
Section 7 presents the conclusion and a summary of the recommendations. The relevant illustrative appendices have been attached to the paper. It is

5. Prevailing IT Supervisory Framework and Regulations

5.1 Principles of Supervisory Framework and Regulations

The regulation and supervision of the financial and banking system aim to develop a secure, sound and efficient payment system, maintain the stability and healthy development of the banking and financial system, and enhance public confidence in the entire banking and financial system of Nepal. The primary functions of IT supervision are to evaluate the efficacy of the BFI's systems and security protocols, and the BFI's ability to protect its information assets and properly dispense information to authorised parties. While conducting the supervision of BFIs, the Bank Supervision Department (BSD) and the Financial Institution Supervision Department (FISD) appoint one IT expert to the supervision team. However, IT supervision has remained inactive and ineffective due to the lack of a specific supervisory framework, regulations and adequate expertise. IT supervision is conducted alongside the normal supervision through the inclusion of an IT expert in the supervision team, and rests solely on the personal judgement of that IT supervisor. An attempt has nonetheless been made to conduct the supervision based on the frame of reference provided by the 14 BIS principles of risk management for electronic banking.

It is urgent for the NRB to formulate a scientific and dynamic IT supervisory framework, which is needed to protect the interests of depositors, enhance market competition, develop the banking system, establish a risk-based management system and ensure regulatory compliance. However, it may take a few years to develop a concrete IT supervisory framework for the Nepalese banking system. In the absence of an IT supervisory framework, the NRB supervisors are following the 14 principles of risk management for electronic banking issued by the Bank for International Settlements (BIS). The principles are grouped under the three broad categories presented below; they are not weighted by order of preference or importance.

5.2 Board and Management Oversight (Principles 1 to 3)

1. Effective management oversight of e-banking activities.

The board of directors and senior management should establish effective management oversight over the risks associated with e-banking activities, including the establishment of specific accountability, policies and controls to manage these risks.

2. Establishment of a comprehensive security control process.

The board of directors and senior management should review and approve the key aspects of the BFI's security control process.

3. Comprehensive due diligence and management oversight process for outsourcing relationships and other third-party dependencies.

The board of directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the BFI's outsourcing relationships and other third-party dependencies supporting e-banking.

5.3 Security Controls (Principles 4 to 10)

4. Authentication of e-banking customers.

BFIs should take appropriate measures to authenticate the identity and authorisation of customers with whom they conduct business over the Internet.

5. Non-repudiation and accountability for e-banking transactions.

BFIs should use transaction authentication methods that promote non-repudiation and establish accountability for e-banking transactions.

6. Appropriate measures to ensure segregation of duties.

BFIs should ensure that appropriate measures are in place to promote the adequate segregation of duties within e-banking systems, databases and applications.

7. Proper authorisation controls within e-banking systems, databases and applications.

BFIs should ensure that proper authorisation controls and access privileges are in place for e-banking systems, databases and applications.

8. Data integrity of e-banking transactions, records and information.

BFIs should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions, records and information.

9. Establishment of clear audit trails for e-banking transactions.

BFIs should ensure that clear audit trails exist for all e-banking transactions.

10. Confidentiality of key bank information.

BFIs should take appropriate measures to preserve the confidentiality of key e-banking information. Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted and/or stored in databases.

5.4 Legal and Reputational Risk Management (Principles 11 to 14)

11. Appropriate disclosures for e-banking services.

BFIs should ensure that adequate information is provided on their websites to allow potential customers to reach an informed conclusion about the bank's identity and regulatory status prior to entering into e-banking transactions.

12. Privacy of customer information.

BFIs should take appropriate measures to ensure adherence to the customer privacy requirements applicable in the jurisdictions to which the bank is providing e-banking products and services.

13. Capacity, business continuity and contingency planning to ensure availability of e-banking systems and services.

BFIs should have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-banking systems and services.

14. Incident response planning.

BFIs should develop appropriate incident response plans to manage, contain and minimise problems arising from unexpected events, including internal and external attacks that may hamper the provision of e-banking systems and services.

5.5 Supervisory Concerns over the IT Supervisory Framework

Supervisors are highly concerned about operational and systemic risks, within which IT and security risks are prominent. The importance of IT in the BFIs makes it necessary for supervisors to assess how well IT resources are managed and how effective the controls over IT risks are. Some BFIs in Nepal have their own IT or operational risk department with specialists in this field. These teams can carry out focused IT inspections on their own, and can also rely on external auditors for the assessment of IT risks.

The NRB supervisors, while supervising BFIs, would ensure that the BFIs are in full compliance with the prevailing regulations and that the board and senior management of the BFIs have proper oversight over the banking activities. The NRB supervisors would also ensure that the IT operational policies are sufficient and that the risk management system is functionally adequate to identify, measure, monitor and control IT risks. They would also assess the BFI's internal control system for IT implementation and the function and role of the BFI's top-level IT management committee. The supervisors also review the IT standard operating procedures and business continuity plan of the BFI and provide suggestions where anything is lacking. They would further make sure that the BFI's disaster recovery plan is adequate and tested regularly, that business confidentiality is maintained, that the terms and conditions of outsourcing are adequate and favourable to the BFI, and that the cost of maintenance is suitable for the size and revenue of the business.

5.6 Status of Regulatory Framework and Regulations in Nepal

The following table shows the status of the IT supervisory framework in Nepal.

Figure 8 Status of IT Supervisory Framework

No.  Item                                                                        Yes/No
1    Is IT implementation reported regularly?                                    No
2    Is IT audit conducted?                                                      No
     - By bank/IT supervisors from the supervisory authority                     No
         Off-site                                                                No
         On-site                                                                 No
     - By internal or external (third-party) auditors (on-site)                  No
     - Special IT audit/examination outside the regular examination (on-site)    No
3    Does a formal framework exist?                                              No
4    If yes, is it stipulated in a regulation?
5    Is there a minimum requirement in IT implementation?                        No
     Are the following items implemented:
         Active supervision by top management (IT Steering Committee)            No
         IT policy and standard operating procedures                             No
         IT risk is included in the risk-based management                        No
         System development life cycle                                           No
         All layers of the IT system                                             No
         Internal control system for IT implementation                           No
         Business continuity plan and disaster recovery
         Periodical IT audit (internal/external)                                 No
6    Because it involves the supervision procedure, is IT outsourcing
     especially regulated?                                                       No
7    Because it involves consumer protection, are e-banking products
     especially regulated?                                                       No
8    Are any IT-related laws (cyber law, e-commerce, m-commerce,
     digital signature) enacted?                                                 No

5.7 Orientation for the Prevailing Supervisory Framework

As mentioned earlier, there is no formal supervisory framework for IT supervision. The NRB, while working towards the formulation of an IT supervisory framework, would follow the basic frame of reference provided by the BIS principles on risk management for electronic banking and the regulatory and supervisory frameworks applied in SEACEN member countries. Best practices in IT implementation around the world would also be reviewed while formulating the regulatory and supervisory framework in Nepal. The outcome and suggestions of this research project would also be relevant to the NRB in its formulation of new regulations and development of a supervisory framework for IT-related banking transactions in Nepal.

5.8 IT Supervisory and Audit Practices

To date, IT audit is not practised in the Nepalese banking system and there is no clear vision or plan for implementing it. The absence of IT audit increases the overall risk profile of IT implementation in the Nepalese BFIs. It also threatens compliance with legal and regulatory requirements as well as the confidentiality, integrity, reliability and availability of information resources. IT supervision in BFIs is conducted along with the normal overall supervision by including an IT professional in the supervision team, and that supervision is focused on the 14 principles issued by the BIS.

5.9 IT-specialised Supervisors/Auditors

The Nepalese financial sector lacks certified system auditors for IS audit. Only a few commercial banks have their IS audits conducted by professional IS auditors. The NRB also does not have certified IS auditors for conducting its supervision activities and has not yet initiated any move towards developing such professionals. The NRB has appointed a few IT graduates (Bachelor's in IT Management and Bachelor's in hardware or software engineering) in recent years and placed one IT officer in each of its two supervision departments. To date, no IT supervisory training programme has been conducted in the NRB.

5.10 Coordination among BFI Authorities

Coordination among the authorities responsible for BFIs is significantly lacking. Comprehensive regulatory frameworks need to be developed to cope with all the prevailing risks arising from the use of IT as a channel for service delivery.

Figure 9 Status of IT Audit

No.  Item                                                                        Yes/No
1    Is it conducted regularly?                                                  No
2    If not regularly, is it conducted case by case?                             No
3    If regularly, objects of audit:
         Organisation and management
         System development process
         Operation
         Software and application, including e-banking
         Security (authentication, authorisation and protection, including
         audit trails and encryption)
         BCP/DRP
         Communication network
         Outsourcing process
         Internal auditing

6. Issues and Challenges