delivery channel and 24/7 service availability has increased the demand for business continuity planning (BCP) framework.
A BCP should consider all the probable man-made and natural disaster, security threats, regularity requirements, dependencies in outsourcing activities.
A bank should maintain an efficient, effective and economic disaster recovery system as an instrument to “Fail Safe System” with minimum downtime.

8) Information System Acquisition, Development, and Implementation

Many software fails due to inadequate system testing and bad system design.
An application that handles financial information of customer’s data should inter-alia, satisfy security requirements.
All the vulnerabilities, loopholes and defects should be fixed before the implementation of the system.

9) Information System Audit

To ensure the effectiveness of the implemented controls framework and adequacy of the adopted security plan and procedures, a bank should conduct IS audit periodically.
If the bank does not have enough staff, then expert from outside the bank should be appointed as IS auditor.

10) Fraud Management

A bank should identify and document all the electronic attacks and submit a report to Nepal Rastra Bank.
Customer should be made aware of fraud along with fraud identification, avoidance and protection measures.

These guidelines to regulate and guide IT related activities in commercial banks with the objectives to strengthening banks for tackling with emerging cyber frauds, managing information technology prudently and mitigating risk aroused from the implementation of information technology.

Bank Note:

Comments Box