G Padmanabhan: Efficient systems and proficient banks

Keynote address by Mr G Padmanabhan, Executive Director of the Reserve Bank of India, at the CIOs (Chief Information Officers) Conference, held at IDRBT (Institute for Development and Reasearch in Banking Technology), Mumbai 10-11 March 2014.

The views expressed in this speech are those of the speaker and not the view of the BIS.

Central bank speech  | 
13 March 2014
PDF version
 |  7 pages

Assistance provided by Smt Nikhila Koduri and Shri Saswat Mahapatra in the preparation of the address and comments on the draft by Shri S Ganeshkumar, Shri A Madhavan and Dr A M Pedgaonkar is gratefully acknowledged.

1. Shri Sambamurthy, Dr Ramasastri, Dr Gulshan Rai, CIOs of banks, faculty and staff of IDRBT, ladies and gentlemen. I would like to express my gratitude to the Director for inviting me to deliver the keynote address at the two day Conference for the Chief Information Officers (CIO) of banks. I addressed a similar forum of CIOs in December 2012 at this very venue. I recollect that I had left the audience with a few questions for further deliberations in the Conference. I hope the participants found them useful and have found workable approaches to those issues. I intend doing something similar this time too, although this happens to be the day two of the Conference.

Who is a CIO?

2. Over the years, the roles and responsibilities of the CIOs have been undergoing a major transformation. Today's CIO has to deal with modern technologies which require a different way of thinking and finding new avenues to lead the changing environment, which may otherwise lead to technological irrelevance. In addition, in the long run, they have to ensure to drive up productivity of the bank while ensuring innovation and security of systems thus playing the role of a Chief Innovating Officer and a Chief Intelligence Officer. Though not strictly comparable, one can surmise that the demands on a CIO of a complex bank are akin to those of a CTO of a technology start-up: whether it is in leading innovation- product and process or managing multiple teams to develop and deliver or focusing on the customer experience or partnering with sales/marketing to deliver. But of course, as compared to technology start-up CTOs, the bank CIOs have to work in an extremely complex environment and therefore they need to possess multi-dimensional skill sets.

3. In my address today, I would first like to focus on few issues that have relevance for CIOs of banks in the present day context and then leave you all with a set of questions on each of these issues, for you to ponder over in the days to come.

Human capital - the weakest link

4. By its very definition, Human capital1is "the stock of competencies, knowledge, social and personality attributes, including creativity, cognitive abilities, embodied in the ability to perform labour so as to produce economic value". The challenge that most institutions including banks face, is realising this resource to serve its purpose. The future of banking in India, in my view, is going to be driven by critical elements; the most significant among them being human capital and technology and in that order.

5. For some years now, we all have been hearing, that Indian banks, especially those in the Public Sector will be facing severe crunch of manpower. To visualise that 60-80% of senior executives, 50% of middle managers and 60% of other staff (which amounts to nearly 1.5 lakh personnel) will be retiring in the next 5 years is indeed a daunting challenge. While it is comforting to note that initiatives are being taken to recruit manpower in larger numbers than before, we need to ponder over the requirements of banks in a changed scenario where both technology and soft skills hold the key to ensuring the achievement of the goals set up by the management. In this connection, I often wonder whether the recruiting agencies employed have clear directions from the management about the skill sets to look for, aligned to needs of the institutions.

6. Banks would, therefore, need to reorient their strategies with specific reference to HR management so that change to the new environment - which has already taken strong roots - is not only smooth but also well sustained. In the days to come, banks that deal optimally with HR issues such as appropriate talent acquisition and management, career planning, rewards and succession planning, compensation, learning and development, attrition and retention, calibrating skill gaps (including re-skilling and up-skilling) will, in my view, most certainly outperform the laggards.

7. In this context, I would like to raise the following questions to ponder over:

(a) The much abused/overused cliché is to say that "an organisation's people are its most important assets". But have we even attempted to create assets in its true sense out of these resources?

(b) What have we done to keep up the levels of motivation among our employees?

(c) Have we gone - at least thought - beyond traditional aspects of rewards and incentives?

(d) Is our HR environment conducive to promoting growth of the institution as also that of its personnel?

Intellectual capital leading to innovation

8. Innovation leads the way in all industries and banking is no different. A few decades back, this statement may not have held any water; but now this holds the key to success. Innovation in banking takes 3 dimensions - product, technology as also the process. Innovation needs organizational support particularly from the Top Management, to succeed.

9. With regard to innovation, Satya Nadella, CEO, Microsoft, in his first letter to the Microsoft employees, observed: "While we have seen great success, we are hungry to do more. Our industry does not respect tradition - it only respects innovation". This is the importance that successful companies give to innovation.

10. I like to cite a few successful examples from industries other than banking. In the news recently is the case of WhatsApp! It is amazing to note that a company consisting of 55 persons could acquire an intrinsic value of $ 16 billion in a matter of a few years. Let us understand the innovative capability of the product. It has managed to bring together 400 million users with the help of a smart phone and a simple business plan.

11. Why can't such products be emulated in the banking sector? Are we making available a sound innovation framework, including adequate organizational support? Let us introspect. I am sure it is not easy but should we not at least make the right attempts?

12. We need to also look at customer oriented innovation. Most of the innovative steps taken by banks in the recent past have a bearing on the profitability of banks, on their own operational improvements, better housekeeping and the like. How many of us can look back and identify the innovations which have resulted in customer delight, or if not, at least better customer satisfaction? I am reticent of challenging you openly with this question as I am a little skeptical about the outcome. But let us at least begin, now that banks are looking beyond the CBS.

Data quality - standardisation - the new normal?

13. At the base of all information processing is data. We are all straddled with huge volumes of data. But they remain mere data which cannot even pass the test of easy comparison across two different systems. The IT Vision 2011-17 document of the Reserve Bank has emphasised the importance of both quality and timeliness of data for MIS and decision making purposes. To achieve this, uniform data reporting standards are of vital importance.

14. A majority of banks have implemented the Automated Data Flow (ADF), a project initiated by the Reserve Bank to ensure smooth and timely flow of quality data from banks to the Reserve Bank. Simultaneously, work is also underway to develop the XBRL schema for returns which enables standardisation and rationalisation of various returns with internationally accepted best practices.

15. A Committee has been formed with representation from the Reserve Bank, a few representative banks and IT firms which, among other things, will bring about synergy and uniformity in the efforts being undertaken in the areas of data reporting and data standardisation. One of the terms of reference of this Committee is to study the Quality Assurance Procedures and functions relating to data within the European Central Bank (ECB) and analyse its possible emulation at the RBI.

16. In the ECB, a special effort was made to maximise the use of standardised concepts, data structures that are already in existence. This is expected to lower the costs, including the costs to partner institutions, and promote European and international interoperability, as well as greater accessibility of the statistics.

17. In the context of Data quality, I would urge the stakeholders to deliberate over the following:

(a) Do we all understand that in the process of decision making, rather than lack of data, it is inconsistent data which is more painful to handle?

(b) Let us not put the blame of poor quality of data on IT; it is the business streams which are more responsible. Do we have a solution to address this problem?

(c) Another relevant aspect pertains to Data ownership. Who owns the data? Is it IT or the respective business streams in your bank? Who should ideally own this?

Power of Big data and analytics

18. Intelligent banking rests on good decision making. In this regard, the presence of a robust DSS that can provide relevant information and analytics based on the available data will be definitely helpful. This is where technology of Big data can be utilised. The challenge lies in churning this mammoth amount of data being handled at enterprise level into informed decisions really quickly. I wonder how many banks have taken launching business analytics projects in all seriousness. I suggest IDRBT conducts a case study and research paper on the business analytics deployed in the banking industry, technology trends and suggest potential future models based on these analytics.

19. With rising competition among banks, the one who understand the customers better will stand a better chance in performance. To know their customers well, banks will need to understand and analyse their requirements, preferences as also behavioural patterns of the banking transactions of their customers.

20. Sometime back, I came upon a study by IDC2 on the Digital Universe in 2020. By definition, Digital Universe is a measure of "all the digital data created, replicated, and consumed in a single year". Their analysis, starting with data collected in 2005, shows a continuously expanding, increasingly complex, and ever more interesting digital universe. In their sixth annual study of the digital universe, they have come out with the following findings:

(a) While the portion of the digital universe holding potential analytic value is growing, only a tiny fraction of territory has been explored.

(b) By 2020, as much as 33% of the digital universe will contain information that might be valuable if analyzed, compared with 25% today.

21. How can banks collect this data and churn it to useful information? Do we have right specialists to do this job for us? Can we use technology for transaction pattern analysis and for flagging aberrations? Most importantly, as decision makers or those who facilitate decision making, do we know what data is required and in what form or manner?

Mobile banking - what's next?

22. The potential of mobile banking as a delivery channel in particular, for financial services is unrivalled in India. The developments in mobile telephony, as also the mobile phone density in the country, with over 870 Mn subscribers, presents a unique opportunity to leverage the mobile platform to meet the objectives and challenges of financial inclusion. By harnessing the potential of mobile technology, large sections of the un-banked and under-banked society can be empowered to become inclusive through the use of electronic banking services.

23. In India we have consciously adopted the bank led model for mobile banking, while the non-banks, including MNOs, have been permitted to issue mobile wallets, where cash withdrawal is not permitted as of now. However, we are considering the cash withdrawal from such wallets subject to certain legal / statutory clearances. However, mobile banking has not picked up in a big way due to constraints of mobile numbers registration, user authentication, user interface etc.

24. Reserve Bank had recently set up a Technical Committee on Mobile Banking (Chairman: Shri B. Sambamurthy) to examine the operational as well as technical issues and challenges faced presently by banks in leveraging upon mobile density and advancements in mobile technology to meet the objectives of financial inclusion. In India, despite high mobile density, it is also a reality that most of these handsets are basic ones and many of these connections belong to the category of prepaid subscription base. These constraints cannot be lost sight of if mobile technology has to be harnessed as the medium to deliver basic financial services to large masses.

25. This Committee has recommended interalia, the need for a standardised and simplified procedure for registration/authentication of customers for mobile banking services, a cohesive awareness programme to be put in place, adoption of common application platform across all banks to be delivered to the customers independent of the handset being used along with use of SMS and USSD technology for providing necessary level of security (through encryption) for such transactions.

26. In this context, inter-regulatory cooperation has also been underscored through the issuance of necessary guidelines by the Telecom Regulatory Authority of India which has prescribed the optimum service parameters as also ceiling on transactional cost for extension of the USSD services by telecom operators to the banks and their agents. The efforts already taken by NPCI for a common USSD gateway for banks can now be taken forward towards fruition. Here is a great opportunity for very important stakeholders - banks and telecom service providers - to come together to deliver the mobile banking services in a seamless and secure manner to their customers. Let me make a suggestion. To start with, for mass application of the handheld devices for payment of bills, why not we integrate gas booking for residences with mobile technology for payment. This would eliminate payment of cash to the dealers, which is a great carry risk. There could be many more such applications but gas payments could be a significant step to inculcate the mobile payment culture.

27. In the context of mobile banking, the following questions still remain without satisfactory answers:

(a) Given the recent developments and the enabling conditions, isn't it time that banks and MNOs work together to deliver the financial services through mobile in a big way? Can the key stakeholders partner to make India a successful case of mobile banking?

(b) How can the stakeholders work together for faster implementation of the recommendations of the Technical Group so that the potential of mobile as a channel of financial delivery be leveraged?

Let me reiterate that RBI / GOI will not hesitate to intervene more decisively, if the stake holders still fail to shake hands to take this initiative forward.

Payments - path for a "less cash" and financially inclusive society?

28. The road to achieving financial inclusion is a long and arduous one, giving one a feeling of "running on the treadmill". When will we get there? Banks, the strategic players in meeting the financial inclusion objectives, are challenged as the outcome has not been proportionate to the efforts made by them.

29. However, this is not to say that we have not seen any measure of success at all. One of the roads to financial inclusion is through the "payments" route. "Payments" as a means of financial inclusion has been empirically tested in many other parts of the world. Towards this end, the Payment Systems Vision of the Reserve Bank, is also focusing on "inclusiveness" of payment services. Complementing this is achieving a "less-cash" (rather than cashless) society which is high on our agenda.

30. Despite the encouraging trends noticed in non-cash electronic payments, the numbers are well-below the potential in the country. Payment services are a classic example of goods where the network externalities are high, and as such it leads to a "chicken and egg" situation in analysing the cause and consequence of low usage of electronic payments. Thus, it would require concerted efforts of the service providers to reach out to customers to provide accessible services and create awareness while customers have to gradually overcome their payment habits, concerns of safety and security etc.

31. While the Reserve Bank is responsible for providing a conducive regulatory and policy making environment, it needs the collaborative efforts of all stakeholders to translate these policies into operational services. The "catalyst" role of the authorities has to be complemented by the payment system stakeholders who have to hit the ground running.

32. The National Payments Corporation of India (NPCI) has been playing out its role as the umbrella organisation for retail payments in the country, non-bank issuers of prepaid payment instruments, cross border fund transfer providers, card payment networks, ATM networks, White Label ATMs etc. Other players such as aggregators and intermediaries, technology providers / processors, BCs etc., should also contribute their might in realising the vision of "less cash" society. These entities, though not directly authorised, are subject to some sort of oversight.

33. In this regard, the following issues are worthy of deliberation:

(a) Have we made the right moves in the path to financial inclusion?

(b) How do we balance safety, security with convenience, user friendliness and navigational ease in electronic payments? How do we make electronic payments simple and convenient for customers and impenetrable/un-breachable for fraudster?

(c) The spurt in electronic transactions, multiple channels/sources of payments, multiple interfaces and timely processing requirements underscore the need for large scale automation of payment processing. The challenge is to balance automation with exception handling. How can the technology automate payments processing while minimising the risk of wrong account posting, wrong payments, reconciliation etc?

(d) How can technology be leveraged to increase the access footprint even in Tier III to VI cities so that the benefits of electronic payments reach the unbanked and under-banked areas?

(e) In electronic payments, be it internet banking or mobile banking, the customer and banks relationship is becoming impersonal. Can we utilise the prowess of technology in identifying unusual patterns and aberrations in transactions which are critical in detecting and minimising attempted frauds?

Oft neglected - and most important - information security

34. Information security is another issue that must be very well understood by all institutions including banks. In the last few years, the information systems and the networks of the banks are increasingly faced with security threats from a wide range of sources including computer-assisted fraud, sabotage, vandalism etc. The sources of damage such as the computer viruses, computer hacking and denial of service attacks have become more common, more ambitious and increasingly sophisticated in the networked environment. The ever-growing dependence of organisations on the information systems - and more so when there is outsourcing - has made them more vulnerable to such security threats. A word of caution here: Balance convenience of use of systems and robustness of security measures in them in such a manner that usage does not get complicated.

35. In order to ensure that banks accord appropriate attention to aspects relating to the above, the Reserve Bank has advised banks to take suitable steps to ensure that the issues relating to governance, information security and business continuity get adequate attention at the Board level. Further, banks have also been advised to secure their ISs, ensure their continuity, and check their robustness, by putting in place appropriate business continuity plans (BCPs).

36. Are our CISOs meeting often to share information relating to information security that may be mutually important to them? After all the chain is as strong as its weakest link and the weakest link here is Information Security - which is most talked about and least appreciated or understood.

37. A Working Group with representatives from the Reserve Bank, banks, Controller of Certifying Authority (CCA) and IDRBT has recently submitted a report on "Enabling PKI for payment systems". The report highlights security features in existing payment system applications and roadmap for implementing PKI in various payments system applications. The Group has recommended that banks may carry out the PKI implementation for authentication and transaction verification in a phase-wise manner. The report has been placed on the RBI website for comments from public.

38. Recently the Reserve Bank has advised CISOs of banks to share information on security incidents, external attacks, internal compromises on banks' websites etc. As of now, information sharing among banks on these issues is not very prevalent. Sharing of such information/ incidents/experiences would greatly benefit banks in taking appropriate preventive/corrective measures. IDRBT has developed a Security Incident Tracking Platform where banks would be able to report security incidents in an anonymous manner; thus keeping the information reported by the banks confidential. The platform will be hosted on the INFINET and the access provided only to Chief Information Security Officers (CISOs) of respective banks.

39. The Bank of England has recently appointed a CISO who is a former policeman and has specialised in fraud and counter-terrorism. Should our CISOs be specialists of this nature? Are we not exposed to similar risks? Is there a need for a formal CISO forum in our country with greater powers including standards setting?

40. The UK regulators3 are in the process of overseeing a test, conducted by a private consultant, of UK banks' ability to withstand a cyber-attack. The UK's Financial Conduct Authority has already produced a study comparing banks' "cyber resilience practices" to allow institutions to compare themselves with their peers. Should we not be emulating such tests to make our systems stronger?

New RTGS system

41. Lastly I want to speak about a system that has made our country stand out in the world. The new Real Time Gross Settlement (RTGS) system is operational for a few months now. The application is working very well and I must compliment the banks and IDRBT on its success. This application uses the ISO 20022 messaging standards. It is for the first time in the world that these messaging standards have been used in the wholesale payments. Though the plain vanilla version of the application is in operation presently, it has many more features that would be introduced gradually in days to come. In order to introduce these features in the application, the cooperation of all stakeholders is vital. Training to banks and spread of awareness among banks as also customers would be vital at the time of introduction of the features. I take this opportunity to request the cooperation of all banks in our endeavour to make this happen.

42. Allow me to conclude by saying that in the changing environment, CIO must lead innovation by anticipating requirements for new applications and services and by enabling access to internal data with the proper controls in place to manage risk and network security. CIOs must also spend more time in the C-suite planning the future and less time in the Data Centres sustaining the past.

43. Here's wishing the Conference - whatever is left of it - fruitful deliberations.

2 THE DIGITAL UNIVERSE IN 2020: Big Data, Bigger Digital Shadows, and Biggest Growth in the Far East.