“We cannot put thousands or lakhs of customers who are using digital banking into any kind of difficulty for hours together, especially when we are ourselves giving so much emphasis on digital banking. The public confidence in digital banking has to be maintained,” Reserve Bank of India (RBI) Governor Shaktikanta Das said on Friday.
Responding to questions raised during the RBI’s monetary policy press conference, Das said that going forward since the entire financial landscape is going to become more IT dependent, there is a need for all banks and financial entities to invest more in their systems and technology. “If you want to remain competitive in the coming years technology is the key, robustness of your IT system is the key,” he said.
Rising system outages and payments issue
On Thursday, HDFC Bank said that the RBI had issued an order directing the bank to temporarily stop all launches of its digital business activities, stop sourcing new credit card customers and examine lapses with regards to a number of incidents over the last two years which saw the banks’ internet banking, mobile banking, and payments channels go offline. A senior bank official told MediaNama, on the condition of anonymity, that while HDFC Bank is engaging with the regulator to ensure that their systems comply with the RBI order, all digital services continue to be available for all existing customers.
Later in the day, the State Bank of India (SBI) said that its flagship mobile banking application, YONO, which had been facing issues for the past few days, was impacted by a system outage.
Digital payments transactions and customer engagement with digital banking platforms have increased in the wake of the COVID-19 pandemic. But the high volume of transactions that take place every month, whether through bank apps and websites or through the Unified Payments Interface (UPI) for instance, is now weighing down the banks’ IT systems and server capacity. Payments companies say that during the last four to five weeks they have faced several frequent system outages on the UPI network due to poor banking infrastructure.
“In the case of HDFC Bank there were earlier episodes also and HDFC Bank has an overwhelming presence in the digital payments segment and internet banking segment. We have some concerns about certain deficiencies therefore, we felt that it is required and it is necessary that HDFC Banks strengthens its IT systems before expanding further. Therefore, these business restrictions have been imposed on them and I am quiet sure HDFC Bank will comply with our suggestions,” Das said. With regards to the issues at State Bank of India, the Governor said that the RBI is studying the issue.
A senior banker told MediaNama that some banks are just not equipped to deal with the sheer scale at which digital transactions are taking place, not just on UPI but also card networks and other digital payments platforms. “SBI and HDFC Bank are the leading banks of the country and they have invested heavily in digital banking initiatives. The rise in digital transactions in the last few months has placed a burden on every banks’ Core Banking System (CBS) and other IT systems that are either inter-connected to the CBS or are connected to third-parties,” the banker said on the condition of anonymity.
“Think of it like flying an aircraft, you now have to be aware of every nut and bolt on the flight to ensure that the system is safe, secure and resilient,” says Vivek Belgavi, partner and fintech leader at PwC India. Banks may have a CBS, as a core software system, but in reality they have over 300 IT systems connected to the CBS which are at various stages of maturity and development, on top of which banks are adding new digital services, he told MediaNama.
“The broader demand for financial services will require everyone’s infrastructure to scale up at the same space. We are going through a fair bit of transformation but the strain on the core infrastructure has also increased. Things can break in any system, but resiliency allows you to recover very fast,” Belgavi said. You need the whole machinery to work smoothly for systems to be resilient, so it is important that bank managements take a deep look into upgrading their infrastructure and how they can build sustainable infrastructure to survive shocks like power outages, he said.
Signalling future interventions
The RBI usually issues penalties against banks when they are found be to in violation of its guidelines. While the central bank takes such actions based on supervisory visits by RBI inspectors or based on financial statements, cyber-security and IT audits, banks are given a chance to appeal against a penalty order. But in the case of HDFC Bank, this is the first time that the RBI has imposed business sanctions against a bank, for system outages on their digital banking platforms.
“We are constantly engaged with the managements of banks and non-banks where we see deficiencies in their systems and procedures. We always try to work with them internally and nudge them, advise them to improve their systems. We will continue to do that but in certain situations certain actions become unavoidable and inevitable,” Das said.
According to analysts at Edelweiss Securities, across the world, regulatory fines have often been perceived as an easy way out for financial companies. “To that extent, a moratorium on new business acquisition until all the boxes are ticked in RBI’s check list demonstrates regulatory intent to effect intervention,” they said in a December 3 report.
In a December 3 report, analysts at Motilal Oswal Financial Services said that since banks are facing tough competition, many have launched digital products to gain market share without proper testing, which could be a reason for such failures. “Global regulators are much stricter for such lapses and ensure banks maintain a high standard of service quality and continuity of banking services. RBI’s strict stance towards the top private sector bank [HDFC Bank] could be a step in this direction as the bank witnessed multiple outage instances over the past two years,” the report said.
Since the RBI is signalling its intent to intervene in such matters through business restrictions or sanctions against banks, a few aspects need to be considered:
- Interventions in the case of IT or digital banking issues by the regulator need to be based on specific criteria and thresholds
- These thresholds, for instance type of system outage or the amount of time the system was down, need to be applied across all banks regardless of ownership structure
- The type of sanction needs to be uniform based on the extent of the IT system issue
- The thresholds, however, can differ for banks depending on their size and institutional structure, such as payments banks, small finance banks, cooperative banks, non-bank lenders and commercial banks
- The RBI orders, in these matters and others, need to be made public on the central banks’ website. Consumers, investors and the general public should not have to rely on stock exchange notifications by a bank to be made aware