Comprehensive Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs) – A Graded Approach

As per the Statement on Developmental and Regulatory policies of the Fifth Bi-monthly Monetary Policy Statement for 2019-20 dated December 5, 2019 the RBI has also decided to prescribe a comprehensive cyber security framework for UCBs, as a graded approach, based on their digital depth and interconnectedness with the payment systems landscape, digital products offered by them and assessment of cyber security risk.

A comprehensive Cyber Security Framework for UCBs has been formulatedby RBI  based on a graded approach. The UCBs have been categorised into four levels based on their digital depth and inter-connectedness to the payment systems landscape. The levels are defined as below:

Level Criteria Regulatory Prescription Remarks
Level I All UCBs Level I controls prescribed in Annex I In addition to the controls prescribed to the UCBs vide circular dated October 19, 2018, bank specific email domain with DMARC controls, two factor authentication for CBS etc., are salient controls prescribed.
Level II All UCBs, which are sub-members of Centralised Payment Systems1 (CPS) and satisfying at least one of the criteria given below:

  • offers internet banking facility to its customers (either view or transaction based)
  • provides Mobile Banking facility through application (Smart phone usage)
  • is a direct Member of CTS/IMPS/UPI.
Level II controls given in Annex II, in addition to Level I controls. Additional controls include Data Loss Prevention Strategy, Anti-Phishing, VA/PT of critical applications.
Level III UCBs having at least one of the criteria given below:

  • Direct members of CPS
  • having their own ATM Switch
  • having SWIFT interface
Level III controls given in Annex III, in addition to Level I and II controls. Additional controls include Advanced Real-time Threat Defence and Management, Risk based transaction monitoring2
Level IV UCBs which are members/ sub-members of CPS and satisfy at least one of the criteria given below:

  • having their own ATM Switch and having SWIFT interface
  • hosting data centre or providing software support to other banks on their own or through their wholly owned subsidiaries
Level IV controls given in Annex IV, in addition to Level I, II and III controls Additional controls include setting up of a Cyber Security Operation Center (C-SOC) (either on their own or through service providers), IT and IS Governance Framework

This site uses Akismet to reduce spam. Learn how your comment data is processed.