RISKY PRACTICE IN BANKS IN NEPAL

This is to make you aware of the extremely risky practice which is going on in the commercial banks of Nepal. We are not sure whether you are aware of it or have turned a blind eye to this practice. But as a group of banking professionals, we definitely cannot turn a blind eye to this.

No IT systems in Nepal are as vulnerable and as constantly at risk as the banking IT systems. We have experienced this in the recent past, with various kinds of internal and external attacks and a number of systems being hacked in one way or another.

This is solely to draw your attention to the fact that, as of today, a number of commercial banks are at high risk.

The risk is that many commercial banks’ entire IT systems and applications are, unfortunately, under the direct and indirect control of one single private group and its subsidiary/sister companies.

The vendor is a supplier of the Finacle core banking system, a product of the India-based company Infosys, to commercial banks in Nepal.

These banks’ applications and data are hosted on servers and systems owned and controlled by that same vendor. The datacenter where these servers are hosted in turn belongs to practically the same vendor’s sister organizations. Not only the main system but also the backup and DR (disaster recovery) IT systems are controlled by them.

In totality, the overall IT systems of these banks are with one private entity, both logically and physically.

The most intriguing thing is that these critical applications, including the core banking systems, run on shared IT systems. The banks have access to their application virtual systems only. However, the management and control of those systems rest not with the banks but with the vendor. Ownership, location and management of the IT systems are totally under the control of the vendor, and we cannot deny the risk of misuse of the systems by the vendor.

In some banks, despite resistance from the IT team and the risk team, management gave the go-ahead to host their applications on that particular vendor’s systems, all because of special interests and relationships between the vendor and top management. The IT department is given direct orders to move to a particular vendor, and when doing so not even a public tender is floated. Upon querying whether NRB would permit this, management said: “We shall take care of NRB; we will take care of them; you do what you are told to do. Other banks are also doing the same.”

Some banks recently even had to dump newly purchased IT systems valued at crores of rupees in order to move to that particular vendor.

In some cases it has also been seen that if the IT department tries to work out a comparative deal elsewhere, the vendor responds with a hefty discount and an unprecedented price cut in order to keep overall access to the infrastructure to themselves. The influence of the Finacle vendor is such that even the HBL and NIBL merger is at stake over which IT system and application to work with in future. We have also come to know that a few of the non-Finacle banks will be signing up with them this fiscal year. The decision is already made, and just for the sake of formality they might float a quotation or RFP request.

We, as cautious bankers, understand that nothing comes free or cheap. For now we understand that a number of class “A” banks are at high risk of single-vendor lock-in, and one private organization’s monopoly in the banking IT sector is clearly visible.

Further, we would also like to highlight how, without any regulation in place, the core banking system sits in third-party IT systems, without ownership, visibility or management of those systems by the bank.

They do not even provide proper support and solutions to optimize the performance of Finacle software hosted on banks’ own systems, and hence those banks’ systems run slower than the systems hosted on the vendor’s servers. Having the advantage of being the core banking application provider, they have been able to forcibly build dependencies around themselves, and moving away from them will be challenging in future.

Had it been any non-core system, hosting it in a third-party system would be fine. But core banking itself is a big question. Apart from that, the databases of those core systems are monitored by a team in India belonging to the same vendor.

It is really concerning how NRB can have two different perspectives for the bigger and the smaller players of the financial system.

The Payment Systems Department of NRB forces small fintech startups and aspiring payment service providers (PSPs) to buy dedicated hardware infrastructure of their own, knowing full well that they are growing startups with limited capital to invest in and manage heavy IT systems, or else their licenses are withheld.

At the same time, we have class “A” commercial banks that earn billions in profits and yet are not able to manage their own IT systems. These are handed over to third-party-controlled shared IT systems and to a single vendor in the name of cost saving, when the banks can easily afford, and have the capacity, to manage their own IT systems. Maintaining a proper IT system does not cost even as much as a CEO takes in salary and bonus from the bank in a year.

We do understand that cloud hosting is the future. But it is generally fit for businesses with less capital, such as startups, e-commerce services, digital services, or, in the case of Nepal, co-operatives, microfinance institutions, etc. It is not fit for class A banks putting their core banking systems on a shared infrastructure, and definitely not when there are no proper guidelines and regulations to control and measure the impact.

Our concern is that a bank should be able to manage its IT systems and not risk giving direct or indirect control of core banking applications, databases and systems to third parties. Banks should have taken sufficient control in managing their IT systems, applications, databases and data themselves. It is not costly for a bank to have a dedicated DBA and system administrator to manage its IT systems.

We do not want our Nepalese banking sector to be highlighted frequently for compromises of its IT systems and to become an example. In today’s world, IT is the core of the business. All we see is that, in the name of cost saving, the banks are risking everything with one private organization, directly or indirectly, knowingly or unknowingly.

Please note that these banks hold critical personal and financial information of most of the businesses and personalities in Nepal.

We expect NRB to be vigilant on this and to help minimize the risk with effective monitoring, supervision and guidelines, free from the influence of a few business houses that put the overall banking system and its users at high risk.

We truly believe NRB will take necessary tangible measures to discourage such practice before any major incident takes place.

Otherwise, in the coming days more banks will follow the same path, creating a greater risk ripple.

IN SHORT:

  1. Class A banks are capable enough to hire best-in-class technical resources to manage their IT systems, or to train internal resources to build competency.
  2. Banks should have access to, management of and control over their IT systems, and more specifically the core banking system.
  3. No vendor should have direct access to a bank’s core IT system.
  4. At all times, banks need to ensure that they do not put all their risk in one basket.
  5. NRB should first provide hosting guidelines to banks before core banking is actually moved to a third party.
  6. NRB monitoring should be more vigilant in discouraging such practices.