Fraud & Cybersecurity: The Growing LinkagesNPCI's Bharat Panchal on the Interconnectedness of Security and Fraud
Cybersecurity issues are slowly making their presence felt in Indian boardrooms. Everybody in the industry, especially BFSI, is more or less aware at a strategic level of what could go wrong in the case of a cyberattack, says Bharat Panchal, who is head of risk management at the National Payments Corporation of India.
With the rapid uptake of technology, gone are the days where things used to be tried out first in the west and would then percolate down to India. Now more and more innovative technology is finding application in India first, before being tried elsewhere, he says. The rate is slow, but it is on the rise. And so are the attendant security issues (see: Securing Digital India).
From a security point of view, good progress and collaboration are happening, Panchal says, citing initiatives such as Indian Banks - Center for Analysis of Risks and Threats of IDRBT; the CISO forum for the banking sector; and even some of NPCI's forums, including the Indian Payments Risk Council.
"In a couple of years it is a possibility that a consortium be formed which will take the centralized responsibility for the security of the entire sector perhaps," he says. "Shared resources and a centralized command center sort-of setup is where we might be heading."
Fraud and cybersecurity are coming closer than ever before, he believes. The fraud landscape has changed dramatically because of several reasons. The primary factor is the advancement of technology and a concerted push from the BFSI sector to popularize sophisticated and easy-to-use payment solutions in the country. This has invited trouble, says Panchal, where people are easily adopting new technology, but unfortunately are not taking the time to educate themselves about the flip side of technology.
The NPCI is a quasi-public organization set up by the Indian Banking Association and the Reserve Bank of India in 2008 and promoted by the top 10 banks in the country - private and public. It an umbrella organization for all retail payments systems in India. NPCI itself is responsible for many of these disruptive multi-channel payments solutions in use today.
Some include the RuPay card - one of NPCI's prominent products in the recent past, which is presented as an indigenous alternative to international card brands such as AmEx, Mastercard and Visa, with around 275 million RuPay cards being issued, according to Panchal. NPCI also boasts hosting the world's first real-time payment system the Immediate Payment Service that can be used for 24x7 transfers.
The unified payment platform is the latest innovation to come out of NPCI and works on multiple protocols and provides interoperability amongst banks, wallets and merchants. The UPI system uses an alias and does not need direct sharing of sensitive information. It has a built-in three-factor authentication security system and has been endorsed by the RBI (see: Securing NPCI's Unified Payment Service Against Online Fraud).
"Earlier fraud monitoring was restricted to insider and physical fraud. This has changed because the nature of fraud has changed from traditional models to more technology driven frauds or cyber frauds," he says. "So the shift which has happened now is to protect preemptively rather than detect the fraud after the fact."
On Creating Awareness
While government, BFSI industry and bodies like IBA have undertaken numerous initiatives to educate users and spread awareness, Panchal believes that there is a cultural aspect to India that has an intrinsic tendency to gullibility when it comes to some institutions that will take some time to overcome.
"For instance, people in rural areas and villages are very susceptible to vishing or voice phishing fraud. This is because when then get a call purporting to be their bank from fraudsters, they tend to instinctively trust the caller," he says. Because representatives of institutions such as banks, the postal service and schools are trusted pillars of the community in rural societies, he explains.
These kinds of social mores are difficult to overcome all of a sudden, Panchal says. "Technology has its limitations, and we need the awareness to go deep in terms of how people understand that sharing sensitive personal and banking information can be exploited," he says. Indians by nature like to share, and it is too easy today for a fraudster to extract such information from a generation of first-time technology users, he says (also see: Securing Digital India from Fraud).
Panchal was a panel moderator at the recently concluded ISMG Data breach & Fraud Prevention Summit in Mumbai, where he chaired the panel on Advanced Persistent Threats (see: Securing Against Advanced Threats). In this candid audio interview with ISMG recorded at the summit (audio link below image), Panchal discusses the following:
- The trajectory security and Fraud is taking in India;
- The intersections between cyber fraud and security; Predictions for security's future in Indian BFSI.
Panchal is Head - Risk Management of National Payments Corporation of India since April 2011. He is responsible for establishing the ownership for risk management activities across the organization and partnering with functions and member banks to ensure efficiency and e¬ffectiveness of operations, safeguarding of tangible and intangible assets, accuracy and integrity of transactions and processes. Under his leadership, NPCI has achieved PCI DSS, ISO 27001, ISO 22301 and ISO 9001. He has 22 + years' of experience, mainly in the banking and telecommunication industry. Prior to NPCI, he worked for Kotak Mahindra Bank, Citi, Reliance Communications and AVAYA GlobalConnect.