Professional Documents
Culture Documents
These issues ultimately have the potential to impact the safety and soundness
of a bank and in extreme cases may lead to systemic crisis.
1. Group was set up under the Chairmanship of the Executive Director Shri.G.Gopalakrishna.
2. Shri P K Panda, Chief General Manager (Member Secretary)
3. Prof H Krishnamurthy, Principal Research Scientist, IISc, Bangalore
4. Dr. G.Sivakumar, Professor, IIT Mumbai
5. Shri Pavan Duggal, Advocate, Supreme Court of India
6. Shri Patric Kishore, GM and CISO, SBI, Mumbai
7. Shri Nandkumar Saravade, GM,ICICI Bank, Mumbai
8. Shri Sanjay Sharma, MD & CEO, IDBI Intech Ltd
9. Shri Akhilesh Tuteja, Executive Director, IT Advisory Practice, KPMG, Mumbai
10. Shri Abhay Gupte, Senior Director, Deloitte Touche Tohmatsu, New Delhi
11. Dr. K Ramakrishnan, Chief Executive, IBA
12. Shri. B. Sambamurthy, Director, IDRBT, Hyderabad
13. Dr. K.K. Bajaj, CEO, Data Security Council of India
(i) Board of Directors/ IT Approving IT strategy and policy documents, Ensuring that the IT
Strategy Committee organizational structure complements the business model and
its direction etc.
(ii) Risk Management Promoting an enterprise risk management competence
Committee throughout the bank, including facilitating development of IT-
related enterprise risk management expertise
(iii) Executive Management Among executives, the responsibility of Senior executive in
Level charge of IT operations/Chief Information officer (CIO) is to
ensure implementation from policy to operational level involving
IT strategy, value delivery, risk management, IT resource and
performance management.
(iv) IT Steering Committee Its role is to assist the Executive Management in implementing
IT strategy that has been approved by the Board. An IT Steering
Committee needs to be created with representatives from the IT,
HR, legal and business sectors.
(i) Boards of The Board of Directors is ultimately responsible for information security.
Directors/Senior Senior Management is responsible for understanding risks to the bank to
Management ensure that they are adequately addressed from a governance perspective.
(ii) Information Security Banks should form a separate information security function/group to focus
Team/Function exclusively on information security management.
(iii) Information Security Includes business heads from different units and are responsible for
Committee enforcing companywide policies & procedures.
(iv) Chief Information Security A sufficiently senior level official of the rank of GM/DGM/AGM needs to be
Officer (CISO) designated as the Chief Information Security Officer (CISO) responsible for
articulating and enforcing the policies that a bank uses to protect its
information assets. The CISO needs to report directly to the Head of the Risk
Management function and should not have a direct reporting relationship
with the CIO.
1 Board of Directors and To meet the responsibility to provide an independent audit function
Senior Management with sufficient resources to ensure adequate IT coverage, the board
of directors or its audit committee should provide an internal audit
function which is capable of evaluating IT controls adequately.
2 Audit Committee of the The Audit Committee should devote appropriate and sufficient time
Board to IS audit findings identified during IS Audits and members of the
Audit Committee would need to review
critical issues highlighted and provide appropriate guidance to the
bank’s management.
3 Internal Audit/Information Banks should have a separate IS Audit function within the Internal
System Audit function Audit department led by an IS Audit Head, assuming responsibility
and accountability of the IS audit function,
reporting to the Chief Audit Executive (CAE) or Head of Internal Audit.
(c) Separate Department to The activities of fraud prevention, monitoring, investigation, reporting and
manage frauds awareness creation should be owned and carried out by an independent
group in the bank.
(d) Fraud review councils The council should comprise of head of the business,
head of the fraud risk management department, the head of operations
supporting that particular business function and the head of information
technology supporting that business function.
(ii) Fraud detection Quick fraud detection capability would enable a bank to reduce losses and also serve
as a deterrent to fraudsters. Setting up a transaction monitoring group within the fraud
risk management group, alert generation and redressal mechanisms, dedicated e-mail
id and phone number for reporting suspected frauds, mystery shopping and reviews.
(iii) Fraud investigation The examination of a suspected fraud or an exceptional transaction or a customer
dispute/alert in a bank shall be undertaken by Fraud risk management group &
special committee.
(iv) Reporting of frauds As per RBI circular, dated July 1, 2010, fraud reports should be submitted in all cases
of fraud of 1 lakh and above perpetrated through misrepresentation, breach of trust,
manipulation of books of account, fraudulent encashment of instruments like
cheques, drafts and bills of exchange, unauthorized handling of securities charged to
the bank, misfeasance, embezzlement, misappropriation of funds, conversion of
property, cheating, shortages, irregularities, etc.
(v) Customer awareness Banks should thus aim at continuously educating its customers and solicit their
participation in various preventive/detective measures.
(vi) Employee awareness Employee awareness is crucial to fraud prevention. Training on fraud prevention
and training practices should be provided by the fraud risk management group at various forums.
• As part of an organization’s governance structure, a fraud risk
management program should be in place, including a written policy to
Principle 1 convey the expectations of the board of directors and senior
management regarding managing fraud risk.
(ii) Operational Risk This group needs to incorporate legal risks as part of operational risk
Group framework and take steps to mitigate the risks involved in consultation
with its legal functions within the bank.
(iii) Legal Department The legal function within the bank needs to advise the business groups
on the legal issues arising out of use of Information Technology with
respect to the legal risk identified and referred to it by the Operational
Risk Group.
Web http://www.niiconsulting.com
Email info@niiconsulting.com
Tel +91-22-2839-2628
+91-22-4005-2628
Fax +91-22-2837-5454