Share Gyan·2021

NRB IT Policy and NRB IT Guidelines – Summary (Banking Notes)

NRB IT Policy and Guidelines

Nepal Rastra Bank (NRB) has issued the IT policies and guidelines in order to maintain strong and secure IT activities in banks and financial institutions. This summary covers the NRB IT Policy (12 points) and the NRB IT Guidelines 2068 (10 sections).

NRB IT Policy (12 Points)

Mnemonic Formula: EMMI DED M PS PS
  1. Ensure efficient, effective and economic IT operation by implementing appropriate IT systems (FIS, MIS, ERP, RTGS, SSSS, etc.)
  2. Maintain well-structured, secured physical IT infrastructure with proper documentation.
  3. Maintain multi-level security for information.
  4. Implement IT system audit.
  5. Develop, implement and maintain data backup and recovery policy.
  6. Establish and maintain efficient, effective and economic Disaster Recovery Planning (DRP) System as an instrument to "Fail Safe System" with minimum downtime. Also, develop and maintain Business Continuity Planning (BCP).
  7. Develop and implement IT outsourcing and third-party involvement mechanism.
  8. Maintain uniform and legitimate IT infrastructure for all the offices.
  9. Provide IT Directive to licensed banks and financial institutions.
  10. Set a standard for IT procurement, to be reviewed as technology changes.
  11. Promulgate "NRB IT Code of conduct" for proper usage of NRB IT resources.
  12. Strengthen the IT capacity building for employees.

Objectives of NRB IT Guidelines

The objectives of this guideline are to promote sound and robust technology risk management and to strengthen system security, reliability, availability and business continuity in commercial banks of Nepal. Banks should compulsorily comply with these guidelines within two years from the date of issuance.

NRB IT Guidelines 2068 – 10 Key Areas

1) IT Governance

  • A bank should use IT resources in an efficient, effective, and economical manner so that all business requirements are met.
  • IT-related risks should be considered in risk management policy.
  • A bank needs to carry out detailed risk analysis before adopting new technology/system.
  • A bank should constantly monitor and measure IT functions and report to an appropriate level of management.

2) Information Security

  • System hardening – configure with the highest level of security on OS, firewall and system software.
  • Develop and maintain a comprehensive computer virus protection mechanism.
  • Apply strong cryptography and end-to-end encryption to protect PINs, passwords and sensitive data.
  • CCTV system should be installed in all ATMs with appropriate lighting.
  • Implement adequate security measures for web applications and databases.

3) Information Security Education

  • Develop an information security awareness program for employees, vendors and customers.
  • Ensure customers are adequately educated for secure banking operations.
  • Use appropriate customer authentication systems.

4) Information Disclosure & Grievance Handling

  • Publish a clear dispute/problem-resolution process for security breaches.
  • Publish the customer privacy/security policy and fees & commissions on the website.
  • The bank shall be responsible for grievance handling on customer complaints.
  • Provide clear information about the risks and benefits of e-banking, online and mobile banking.

5) Outsourcing Management

  • Ensure service providers are capable of delivering required performance and security.
  • Evaluate economic, social and political risk factors before outsourcing.
  • Ensure availability and quality are not adversely affected by outsourcing.

6) IT Operations

  • Board and higher management should oversee IT operation functioning.
  • Ensure adequate resources (hardware, software) for timely, reliable, secure information.
  • Conduct periodic risk assessment of IT environment.
  • Maintain documented standards for administering application systems.

7) IT Disaster Recovery & Business Continuity Planning

  • BCP should consider all probable man-made and natural disasters, security threats.
  • Maintain efficient disaster recovery system with minimum downtime.
  • The expectation of 24/7 service availability has increased the need for a BCP framework.

8) IS Acquisition, Development & Implementation

  • Much software fails due to inadequate system testing and poor design.
  • Applications handling financial information should satisfy security requirements.
  • All vulnerabilities and defects should be fixed before implementation.

9) Information System Audit

  • Conduct IS audit periodically to ensure effectiveness of controls framework.
  • If the bank lacks qualified staff, an external expert should be appointed as IS auditor.

10) Fraud Management

  • Identify and document all electronic attacks and submit report to NRB.
  • Make customers aware of fraud along with identification and protection measures.
