Fraud Management & Cybercrime , Governance & Risk Management , Professional Certifications & Continuous Training

India Post's New Bank: Building in Security

While the banking industry in India has achieved a level of security maturity over the past few years thanks to the central bank's proactive activity in this area, India Post will be starting from scratch as it launches India Post Payments Bank.

See Also: When Every Identity is at Risk, Where Do You Begin?

But the new bank, designed to serve the nation's large "unbanked" population, will have the opportunity to build security into its infrastructure and processes, rather than bolting it on later.

India Post Payments Bank will roll out its banking services by September 2017, the postal service announced. The bank has begun recruiting top executives, including CEO, CTO and leaders for operations, risk and compliance, finance, human resources, sales and marketing.

For years, India Post has been involved in financial services in a limited way. It's been accepting deposits and has facilitated money transfers in the form of money orders. But with its new payments bank arm, it will need to set up complete technology infrastructure as well as comply with regulatory mandates.

Some Background

In August 2016, the Reserve Bank of India gave out 11 banking licenses to "payments banks" - a unique regulatory innovation targeting small deposits from traditionally unbanked segments of the population, including migrant labourers, small businesses and low-income households. Payments banks are not allowed to give out loans or accept deposits in the excess of 1 lakh rupees.

The new India Post Payments Bank, which will be a payments bank, will also offer digitally enabled payments and remittance services of all kinds. Plus, it will provide access to third-party financial services, such as insurance, mutual funds, pensions, credit products and foreign exchange.

The bank will have the advantage of leveraging India Post's network of close to 155,000 branches, in addition to launching 650 new branches.

The new bank also plans to get support from 250,000 "Grameen Dak Sevaks" - the postal department's agents in rural areas, in enrolling account holders.

"Everyone is familiar with the money order delivered by postmen across the remotest post offices without error," says Mumbai-based Dinesh Bareja, COO of Open Security Alliance and founder IndiaWatch. "[The] post has the reach into rural India, which no one can match, and the infrastructure is in place for payments and logistics. It will be easy to convert to electronic systems - maybe handheld, NFC/Bluetooth-enabled or bio-metric linked to Aadhar." Aadhar or UIDAI is the Indian government's ambitious universal identity program.

India Post Payments Bank plans to recruit 3,500 employees in the coming months and has also called for deputations from other public sector banks for corporate positions. Reserve Bank of India's regulatory mandates require banks to have a separate CISO function reporting into the head of risk, so it's likely the new bank will need to fill this position as well.

Building Infrastructure

The new bank may take a managed services approach to building its technology infrastructure, experts say. Given that it has the opportunity to build a digital infrastructure free of legacy issues, it can make sure security is adequately addressed.

"Technologically, the most important task is to break out of the legacy mindset," Bareja says. "But this may already happen, since IPPB is a new entity. They have the opportunity to bring in the best and latest in terms of technology and avoid the problems faced by other banks."

Given that the new bank is going to have access to a massive rural target demographic that has not yet been penetrated by commercial banking, the opportunities are there for the taking.

But because the new bank will serve a largely low-income population that has little experience with banking, much less mobile or online technology, the bank could face some fraud-prevention challenges. For example, its customers could be targeted by social engineering schemes.

Susceptible to Fraud

In a recent interview, Bharat Panchal, head of risk management at the National Payments Corporation of India, noted: "People in rural areas and villages are very susceptible to vishing or voice phishing fraud. ... When they get a call purporting to be their bank from fraudsters, they tend to instinctively trust the caller, because representatives of institutions such as banks, the postal service and schools are trusted pillars of the community in rural societies." (See: Fraud & Cybersecurity: The Growing Linkages)

Sameer Ratolikar, CISO at HDFC Bank, also says that building awareness of fraud risks among customers will be a big challenge for the new bank. "Social engineering frauds will be a problem, which means [providing] awareness [training to] the customers on a regular basis in their native language.... is critical." he says. This needs to be coupled with slow and steady approach toward funds transfer, transaction monitoring systems on the technology side, to remain vigilant fraud, he says.

Bareja, however, says that India Post is well-equipped to educate first-time technology users of its new bank. "The postman at the last mile has personal relationships with rural dwellers and is the best person to enable that first timer into the use of technology," he says. "They must innovate and look at empowering the postman at the last mile. And as a government body, there are many peripheral services that can be linked to like Aadhar, E-chaupal, MyGov services, and video conferencing, email, internet access."

The postal delivery system has the potential to make its new bank one of the most accessible banking networks in the country, building on the trust that the institution has built across communities over generations. Will it succeed in bringing banking services to those who lack them? And will it be able to deal with potential security and fraud challenges? We invite you to share your views.