KATHMANDU, Aug 17: Nepal Rastra Bank, the central bank, has come up with Information Technology (IT) Guidelines which, among other things, make it mandatory for all commercial banks operating in the country to formulate an IT security policy, legalize storing data abroad through cloud computing, and compel banks to have a disaster recovery plan in place so that customers do not have to suffer in case of unforeseen events like an earthquake.
“The banks should compulsorily comply with the guidelines within two years from the date of issue,” say the guidelines made public on Thursday.
“But an action plan for the implementation of the guidelines should be developed and provided to the Bank Supervision Department of Nepal Rastra Bank within six months of issuance.”
The guidelines come at a time when banks' growing dependence on technology has, on the one hand, opened new avenues to cut costs and made services customer-friendly, while on the other, increased incidents of cyber crime, raising concerns for users of e-banking services and plastic money.
The guidelines call on all category 'A' financial institutions to formulate an IT strategy and policy containing detailed operational procedures for managing all IT operations. Banks should also formulate an information security policy to address threats likely to hit electronic delivery channels and payment systems, and to ensure the security of data stored or transmitted electronically.
“These policies should be approved by the board of directors and reviewed periodically,” the guidelines say. “To enforce these policies, banks should also designate an information security officer.”
The guidelines acknowledge that emerging technologies like virtualization, data center hosting, disaster recovery site hosting, applications as a service and cloud computing have no clear legal jurisdiction for data and no clear cross-border regulations. “Banks, therefore, should clarify the jurisdiction of their data and applicable regulations at the beginning of an outsourcing or offshoring arrangement,” say the guidelines. Banks storing or processing data abroad should have suitable controls, such as data segregation, in place.
The guidelines also say banks should have a business continuity plan in place to minimize financial, operational, legal, reputational and other risks in case of disasters like an earthquake. Such a plan should also include policies, standards and procedures to ensure continuity, resumption and recovery of business processes and to minimize the impact of disasters on financial institutions.
“Besides, a business continuity plan should specify the amount of data, measured in time, that can be lost in a disaster and the amount of time it takes to recover from a disaster event,” say the guidelines.
Among other things, the guidelines also call on banks to replace current magnetic stripe cards with chip-based cards, to instantly alert clients about online payments, and to use more than one factor for authenticating critical activities like fund transfers through internet banking services.
The guidelines also call on banks to replace the existing signature-based system for card-based transactions with a PIN-based authorization system. “Non-PIN based swipe machines should be withdrawn within a certain period,” the guidelines say.
Besides, CCTV should be installed at each ATM location, with adequate lighting inside ATM kiosks, so as to capture a clear picture of the person conducting the transaction. However, the CCTV should not capture the PIN being entered by the customer, say the guidelines.