SEBI Must Ensure Cyber Security And Cyber Resilience Of Stock Exchanges And Financial Market Infrastructures Of India

Cyber security and cyber resilience for financial market infrastructures is one of the core priority issues for governments and nations around the world. However, this is not an easy task to manage, as it requires tremendous techno legal expertise that very few individuals and organisations possess these days. Even the regulatory and governing framework in this regard is still evolving at the international level.

In one such latest international development, the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) have published the Guidance on cyber resilience for financial market infrastructures (pdf) (“Cyber Guidance”). As per the latest cyber guidance, the safe and efficient operation of financial market infrastructures (FMIs) is essential to maintaining and promoting financial stability and economic growth. If not properly managed, FMIs can be sources of financial shocks, such as liquidity dislocations and credit losses, or a major channel through which these shocks are transmitted across domestic and international financial markets. In this context, the level of cyber resilience, which contributes to an FMI’s operational resilience, can be a decisive factor in the overall resilience of the financial system and the broader economy.

The cyber guidance document also mentions that financial stability may depend on the ability of an FMI to settle obligations when they are due, at a minimum by the end of the value date. An FMI should design and test its systems and processes to enable the safe resumption of critical operations within two hours of a disruption and to enable itself to complete settlement by the end of the day of the disruption, even in the case of extreme but plausible scenarios. Notwithstanding this capability to resume critical operations within two hours, when dealing with a disruption FMIs should exercise judgment in effecting resumption so that risks to itself or its ecosystem do not thereby escalate, whilst taking into account that completion of settlement by the end of day is crucial. FMIs should also plan for scenarios in which the resumption objective is not achieved. Although authorities recognise the challenges that FMIs face in achieving cyber resilience objectives, it is also recognised that current and emerging practices and technologies may serve as viable options to attain those objectives. Furthermore, the rationale for establishing this resumption objective stands irrespective of the challenge to achieve it. The chapter on response and recovery provides guidance on how an FMI should respond in order to contain, resume and recover from successful cyber attacks.

It is clear that as per the latest cyber guidance, Indian FMIs such as exchanges, depositories and clearing corporations will have to ramp up their network resilience so as to recover and resume operations within two hours of a cyber attack. Presently, SEBI has not prescribed any time-frame for Indian stock exchanges and other players to resume operations following a cyber attack. SEBI has, however, put in place most of the other proposals outlined in the cyber guidance. But now SEBI would be required to ensure a robust and resilient cyber security infrastructure for stock exchanges and FMIs as well.

These are the first internationally agreed guidelines on cyber security for the financial industry. SEBI was part of the working group on cyber resilience, which framed the cyber guidance. SEBI may introduce these requirements for Indian stock exchanges and FMIs within the next few months. Perry4Law Organisation (P4LO) welcomes these developments and is committed to extending its techno legal expertise to SEBI and the Indian government for the proper implementation of this cyber guidance.


Payment and Settlement Systems in India: Vision-2018

Reserve Bank of India (RBI) has released a vision statement titled Payment and Settlement Systems in India: Vision-2018 (pdf). The objective of this vision document is to build best of class payment and settlement systems for a ‘less-cash’ India through responsive regulation, robust infrastructure, effective supervision and customer centricity. In short, the aim of this vision document is to improve the techno legal online payment infrastructure of India. Perry4Law Organisation (P4LO) welcomes this move of RBI and would come up with its detailed suggestions in due course of time.

The vision document reads as follows:

1.1 The Vision-2018 for Payment and Settlement Systems in India reiterates the commitment of the Reserve Bank of India (the Bank) to encourage greater use of electronic payments by all sections of society so as to achieve a “less-cash” society. The objective is to facilitate provision of a payment system for the future that combines the much-valued attributes of safety, security and universal reach with technological solutions which enable faster processing, enhanced convenience, and the extraction and use of valuable information that accompanies payments.

1.2 Since 2012-13, all segments of electronic payments, particularly retail electronic payments, have shown healthy growth both in terms of volume and value of usage. For example, RTGS and NEFT volumes increased almost threefold between 2013 and 2016 reflecting greater adoption of the system by all segments of users. Similarly, with increasing number of banks offering mobile banking services and driven by the growth in e-commerce and use of mobile payment applications, the volume of mobile banking transactions has increased nearly seven-fold and the value of transactions has shown a steep rise. Card transactions have also grown significantly at both ATMs as well as at the Point-of-Sale (POS) with the growth in debit card usage at POS picking up significantly. The growth in volume and value of transactions using prepaid payment instruments (PPIs) issued by banks and authorised non-bank entities has also been significant. The volume and value in Immediate Payment Service (IMPS) has also grown significantly with the development of the IMPS as a multi-channel system providing various options to customers to originate transactions. Cheque payments, on the other hand, are showing a declining trend in terms of volume as well as value between 2013 and 2016.

1.3 The broad contours of Vision-2018 revolve around the 5 Cs:

  • Coverage – by enabling wider access to a variety of electronic payment services
  • Convenience – by enhancing user experience through ease of use and of products and processes
  • Confidence – by promoting integrity of systems, security of operations and customer protection
  • Convergence – by ensuring interoperability across service providers
  • Cost – by making services cost effective for users as well as service providers

1.4 Vision-2018 focuses on four strategic initiatives viz., responsive regulation, robust infrastructure, effective supervision and customer centricity.

  1. Firstly, RBI, in consultation with all the stakeholders, will continue its efforts to create a regulatory framework to promote twin objectives of enhanced coverage with interoperability of the payments system and convenience with security for the end-users in sync with emerging developments and innovations.

  2. Secondly, building a robust payments infrastructure in the country to increase the accessibility, availability, interoperability and security of the payment systems will continue to remain a key objective.

  3. Thirdly, Vision-2018 will focus on effectiveness of supervisory mechanisms to strengthen the resilience of the Financial Market Infrastructures (FMIs) and System Wide Important Payment Systems (SWIPS) in the country besides setting up appropriate oversight framework for new systems, and augmenting the data reporting and fraud monitoring systems.

  4. Finally, Vision-2018 will adopt a customer centric approach to streamline the customer grievance redressal mechanism, focus on building customer awareness and education, and initiate customer protection measures.

2. Expected outcomes of Vision-2018

2.1 New policies that are proposed to be framed under Vision-2018 with focus on electronic payments will influence the trends in payment systems in the country. Taking into account the positive developments during the period under Vision 2012-2015, and with the concerted efforts of the Government and all other stakeholders like banks, payment system operators, users, etc., Vision-2018 is expected to result in:

  1. Continued decrease in the share of paper-based clearing instruments;
  2. Consistent growth in individual segments of retail electronic payment systems viz. NEFT, IMPS, Card transactions, mobile banking, etc.;
  3. Increase in registered customer base for mobile banking;
  4. Significant growth in acceptance infrastructure; and
  5. Accelerated use of Aadhaar in payment systems

Payment & Settlement Systems in India: Vision-2018

Building best of class payment and settlement systems for a “less-cash” India through responsive regulation, robust infrastructure, effective supervision and customer centricity

Responsive Regulation

1. Orienting policy with emerging developments and innovations

• Framing new policy: Policy framework for CCPs; Exit policy for authorised entities; framework for imposition of penalty; regulation of payment gateway service providers and payment aggregators; monitoring framework for new technologies

• Review of existing policies / guidelines in following areas: Prepaid payment instruments (PPIs); mobile banking; White Label ATMs (WLA); Nodal account for Intermediaries

2. Setting up Payments System Advisory Council (PSAC) of industry and Government representatives / experts to strengthen the consultative process

3. Amendments to PSS Act

• Improved governance of Payment System Operator (PSO)

• Resolution of Central Counter Party (CCP) / Financial Market Infrastructure (FMI)

• Non-registration of charge on collateral with CCPs

4. Strengthen financial stability

• Encouraging adoption of Legal Entity Identifier (LEI) by financial entities

• Settlement of funds leg of financial transactions in central bank money

Robust Infrastructure

1. Facilitating faster payment services

• National Electronic Funds Transfer (NEFT) – more frequent settlement cycles and exploring feasibility of adoption of ISO messaging format

• Mobile Banking – enhancing options for customer registration for mobile banking services; enabling wider access to mobile banking services in multiple languages for non-smartphone users

• Encourage innovative mobile based payment solutions

2. Improving accessibility

• Increasing acceptance infrastructure

• Implementation of the Bharat Bill Payment System (BBPS)

• Implementation of the Trade Receivables Discounting System (TReDS)

3. Promoting interoperability

• Unified Payment Interface (UPI)

• Toll Collection

• Payments for Mass Transit systems

4. Enhancing safety and security

• Migration to EMV Chip & PIN cards

• EMV card processing at ATM based on chip data

• Security of ATM transactions by holistically strengthening the safety and security of ATM infrastructure

• Examining feasibility of Aadhaar-based authentication

5. Cheque clearing systems

• Endeavour to eliminate Paper-to-Follow arrangements for all cheques issued by State Governments

• Promoting use of positive pay mechanism, national archive on cheque images, etc.

• Encouraging complete migration of cheques to CTS-2010 standards

Effective Supervision

1. Assessment of resilience of payment and settlement infrastructure including FMIs and System-Wide Important Payment Systems (SWIPS)

• Draft framework for testing resilience

• Resilience of communication / messaging infrastructure

• Resilience of IT systems of PSOs

• Building capability to process transactions of one system in another system

2. Design an oversight framework

• On the basis of proportionality of risk posed by PSOs

• For large-value payment systems, retail payment systems (including IS audit), BBPS and TReDS

3. Strengthening reporting framework including fraud monitoring

• Move the reporting of periodic returns by payment systems operators to XBRL platform

• Draw a framework for collection of data on frauds in payment systems

4. Analysing data and publishing reports

• Oversight report on select retail and large value systems

• Analysis of Payment System related data within the Bank

Customer Centricity

1. Strengthening customer grievance redressal mechanism

• Frame necessary guidelines to ensure enhanced customer grievance redressal mechanism in authorized payment systems

• Require payment systems operators to adequately train front-office staff and agents

2. Enhancing customer education and awareness

• Electronic Banking Awareness And Training (e-BAAT)

• Framework requiring PSOs to disclose fees and terms and conditions of their service

3. Protection of customer interest

• Encourage PSOs to develop robust fraud and risk monitoring systems

• Endeavour to build a framework to limit customer liability for unauthorised electronic transactions

4. Positive confirmation

• Incorporate the feature of sending positive confirmation of payment to the remitter in Real Time Gross Settlement (RTGS) system

• Strengthen positive confirmation feature of NEFT

5. Conducting customer surveys

• Engage with various stakeholders / professionals to conduct user / customer surveys on specific aspects of payment systems


3. Strategic Initiatives: Responsive Regulation

3.1 Creating a Responsive Regulatory Framework is the first strategic initiative under Vision-2018.

3.2 The legal framework for payment and settlement systems in the country is provided under the Payment and Settlement Systems Act (the PSS Act), 2007. The PSS Act empowers the Bank to regulate and supervise the payment and settlement systems in the country.

3.3 In discharging its roles and responsibilities under the Act, the Bank has been putting in place policy framework, issuing guidelines and instructions to banks and authorised payment system operators relating to safety, security and efficiency of payment systems. Besides formulation of new policies and guidelines, existing policies and instructions are all continually reviewed, taking into account the feedback received from the stakeholders.

3.4 Taking into account the rapid developments and innovations in the area of payment systems, the Vision-2018 envisages a more responsive regulatory framework based on consultations with stakeholders. The policy framework will support payment system initiatives that enhance access to payment services. The principle of “similar business, similar risk, similar rules” will invariably be applied.

3.5 Accordingly, the key focus areas for responsive regulation would be:

3.5.1 New issues / areas for policy framework

  1. Policy framework for Central Counter Parties (CCPs): The CCPs are the critical financial market infrastructure (FMI) and the efficiency of the same is important. RBI has already declared the policy framework for regulation and supervision of FMIs under the regulatory jurisdiction of the RBI. The PFMIs against which FMIs are assessed lay emphasis on having effective governance framework and management of various risks, including legal, credit and liquidity risks against which FMIs are assessed. To begin with, the RBI would come out with regulations on Governance, Capital/ net worth requirement, registration/authorisation of foreign CCPs. At a later date, RBI may come out with regulations on risk management, if required. This will also serve as effective criterion to measure the equivalence standards of third country regulatory framework for the purpose of recognizing foreign CCPs operating outside and desirous of applying for recognition in India under these regulations.

  2. Regulation of payment gateway service providers and payment aggregators: The increasing growth of electronic payments, especially online payments, riding the growth of e-commerce and m-commerce transactions, has brought to the fore the increasing role and importance of entities that facilitate such online payments such as payment gateway providers and payment aggregators. The current guidelines on maintenance of nodal accounts for such intermediaries (monitored through banks) are indirect and address only a few specific aspects of their functioning. Given their increasing role, the guidelines will be revised for the payments related activities of these entities.

  3. Exit Policy: Co-existence of an exit policy along with the policy on authorisation of entities which participate in the payment and settlement system is essential for the overall hygiene of the ecosystem. The exit policy would lay down the parameters and processes for voluntary exit of a payment system operator (PSO) authorised to operate a retail payment system. Such a policy would ensure that the interests of the consumers and other stakeholders are protected.

  4. Framework for imposition of penalty: Guidelines and standards for various payment and settlement systems are issued under the provisions of the PSS Act. Non-adherence to these guidelines and standards by participants and operators attract the penal provisions under the PSS Act. A framework for imposition of such penalties under the PSS Act would be put in place.

  5. Monitoring framework for new technologies / innovations: In order to ensure that regulations keep pace with the developments in technology impacting the payment space, the global level developments in technology such as distributed ledgers, blockchain etc. will be monitored, and regulatory framework, as required, will be put in place. Further, the payments eco-system is dynamically evolving with the advancements and innovations taking place, particularly in the area of FinTechs. In order to provide a platform for innovators to showcase their models to the industry, particularly in the areas of interest to payment systems and services, the Reserve Bank has organised an innovation contest through the Institute for Development and Research in Banking Technology (IDRBT). Learnings from such interfaces will also be used as inputs for policy adaptations.

3.5.2 Review of existing policies

  1. Prepaid Payment Instruments (PPIs): With increase in number of entities authorised to issue PPIs in the country, their usage for purchase of goods and services as well as funds transfer has also been growing. Over the years, the guidelines have been expanded to include several types of PPIs, some of which are not really being issued / used actively. Similarly, with growing use of PPIs, the initial forbearance given on KYC requirements, customer-facing aspects such as safety and security, risk mitigation measures, complaint redressal mechanism, forfeiture of unutilised balances, fraud monitoring and reporting requirements, etc. merit a review. A comprehensive review of the PPI guidelines will be undertaken keeping in view the changing scenario.

  2. Mobile banking Guidelines: To promote mobile phones as access channel to payment and banking services, the guidelines will be reviewed to address issues related to customer registration for mobile banking, safety and security of transactions, risk mitigation and customer grievance redressal measures.

  3. White Label ATM (WLA) Guidelines: These Guidelines, formed with the objective of ensuring expansion of ATM infrastructure in rural and semi-urban areas, have not resulted in the much needed growth in ATM infrastructure in the desired geographical segments of the country due to multiple factors. The WLA Guidelines will accordingly be examined holistically and targets realigned to meet present conditions.

3.5.3 Payment System Advisory Council (PSAC)

The Board for Regulation and Supervision of Payment and Settlement Systems (BPSS), set up under the PSS Act, is the apex body for regulating and supervising the payment system related developments and policies in the country. Vision-2018 envisages setting up of a Payments System Advisory Council (PSAC) to assist the BPSS in formulation of new policies, assessing the impact of new technological developments by providing necessary insights about futuristic developments and innovations in the area. The PSAC could have representations from diverse fields such as technology, telecommunication, FinTech, security solution providers, academia, Government, etc. and strive to provide to the BPSS the necessary consultative feedback from stakeholders for making strategic decisions in the area of payment systems.

3.5.4 Amendments to PSS Act

Sound legal basis, including good governance, is the cornerstone for building a safe and efficient payments eco-system. Keeping this in view, amendments relating to settlement finality in the event of Central Counter Party (CCP) being declared insolvent or dissolved or wound down, and statutory charge on escrow account, have been made to the PSS Act which have come into effect from June 01, 2015. The Reserve Bank, as a member of the international Standard Setting Bodies (SSBs), is committed to adopting the international standards including those relating to recovery and resolution of FMIs. Efforts would, therefore, be made to bring in further amendments to the legal framework for addressing issues, such as:

  1. Resolution / insolvency of Central Counter Party (CCP) / Financial Market Infrastructure (FMI).
  2. Non-registration of charge on collateral with CCP: The Companies Act, 2013 has enlarged the meaning of ‘charge’ under that Act, covering the right of system provider to appropriate collateral. In a dynamic market scenario, where the market participants constantly move in and move out the collaterals from the control of the CCP, it is practically impossible to continuously register or modify the charge. Non registration of charge under the Companies Act should not in any manner affect the right of the CCP to appropriate the collaterals and the settlement finality. As legal certainty is extremely crucial in this market, for avoiding litigation, necessary amendment to clarify this position would be taken up.

  3. Better governance in critical payment systems operators both in retail and large value payment systems by appointing observers on the board of the service providers or by appointing additional directors, as required.

3.5.5 Measures to strengthen financial stability

  1. Adoption of Legal Entity Identifier: The legal entity identifier (LEI) uniquely identifies parties to financial transactions globally. The need for this was felt in the aftermath of the last financial crisis. Use of LEI would facilitate monitoring the exposure of entities across systems. Bank would put in place a framework to encourage the adoption of LEI for certain transactions / markets / categories of institutions.

  2. Settlement of funds leg of securities and commodity market transactions in central bank money: Settlement in central bank money helps to avoid credit and liquidity risks. Towards this end, steps would be taken to implement funds settlement of all securities and commodity market transactions in central bank money.

4. Strategic Initiatives: Robust Infrastructure

4.1 Development of a Robust Payments Infrastructure is the second strategic initiative under Vision-2018.

4.2 Availability of robust infrastructure to support electronic payments is a critical factor influencing the adoption of electronic payments. This is further augmented by policies that increase the efficiency and speed of payments, enhance transaction security, facilitate risk mitigation, improve accessibility and promote interoperability. Bank will explore options to strengthen technological resilience without impeding innovation. Bank will also encourage smaller banks such as Regional Rural Banks and Cooperative Banks in adoption of modern payment systems.

4.3 Accordingly, the key focus areas for building a robust payments infrastructure would be as outlined below:

4.3.1 Facilitating faster payment services

The payments eco-system in the country provides multiple options to different segments of users for funds transfer as well as for making payments in exchange of value for goods and services. With increasing adoption of electronic payments, particularly those driving e-commerce and m-commerce, there is a growing demand for ‘faster’ payment services which, in turn, facilitate ease in doing financial transactions. Towards this end, the measures that will be initiated will include:

  1. National Electronic Funds Transfer (NEFT): The growing adoption of NEFT by individuals, businesses and government agencies/departments, necessitate a review of the system to enable faster payment processing through introduction of more frequent settlement cycles. Similarly, the feasibility of adopting ISO messaging format for NEFT will be explored.

  2. Mobile Banking: The high mobile density in the country is being increasingly leveraged to offer payment services by a wide range of payment service providers so as to enable an on-the-go, faster payment experience to the customers. In addition to the efforts to on-board or increase customer registration level for mobile banking through simplified registration process and increasing the access points for same (through authorised ATM networks), the policy efforts will also focus on ensuring that access to mobile banking services is seamlessly provided to the large number of users of non-smartphone handsets in multiple languages.

  3. Service providers will be encouraged to adopt technology to provide innovative easy to use mobile based payment solutions in an interoperable environment without compromising on security.

4.3.2 Improving accessibility

In order to improve access to more electronic payment channels, Vision-2018 will give priority to the following:

  1. Increasing acceptance infrastructure for electronic payments: The large number of bank accounts opened under the Prime Minister Jan Dhan Yojana (PMJDY) as well as the large number of cards issued to these account holders, particularly in rural and semi-urban areas, necessitate that the access to electronic payment services to these customers are quickly augmented. Hence, a policy framework will be put in place for setting up necessary acceptance infrastructure including ATMs and POS, across all geographical and industry segments such as groceries, education, transport, utilities, government services, healthcare, etc. in the country.

  2. Implementation of the Bharat Bill Payment System (BBPS): BBPS, which is being set up to provide an accessible multi-tier infrastructure facilitating anytime, anywhere, any bill payment, will be made operational. Based on the progress in BBPS and its activities, the scope of payments covered under the system will also be gradually widened to include other types of services, in addition to the repetitive payments for everyday utility services such as electricity, water, gas, telephone and Direct-to-Home (DTH) planned for the present.

  3. Implementation of the Trade Receivables Discounting System (TReDS): TReDS, which is an institutional mechanism for facilitating the financing of trade receivables of MSMEs from corporate buyers through multiple financiers, will be made fully operational. Bank would pursue with other authorities/Government to amend their regulatory framework for speedier implementation and wider coverage of TReDS.

4.3.3 Promoting interoperability

The ability of customers to use and re-use a set of payment instruments seamlessly across different segments to meet a variety of payment requirements should not be constrained by a ‘silo’ approach to developments in the payments eco-system. The requirement of users for seamless payment experience are met only when the payment systems are inter-operable and are able to communicate within their own segments on the basis of common standards adopted by all providers of these services. Vision-2018 envisages promoting interoperability in areas which have a high potential for driving electronic payments, including for small value transactions, such as the following:

  1. Unified Payment Interface (UPI): At present although a large number of banks are offering mobile banking services these are not completely inter-operable, especially for merchant transactions. This, in turn, has impacted the use of mobile payments for merchant / P2B (Person to Business) transactions. Full operationalisation of UPI, which aims at this customer convenience, will provide the standard interface for communication across different mobile-banking applications of banks thus facilitating inter-operability in P2B payments.

  2. Toll Collections: Collection of toll, largely done in the form of cash payments, is another segment where efforts to migrate to electronic payments have been sporadic and isolated. Such disparate developments have led to the propagation of different systems across different parts of the country, not only causing confusion and inconvenience to the customers, but also pushing them further into cash payments. Hence, electronification of the toll collection systems on a pan-India basis in an interoperable environment will be encouraged.

  3. Payments for Mass Transit Systems: Another segment which has a huge potential for migrating large number of small value cash transactions to electronic payments, is in the area of mass transit (road transport, metro rail, etc.). Though there have been developments in recent times in different parts of the country to put in place automated fare collection for mass transit systems all of them work on proprietary systems and standards, thus coming in the way of inter-operability. Hence, the focus will be to ensure that the payment mechanisms being put in place in this segment are interoperable and built on open standards, preferably using open system payment instruments.

4.3.4 Enhancing Safety and Security

Safety and security of payment systems and transactions is an important factor that helps in boosting the trust and confidence of the customers in using electronic payment mechanisms. Towards this end, Bank will continue to adopt and implement international standards and best practices that enhance payment systems security. Some of the measures envisaged include:

  1. Migration of cards to EMV Chip and PIN: Banks have been advised that all new cards issued by them should be EMV Chip and PIN cards. A roadmap for migration of all existing magnetic stripe cards to EMV Chip and PIN cards has also been laid down. Bank will continue monitoring the progress made by the banks so as to ensure adherence to the timelines.

  2. EMV card processing at ATMs: Presently the ATMs in the country read and process the card transactions only on the basis of data contained in the magnetic stripe, even though the card may be a Chip and PIN card. With the roadmap in place for issuance of EMV Chip and PIN cards, the aim will be to ensure that all the ATMs in the country migrate to processing of EMV Chip and PIN cards on the basis of Chip data rather than magnetic stripe data.

  3. Security of ATM transactions: Although ATM infrastructure is widely used for meeting cash requirements of the customers, it is increasingly being used as a channel for carrying out other non-financial transactions and delivering value-added services. As such, the operational and logical access security aspects of ATMs assume significance, and any shortcomings in these areas make the systems vulnerable to attacks by fraudsters, thus impairing customer confidence and trust. The Bank will, therefore, examine holistically the physical and logical safety and security requirements of ATMs infrastructure and issue necessary guidelines to strengthen them.

  4. Aadhaar-based authentication: Examine the technical, operational and business feasibility of using Aadhaar as a factor of authentication for payment transactions.

4.3.5 Measures for cheque clearing systems

As cheques continue to be used for limited purposes by certain segments of users, it is sought to enhance the efficiency of cheque clearing systems in the following ways:

  1. Working towards eliminating paper-to-follow arrangement for cheques issued by the State Governments so that clearing of such cheques is also based on cheque images.

  2. Promoting use of positive pay mechanism, wider use of the national archive of cheque images, etc.

  3. Encouraging complete migration of cheques to CTS-2010 standards for better fraud detection and more effective risk mitigation.

  4. Decreasing the frequency of clearing for instruments not complying with CTS-2010 cheque standards.

4.4 The above efforts will ensure ubiquitous participation, i.e., provide an environment for payment products that are broadly accessible to everyone and available for use in a variety of circumstances, taking into account convenience, cost and risk considerations.

5. Strategic Initiatives: Effective Supervision

5.1 Effective Supervision over Payment Systems and the Operators will be the third strategic initiative under Vision-2018.

5.2 As migration to alternate modes of payment, viz., electronic payments, is increasing both for financial markets and for businesses and individuals, the resiliency of payment systems gains importance. Resiliency is the ability to continue to operate even if a system has failed completely, by switching activity to a separate system or process or a combination of both. The assurance of the authorised payment systems’ resilience comes from the oversight framework.

5.3 In order to have robust Payment and Settlement Systems in the country, it is not only essential to continuously self-test the resilience of the existing payment systems but also assess the various standards adopted for our systems vis-à-vis the existing international standards / best practices for similar systems. In this context, the resiliency of not just the Financial Market Infrastructures (FMIs) but also that of System-Wide Important Payment Systems (SWIPS) assumes significance.

5.4 Keeping the above in view, the Bank would be initiating the following actions in respect of FMIs and SWIPS:

5.4.1 Assessment of resilience of payment and settlement infrastructures

  1. A framework to test the resilience of (both retail and large value) payment systems in the country would be drafted.

  2. For ensuring continued operations and availability of the payment systems, resilience of communication / messaging infrastructure would be assessed.

  3. Payment systems being largely driven by changes in technology, a suitable framework would be put in place to audit and assure the existence of risk control measures at payment system operators and the resilience of their IT systems.

  4. In addition to the existing arrangements to ensure business continuity in individual payment systems, efforts would be made to enhance resilience by building necessary capability to process transactions of one system in another system. For instance, building the capability to process NEFT transactions in RTGS system and vice versa.

  5. As necessary, the support and help of external agencies, both existing and upcoming, will be taken to assess the resilience of the payment and settlement systems.

5.4.2 Oversight framework for existing and new payment systems

A well-structured oversight framework complements the framework for resilience of payment infrastructure. The following measures would be part of the oversight framework for existing and new payment systems that would be implemented:

  1. Proportionality of oversight: The intensity of oversight would be made proportionate to the systemic risks or system-wide risks posed by a payment system or operator or participant.

  2. Large-value payment systems: On-site inspection of FMIs and SWIPS would be carried out periodically with self-assessment to be carried out by FMI / SWIPS on a more frequent basis.

  3. Retail payment systems: A detailed framework on oversight of retail payment systems would be framed. The focus would continue to be on off-site surveillance, regular self-assessment and need-based inspection of retail payment systems. As these systems are largely driven by changes in technology, an appropriate framework for IS Audit would also be put in place.

  4. Bharat Bill Payment System (BBPS): An oversight framework to cover both Bharat Bill Payment Central Unit (BBPCU) and Bharat Bill Payment Operating Units (BBPOUs) will be put in place to ensure the safety, security and resilience of the BBPS.

  5. Trade Receivables Discounting System (TReDS): The TReDS will also be functioning as a pan-India system. Therefore, a comprehensive oversight framework to ensure the smooth functioning of TReDS and its resilience, including the risk management framework as required, would be put in place.

5.4.3 Strengthening reporting framework including fraud monitoring

  1. Reporting framework: As part of off-site surveillance process, payment system operators (PSOs) are directed to adhere to periodic reporting requirements. The periodic returns would be moved to XBRL system. This would offer major benefits at all stages of business reporting and analysis, aiding in better quality of information and decision-making. In addition, a structured reporting framework for PSOs to communicate the findings of the audit of their IT systems along with their compliance would also be put in place.

  2. Fraud Monitoring: To further strengthen the confidence in the payment systems and minimise instances of frauds, there is a need to monitor the types of frauds that may be taking place in various payment systems. Accordingly, to begin with, a framework for collection of data on frauds in payment systems would be drawn up in consultation with the industry.

5.4.4 Data analysis and publication of reports

  1. Oversight report for retail and large value payment systems: Bank would take steps to publish a separate oversight report for payment systems in the country on a regular basis.

  2. Analysis of Payment System related data within the Bank: With automation of regulatory reporting and generation of large volumes of data, studies would be undertaken to identify the emerging trends / attributes of payment system, seasonality, pattern analysis, etc. This would strengthen the regulatory decision support system.

6. Strategic Initiatives: Customer Centricity

6.1 Focus on the customer is the final key thrust area of Vision-2018.

6.2 Customer acceptance and usage of payment products provide one half of the required network effect in payment systems, with the other half coming from the entities willing to accept such payments. Confidence, convenience, and cost are key aspects that will encourage wider customer adoption and usage of electronic payments. Customers’ increasing expectations are driving provider responses. Towards this end, Vision-2018 would strive to keep the customer interest at the centre of payment system policy actions.

6.3 The measures in this regard would include:

a. Strengthening customer grievance redressal mechanism: A robust and responsive customer grievance redressal system is essential to build an environment of trust and confidence in payment systems. Further, customer experience should be uniform irrespective of whether the service is being provided by banks or non-bank entities. Hence,

  1. The Bank would frame necessary guidelines to ensure that existing complaint redressal framework of authorised non-bank entities is improved, and that new payment systems are set up with appropriate mechanisms to address customer grievances in a proactive manner.

  2. Payment System Operators (PSOs) would also be required to adequately train their own front office staff and their agents to understand and appropriately address diverse requirements when servicing their customers.

b. Enhancing customer education and awareness: Customer confidence in payment systems is reposed with usage combined with better awareness of the product and processes. A well-informed customer base would also facilitate faster migration away from cash payments. Involvement of stakeholders in this exercise can help to reap greater benefits, and, as such, the Bank would collaborate with other stakeholders in creating an environment of awareness and education on e-payments. Hence,

  1. The Bank, in collaboration with all the stakeholders, would endeavour to enhance customer awareness through structured Electronic Banking Awareness And Training (e-BAAT) programs.

  2. Further, the Bank would prepare a framework requiring PSOs to transparently disclose all fees they charge as part of their service along with the applicable terms and conditions, including liability and use of customer data.

c. Protecting Customer’s interest: The Bank would encourage payment system providers to adopt best practices for protecting customer interest by putting in place robust fraud and risk monitoring systems. In addition, a regulatory framework to limit customer liability in case of unauthorised transactions would be put in place.

d. Ensuring positive confirmation for RTGS transactions: Presently the NEFT system has the feature of sending positive confirmation to remitters regarding the completion of the funds transfer, thus giving an assurance to the remitter that the funds have been successfully credited to the beneficiary account. In order to provide the same confidence to customers using RTGS system for funds transfer, the Bank will incorporate the feature of positive confirmation for RTGS transactions too. Further, the feature in the NEFT system will also be strengthened by ensuring that all banks send the confirmation in a timely manner.

6.4 Conducting Customer Surveys: An important factor which contributes to refinement of policies and regulatory framework is the ability to gauge first-hand the developments / changes taking place in customer habits with respect to payment choices. In order to ascertain these changes, the Bank will engage with various stakeholders / professionals to conduct user / customer surveys over a period of time on specific aspects of payments systems. The findings from these surveys would not only provide insights into the use of existing payment products and processes by customers for meeting their various payment needs but also generate ideas for reviewing policies and empowering the users through structured awareness intervention.


CDSCO Working Towards Drafting New Drugs And Cosmetics Act 2016 And Medical Devices Act 2016

Medicines and medical devices have existed for many years. Information and communication technology (ICT) has changed the way medicines and medical devices were sold in earlier times. Even medical devices have assumed a totally different identity with the introduction of smart technology and artificial intelligence. Now smart gadgets connect individuals with hospitals, clinics and family doctors in a 24 x 7 x 365 mode. Health-related data and information are available in real time to both doctors and patients, which has significantly improved the health of patients, as remedial measures can be taken well in advance based on the data provided by smart e-health gadgets.

However, laws in India are lagging far behind and are not compatible with concepts like e-health, telemedicine, m-health, online pharmacies, etc. Further, India has still not enacted the necessary dedicated laws for cyber security, privacy, data protection (pdf), online pharmacies, Ayurvedic preparations, etc., without which the Indian healthcare industry cannot grow and survive. Indian e-health and medical device manufacturers are also not complying with techno legal requirements like cyber law due diligence (pdf), encryption laws, etc. If we wish to incorporate e-health, m-health and telemedicine into a smart city model, then there are additional techno legal compliances that must be ensured.

The Indian government is in the process of removing redundant and outdated laws and enacting new ones as per contemporary requirements. The healthcare industry is also on the priority list of the Indian government for legislative business. For instance, the Central Drugs Standards Control Organisation (CDSCO) is working towards drafting a new Drugs and Cosmetics Act, 2016 and a Medical Devices Act, 2016. The move follows steps initiated by the Ministry of Health and Family Welfare to revisit the D&C Act 1940 and Rules 1945. The objective of this step is to enact contemporary laws that can ensure the safety, efficacy and quality of drugs and medical devices.

The Director (Admin) of the Central Drugs Standards Control Organisation (CDSCO) on June 6, 2016 asked all state drugs controllers to give feedback based on their experience within 15 days of the said notice. There have been several transformations, like new brands, biologicals and biotech drugs, besides fixed dose combinations, that need a set of dedicated rules. These rules are also relevant keeping in mind the regulatory requirements of the different countries to which Indian medicines and medical and healthcare products are exported.

For instance, recently the United States Food and Drug Administration (U.S. FDA) issued an Import Alert 66-40 (pdf) titled Detention Without Physical Examination Of Drugs From Firms Which Have Not Met Drug GMPs. This alert deals with detention without physical examination of drugs from firms which have not met drug good manufacturing practices (GMPs). Many Indian pharmaceutical companies have been listed on this alert and imports from them have been banned. In fact, Lupin has recalled 9,210 bottles of Suprax for failure to pass a purity test.

Border enforcement of intellectual property rights (IPRs) by countries including the European Union has also posed problems for Indian pharmaceutical and healthcare companies. The EU and India even decided to sign a letter of understanding to protect off-patent generic drug consignments. Further, due to policy decisions of the United States, Novartis AG’s heart drug Diovan was also kept out of patients’ reach. This is despite the fact that Indian patent law is in conformity with WTO and international obligations. Expiring medicine patents can boost pharmaceutical business and e-commerce, as generic pharmaceutical companies can provide affordable drugs in large quantities.

The Drugs and Cosmetics Act & Rules 2016 will try to ensure compliance by the Indian pharma industry on some of these issues. Last year’s Amendment Bill also introduced a Central Licensing Authority (CLA) along with the State Licensing Authority (SLA) and the Central Licensing Approval Authority (CLAA) for Schedule III drugs. The new regulations may also cover the Uniform Code for Pharma Marketing, formation of a Task Force to formulate a bulk drug policy and a medical devices policy, and the creation of price monitoring and resource units in the state drugs control departments.


India Speeding Up Formation Of Tri Service Cyber Command For Armed Forces Of India

India has been working in the direction of establishing a Tri Service Cyber Command for the Armed Forces of India since 2013. In the year 2014, the Indian government reiterated its commitment to form the cyber command, but again no concrete steps were taken by the then government in this regard. The position remains the same as of June 2016, as we have no dedicated cyber command for the armed forces in India till now.

However, things are going to change very soon. Some officials and analysts in India are calling for progress on the tri-service command on cyber security that is still pending approval by the Ministry of Defense. Perry4Law Organisation (P4LO) has been recommending such a cyber command since 2013 and we once again request the Indian government to do the needful in this regard. The proposed cyber command could cover all three segments of the armed forces of India. P4LO also strongly recommends that sector-specific Computer Emergency Response Teams (CERTs) be established on the lines of CERT-In. The Indian government must also expand the role of the first Chief Information Security Officer (CISO) of India, the position presently held by Dr. Gulshan Rai.

Cyber attacks against India have significantly increased and India must be well prepared to deal with them. In fact, Indian cyberspace must be protected on a priority basis and suitable techno legal offensive and defensive mechanisms must be established by the Indian government in this regard. Indian cyber security is lagging far behind that of other countries. India is still struggling to deal with issues like cyber warfare, cyber espionage, cyber terrorism, etc. The critical infrastructure protection in India and its problems, challenges and solutions (pdf) are still to be managed by the Indian government.

At P4LO we firmly believe that a dedicated cyber warfare policy of India (Pdf) must be formulated as soon as possible. The present effort of the Indian government seems to be a step towards that objective. However, the main thing is the implementation of the various policies formulated from time to time. Till now the Indian government has not been able to implement the objectives of the National Cyber Security Policy of India 2013 (NCSP 2013). Further, the Indian government has also failed to integrate the NCSP 2013 with the National Security Policy of India.

Another major failure of the Indian government in this regard is the failure to enact legislation mandating strict cyber security disclosure norms in India. Although proposed in the year 2013, the disclosure norms for cyber security breaches in India are still not implemented. This hampers actual and effective implementation of cyber security norms in India. Recently the Reserve Bank of India (RBI) has hinted at such disclosure norms on the part of banks in India. A cyber security framework for banks in India has been prescribed by RBI and banks are required to comply with it by 30th September 2016. So work in these directions is also taking place in India, although in a very slow manner.

A proposal to set up a dedicated tri-service command for cyber security has been forwarded to the Ministry of Defense after top officials of the Indian air force, army and navy approved the idea. But the plan has yet to be approved. A draft proposal for setting up a separate tri-service command on cyber warfare was prepared in consultation with the chiefs of the Indian air force, Indian army and Indian navy after Chinese hackers broke into the computer systems of the headquarters of the Eastern Naval Command in Visakhapatnam in 2012, where the indigenously built Arihant nuclear submarine was undergoing sea trials.

During the same period, the Defence Research and Development Organisation (DRDO) informed that its computer systems had been breached and sensitive files leaked. A top defence ministry officer admitted that India has delayed on the cyber security front. “Cyber command would ensure both offensive and defensive cyber security capabilities. Issues like cyber warfare, cyber espionage and cyber terrorism, etc. would be taken care of by a cyber command.” Nevertheless, the proposal to set up the cyber command was kept in abeyance. P4LO hopes that the Indian government will now clear the cyber command, as we have a government that has both the will and the courage to see through this much-needed project.


Cyber Security Framework For Indian Banks Prescribed By Reserve Bank Of India (RBI)

Cyber security in India has never been given priority, and this is the reason why we have no robust and resilient cyber security infrastructure in India. The banking sector of India is no different from other businesses or industries. Cyber security of banks in India is in a very bad shape. Despite many reminders from the Reserve Bank of India (RBI), banks have paid no attention to strengthening their cyber security. Banks in India are also not following any cyber crisis management plan (CCMP) for meeting cyber attack situations. The Indian government has also not prescribed any cyber breach disclosure norms in India, and banks and organisations are not reporting cyber breaches happening at their branches.

Perry4Law Organisation (P4LO) has been suggesting that cyber security of banks in India needs strengthening. This is more so in the era of zero-day vulnerabilities and almost invincible malware that is creating havoc upon businesses and individuals alike. Even the Reserve Bank of India decided to set up an IT subsidiary to deal with cyber crimes and cyber security related issues.

It seems the Reserve Bank of India (RBI) has finally accepted the recommendation of P4LO, and a cyber security framework for Indian banks has been prescribed by the Reserve Bank of India (RBI). A notification (pdf) has been issued by RBI in this regard, and the cyber security obligations of banks in India have now significantly increased. This is in addition to the cyber law and cyber security obligations of directors of Indian companies as prescribed under the Indian Companies Act, 2013 (pdf). A dominant majority of directors of banking and non-banking companies in India are ignoring the cyber security obligations prescribed by the Information Technology Act, 2000, the Indian Companies Act, 2013, etc.

RBI has laid down the following cyber security framework for banks in India:

(1) Use of Information Technology by banks and their constituents has grown rapidly and is now an integral part of the operational strategies of banks. The Reserve Bank had provided guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (G.Gopalakrishna Committee) vide Circular DBS.CO.ITC.BC.No.6/31.02.008/2010-11 dated April 29, 2011, wherein it was indicated that the measures suggested for implementation cannot be static and banks need to pro-actively create/fine-tune/modify their policies, procedures and technologies based on new developments and emerging concerns.

(2) Since then, the use of technology by banks has gained further momentum. On the other hand, the number, frequency and impact of cyber incidents / attacks have increased manifold in the recent past, more so in the case of the financial sector including banks, underlining the urgent need to put in place a robust cyber security/resilience framework at banks and to ensure adequate cyber-security preparedness among banks on a continuous basis. In view of the low barriers to entry, evolving nature, growing scale/velocity, motivation and resourcefulness of cyber-threats to the banking system, it is essential to enhance the resilience of the banking system by improving the current defences in addressing cyber risks. These would include, but are not limited to, putting in place an adaptive Incident Response, Management and Recovery framework to deal with adverse incidents/disruptions, if and when they occur.

(3) There is an urgent need for a Board approved Cyber security Policy for banks in India. Banks should immediately put in place a cyber-security policy elucidating the strategy containing an appropriate approach to combat cyber threats given the level of complexity of business and acceptable levels of risk, duly approved by their Board. A confirmation in this regard may be communicated to Cyber Security and Information Technology Examination (CSITE) Cell of Department of Banking Supervision, Reserve Bank of India, Central Office, World Trade Centre-I, 4th Floor, Cuffe Parade, Mumbai 400005 at the earliest, and in any case not later than September 30, 2016.

(4) It may be ensured that the strategy deals with the prescribed aspects. Cyber Security Policy to be distinct from the broader IT policy / IS Security Policy of a bank. In order to address the need for the entire bank to contribute to a cyber-safe environment, the Cyber Security Policy should be distinct and separate from the broader IT policy / IS Security policy so that it can highlight the risks from cyber threats and the measures to address / mitigate these risks.

(5) The size, systems, technological complexity, digital products, stakeholders and threat perception vary from bank to bank and hence it is important to identify the inherent risks and the controls in place to adopt appropriate cyber-security framework. While identifying and assessing the inherent risks, banks are required to reckon the technologies adopted, alignment with business and regulatory requirements, connections established, delivery channels, online / mobile products, technology services, organisational culture and internal & external threats. Depending on the level of inherent risks, the banks are required to identify their riskiness as low, moderate, high and very high or adopt any other similar categorisation. Riskiness of the business component also may be factored into while assessing the inherent risks. While evaluating the controls, Board oversight, policies, processes, cyber risk management architecture including experienced and qualified resources, training and culture, threat intelligence gathering arrangements, monitoring and analysing the threat intelligence received vis-à-vis the situation obtaining in banks, information sharing arrangements (among peer banks, with IDRBT/RBI/CERT-In), preventive, detective and corrective cyber security controls, vendor management and incident management & response are to be outlined.

(6) An arrangement for continuous surveillance must be made by the banks. Testing for vulnerabilities at reasonable intervals of time is very important. The nature of cyber-attacks is such that they can occur at any time and in a manner that may not have been anticipated. Hence, it is mandated that a SOC (Security Operations Centre) be set up at the earliest, if not already done. It is also essential that this Centre ensures continuous surveillance and keeps itself regularly updated on the latest nature of emerging cyber threats.

(7) IT architecture should be conducive to security. The IT architecture should be designed in such a manner that it takes care of facilitating the security measures to be in place at all times. The same needs to be reviewed by the IT Sub Committee of the Board and upgraded, if required, as per their risk assessment in a phased manner. The risk cost/potential cost trade off decisions which a bank may take should be recorded in writing to enable an appropriate supervisory assessment subsequently.

(8) An indicative, but not exhaustive, minimum baseline cyber security and resilience framework to be implemented by the banks is given in Annex 1. Banks should proactively initiate the process of setting up and operationalising a Security Operations Centre (SOC) to monitor and manage cyber risks in real time. An indicative configuration of the SOC is given in Annex 2.

(9) Comprehensively address network and database security. Recent incidents have highlighted the need to thoroughly review network security in every bank. In addition, it has been observed that many times connections to networks/databases are allowed for a specified period of time to facilitate some business or operational requirement. However, these often do not get closed due to oversight, leaving the network/database vulnerable to cyber-attacks. It is essential that unauthorized access to networks and databases is not allowed and, wherever access is permitted, that it is granted through well-defined processes which are invariably followed. Responsibility over such networks and databases should be clearly elucidated and should invariably rest with the officials of the bank.
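One way to operationalise item (9), as an added example that is not from the RBI circular or this page's author: a small audit over a bank's register of time-bound network/database access grants that flags grants left active past their expiry, open-ended grants, and grants with no accountable bank official or approval reference. The register schema, grant records, hosts, ticket numbers and dates are all constructed for illustration.

```python
"""Audit of time-bound network/database access grants.

Added example, not from the RBI circular or this page's author. It models the
failure mode described in item (9): temporary network/database connections
opened for a business need that are never closed, or that no bank official
clearly owns. Every grant record and identifier below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class AccessGrant:
    """One entry in a bank's register of temporary access exceptions (hypothetical schema)."""
    grant_id: str
    source: str                      # requesting host, network or vendor link
    target: str                      # database or network segment reached
    opened_on: datetime
    expires_on: Optional[datetime]   # None means the grant was recorded without an end date
    owner: Optional[str]             # bank official accountable for the grant
    change_ticket: Optional[str]     # reference to the approval process that permitted it
    active: bool                     # still present in firewall / database ACLs


@dataclass(frozen=True)
class Finding:
    grant_id: str
    issue: str


def audit_grants(grants: List[AccessGrant], as_of: datetime,
                 warn_within: timedelta = timedelta(days=7)) -> List[Finding]:
    """Return one Finding per control gap; grants already closed are ignored."""
    findings: List[Finding] = []
    for g in grants:
        if not g.active:
            continue  # exception was closed; nothing left to review
        if g.expires_on is None:
            findings.append(Finding(g.grant_id, "open-ended: no expiry recorded"))
        elif g.expires_on <= as_of:
            overdue = (as_of - g.expires_on).days
            findings.append(Finding(g.grant_id,
                                    f"expired {overdue} day(s) ago but still active"))
        elif g.expires_on - as_of <= warn_within:
            findings.append(Finding(g.grant_id, "expires within review window"))
        if not g.owner:
            findings.append(Finding(g.grant_id, "no accountable bank official recorded"))
        if not g.change_ticket:
            findings.append(Finding(g.grant_id, "no approval reference; not via defined process"))
    return findings


def grants_to_close(grants: List[AccessGrant], as_of: datetime) -> List[str]:
    """Grant ids that are past expiry yet still active: the case item (9) warns about."""
    return [g.grant_id for g in grants
            if g.active and g.expires_on is not None and g.expires_on <= as_of]


# Constructed register for illustration; the dates sit around the circular's 2016 deadlines.
AS_OF = datetime(2016, 7, 15)
SAMPLE_GRANTS = [
    AccessGrant("G-001", "10.10.5.21", "core-db-replica", datetime(2016, 6, 1),
                datetime(2016, 6, 15), "dba-lead", "CHG-1042", True),      # expired, never closed
    AccessGrant("G-002", "vendor-vpn-3", "atm-switch-net", datetime(2016, 5, 20),
                None, None, "CHG-0981", True),                              # open-ended, no owner
    AccessGrant("G-003", "10.10.7.4", "reporting-db", datetime(2016, 7, 1),
                datetime(2016, 7, 18), "ops-manager", None, True),          # expiring soon, no ticket
    AccessGrant("G-004", "10.10.9.9", "test-db", datetime(2016, 4, 1),
                datetime(2016, 4, 30), "qa-lead", "CHG-0777", False),       # closed on time
    AccessGrant("G-005", "10.10.3.3", "hr-db", datetime(2016, 7, 10),
                datetime(2016, 8, 30), "hr-it", "CHG-1100", True),          # compliant
]


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS, AS_OF):
        print(f"{f.grant_id}: {f.issue}")
    print("close now:", grants_to_close(SAMPLE_GRANTS, AS_OF))
```

Run against the real exception register on a schedule and route each finding to the recorded owner; a grant with no owner is itself the gap the circular asks banks to close.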

(10) Ensuring Protection of customer information. Banks depend on technology very heavily not only in their smooth functioning but also in providing cutting-edge digital products to their consumers and in the process collect various personal and sensitive information. Banks, as owners of such data, should take appropriate steps in preserving the Confidentiality, Integrity and Availability of the same, irrespective of whether the data is stored/in transit within themselves or with customers or with the third party vendors; the confidentiality of such custodial information should not be compromised at any situation and to this end, suitable systems and processes across the data/information lifecycle need to be put in place by banks.

(11) Cyber Crisis Management Plan. A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy. Considering the fact that cyber-risk is different from many other risks, the traditional BCP/DR arrangements may not be adequate and hence need to be revisited keeping in view the nuances of the cyber-risk. As you may be aware, in India, CERT-In (Computer Emergency Response Team – India, a Government entity) has been taking important initiatives in strengthening cyber-security by providing proactive & reactive services as well as guidelines, threat intelligence and assessment of preparedness of various agencies across the sectors, including the financial sector. CERT-In has also come out with a National Cyber Crisis Management Plan and a Cyber Security Assessment Framework. CERT-In/NCIIPC/RBI/IDRBT guidance may be referred to while formulating the CCMP.

(12) CCMP should address the following four aspects: (i) Detection (ii) Response (iii) Recovery and (iv) Containment. Banks need to take effective measures to prevent cyber-attacks and to promptly detect any cyber-intrusions so as to respond / recover / contain the fallout. Banks are expected to be well prepared to face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks. Among other things, banks should take necessary preventive and corrective measures in addressing various types of cyber threats including, but not limited to, denial of service, distributed denial of service (DDoS), ransomware / cryptoware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc.

(13) Cyber security preparedness indicators. The adequacy of and adherence to cyber resilience framework should be assessed and measured through development of indicators to assess the level of risk/preparedness. These indicators should be used for comprehensive testing through independent compliance checks and audits carried out by qualified and competent professionals. The awareness among the stakeholders including employees may also form a part of this assessment.

(14) Sharing of information on cyber-security incidents with RBI. It is observed that banks are hesitant to share cyber-incidents faced by them. However, the experience gained globally indicates that collaboration among entities in sharing the cyber-incidents and the best practices would facilitate timely measures in containing cyber-risks. It is reiterated that banks need to report all unusual cyber-security incidents (whether they were successful or were attempts which did not fructify) to the Reserve Bank. Banks are also encouraged to actively participate in the activities of their CISOs’ Forum coordinated by IDRBT and promptly report the incidents to Indian Banks – Center for Analysis of Risks and Threats (IB-CART) set up by IDRBT. Such collaborative efforts will help the banks in obtaining collective threat intelligence, timely alerts and adopting proactive cyber security measures.

(15) Supervisory Reporting framework. It has been decided to collect both summary level information as well as details on information security incidents including cyber-incidents. Banks are required to report promptly the incidents, in the format given in Annex-3.

(16) An immediate assessment of gaps in preparedness to be reported to RBI. The material gaps in controls may be identified early and appropriate remedial action under the active guidance and oversight of the IT Sub Committee of the Board as well as by the Board may be initiated immediately. The identified gaps, proposed measures/controls and their expected effectiveness, milestones with timelines for implementing the proposed controls/measures and measurement criteria for assessing their effectiveness including the risk assessment and risk management methodology followed by the bank/proposed by the bank, as per their self-assessment, may be submitted to the Cyber Security and Information Technology Examination (CSITE) Cell of Department of Banking Supervision, Central Office not later than July 31, 2016 by the Chief Information Security Officer.

(17) Organisational arrangements. Banks should review the organisational arrangements so that the security concerns are appreciated, receive adequate attention and get escalated to appropriate levels in the hierarchy to enable quick action.

(18) Cyber-security awareness among stakeholders / Top Management / Board. It should be realized that managing cyber risk requires the commitment of the entire organization to create a cyber-safe environment. This will require a high level of awareness among staff at all levels. Top Management and Board should also have a fair degree of awareness of the fine nuances of the threats and appropriate familiarisation may be organized. Banks should proactively promote, among their customers, vendors, service providers and other relevant stakeholders an understanding of the bank’s cyber resilience objectives, and require and ensure appropriate action to support their synchronised implementation and testing. It is well recognised that stakeholders’ (including customers, employees, partners and vendors) awareness about the potential impact of cyber attacks helps in cyber-security preparedness of banks. Banks are required to take suitable steps in building this awareness. Concurrently, there is an urgent need to bring the Board of Directors and Top Management in banks up to speed on cyber-security related aspects, where necessary, and hence banks are advised to take immediate steps in this direction.

Perry4Law Organisation (P4LO) welcomes the step taken by RBI to strengthen the cyber security of banks in India. At the same time, we are also open to extending our techno legal cyber law and cyber security expertise to those banks that need our services. Please establish a client-attorney relationship if you are a bank/director and you need our techno legal cyber security assistance.


Cyberspace May Be Designated As An Official Operational Domain Of Warfare By NATO Members

Cyberspace has become a very hostile and turbulent domain. Sophisticated malware and cyber attacks are very common in cyberspace these days. The NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE) has even released a manual titled the Tallinn Manual on the International Law Applicable to Cyber Warfare (pdf) to provide academic guidance on international cyber warfare related acts. Perry4Law Organisation (P4LO) has also launched two dedicated blogs titled International Legal Issues of Cyber Security and International Legal Issues of Cyber Attacks for all stakeholders.

Legal issues of the Internet and cyberspace are very difficult to manage. For instance, authorship attribution for securing convictions in cross-border cyber attacks is a controversial and complicated area that requires the attention of nations across the world. The US agency DARPA has solicited innovative research proposals in the area of cyber attribution. There are many more challenges that nations around the world are facing in cyberspace, and these can be managed only by establishing an international techno legal framework. From conflict of laws in cyberspace to civil liberties protection in cyberspace, governments around the world have to manage many sensitive, crucial and constitutional norms. This situation is further complicated by the absence of international treaties on cyber law and cyber security (pdf).

Nevertheless, a proposed effort of NATO would be a significant step in this direction. According to media reports, NATO members will likely agree during a summit meeting in Warsaw next month to designate cyber as an official operational domain of warfare, along with air, sea, land and space. Major General Ludwig Leinhos, who heads the German military’s effort to build up a separate cyber command, told a conference at the Berlin air show that he expected all 28 NATO members to agree to the change during the coming Warsaw summit. Leinhos, who previously held a senior job at NATO headquarters, said he also expected NATO members to agree to intensify their efforts in the cyber security arena. NATO had also requested cyber security cooperation from India in the past. The United States announced in 2011 that it viewed cyberspace as an operational domain of war, and said it would respond to hostile attacks in cyberspace as it would to any other threat.

However, the bigger question is whether NATO will also provide war-scale privacy protection and civil liberties safeguards while engaging in cyber warfare or traditional warfare activities in response to cyberspace violations. There are many more techno legal issues involved in this process, and we at P4LO hope that these issues would be resolved by NATO while recommending cyberspace as a war frontier.


E-Commerce Litigation And Legal Disputes Would Increase In India Say Legal Experts

E-commerce is booming in India but the regulatory environment is not in a position to match its progress. The Indian government tried to use the existing provisions of the Information Technology Act, 2000 (IT Act 2000) and other Indian laws to regulate e-commerce in India, but this exercise has failed. This happened because issues like cyber law due diligence (pdf), internet intermediary liability, e-commerce dispute resolution, etc. were neither appreciated nor made applicable by the Indian government to e-commerce entities operating in India.

Even the recent clarification on Foreign Direct Investment (FDI) in E-Commerce Sector of India 2016 has failed to satisfy the doubts of e-commerce businesses in India. We at Perry4Law Organisation (P4LO) have recommended to the government that a dedicated e-commerce law of India is the need of the hour and that e-commerce websites must be regulated in India by a suitable techno legal framework.

We have also launched two dedicated blogs to help the Indian government in general and e-commerce stakeholders in particular. These blogs are titled e-retailing laws in India and e-commerce laws in India. Good techno legal guidance can be taken from these blogs, but they are in no way a substitute for well reasoned techno legal e-commerce legal consultancy.

Meanwhile, the brick and mortar business community has taken the e-commerce entrepreneurs to Indian courts for violation of Indian laws. They have also complained to the Department of Industrial Policy and Promotion (DIPP) to ensure a level playing field. Commerce and Industry Minister Nirmala Sitharaman has recently told the media that the government has ensured a level playing field between online and offline retail. She stated that what applies to brick and mortar applies to e-commerce too.

We at Perry4Law Organisation (P4LO) believe that this assurance and approach of the DIPP is the “starting point” and not the “end solution”. This is so because e-commerce businesses are required to comply with “additional” techno legal compliances that brick and mortar businesses are not required to comply with. In short, e-commerce businesses in India are required to comply with many more techno legal compliances, which are presently flouted by them.

Perry4Law Law Firm predicted in the year 2012 that cyber litigation against foreign websites would increase in India. Almost all the famous e-commerce websites in India are presently facing legal actions against them for violating Indian taxation, foreign exchange and cyber laws. This trend is going to increase in the near future as India has decided to widen the tax net for foreign companies like Google, Amazon, etc. Software for calculating e-commerce exports has also been developed by the Indian government. Nevertheless, legal violations by big e-commerce platforms of India still continue, especially for online pharmacies, telemedicine, online gambling, e-health, m-health, internet of things (IoT), etc. The Indian government in general and DIPP in particular must take e-commerce related violations very seriously while allowing e-commerce businesses to grow as much as possible.

Now other legal experts have endorsed the viewpoint of Perry4Law and have agreed that it could be a bumpy ride ahead for online e-commerce companies in India, as litigation in this space could go up. They are blaming the recent FDI guidelines for this, but that is just part of the picture. They have missed the techno legal compliance part completely, which is more troublesome than the FDI guidelines.

There is a rise in the number of cases where offline retailers, trade associations and even e-commerce entrepreneurs are approaching the courts, asking for the intervention of agencies such as the Competition Commission of India (CCI) and the Enforcement Directorate (ED). So serious is the situation that e-commerce companies have started strengthening their legal departments in the backdrop of the current volatile e-commerce business environment. Many are not comfortable with the expression “indirectly influencing the price” under the recent FDI guidelines. The guidelines prescribe that no e-commerce marketplace platform may directly or indirectly influence the price of products sold on the platform. This has made the e-commerce companies in India nervous. Another area of concern pertains to the interpretation of the two business models, i.e. the marketplace model and the inventory-based model.

A few weeks earlier, traders’ body CAIT filed a complaint with DIPP, alleging violation of FDI norms for e-commerce by online retail major Flipkart. The complaint was in reference to an advertisement in newspapers announcing the sale of an item, together with its discounted price, to be available on the e-commerce platform of Flipkart, a marketplace. CAIT says the advertisement violates the guidelines for FDI in e-commerce. Organisations such as the All India Vendors Association (AIOVA) have also taken on companies such as Paytm using the micro-blogging social media network Twitter.

It asked DIPP to clarify if the practice of giving cash-backs by Paytm above the seller-funded discount was within the purview of the FDI guidelines on the segment. DIPP replied, through a tweet, that the choice was with the seller. “Giving a discount or not is a prerogative of the seller owning inventory. FDI is permitted in marketplace, not in inventory-based model,” it said.

There is also fear of increased scrutiny from agencies such as CCI and ED, given the increased regulatory push on the e-commerce sector. Chances are that these agencies would work closely with their counterparts monitoring tax and exchange control aspects to check companies flouting the norms while conducting e-commerce business.


Bitcoin Use, Websites And Businesses Can Be Legal In India If They Comply With Techno Legal Compliances

The legality of bitcoin in India is still a grey area as there is no dedicated law to deal with the same. Different stakeholders have interpreted this vacuum differently. Bitcoin entrepreneurs believe that dealing in bitcoin in India is permissible whereas law enforcement agencies and statutory authorities have considered bitcoin as suspicious so far.

Legal authorities and lawyers are also divided on the fate and legal status of bitcoin in India. Some believe that use of bitcoin is legal in India whereas others have argued that use of bitcoin is illegal in India. Both arguments have their own weaknesses and strengths. However, neither legal argument has brought out the true picture so far.

We at Perry4Law Law Firm have tried to bring some certainty in this uncertain environment. We believe that bitcoin use, websites and businesses can be legal in India if they comply with techno legal compliances as prescribed by different laws of India. Anything short of this techno legal compliance on the part of bitcoin community would mean a criminal prosecution. Unfortunately, bitcoin stakeholders in India are not at all aware of techno legal compliances.

A cursory analysis of some of the known bitcoin websites in India proved this point. The bitcoin websites have miserably failed to comply with techno legal requirements of Information Technology Act, 2000 and the rules prescribed under the same. Other Indian laws, especially those pertaining to foreign exchange and taxation, are also not complied with by these websites.

The position maintained by us is applicable so long as there is no dedicated law governing the use of bitcoin in India. The moment such a law is formulated, the legality of bitcoin and its use must be analysed keeping in mind the specific provisions of that law. However, there is only a dim possibility that the Reserve Bank of India (RBI) and the Indian government would undertake a legislative exercise to regulate bitcoin in India in the near future.

Naturally, the only choice before the bitcoin community is to comply with techno legal compliances. At the same time, it is imperative on the part of law enforcement agencies, regulatory authorities and the Indian government to ascertain whether bitcoin has been used for anti-national and illegal purposes or not.

Perry4Law recommends that a committee must be established by RBI and the central government to analyse the business models and commercial activities of bitcoin websites in India. Those found to be complying with existing Indian laws must be encouraged and those violating them must be punished. The approach of keeping one’s eyes closed is no longer appropriate for RBI and the central government.


Telemedicine And Online Pharmacies Laws Must Be Complied With By Businesses And Entrepreneurs Of India

Technology entrepreneurs and business houses are betting high on e-health, m-health, online pharmacies and telemedicine related business ventures. The Indian government is also trying to streamline the regulatory environment in this regard, but much work remains. For instance, the Electronic Health Record (EHR) Standards of India have been prescribed and the establishment of a National E-Health Authority (NeHA) of India has also been proposed. However, no dedicated laws for e-health/m-health, telemedicine, online pharmacies, etc. have been formulated by the Indian government so far.

Information and communication technology (ICT) is proving a useful tool in all spheres of our day to day lives. This also applies to the healthcare sector of India. Medical practitioners and hospitals have started using ICT to effectively manage their medical services. However, there is a problem with this growing use of ICT by medical practitioners and hospitals. In their zest to use ICT for furthering their medical objectives, these medical practitioners and hospitals are flouting Indian laws. Simply put, we have no dedicated telemedicine laws in India and no online pharmacies laws in India. However, different laws of India govern the telemedicine and online pharmacies aspects in India.

As of today, online pharmacies in India are violating Indian laws and the Indian government is well aware of these violations. In fact, online pharmacy websites of India are under the regulatory scanner and punishment may follow. Despite contrary beliefs, online sales of prescribed medicines in India cannot be done merely by opening a website. The growing craze for e-commerce among Indian medical entrepreneurs has witnessed a spurt of many online pharmacies and telemedicine operations in India. However, most of them are violating the laws of India and some of these laws prescribe very serious punishment for these violations.

While India has a basic e-commerce legal framework, an e-health related legal framework is missing. For instance, e-health in India is facing legal roadblocks. Till now we do not have any dedicated e-health laws and regulations in India. The legal enablement of e-health in India is urgently required.

When technology is used for medical purposes, it gives rise to medico legal and techno legal issues. In the United States, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act), etc. are some of the laws that take care of the medico legal and techno legal issues of e-health and telemedicine. As far as India is concerned, we have no dedicated e-health and telemedicine laws in India. Even essential attributes of these laws like privacy protection, data protection, data security, cyber security, confidentiality maintenance, etc. are not governed by much needed dedicated laws. The time has come to enact a dedicated law that allows online sales and purchase of prescribed drugs and medicines in India.

There is a tendency among medical e-commerce players in India to ignore Indian laws. The Walmart probe, banned drugs regulation in India, e-trading of medicines, digital communication channels, etc. have proved that Indian laws must not be taken lightly. Similarly, many telemedicine and online pharmacy initiatives in India rely upon cloud computing without knowing and following the legal and regulatory issues of cloud computing in India. Those engaged in telemedicine and online pharmacies must keep in mind the legal requirements prescribed by Indian laws like the Information Technology Act 2000, Drugs and Cosmetics Act, Indian Medical Council Act, Code of Ethics Regulations 2002, etc.

The biggest mistake that most telemedicine and online pharmacy initiatives in India commit is to believe that offline medico legal requirements can be safely used for online requirements. This is not true and is a fatal misconception as it may bring legal consequences and liabilities.

Online dealings in medicines and healthcare services have their own set of problems and legalities, and these must be fully complied with to do business online. Selling medicines online and providing online healthcare services in India is not like selling other day to day commodities, and grave risks are attached to their very dealings. Great precautions and absolute compliance with the laws of India are required for their online operations.

The ultimate call is for the Indian government to make, as it has failed to regulate this much needed field so far. Not only has the Indian government failed to make dedicated laws in this regard, but it has also failed to take stringent action against those who are running illegal online pharmacies and telemedicine shops in India.


US And Europe Are Enacting Laws To Protect Trade Secrets Of Businesses And Companies

Trade secrets are an integral part of the intellectual property of an organisation and they must be protected to the maximum possible extent. At times companies and business houses prefer not to make their methods and strategy public, and these methods and strategies are protected as trade secrets. Business houses have to make a trade-off between protection of intellectual property rights like patents, trademark and copyright on the one hand and the strategic advantage of highly personal and advantageous information and knowledge on the other hand. It is not always beneficial to make your invention, method or business model public and get intellectual property protection for the same.

Companies and business houses that prefer to maintain trade secrets as intellectual property have to go to great lengths to protect their trade secrets. These days cyber criminals are targeting the trade secrets of big organisations and business houses, as a stolen trade mark can be sold at a great price in national and international markets. Cyber espionage has also significantly increased the world over to steal trade secrets and intellectual property rights of big companies.

For instance, in the past the Japanese company Kawasaki Heavy Industries (KHI) accused the Chinese company CSR Sifang of stealing its Shinkansen Bullet Trains. Japan had also alleged that technology and information from local companies, including chipmaker Toshiba, had been leaked to rivals from other countries. Japan has decided to fight against the growing incidence of industrial cyber espionage. The United States had also decided in the year 2013 to introduce legislation that would target companies using stolen U.S. IPRs. Now in the year 2016 the US has finally given shape to legislation that would protect the trade secrets of US companies. Europe has also formulated trade secret legislation to protect the trade secrets of its member nations.

However, there are many techno legal challenges that nations and big companies need to address. Firstly, we need to address the problem of conflict of laws in cyberspace, which results in the applicability of different laws in different situations. For instance, the recently expanded Rule 41 of the US Federal Rules of Criminal Procedure is not binding upon India and other countries. This modified rule would not only violate the civil liberties and cyber laws of different countries but would also force other countries to speed up the cyber warfare and cyber espionage race. Naturally, intellectual property rights and trade secrets would be on the receiving end.

Secondly, the international legal issues of cyber attacks and cyber security still need to be managed. Proving a cyber crime that involves multiple jurisdictions is a tedious task and it cannot be proved with certainty in all cases. Mutual cooperation and Mutual Legal Assistance Treaties (MLAT) are not helpful in most cyber crime cases having international ramifications. It is very important to resolve the authorship attribution dilemma so that guilt for a cyber crime can be imputed to a particular individual, nation or organisation.

Thirdly, cyber security issues are not easy to manage. Present-day malware defeats cyber security products with ease. There is little cyber security available to e-commerce companies and websites in different jurisdictions. In many jurisdictions, including India, cyber security breach disclosure norms are still missing. Thus, if an organisation or company is targeted by a cyber attack and its systems are breached, most of the time such an organisation would not report the incident to the government.

It is good that countries are working in the direction of protection of trade secrets but techno legal issues of trade secret laws cannot be ignored by them.
