IAS Gyan

Daily News Analysis

RBI Draft Circular on Alternative Factor Authentication

2nd August, 2024 Economy

RBI Draft Circular on Alternative Factor Authentication

Disclaimer: Copyright infringement not intended.

Context

  • On July 31, the Reserve Bank of India (RBI) released a draft circular proposing an Alternative Factor Authentication (AFA) for all transactions to enhance the security of digital payments.

Principles for Authenticating Digital Payments

The draft circular outlines the principles for authenticating digital payments:

  • An additional factor of authentication is mandatory.
  • The additional factor must be robust and dynamically created, meaning it is generated for one-time use only.
  • The type of authentication factor should be determined based on various parameters, including the customer's risk profile and transaction value.
  • RBI has stated that any alternative to the SMS-based OTP as an additional factor of authentication should be dynamically generated.

Current Authentication Mechanisms

RBI’s guidelines for 'alternative authentication mechanisms for digital payment transactions' specify that while OTPs have been widely adopted, technological advancements have introduced alternative methods. The RBI noted that:

  • No specific factor is mandated for authentication.
  • The digital payments ecosystem has primarily used SMS-based OTP as AFA.
  • Alternatives should be considered as technological advancements progress.

Customer Consent and Options

The RBI mandates that:

  • Customers must provide consent before a new factor of authentication is implemented.
  • Customers have the option to withdraw consent and deregister if desired.

Exemptions from the Proposal

Certain transactions are exempt from the proposal:

  • Contactless cards with a value below ₹5000 per transaction.
  • Insurance premiums.
  • Credit card payments exceeding ₹1,00,000.
  • Other categories up to ₹15,000.

 A Multi-Factor Authentication Strategy and How It Protects Banks, NBFCs, and Financial Institutions from Hackers

  • Fraud remains a significant concern for financial institutions (FIs), affecting both individual and corporate clients.
  • The issue extends beyond traditional banking or wire transfers, posing security risks even before transactions are initiated.

 Fraudulent Strategies

  • Fraudsters employ various strategies to access sensitive financial data, beginning with the registration or onboarding process and continuing through actual transactions.
  • To combat these threats, financial institutions and businesses must adopt multi-faceted approaches.

 Multi-Factor Authentication

  • A robust strategy includes the use of one-time passwords (OTPs) and multi-factor authentication (MFA).
  • These methods, when combined, provide strong protection against fraudsters.
  • However, to enhance security further, technology leveraging alternative data and additional verification layers must be utilized.

Importance of Relevant Data

  • The success of a security system depends on gathering data pertinent to the nature of the transaction and the specific business context.
  • Financial institutions should prioritize bank account verification, with varying levels of due diligence based on the transaction size and type.

 Advancements in Technology

  • Recent advancements, including open banking and encrypted data, have improved the ability to tailor information provided by banking clients to specific transactions.
  • The rise of decentralized identities and advanced digital technology powered by artificial intelligence helps protect personal and financial information, as well as transactions.

 Global Information Assurance Certification (GIACT)

  • GIACT highlights the importance of prioritizing bank account verification, particularly for larger transactions involving significant sums of money or asset management. Enhanced verification processes are essential to mitigating fraud risks.

 Conclusion

  • By embracing cutting-edge digital technology and integrating multi-factor authentication strategies, financial institutions can effectively safeguard their clients' personal and financial information.
  • The continued evolution of technology and data management plays a crucial role in defending against cyber threats.

Global Information Assurance Certification (GIAC)

Global Information Assurance Certification (GIAC) is an information security certification entity founded by the SANS Institute in 1999, and the term GIAC is trademarked by The Escal Institute of Advanced Technologies. GIAC specializes in technical and practical certifications and new research through its GIAC Gold program, offering a set of vendor-neutral computer security certifications aligned with SANS training courses. It focuses on leading-edge advancements in IT security to stay ahead of "black hat" techniques, with papers from GIAC certification candidates featured on the SANS Reading Room. Initially, all SANS GIAC certifications required a written paper or "practical" for certification. However, in April 2005, the certification format was revised into two levels: the "silver" level, achieved through a multiple-choice exam, and the "gold" level, which requires a research paper and the completion of the silver level as a prerequisite.

 

PRACTICE QUESTION

Q. Discuss the role of Multi-Factor Authentication (MFA) in protecting financial institutions from hacking attempts. How can MFA be effectively integrated into existing security protocols?

 SOURCE: THE HINDU