RBI Audit: Can Banks Run Its Operations On DR Set-up For One Month? 

Several Founders, Co-Founders, CXO Bankers, CXO Fintech professionals & people who participated in the ePanel discussions:

  • Mr. Hitesh Thakkar, Fintech Consultant, Self-Service Automation
  • Mr. Sharad Goklani, former CTO at Equitas Small Finance Bank
  • Mr. Sridhar R, former President & Credit Risk Officer, Lakshmi Vilas Bank
  • Mr. Sony A, General Manager- Technology & Digital Banking, South Indian Bank
  • Mr. Probir Roy, Co-founder, Paymate
  • Mr. Anshul Srivastav, CIO & Digital Officer, Union Insurance
  • Mr. Harveer Singh, former Head- Digital Solutions for India & South Asia, Mastercard
  • Mr. Aishwarya Jaishankar, SVP – Digital Products & Platforms, HSBC
  • Mr. Hemal Shah, former Technical Product Manager, Mastercard
  • Mr. Prasad Likhite, Director Sales, ACI Worldwide
  • Mr. Kamonasish Aayush Mazumdar, Founder & CEO at Foodieverse
  • Mr. Sandeep Todi, Co-Founder & CBO, Remitr
  • Mr. Amarto Chakrabarty, former Principal Consultant- Global Consulting Group, Wipro Limited
  • Mr. Rakesh Shetty, Product Head Micro Loans, Fortune Credit Capital Ltd
  • Mr. Mohammad Hassan, Project Manager, All-State Financial Service Pvt Ltd
  • Mr. Raghu Veer Dendukuri, Founder, Ideal Nation, and Solution Architect at Invincible Tech Systems Inc.
  • Mr. Babu Thomas, Assistant General Manager, The Federal Bank Ltd
  • Mr. Nabunkar Sen, Advisor (Infosec), Bandhan Bank
  • Mr. Roopesh Chandran, Director Business Development, Visa Inc
  • Mr. Jayaram M, Consultant (Partner), Basil Capital
  • Mr. Narayanan, General Manager, Business Solutions, Cognizant
  • Mr. Ashok Kumar, former General Manager & CTO, Karur Vysya Bank
  • Mr. Rahul Dayal, Head- Information Technology, Aditya Birla Sun Life Mutual Fund
  • Mr. Yogesh Raut, Vice President Technology, Mitsubishi UFJ Financial Group (MUFG)
  • Mr. Rajeev Panikath, COO SBM Bank India
  • Ms. Rukmani K Narayan, VP Internal Audit, Equitas Small Finance Bank
  • Mr. Vikas R Panditrao, Co-Founder, Forum of Industry and Academic Knowledge Sharing (FIAKS)
  • Many other CEO/CXO Bankers & Fintech professionals on FIAKS Forum requested to remain anonymous

So here are some crucial questions put forth by the FIAKS community.

Question 1: As part of the audit checklist, shouldn’t the RBI auditor just walk into any bank, switch off the production servers for one month and ask the bank’s IT team to run the banking operations on the DR (disaster recovery) set-up?

  • Assuming physical security is not a barrier, the auditor sees whether the bank has a BCP (business continuity plan), and RPO (Recovery Point Objective, which signifies how frequently you take backups) and RTO (Recovery Time Objective, which signifies the amount of downtime a business can tolerate) targets set for moving to DR. With several DR drills done and an SOP around it, this is not a major challenge. When there is a system outage, the RPO and RTO are the two data points that can tell you how seriously the downtime has impacted a customer’s business operations.
  • Outage cases at the DC and DR have an RCA (root cause analysis) going back to release impact, scalability and capacity planning for business growth and transaction load, the N-1 patch management strategy (what is N-1? It is common practice for risk-averse companies not to run the very latest release of software, instead having a policy of running “N-1”), and many more on the operations and software side.
  • Most banks have DR capacity to operate for months. NPCI does DR drills for a week or more, so it’s not challenging, but as mentioned earlier the RCA matters to them also.
  • Usually, RBI appoints auditors who are capable of CERT-In, ISO 27000 and PCI audits as well as the RBI audit boundary conditions. Now, with MeitY also checking the growth of digital payments at the ministry level, the stakes are high.
  • The issue with the audits is that the same findings are not tracked at board level by banks and PSPs.
  • DR is a fallback setup. If it were primary, then it won’t have the word ‘recovery’ in its name.
  • Failovers are there for a purpose: to get businesses up and running in the quickest time possible, not to replace everything 100%, but to provide enough backup to see the day through.
  • If the backup is failing for such a large bank then it is a serious concern; there should be more than one DR site for complex operations.

Well, why switch off the production servers for one month? Instead, the frequency of tests should be increased:

  • Regular DR switchover is done at all banks, and they run production workloads on DR for a reasonable time to test resilience. Agreed, it is always a planned switch, but it’s also rare for an entire data center to go offline all of a sudden, because of the failover design built into each component.
  • We can test-check the robustness of the controls, systems & security without actually hampering operations. One month is too long; the DR set-up can be test-checked in a much shorter duration. Also, there are other ways to judge the effectiveness of the DR set-up.

Question 2: What % of banks will fail this test of running the bank & all its products from the DR site?

  • Now that’s a very high-level question. None of the problems in IT are as simple as switching on/off. Every single layer, at hardware, software, network and physical level, has built-in redundancies. It’s impossible for anyone to stress test each component. However, if there are repetitive issues then it is definitely a matter of concern.

Question 3: What is the probability of NPCI succeeding in operating all its products on the DR set-up for one month?

  • Just like in a flight operation, the highest point of failure is not in the air but during landing and take-off. DR is generally a mirror of the DC. Key problems are configuration and switching related. And the reason for longer downtimes and lesser resilience is the problem of abrupt shutdowns like a power outage (which is the last thing one expects in a Tier-5 DC with so many power supply redundancies).
  • If shutdowns are not graceful then the Recovery Point Objective (RPO) may become longer due to data integrity issues, thereby increasing the Recovery Time Objective (RTO) too. Also, outages have increased post-Covid even for the big techs. A point to ponder!
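To make the RPO/RTO definitions from Question 1, the "repetitive issues" concern from Question 2 and the graceful-versus-abrupt shutdown point above concrete, here is an added Python example. It is not code from the panel, NPCI or any bank's tooling: it scores constructed DR drill records (drill names, timestamps and targets are all made up here) against RPO/RTO targets, and flags an objective that is breached in consecutive drills, which is the kind of repeated finding a board-level tracker would want surfaced.

```python
"""Score DR drill records against RPO/RTO targets (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DrillRecord:
    """One DR drill or real outage, as recorded by the operations team (constructed)."""
    name: str
    outage_start: datetime      # moment the primary DC was declared down
    last_replicated: datetime   # timestamp of the last transaction confirmed at the DR site
    service_restored: datetime  # moment the DR site started accepting customer traffic
    graceful: bool              # planned switchover (True) vs abrupt shutdown (False)


@dataclass(frozen=True)
class DrillResult:
    name: str
    achieved_rpo: timedelta     # data lost: gap between last replicated record and the outage
    achieved_rto: timedelta     # downtime: gap between the outage and service restoration
    rpo_met: bool
    rto_met: bool


def evaluate_drill(rec: DrillRecord, rpo_target: timedelta, rto_target: timedelta) -> DrillResult:
    """Compute achieved RPO/RTO for one drill and compare them with the targets."""
    if rec.last_replicated > rec.outage_start or rec.service_restored < rec.outage_start:
        raise ValueError(f"{rec.name}: timestamps are out of order")
    achieved_rpo = rec.outage_start - rec.last_replicated
    achieved_rto = rec.service_restored - rec.outage_start
    return DrillResult(
        name=rec.name,
        achieved_rpo=achieved_rpo,
        achieved_rto=achieved_rto,
        rpo_met=achieved_rpo <= rpo_target,
        rto_met=achieved_rto <= rto_target,
    )


def repeated_breaches(results: List[DrillResult], window: int = 2) -> Dict[str, bool]:
    """Flag an objective that was breached in `window` consecutive drills.

    A single miss may be noise; the same objective missed drill after drill is
    the "repetitive issue" that should be tracked at board level.
    """
    flags = {"rpo": False, "rto": False}
    for i in range(len(results) - window + 1):
        chunk = results[i:i + window]
        if all(not r.rpo_met for r in chunk):
            flags["rpo"] = True
        if all(not r.rto_met for r in chunk):
            flags["rto"] = True
    return flags


# Constructed drill history: one planned switchover, then two abrupt shutdowns.
# Hypothetical targets: RPO 15 minutes, RTO 2 hours.
T0 = datetime(2021, 4, 1, 2, 0)
T1 = T0 + timedelta(days=7)
T2 = T0 + timedelta(days=14)
DRILLS = [
    DrillRecord("planned-switchover", T0, T0, T0 + timedelta(minutes=45), graceful=True),
    DrillRecord("abrupt-power-loss", T1, T1 - timedelta(minutes=25), T1 + timedelta(hours=3), graceful=False),
    DrillRecord("abrupt-network-cut", T2, T2 - timedelta(minutes=20), T2 + timedelta(minutes=90), graceful=False),
]
RPO_TARGET = timedelta(minutes=15)
RTO_TARGET = timedelta(hours=2)


def run_report(drills: List[DrillRecord] = DRILLS,
               rpo_target: timedelta = RPO_TARGET,
               rto_target: timedelta = RTO_TARGET) -> Tuple[List[DrillResult], Dict[str, bool]]:
    """Evaluate every drill and summarize which objectives are repeatedly missed."""
    results = [evaluate_drill(d, rpo_target, rto_target) for d in drills]
    return results, repeated_breaches(results)


if __name__ == "__main__":
    results, flags = run_report()
    for r in results:
        print(f"{r.name:22s} RPO={r.achieved_rpo} ({'ok' if r.rpo_met else 'MISS'})  "
              f"RTO={r.achieved_rto} ({'ok' if r.rto_met else 'MISS'})")
    print("repeated breaches:", flags)
```

In the constructed history the planned switchover meets both targets, while both abrupt shutdowns lose more than the 15-minute RPO because the last replicated record predates the outage; RPO is therefore flagged as a repeated breach even though the RTO recovered in the third drill. Replace the constructed records with the timestamps from actual drill logs to use the same scoring on real data.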

Question 4: Do you see that the quality of RBI officials doing bank audits has gone down drastically?

2021-05-13T00:33:35+05:30 | May 3rd, 2021 | Categories: FIAKS bespoke