PUBLIC NOTICE FOR TRANSFER OF UNCLAIMED DEPOSITS TO DEA FUND OF RBI.

PUBLIC NOTICE FOR CLOSURE OF DORMANT AND INOPERATIVE ACCOUNTS.

Recruitment for the post of Resource Person for the Business Diversification & Product Innovation Cell (BDPIC)

Recruitment Advertisement for BDPIC

NABARD has floated RFP for National Level PACS Software Vendor (NLPSV)

National Bank for Agriculture and Rural Development (NABARD) has floated an RFP for the selection of a National Level PACS Software Vendor (NLPSV) under the Centrally Sponsored Project for ‘Computerization of Primary Agriculture Credit Societies’. The detailed RFP is available on the Central Public Procurement Portal (www.eprocure.gov.in/Tender ID: 2022_NABAR_677021_1) and the NABARD website (www.nabard.org).

Internet Banking (View Only)

https://cedgeinb.in/MSCX/

Annual General Body Meeting

***Annual General Body Meeting Postponed indefinitely (Office Order)

PROPOSAL FOR AMENDMENT OF THE EXISTING BYE-LAWS OF THE MSCB LTD.

 

Comprehensive Support Plan (CSP)

Click here to download office order for recruitment of Resource Person for CSP

In pursuance of decision taken in the Meeting of the Board of Management of the Manipur State Cooperative Bank Limited (MSCB Ltd.) held on 31/08/2021, applications are invited from intending and eligible candidates for the following posts in “Comprehensive Support Plan (CSP) Cell” of the Manipur State Cooperative Bank Ltd., for direct recruitment on contract basis for a period of 3 (three) years:

  1. Name of post: Resource Person.
  1. No. of post: 2 (two)* (*One Resource Person should preferably be a former Bank Officer from Cooperative Banks).
  1. Reservation: The post is unreserved.
  1. Essential Qualifications: @Master in Business Management/Rural Management/ Cooperative Management/Commerce/Agriculture and Allied disciplines. This may be relaxed by the Recruitment Committee depending upon the experience and ability of the candidate. (@Not applicable in case of candidates belonging to former Bank Officer).
  1. Essential Minimum Experience: @Two to three years experience in Rural Financial Institution, NBFC, MFI, Insurance, Sales and Retail or in other relevant developmental Institution. (@Not applicable in case of candidates belonging to former Bank Officer).
  1. Age limit as on the date of application: @Should preferably be less than 30 years of age and this can be relaxed by the Recruitment Committee depending on the education, experience and ability of the candidate. (@Not applicable in case of candidates belonging to former Bank Officer).
  1. Desirable: Should have sound knowledge of Indian Rural Economy with working computer knowledge.
  1. Remuneration: 20,000/- per month.
  1. Eligibility Condition:

i) The candidate must be a citizen of India.

ii) The candidate must be able to speak, read and write Manipuri (in Bengali script) and have working knowledge of English/Hindi.

iii) The candidate must be a permanent resident of Manipur, provided that a candidate whose parent(s) or any of his/her direct lineage are permanent residents of the State, with proper documentary proof like enrolment in the electoral roll and birth certificate, will also be eligible.

  1. Application Fees:
  1. Former Bank Officer:

Candidates applying for the former Bank Officer post should have rural banking experience and be well versed in rural banking practices.

 

  1. Mode of Selection: Walk in Interview. Shortlisted candidates based on the laid down criteria will be called for Interview.
  1. Last Date of Submission of Application : 20/11/2021 (4.00 P.M.)
  1. How to APPLY:
  1. Candidates are required to go through the website mscbmanipur.in. The applicants are required to submit a single application in the format specified in the Appendix to email ID: mscbltd@gmail.com.
  2. Candidates working under any organisation/institutions are required to submit an undertaking along with the application that they have informed in writing to their Head of Office/Department that they have applied for the post of Resource Persons in MSCB Ltd. Candidates should note that in case any communication is received from their employer, withholding permission to the candidates applying, candidature of such candidates shall be cancelled. At the time of joining, the recommended candidates will have to bring proper discharged/relieving certificates from their employer.

NOTE: Candidates are not required to submit along with their applications any ORIGINAL certificates in support of their claims regarding Age, Educational Qualifications, etc., which will be verified at the time of the interview only.

  1. Payment of TA/DA: Candidates will be required to appear at the Interview at their own expense and no allowances including TA/DA will be paid for the purpose.
  1. General Instructions:
i) Before applying, candidates should ensure that they fulfil the eligibility criteria for the post of Resource Person in the MSCB Ltd. The Bank would conduct interviews in respect of the eligible candidates only applying for the post on the basis of the information furnished in the application and shall determine their eligibility only at the final stage i.e. interview stage. If at that stage, it is found that any information furnished in the application is false/incorrect or if according to the Bank, the candidate does not satisfy the eligibility criteria for the post, his/her candidature will be cancelled and he/she will not be allowed to appear for interview.

ii) Application form not as per the prescribed format or incomplete in any respect will not be entertained.

iii) Canvassing for the posts, in any form, will be a disqualification.

iv) The Bank does not assume any responsibility for the candidates not being able to submit their applications within the last date for any reason.

v) In all matters regarding eligibility, interviews, assessment, prescribing minimum qualifying standards in interview, in relation to number of vacancies and communication of result, the Competent Authority’s decision shall be final and binding on the candidates and no correspondence shall be entertained in this regard.

vi) Any resultant dispute arising out of this advertisement shall be subject to the sole jurisdiction of the Courts situated at Imphal.

vii) The selected candidate shall be required to be relieved from his/her current employment before joining the post, if he/she is working under any organisation/institutions.

viii) The selected candidate must join within 30 days from the date of appointment. If the selected candidate fails to join within 30 days without any valid ground, the Competent Authority shall consider the next candidate as per the merit list.

ix) The applications shall be screened by the Screening Committee and suitable candidates meeting the eligibility criteria shall be shortlisted and informed by email for interview for the appointment as per extant rules and policy. The decision of the Competent Authority will be final.

 

 

CYBER SECURITY POLICY FOR MSCB LTD

CYBER SECURITY POLICY

For

THE MANIPUR  STATE CO-OPERATIVE BANK LTD.

 

1)  Introduction :-

The Bank’s information systems and the data these information systems process are fundamental for its daily operations and effective service provision. The Bank shall implement adequate security policies, procedures and controls to protect the confidentiality, maintain the integrity and ensure the availability of all information stored, processed and transmitted through its information systems. To build a secure and resilient cyberspace for customers, there is a need to have an effective cyber security policy in the Bank.

Cyberspace is vulnerable to a wide variety of incidents, whether intentional or accidental, man-made or natural, and the data exchanged in cyberspace can be exploited for nefarious purposes. Cyberspace is expected to become more complex in the foreseeable future with the increase in networks and devices connected to it.

Use of information technology by the Bank has grown rapidly and is now an integral part of the operational strategies of the Bank. It is therefore important to develop policies, procedures and technologies based on new developments and emerging concerns, and to fine-tune them as cyber threats evolve.

The protection of information infrastructure and preservation of the confidentiality, integrity and availability of information in cyberspace is the essence of a secure cyber space. Due to the dynamic nature of cyberspace there is now a need for these actions to be unified under a cyber security policy, with an integrated vision and a set of sustained and coordinated strategies for implementation.

The cyber threat landscape has evolved from one of individual hackers to highly organized groups and advanced cyber criminal syndicates. Cyber attacks are more targeted and sophisticated than ever before. Powerful new malware is capable of stealing confidential data and card information and of disabling network infrastructure. Attacks on critical infrastructure, including payment systems, can disable physical machinery, cause catastrophic equipment failure and even result in substantial financial loss to the Bank. The Bank must be prepared to address the types of threats mentioned in the indicative but not exhaustive list given as Annexure-A.

Cyber security policy is an evolving process and it caters to the whole spectrum of people, process and technology. It serves as an umbrella framework for defining and guiding the actions related to security of cyberspace.

To combat growing cyber threats and enhance the resistance of the banking system to cyber risks, RBI vide its circular no.RBI/2018-19/63/DCBS. CO. PCB. Cir No.1/18.01.000/2018-19 dated 19th October 2018 directed banks as under:

1) “To put in place a cyber-security Policy elucidating the strategy containing an appropriate approach given the level of complexity of business and acceptable levels of risk duly approved by their Board.”

This Cyber Security (CS) Policy has been framed on the basis of stipulated RBI guidelines, the Information Technology Act and international standards.

The Cyber Security Policy is distinct from the IT Policy and the Information Security Policy.

2)  Ownership

The Board of Management (THE MANIPUR STATE COOPERATIVE BANK LTD.) is the owner of the policy and is ultimately responsible for the overall functioning of cyber security in the Bank.

3)  Cyber Security Scope and Applicability

  1. This policy applies to all employees, contractors, consultants and third-party users (internal and external) accessing Bank’s information systems from within or outside.
  2. This policy covers the usage of all of the Bank’s information technology and communication resources, including but not limited to:
  • All computer-related equipment like PCs, workstations, telecom equipment, databases, printers, servers, shared computer resources etc., and all networks and hardware to which this equipment is connected.
  • All software including purchased or licensed business software applications, in-house applications, vendor/supplier provided applications, computer operating systems, firmware and any other software residing on Bank owned equipment.
  • All intellectual property and other data stored on the Bank’s

 4)  Policy Framework

1) The Cyber Security Policy is designed as per the cyber security framework defined below. The framework has been built on the basis of the RBI circular to provide a compliance overview for each of the functional areas as outlined in the circular. The Distributed Denial of Services (DDoS), ransom-ware/ crypto ware, destructive malware, business email frauds including spam, phishing etc.

2) Define a robust cyber security framework to ensure adequate cyber security preparedness for addressing cyber risks, and identify the inherent risks and the controls in place in order to adopt an appropriate cyber security framework.

3) Define cyber security measures/controls to ensure protection of the Bank’s and customers’ information and to maintain confidentiality, integrity and availability of the data across the data/information life cycle.

4) To design IT architecture in a manner that it takes care of facilitating the security measures at all times.

5) To respond, resolve and recover from cyber incidents and attacks through timely information sharing, collaboration and action.

Collectively, these objectives provide the foundation for protecting against and preparing for cyber threats (i.e. a proactive approach to cyber security) as well as detecting, responding to and recovering from threats and challenges (i.e. reactive cyber security efforts).

5)  Guiding Principle

Bank’s approach to cyber security is based on the following principles.

  1. The Bank has an important responsibility to safeguard customers’ confidential information, systems and networks and to ensure their confidentiality, integrity and availability. The Bank will therefore lead by example, implementing cyber security requirements while building and adopting innovative and new technologies.
  2. Individuals are responsible for being aware of threats, adopting best practices, understanding who is collecting their personal information and securing their own information systems and networks.
  3. Strong security measures and sound test practices are encouraged to protect personal and private information from unauthorized access or misuse. The Bank will derive security procedures from the policy statements and provide the details of necessary actions to achieve the objectives of the policy statement.

6)  Policy Statement

The Bank shall strive for the preservation of the confidentiality, integrity and availability of the Bank’s information assets pertaining to customers’ data, for a safe and secure computing environment, in order to build adequate trust and confidence in electronic transactions.

7)  Objective

  a) To safeguard the cyber facing information infrastructure of the Bank from various types of cyber threats including, but not limited to Denial of Service (DoS), pursue cyber security policy and initiatives that preserve Bank’s values and expectations, consistent with laws and regulations.
  b) All third-party vendors are to be managed as per the information security procedure for third parties.
  c) The Bank will co-ordinate with external agencies during and after a cyber crisis as per the Cyber Crisis Management Plan (CCMP).
  d) Head Office and Dept. Heads are to identify the inherent risk (including the cyber risk) and the controls in place for any product/process before launch of the same, and the same is to be reviewed periodically as per the Risk Management Policy of the Bank.
  e) An indicative but not exhaustive list of requirements to be put in place by banks to achieve a baseline cyber security framework is given in the policy. This may be evaluated periodically to integrate risks that arise due to newer threats, products or processes.

8)  Roles and Responsibilities

Head, Information Technology Cell/Dept.

  1. Head of IT Cell/Department will be responsible for bringing to the notice of the Board/IT sub-committee of the Board the vulnerabilities and cyber security risks the Bank is exposed to.
  2. Head of IT Cell/Department, by virtue of his role, may ensure, inter alia, that current/emerging cyber threats to business and the Bank’s preparedness in these aspects are invariably discussed in such committee(s).
  3. Head of IT Cell/Department shall manage, monitor and drive cyber security related projects.
  4. Should co-ordinate the activities pertaining to Cyber Security Incident Response Teams within the Bank.
  5. Shall develop and get an independent assessment of Cyber Security including its coverage at least on a quarterly basis.
  6. Shall have a robust working relationship with the Bank’s Top Management. Head of IT Cell/Department may be a member of (or invited to) committees on operational risk where IT/IS risk is also discussed.
  7. Head of IT Cell/Department shall be adequately staffed with technically competent people, if necessary through recruitment of specialist officers commensurate with the business volume, extent of technology adoption and complexity.
  8. Shall be an invitee to the IT committee and IT steering committee.

(i). Board Level IT Committee:

An I.T. Sub-Committee at the Board level shall be constituted with the following members:

  • Managing Director/Chief Executive Officer of the Bank – Chairman.
  • Any 3 (three) members of the Board of Management – Members.
  • Head of the I.T. Cell/Department – Convener.

The IT Sub-Committee of the Board shall meet at least once in a quarter. The committee should focus on the following:

  1. Reviewing the initiatives taken by the I.T. Steering Committee. After assessing, the committee shall apprise the Board.

(ii). I.T. Steering Committee:

An IT Steering Committee shall be formed with representatives from the IT, HR, Legal, Loans & Advances and Accounts Departments. Its role is to assist the Executive Management in implementing the IT strategy that has been approved by the IT Sub-Committee of the Board. The IT Steering Committee should apprise/report to the IT Sub-Committee periodically. The Committee should focus on implementation of the Bank’s IT Policy. Its functions, inter alia, include:

  a) Defining project priorities and assessing strategic fit for IT proposals.
  b) Reviewing, approving and funding initiatives, after assessing value additions to business process.

(iii). Information Security Committee:

Since IT/cyber security affects all aspects of an organization, in order to consider cyber security, an Information Security Committee of executives shall be formed. The Head of the IT Cell/Department shall be the Member Secretary of the Committee. The Information Security Committee may include, among others, the Chief Executive Officer (CEO) and two senior Management officials well versed in the subject. The Committee shall meet at least once on a quarterly basis. Major responsibilities of the Information Security Committee, inter alia, include:

  1. Developing and facilitating the implementation of information security policies, standards and procedures to ensure that all identified risks are managed within the Bank’s risk appetite.
  2. Supporting the development and implementation of the Bank’s information security management programme.
  3. Shall not have direct reporting relationship with the IT Cell/Department Head and shall not be given any business targets.

Information Technology Cell/Department

  1. To provide IT products support and services to the divisions and functions in accordance with the cyber security requirements of the Bank.
  2. Provide alternative solutions on industry practice to satisfy increased protection requirements.
  3. Provide relevant support to others in meeting cyber security objectives and plans.
  4. Provide periodic metrics to evaluate the cyber security posture of the Bank on a quarterly basis.
  5. Coordinate all activities necessary for compliance to the cyber security policy
  6. Oversee the execution of the cyber security planning at the functional level
  7. Maintain and update the relevant document.

Legal & Compliance

*   Provide guidance and support in contract negotiations and advise on legal issues (such as levels of liability), arising in connection with the contract and on regulatory requirements.

Branches / Departments

  a) Branches / Departments should support in meeting the Bank’s requirements around cyber security risk management.
  b) Help in identifying inherent risks in business / process and communicating the same to IT department.

Human Resources

  a) Ensure that all personnel are made aware of their information / cyber security responsibilities.
  b) Assign relevant information / cyber security trainings to staff.
  c) Provide guidance and support on the procedures that ensure compliance with applicable HR policies and employment regulations.
  d) Address security requirements for all personnel before, during and at termination or change of employment, which include triggering access to systems, email and physical access at the time of on-boarding/off-boarding of employees.

 Employee

  a) Comply with the Bank’s cyber security policy.
  b) Practice reasonable care to protect their Bank provided assets and access credentials.
  c) Follow established cyber security incident reporting and escalation procedures.

Third Party

  a) Comply with the Bank’s cyber security policy.
  b) Practice reasonable care to protect their Bank provided assets and access credentials.
  c) Comply with the terms and conditions as per the Bank’s non-disclosure agreement and confidentiality agreement.
  d) Ensure/confirm that the software/apps provided (if any) by the third party for the Bank’s use are free from embedded malicious/fraudulent code.

9)  Implementation Approach

Successful implementation of the Cyber Security Policy requires continuous commitment, governance and action by various stakeholders who are collectively responsible for the Bank’s approach to cyber security. The Bank shall develop and maintain, or hire, a professional cyber security workforce. The Bank has implemented various controls/measures to address various cyber security threats as mentioned in Annexure-B. In addition to this, the Bank will adopt new innovative cyber security technology and solutions as required from time to time to protect Bank information assets.

  a) The Cyber Crisis Management Plan of the Bank should cover effective measures to prevent cyber attacks and to promptly detect any cyber intrusion so as to respond, recover and contain the fallout.
  b) Respective Officers/Management of the IT Dept. controlling cyber facing applications must take the following steps to make progress against the Cyber Security Objective.
  c) Identify & safeguard the Bank’s cyber facing information infrastructure.
  • Identify & prepare a list of the cyber facing information infrastructure.
  • Assess the threat to cyber facing information infrastructure.
  • Identify the gap and the cyber security controls.
  • Implement cyber security controls / standards or suggest a management action plan to mitigate risk.
  • Analyze cyber security trends and threats to provide timely reports to management.
  • Always make use of trustworthy technology products and services.
  • Continuously monitor the security posture of cyber facing IT & information infrastructure.
  d) Respond, resolve and recover from cyber incidents:

In case the asset owner of the cyber facing infrastructure suspects any incident, then:

  • Do the preliminary assessment of the incident
  • If any cyber-attack is observed, report the matter immediately to the competent authority in accordance with the Bank’s cyber crisis Management plan.
  • Take immediate remedial steps to stop/reduce the cyber infections within cyber facing information infrastructure as per CCMP.
  • Take action to correct and recover from cyber security incidents and system failures
  • Establish mechanisms and procedures to facilitate timely information sharing and action among stakeholders as per the CCMP.
  • Enhance and maintain situational awareness capabilities.
  • Establish and continuously enhance incident response capabilities
  • Ensure preparedness by conducting cyber security exercises and drills.

10) Cyber Security Awareness Training

  1. The Bank shall take steps to enhance cyber security awareness amongst the staff using trainings, posters, mails etc. on a continuous basis.
  2. Staff of the IT Dept. handling cyber facing applications must take periodic trainings to make themselves aware of new cyber threats and measures.

11)  Reporting and Performance Measurement

  1. Performance of Cyber Security implemented by the Bank should be monitored continuously and, based on the assessment, future cyber security requirements should be identified.
  2. Regular assessment should be carried out for identifying potential threats in cyber security.
  3. A quarterly report about Cyber Security Incidents should be put before the Board and the return thereof should be submitted to RBI on the due date.

12) Policy Review and Approval

This policy document shall be reviewed at least annually by the Information Security Department, or in the event of any significant changes in the existing IS environment (internal/external) affecting policies and procedures. The policy owner shall be responsible for making the changes to the policy document and for getting them approved by the Board.

13)    Compliance

  1. The Bank expects all employees to comply with the policies. Violation or any attempted violation of the cyber security policy shall result in disciplinary action to be taken by the Bank as per the extant guidelines. Disciplinary action shall be consistent with the severity of the incident as determined by an investigation.
  2. Violations, if any, of the cyber security policy must be reported to the respective department head and the HEAD OF IT.
  3. While the Bank would like to respect the privacy of its employees, it reserves the right to audit and / or monitor the activities of its employees and information stored, processed, transmitted or handled by the employees using the Bank’s information systems.

14)    Exceptions

  1. Approval for exceptions or deviations from the policies, wherever warranted, must be provided by IT Committee for High Risk items and HEAD OF IT Information Security Department for Medium and Low Risk items.
  2. Exceptions must not be universal but must be agreed on a case by case basis, upon official request made by the information asset owner. These may arise, for example, because of local circumstances, conditions or legal reasons existing at any point of time. Exceptions to the cyber security policy may have been allowed at the time of execution/updating or on an ad-hoc basis if needed.
  3. All exceptions during implementation must be submitted by the concerned stakeholder to HEAD OF IT or any other official of the information security team. All the exceptions are to be raised as per the Bank’s cyber security policy exception form, The Bank’s HEAD OF IT. This request must be approved by the User Department Head / information asset owner.
  4. The Information Security Department must review all exceptions, as the case may be, every year for validity and continuity. The summary of high severity exceptions allowed should be reported to the IT committee on a quarterly basis.

15)   Inquiries

Any inquiries relating to the application of this policy should be referred to the HEAD OF IT Cell/Department.

16)     Cyber Security Domains

1) Inventory Management of IT Assets

  1. The Bank should maintain an up-to-date inventory of IT assets. IT assets include systems and network, including disaster recovery systems and networks with their supporting facilities but limited to information, software, physical, service and people indicating their criticality.
  2. To ensure confidentiality, integrity and availability of information, an information classification scheme designed by the Bank should be adhered to.
  3. The Bank should secure information accessible by the internal teams, external agency and partners through approved methods, including information in electronic form, information in physical form and information during transit.
  4. Any remote administration connections authorized by the Bank should use strong authentication (typically two-factor authentication) as well as corresponding encryption methods (such as SSH, SSL and VPN) to secure communication traversing the network.
  5. Bank should ascertain the risk related to critical information stored, transmitted, processed and accessed.

2) Preventing Access of unauthorized software

  1. The Bank should maintain central inventory of all software(s).
  2. Bank should develop mechanism to control installation of unauthorized software in the Bank.
  3. Bank should track use of authorized / unauthorized software (if any) in the Bank.
  4. Bank should define procedures for granting and approving exceptions which at minimum should cover justification of exceptions, duration of exception and authority for approving.
  5. Bank shall white list authorized application/software/ libraries etc.

3) Environmental Controls

  1. A cyber risk profile based on activities at various locations such as administrative offices, branches, data centre and disaster recovery site should be documented and maintained, which helps risk-based decisions and implementation of cyber security controls.
  2. The Bank should ensure that physical access to information processing areas and their supporting infrastructure (communications, power, and environmental) are controlled to prevent, detect, and minimize the effects of unintended access to these areas (e.g., unauthorized information access, or disruption of information processing itself).
  3. Bank should monitor compromises of environmental controls relating to temperature, water, smoke, access alarms, service availability alerts (power supply, telecommunication, servers), access logs, etc.
  4. The Bank shall evaluate the cyber security risks and take up cyber insurance of an appropriate value from time to time. The need will be assessed on a yearly basis.

4) Network Management and Security

  1. Network security architecture should be documented at Bank level. Network security architecture should be updated as and when there are major changes in the Bank’s environment or at least annually.
  2. Security architecture and standard security management principles should be applied in network devices configuration, vulnerability and patch management and change in routing table or setting of network devices.
  3. Access to network devices should be restricted to only the Bank’s authorized network staff, with appropriate access control mechanisms that support individual accountability and access restriction.
  4. Bank should define standard operating procedures for all major IT activities.
  5. Bank should ensure that certain events are logged and these logs are collected using various types of log collection software and infrastructure.
  6. A central repository for the log collection should be established which would be used to generate alerts, based on established parameters.
  7. Bank should install network security devices, such as firewalls as well as intrusion detection and prevention systems, to protect its IT infrastructure from security exposures originating from internal and external sources.
  8. Bank should periodically conduct configuration review of network components.
  9. Bank shall deploy mechanism to detect and remedy any unusual activities in systems, servers, network devices and endpoints.
  10. Bank shall implement solutions to automate network discovery and management.

5) Secure Configuration

  1. Document and apply baseline security requirements/ configurations to all categories of devices (end-points/workstations, mobile devices, operating systems, databases, applications, network devices, security devices, security systems, etc.), throughout the lifecycle (from conception to deployment) and carry out reviews periodically
  1. Periodically evaluate critical device (such as firewall, network switches, security devices, etc.) configurations and patch levels for all systems in the bank’s network including in Data Centers, in third party hosted sites, shared-infrastructure locations.
  1. The Bank should document minimum baseline security standards (MBSS) for IT platforms.
  1. The MBSS should be tested before any major release on an IT platform.
  1. The MBSS should be reviewed at least once annually and before major upgrade.

6) Anti Virus and Patch Management

  1. Follow a documented risk-based strategy for inventorying IT components that need to be patched, identification of patches and applying patches so as to minimize the number of vulnerable systems and the time window of vulnerability/exposure.
  2. Implement and update antivirus protection for all servers and applicable end points, preferably through a centralised system.
  3. Put in place systems and processes to identify, track, manage and monitor the status of patches to operating system and application software running at end-user devices directly connected to the internet and in respect of Server Operating Systems/Databases/Applications/Middleware, etc.
  1. Changes to business applications, supporting technology, service components and facilities should be managed using robust configuration management processes and configuration baselines that ensure the integrity of any changes thereto.
  2. Periodically conduct VA/PT of internet facing web/mobile applications, servers & network components throughout their lifecycle (pre-implementation, post implementation, after changes, etc.).
  3. Periodically conduct application security testing of web/mobile applications throughout their lifecycle (pre-implementation, post implementation, after changes) in an environment closely resembling or replicating the production environment.
  4. As a threat mitigation strategy, identify the root cause of incident and apply necessary patches to plug the vulnerabilities.
  5. For further details, Information Security Procedure for Change management is to be followed.
  6. The Bank should implement security controls to provide robust defence against the installation, spread and execution of malicious code at multiple points in the enterprise.
  7. Mechanisms such as web security, anti-malware and continuous monitoring to detect advanced threats such as ransomware, cyber extortion, data destruction and DDOS should be implemented.
  8. Anti-Virus should be installed on all end points and servers and centrally managed for policy configuration management and virus definition updates.
  9. The Bank should implement and maintain preventive, detective and corrective measures across the enterprise to protect information systems and technology from malware.
  10. Anti-Malware packages for operating systems should be deployed and definitions should be periodically updated.
  11. Malware protection should be installed on all web-gateways, exchange servers and centrally managed for policy implementation.
  12. The Bank should implement white listing of internet websites/systems.
  13. Bank should have a threat intelligence mechanism that collects and analyses threat related information from different internal and external sources.
  14. Based on the analysed threat intelligence, Bank should share inferences and intelligence with regulatory bodies like RBI, IDRBT, CERT-In.
  15. The Bank shall deploy mechanisms to deep scan network packets including secure (HTTPS, etc.) traffic passing through the web / internet gateway.
  16. Mechanisms to manage events related to phishing/rogue applications should be implemented.

7)   User Access Control and Management

  1. Provide secure access to the bank’s assets/services from within/outside the bank’s network by protecting data/information at rest and in-transit.
  2. Carefully protect customer access credentials such as logon user id, authentication information and tokens, access profiles, etc. against leakage/attacks.
  3. Disallow administrative rights on end-user workstations/PCs/laptops and provide access rights on a need to know basis and for specific duration when it is required following an established process.
  4. Implement appropriate (e.g. centralized) systems and controls to allow, manage, log and monitor privileged/supervisor/administrative access to critical systems (servers/OS/DB, applications, network devices etc.).
  5. Implement controls to minimize invalid logon counts, deactivate dormant accounts.
  6. Monitor any abnormal change in pattern of logon.
  7. Implement measures to control installation of software on PCs/laptops, etc.
  8. Implement controls for remote management/wiping/locking of mobile devices including laptops, etc.
  9. Implement measures to control use of VBA/macros in office documents, control permissible attachment types in email systems.
  10. For details, Information Security Procedure for Logical access is to be followed.

8)   Secure Mail and Messaging System

  1. Implement effective systems and procedures to ensure that e-mails are used as an efficient mode of business communication.
  2. Ensure that e-mail service and operations remain secure, efficient while communicating within intranet as well as through internet.
  3. Email specific server controls should be documented.
  4. Security of email communication should be enhanced by use of disclaimer, hashes or encryption.
  5. The Bank should control permissible attachment types in email systems.

9)   Removable Media

  1. By default, access to removable media, drives (USB ports, CD / DVD ROM drives, floppy drives) should be disabled.
  2. Critical and sensitive information stored in removable media should be sanitized before disposal. Removable media should be disposed of securely and safely when no longer required.
  3. Bank should deploy governing mechanism for use of personally owned and official mobile devices.
  4. Bank should deploy mechanism to scan removable media for malware, before granting any read/write access.
  5. Bank should implement centralized policies through active directory or endpoint management systems to restrict use of removable media.
  6. Exceptions for granting write access to removable media should be granted after approval of HEAD OF IT and regular recertification process should be established, tracked and documented.

 10)  User / Employee / Management Awareness

  1. The Bank should deploy mechanism to protect data at rest and in transit by implementing secure access controls to the Bank’s network.
  2. The Bank should put a mechanism in place to protect customer access credentials against data leakages.
  3. The Bank should provide access rights on a need to know basis for specific duration.
  4. Users should not be granted administrative rights on end-user workstations /laptops.
  5. The Bank should implement centralized authentication and authorization system for accessing IT assets including but not limited to applications, operating systems, databases, network and security devices/systems, point of connectivity.
  6. The Bank should enforce strong password policy for all critical assets.
  7. The Bank should implement appropriate systems and controls to log and monitor administrative access to critical systems.
  8. The Bank should implement controls to minimize invalid logon counts and deactivate dormant accounts.
  9. The Bank should deploy measures to control installation of software on end user devices.
  10. The Bank should deploy controls to restrict use of VBA / macros in office documents.
  11. The Bank shall deploy controls to monitor abnormal changes in pattern of logon.

11) Customer Education and Awareness

  1. Customer education and awareness program should be designed and implemented.
  2. Customers should be encouraged to report any phishing mails/websites, etc.
  3. Customers shall be educated on the downside risks involved in sharing of their login credentials to any third party and the consequences arising of such situations.
  4. Communication medium such as E-mail, SMS, banner, advertisements, Audio-Visual at branch offices should be used to improve customer cyber security awareness.

12) Backup and Restoration

  1. Periodic back up of the important data should be taken and this data should be stored ‘off line’ (i.e., transferring important files to a storage device that can be detached from a computer/system after copying all the files).

 13) Vendor and Outsourcing Risk Management

  1. Banks shall carefully evaluate the need for outsourcing critical processes and selection of vendor/partner based on comprehensive risk assessment.
  2. Among others, banks shall regularly conduct effective due diligence, oversight and management of third party vendors/service providers & partners.
  3. Appropriate framework, policies and procedures supported by baseline system security configuration standards to evaluate, assess, approve, review, control and monitor the risks and materiality of all its vendor/outsourcing activities shall be put in place.
  4. Banks shall ensure and demonstrate that the service provider adheres to all regulatory and legal requirements of the country. Banks may necessarily enter into agreement with the service provider that amongst others provides for right of audit by the bank and inspection by the regulators of the country.
  5. Reserve Bank of India shall have access to all information resources (online/in person) that are consumed by banks, to be made accessible to RBI officials by the banks when sought, though the infrastructure/enabling resources may not physically be located in the premises of banks.
  6. Further, bank has to adhere to the legal and regulatory requirements relating to geographical location of infrastructure and movement of data out of borders.
  7. Banks shall thoroughly satisfy themselves about the credentials of vendor/third-party personnel accessing and managing the bank’s critical assets.
  8. Background checks, non-disclosure and security policy compliance agreements shall be mandated for all third party service providers.

14)   Vulnerability Assessment and Penetration Testing

  1. The Bank should periodically conduct vulnerability assessment and penetration testing (VA/PT) for all the critical systems.
  2. Vulnerabilities identified should be remediated in a timely manner.
  3. Penetration testing of public facing systems and critical applications should be carried out by professionally qualified teams.
  4. Concerned Asset owners/team leaders should ensure that necessary remedial measures are implemented to close the findings detected by penetration testing.
  5. VA/PT findings and follow up actions should be closely monitored by senior management as well as Information Security/ IT audit team.
  6. The Bank should periodically & actively participate in external cyber drills.

15)   Risk Based Transaction Monitoring

  1. Fraud Risk Management System (FRMS) should be deployed by Bank across each delivery channel for monitoring risk based transactions.
  2. Continuous surveillance should be used to monitor and detect fraudulent or large transactions in the Bank.
  3. Immediate notifications through alternate channels like E-mail and SMS are provided to customers on transactions executed by customer across various means i.e. online, cheque, ATM.
  4. For transaction above tolerance limit Call Back Verification (CBV) control shall be implemented.

16)  Incident Response and Cyber Crisis Management

  1. Bank should adhere to incident response procedures to respond consistently to attacks, minimize all loss, leakage or disruption during an attack.
  2. Learnings from information security incidents should be documented and communicated to stakeholders. This information shall be used in improving the processes and systems to reduce recurrence and/or future impact of the security incident.
  3. Employees and third parties shall report any observed or suspected information security weaknesses in systems or services through proper communication channels.
  4. Bank should develop recovery strategies to ensure critical application systems are resumed within the agreed Recovery Time Objectives (RTO).
  5. Management responsibilities should be assigned to ensure a quick, effective, and orderly response to information and cyber security incidents.
  6. For information security incident that involves legal action (either civil or criminal), evidence should be collected, retained, and presented as per laws to conform to the rules laid down in the relevant jurisdiction(s).
  7. Contacts with relevant authorities such as law enforcement agencies, regulatory bodies and national nodal agencies should be maintained.
  8. The Bank should have process for collecting and sharing of threat information from local, national or international sources following legally accepted/defined means/processes.
  9. Containment of advanced cyber security incidents like ransomware/cyber extortion, data destruction, DDOS, etc. should follow the cyber crisis management plan.
  10. Cyber-attacks should be controlled by implementing security controls like shielding, quarantining the affected devices/systems.
  11. Policy for aligning Incident Response and Digital forensics to reduce the business downtime/to bounce back to normalcy should be in place.

17) Forensics

  1. The Bank should conduct preliminary investigation and evidence gathering and involve external forensics service on case to case basis.
  2. The Bank should have a forensic risk evaluation criterion to decide on incidents that qualify for forensics.
  3. Security function must coordinate legal, HR.
  4. Digital evidence related to information security incidents should be collected, stored and processed to facilitate necessary forensic investigation as per the applicable laws and regulations.
  5. The Bank should periodically and actively participate in external cyber drills.

Cyber Crisis Management

Cyber crisis management plan that includes identification, validation, activation, response, recovery and containment of cyber crisis should be documented, implemented and reviewed at least annually.

 Type of Threats

  • Hacktivists: These are individuals or groups who seek to disrupt systems and networks for a variety of motives, including notoriety, financial gain, or political agendas. They connect across borders to overwhelm targeted websites and access sensitive information. They may seek to harm their enemies by either shaming them or disabling their services. Hacktivists typically launch distributed denial of service (DDoS) attacks, deface websites, access sensitive government data, and publish the personal information of high-ranking persons and business leaders.
  • Advanced Persistent Threats (APT): These occur when malicious actors use complex and unique malware to quietly gain access to proprietary or personal information and sensitive government information. They may also use customized solutions to take advantage of insiders, social engineering, network hardware, and third-party software to cause various malfunctions, destroy data, and disable networks.
  • Cyber Crime Syndicates: These organizations seek account information to make fraudulent transactions or to siphon money. Information theft is also common, as cyber criminals will sell sensitive corporate information to unauthorized individuals or groups. Cyber criminals leverage various methods to achieve their objectives, such as distributing massive amounts of e-mails while posing as banks or other authorities to obtain customer identification and financial information. They may also use large-scale DDoS attacks to overwhelm Internet dependent enterprises.
  • Malicious Insiders: These are trusted individuals who are motivated to compromise the confidentiality, integrity, or availability of an organization’s information and information systems. Their motives may include financial gain, revenge, or ideology. Insiders do not need to infiltrate perimeter network defences because they have trusted access to information and information systems and can use various methods to damage or destroy government and business systems.
  • Root kit: is a collection of tools that are used to obtain administrator-level access to a computer or a network of computers. A root kit could be installed on any computer by a cybercriminal exploiting a vulnerability or security hole in a legitimate application on the computer and may contain spyware that monitors and records keystrokes.
  • Botnet: also called a “zombie army”, is a collection of software robots, or bots, that run automated tasks over the Internet. It is a group of computers connected to the Internet that have been compromised by a hacker using a computer virus or Trojan horse. An individual computer in the group is known as a “zombie” computer.

The botnet is under the command of a “bot herder” or a “bot master,” usually to perform nefarious activities by running programs such as worms, Trojan horses, or backdoors. This could include distributing spam to the email contact addresses on each zombie computer, for example. If the botnet is sufficiently big in number, it could be used to access a targeted website simultaneously in what’s known as a denial-of-service (DoS) attack. The goal of a DoS attack is to bring down a web server by overloading it with access requests.

  • Trojan horse: Users can infect their computers with Trojan horse software simply by downloading an application they thought was legitimate but was in fact malicious. Once inside the computer of a user, a Trojan horse can do anything from recording his/her passwords by logging keystrokes (known as a keystroke logger) to hijacking the webcam to watch and record his/her every move.
  • Spam: is electronic junk email. The amount of spam has now reached about 90 billion messages a day. Email addresses are collected from chat rooms, websites, news groups and by Trojans which harvest users’ address books. SPIM is spam sent via instant messaging systems such as Yahoo! Messenger, MSN Messenger and ICQ. Its Danger level is Low but Prevalence is Extremely High.

Spam can clog a personal mailbox, overload mail servers and impact network performance. On the other hand, efforts to control spam, such as by using spam filters, run the risk of filtering out legitimate email messages. Perhaps the real danger of spam is not so much in being a recipient of it as in inadvertently becoming a transmitter of it. Spammers frequently take control of computers and use them to distribute spam, perhaps through the use of a botnet. Once a user’s computer is compromised, their personal information may also be illegally acquired.

  • SQL Injection: Such an attack involves the alteration of SQL statements that are used within a web application through the use of attacker-supplied data. Insufficient input validation and improper construction of SQL statements in web applications can expose them to SQL injection attacks. SQL injection is such a prevalent and potentially destructive attack that this has become the number one threat to web applications.
  • Authentication Bypass: This attack allows an attacker to log on to an application, potentially with administrative privileges, without supplying a valid username and password.
  • Information Disclosure: This attack allows an attacker to obtain, either directly or indirectly, sensitive information in a database.
  • Compromised Data Integrity: This attack involves the alteration of the contents of a database. An attacker could use this attack to deface a web page or more likely to insert malicious content into otherwise innocuous web pages.
  • Compromised Availability of data: This attack allows an attacker to delete information with the intent to cause harm or delete log or audit information in a database.
  • Remote Command Execution: Performing command execution through a database can allow an attacker to compromise the host operating system. These attacks often leverage an existing, predefined stored procedure for host operating system command execution.
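The SQL injection and authentication bypass entries above, shown as an added example that is not part of the Bank's policy or systems: a login check built by string concatenation beside the same check using input validation and a parameterized query. The table layout, account names, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
import re
import sqlite3

# Constructed demo salt; a real system uses a random salt per user.
SALT = b"constructed-demo-salt"

# Allowlist for usernames (an assumption for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def hash_password(password):
    """Derive a password hash with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000).hex()


def make_demo_db():
    """Create an in-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("admin", hash_password("S3cure-Admin-Pass")),
            ("teller01", hash_password("Teller-Pass-01")),
        ],
    )
    return conn


def login_concatenated(conn, username, password):
    """Improper construction: user input becomes part of the SQL text."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + hash_password(password) + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def fetch_hash(conn, username):
    """Parameterized lookup: the input is bound as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Input validation plus a parameterized query and constant-time compare."""
    if not USERNAME_RE.fullmatch(username):
        return None
    stored = fetch_hash(conn, username)
    if stored is None:
        return None
    if hmac.compare_digest(stored, hash_password(password)):
        return username
    return None


if __name__ == "__main__":
    db = make_demo_db()
    crafted = "admin' --"  # constructed input: closes the quote, comments out the rest
    print("concatenated, crafted input :", login_concatenated(db, crafted, "wrong"))
    print("parameterized, crafted input:", login_parameterized(db, crafted, "wrong"))
    print("parameterized, valid login  :",
          login_parameterized(db, "admin", "S3cure-Admin-Pass"))
```

In the concatenated version the crafted username removes the password condition from the statement, which is the authentication bypass described above; in the parameterized version the same string is only ever compared as a literal username.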

  • Ransomware: is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and force users to pay the ransom through certain online payment methods to get a decryption key.

  • Website defacement: is an attack on a website that changes the visual appearance of the site or a webpage. These are typically the work of system crackers, who break into a web server and replace the hosted website with one of their own.
  • Spoofing: is an attack situation in which one person or program successfully masquerades as another by falsifying data, thereby gaining an illegitimate advantage.

E-mail spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source. The e-mail often contains malicious software as an attachment which will be used to get unauthorized access to the user’s computer.

  • Session Hijacking: Sometimes also known as cookie hijacking, this is the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. Once the user’s session has been accessed, the attacker can masquerade as that user and do anything the user is authorized to do on the computer.
  • Man in the Middle Attack: It is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. Online banking and e-commerce sites are frequently the target of such attacks. The attacker can capture login credentials and other sensitive data from the user’s computer with this type of attack.

Control Measures Implemented in Bank:

  • Use and maintain an updated anti-virus software – Anti-virus software recognizes and protects our computer against most known viruses. Anti-virus software is maintained up-to-date with latest version, patches & updated definition on all the Desktops and Servers and monitored.
  • Keep our operating system and application software up-to-date:- Bank deployed security patches on all endpoints, as soon as they become available, to eliminate exploitable vulnerabilities (i.e. zero day vulnerabilities) or known problems. 
  • Regular Backup: – Execution of daily backups of all critical systems and periodically execute an “offline” backup of critical files to removable media in accordance with Data Retention Policy and IS Procedure for Data Backup. 
  • Blocking of removable media devices: – Prevention or limitation of all removable media devices on systems to limit the spread or introduction of malicious software and possible exfiltration of data, except where there is a valid business need for use.
  • Restricting account privileges: – All daily operations are executed using standard user accounts unless administrative privileges are required for that specific function. Configuration of all standard user accounts to prevent the execution and installation of any unknown or unauthorized software. Both standard and administrative accounts have access only to services required for nominal daily duties, enforcing the concept of separation of duties. 

CYBER SECURITY POLICY FOR MSCB LTD

New Recruitment

Claim/Activation of Unclaimed/Inoperative Accounts with The MSCB Ltd

Recruitment for the post of Resource Person for the Business Diversification & Product Innovation Cell (BDPIC)

Office Order on Recruitment of Resource Person for Comprehensive Support Plan (CSP)


Final Result for the recruitment of Sr. Acct Assts. and Deputy Managers

Appointment order for Senior Account Assistant

Appointment order for Deputy Manager

List of candidates recommended for appointment to the Post of Senior Account Assistant

List of candidates recommended for appointment to the Post of Deputy Manager

Notification on Computer Proficiency Test and Interview:-

Corrigendum

Computer Proficiency and Interview

Submission of Self Attested Documents

**(New) Declaration of Result for Written Test held on 14-02-2021 for the Post of Deputy Managers and Senior Account Assistants**

Advertisement for the Recruitment MTS/Deputy Manager/Sr. Acct. Asst.

Result for the recruitment to the post of Multi Tasking Staffs and Drivers

Exam Notification for the post of Senior Account Assistants and Deputy Managers

** All eligible candidates of Deputy Managers and Senior Account Assistants are requested to download the Admit Card from www.nerecruitment.in after login with registered ID and Password**

Scheme of Examination:

List of Candidates for Appearing Written Test:

Notification:

Note: If any issue arises in the online registration/submission, please contact Portal Manager +91 6026937517

MSCB LTD BC POLICY

 

THE MANIPUR STATE COOPERATIVE BANK LTD., ADMINISTRATIVE OFFICE, IMPHAL.

Policy on financial inclusion by extension of banking services-Use of Banking Correspondent (BC)

 

  1. Objective:

  1. To achieve financial inclusion in the state in a holistic manner and bring the vast majority population within the banking fold.
  2. To provide access to banking market, access to credit market and financial education to people in unbanked areas.
  3. To increase outreach of the Bank with the need of substantially increasing our market shares in rural and semi-urban areas.
  4. To reach the vast number of untapped small and marginal clients at the bottom of the pyramid to increase the business, enhance the profit and spread risks.
  5. To provide comprehensive financial services to the underprivileged encompassing Savings, Credit, Remittance, Insurance, and Pension products in a cost effective manner particularly in untapped/unbanked areas.
  6. To reduce transaction cost as well as increasing efficiencies by providing linkages between existing network of our branches and the informal and formal agencies engaged with poor, by adopting Information Communication Technology (ICT) based solutions.

 

  2. Eligible individuals/entities:

2.1      Business Correspondent:

 

  1. Societies registered under MCS Act, 1976/Mutually Aided Cooperative Societies Act (MACS).
  2. NGOs registered under Societies Registration Act, 1980.
  3. MFIs set up under Indian Societies/Trust Act/Societies Registration Act, 1980/NBFCs.
  4. Companies registered under section 25 of the Companies Act 1956 (provided that section 25 companies in which NBFCs, Banks, Telecom companies and other corporate entities or their holding companies do not have equity holding in excess of 10%).
  5. Post offices.
  6. Retired Government Employees and Ex-servicemen.
  7. Retired Bank employees who have retired on superannuation.
  8. Farmers Clubs.
  9. Retired School/college teachers.
  10. Authorised functionaries of well run Self Help Groups (SHGs) linked to banks.

 

  1. Eligibility Criteria for BC

The identification process shall be based on, inter-alia, the reputation of the individual/entity in terms of commitment, integrity and competency, governance structure, capability for proper maintenance of records and accounts, capacity to provide social support to poor and marginalized sections,   grass root presence in the area proposed to be served by them and experience of prior relationship with the bank. The source of funds, if any of the entity, its deployment, etc, should be examined.

  • Business Correspondent:
  1. Should know Manipuri/local language/dialect.
  2. Should satisfy the norms of due diligence.
  3. Should have knowledge about the area.
  4. Should not be affiliated to any political party/religious organisation.
  5. The organization/office bearers/members should not have any criminal record which should be verified from police record.
  6. The BC in case of individual should be referred by two customers of our bank having satisfactory dealings or two reputed persons of the locality known to the bank.
  7. In case of an organisation, it should have satisfactory track record so as to ensure that they have the aptitude and capability to perform the role of business facilitator.
  8. Should not be a defaulter borrower to any bank.
  9. Should not be a BC of any bank.
  10. Persons/organizations with satisfactory dealings with the bank should be preferred.
  11. Minimum education qualification for individual Business Correspondents should be Xth standard pass.
  12. The Individual BC should be a permanent resident of the area in which the proposed BC is to operate and must have resided there for a period not less than 10 years.
  13. Age in respect of individual BC should not be less than 25 years and not exceeding 65 years at the time of selection. Individual BC should continue till the age of 70 years subject to annual review.
  14. In case of individual, he should not be a Director or officer/employee of the bank or a relative having the same meaning under section 6 of the Companies Act, and in the case of an entity, it should not be owned or controlled by such persons.
  15. Should enjoy good reputation and stature and have the confidence of the local people.
  16. Should have the capability for proper synthesizing of information, documentation, maintenance of records and accounts.
  17. Should have the capacity to provide social support and guidance to poor and marginalized sections.
  18. Should have commitment for social action and capacity building, should be non-discriminative, secular, non-exploitative, transparent and have good governance structure (Code of ethics).
  19. Should have significant rural/semi-urban presence.
  20. The entity should have satisfactory track record and should be able to generate the funds required for rendering the services.
  21. Ability to invest in Point of Service (POS) devices and other equipment.
  22. Ability to retain the required cash balance at Point of Sale and the balances in the Current account on continuous basis.
  23. Preference should be given to well regulated entities.

 

# Due diligence should involve an evaluation of all available information about the service provider, including but not limited to:

  1. Past experience and expertise to implement and support the proposed activity over the contracted period.
  2. Financial soundness of the service provider and ability to fulfil commitments even under adverse circumstances.
  3. Business reputation and culture, compliance, complaints and outstanding or potential litigation.
  4. Security and internal control, audit coverage, reporting and monitoring environment, Business continuity management.
  5. External factors like political, economic, social and legal environment of the jurisdiction in which the service provider operates and other events that may impact service performance.
  6. Ensuring due diligence by service provider of its employees.

 

  • Appointment of Sub-agents by BCs:
  1. In case duly appointed BCs, as entities of the bank, desire to appoint Sub-agents at the grass root level to render the services of a BC, the Bank has to ensure that:
     1. The Sub agents of BCs fulfil all relevant criteria stipulated for BC in terms of the extant guideline.
     2. The BC appointed carries out proper due diligence in respect of sub agents to take care of the reputation and other risks involved.
     3. The distance criteria of BCs as applicable from the place of business and base branch in rural, semi urban and urban centres should invariably be fulfilled in case of all sub agents.
  2. Individual BC is not permitted to appoint Sub-agent.

 

 

  • Adoption of appropriate technology:

 

The Bank may utilise the following available ICT solutions for financial inclusion:

 

  1. Micro ATM.
  2. EMV card.

 

The Bank will, however, also explore future technological developments in this area. Security, confidentiality, integrity, interoperability among the systems adopted by different banks, etc. will be the guiding factors for adoption of ICT based solutions.

 

  4. Activities to be undertaken

4.1 Activities to be undertaken by the Business Correspondent.

The scope of activities to be undertaken by the Business Correspondent will include:

  1. Opening of “No-Frill” deposit accounts under ICT based financial inclusion.
  2. Accepting of small value deposits.
  3. Paying for small cash withdrawals.
  4. Disbursal of small value credit.
  5. Collection of small value deposits per month.
  6. Receipt and delivery of small value remittances/other payment instruments.
  7. Payment/Receipt in respect of e-governance activity.
  8. Recovery of principal/collection of interest subject to the fulfilment of conditions as stipulated in RBI guideline on engagement of Recovery Agent.
  9. Sale of Micro insurance/mutual fund products/pension/other third party products.
  10. In respect of all such transactions, the BC/its agent will be authorized to accept/deliver cash either at the place of work or any convenient location subject to ceiling of Rs.10,000/- per customer per day. The total transaction in a year should not exceed Rs.1.00 lakh per customer.
  11. Furnishing of mini account statement and other account information.
  12. Any other services on behalf of the Bank, duly authorized by the appropriate authority.
  13. The activities to be undertaken by the Business Correspondents would be within the normal course of the Bank’s banking business, but will be conducted through and by the entities indicated above at places other than Bank’s premises. The BC will be linked to a nearby branch (link branch/base branch).
  14. Preliminary processing of loan applications including verification of primary information/data.

 

 

5. Selection procedure for Business Correspondent:

  i. The selection will be made at Head Office level and the selection committee will consist of Managing Director/CEO, Deputy General Manager, Assistant General Manager (Accounts), Assistant General Manager (Loans & Recovery) and Chief Officer (Information Technology). The Managing Director will act as Chairman of the Committee and Deputy General Manager will act as member secretary to the Committee.
  ii. After formation of the committee, an advertisement will be inserted in a widely circulated local daily newspaper containing the salient features for selection and engagement of BCs. In the advertisement, it should be made clear that calling for applications shall not be construed as a right to selection and the Bank reserves its right to select/reject the application on merit.
  iii. The advertisement may be waived at the discretion of the selection committee in the following cases:
      1. Reputed corporates having IT enabled rural outlets or entities with an established presence (e.g. Reliance, ITC etc.).
      2. When BC is a government Department (e.g. India Post).
      3. PACS/Societies/NGOs/MFIs already financed by the bank whose repayment and performance is satisfactory.
  iv. The applicant for BC will submit his/her application in the prescribed format to Head Office through any of the branches in its area of operation. The application form may be available at Bank’s Head Office or branches.
  v. The Deputy General Manager, with assistance of other officers at Head Office, will scrutinise the applications for selection of BC and carry out due diligence.
  vi. Local enquiries and field survey will be conducted by involving officials, as decided by the Selection Committee, which may include officials of Head Office and Branches of the bank, to assess the availability of infrastructure, equipment, manpower as well as reputation of the applicants.
  vii. The Selection Committee at their discretion may call short listed candidates for personal interview.
  viii. Based on the above selection process, the Selection Committee will select the most suitable entities/individuals. The number of entities/individuals will be selected based on eligibility/potentiality of the business.
  ix. During the selection process, it will be made clear to the selected entities that they/their agents will render services to the bank on contract basis with payment of service charge/fee depending on work/performance and there will be no employer employee relationship between the bank and the BC.
  x. The selected BCs will be enrolled by the Managing Director with exchange of an engagement letter along with the code of conduct in detail.
  xi. An agreement will be entered into by the BC with the bank. The Agreement will be signed by the Managing Director on behalf of the Bank. The agreement will contain the terms and conditions, incentives, structure and such other details of the engagement.
  xii. A suitable Fidelity/secrecy undertaking shall be obtained from BCs.
  xiii. The original Agreement with BC will be kept at Head Office, and the copy should be kept at Branch offices where the service of the BC will be utilised.
  xiv. The BC will furnish a list of authorized agents proposed to be employed by him with details of their bio-data containing photograph, address, age, educational background, present occupation, monthly income details, details of existing banking arrangements (should not be a defaulter with any bank), area of operation and past experience, if any, related to banking & insurance. The lists of agents so proposed will be received by the Head Office where their services will be utilised and after getting examined by the concerned branches for suitability, the approval will be advised to the BC by Head Office.

 

6. Security Deposit.

(i) To mitigate agency risks, the Bank will obtain security deposit as mentioned below:

BC as entities: As a fixed percentage determined by the respective Selection Committee in terms of their expected business volume in a year with a minimum of Rs.1.00 lakh.

BC as individual: As a fixed percentage determined by the respective Selection Committee in terms of their expected business volume in a year with a minimum of Rs.0.25 lakh.

The security deposit should be kept in the form of RIP for a minimum period of 5 years at the rate applicable from time to time and should be kept under lien with the concerned Branch. The safe custody receipt will be kept free of cost at the concerned branch.

(ii) Notwithstanding anything contained in Para No. 6(i), the Security Deposit requirement may be exempted if the responsibilities and duties of the BC are restricted to (i) Cash withdrawal and (ii) Remittance of funds only.

7. Service charge/fee for BC:

7.1 Loans and advance:

  i. For disbursal of loan, service charge should be @ 0.50% of total loan amount subject to maximum Rs.1000/- to be paid in the following schedule.
  ii. Recovery in standard loan account: 0.50 % of recovered amount.
  iii. Recovery in NPA up to Rs.1.00 lakh: 2 % of recovered amount.
  iv. Recovery in NPA for loss and written off account up to Rs. 1.00 lakh: 5% of recovered amount.

7.2 Deposit account:

  i. Savings/RD account: Rs.5/- per account.
  ii. New Term deposit: 0.5 % of the deposit amount for term deposit of minimum six months tenure.
  iii. Proportionate service charge will be realized from the BC if the term deposit is prematurely closed before six months.
  iv. No service charge for deposit above card rate.
  v. No service charge for Bulk deposit, public sector, government deposit.
  vi. No service charge for NRE, NRO, FCNR deposit.
  vii. No service charge for transfer of deposit from one branch to another.
  viii. No service charge for renewal of deposit.

 

7.5 Cash withdrawal: 0.5 % of the transaction amount.

7.6 Cash deposit: 0.5 % of the transaction amount.

7.7 Cash Management: 0.5 % of daily cash deficit at CSP level (Cash withdrawal- cash deposit)

7.8 Remittance: 1 % of the transaction amount.

7.8 Sale of Mutual fund/Bank insurance products/pension/any other 3rd party product: 10 % of the commission earned by bank.

7.9 The other charges payable by the Bank to BC are as under:

  i. BC having less than 500 customers – Rs.2,000/- per month. (Customer handling & maintenance Fee)
  ii. BC having 500 customers or more – Rs.2,500/- per month. (Customer handling & maintenance Fee)
  iii. USB Maintenance cost of BC
      (a) BC having less than 500 customers – Rs.500/- per month.
      (b) BC having 500 customers or more – Rs.750/- per month.

 

8. Duties and responsibilities of BC

  i. BC will be accessible to the account holder minimum 8 hours from 9 AM to 5 PM.
  ii. BC will ensure that the outlets are manned by reliable and knowledgeable persons so that the business continuity is maintained.
  iii. BC will provide permitted Banking services on behalf of the bank.
  iv. BC will visit the households in their area of operation regularly.
  v. BC will maintain a Register to keep records of the persons contacted with full details of name, address, date of contact and outcome of the visit.
  vi. BC will carry with him the stationery items/brochures etc. relevant to Bank’s Deposit/loan products and other financial products relating to cross selling.
  vii. BC will carry Identity card issued by the bank and produce the same before the customer on demand.
  viii. BC will explain the salient features of the Bank’s products to the prospective customers.
  ix. BC will assist the prospective customer for completing the account opening form/loan application.
  x. BC will brand his name & code number on every application sourced by them.
  xi. BC will verify the primary information/details given by the applicant, will identify the customer and will make a recording of his verification/identification on the account opening form/loan application form.
  xii. The concerned BC, after the account is opened at the branch, will collect the chip based photo personalized prepay card against dated acknowledgement in a register maintained at the branch for the purpose.
  xiii. The BC will upload the details of the applicant enrolled during the day to pre-paid host from a web based interface/CBS or any other manner as may be specified.
  xiv. BC will deliver the account opening forms (after accounts are opened by him) and loan applications to the identified link branch against acknowledgement.
  xv. BC will accept/disburse cash by undertaking transaction through ICT based solution.
  xvi. BC will issue system generated printout of cash transaction immediately and mini statement to the card holder on demand.
  xvii. BC will ensure that the daily cash withdrawal limit does not exceed the threshold limit fixed for such accounts by the bank and advised to him from time to time.
  xviii. List of Dos & Don’ts will be displayed by the BC at their outlet and a copy to be provided to the customers along with the account opening forms/loan applications.
  xix. BC will display the Bank’s products at their outlets.
  xx. BCs will obtain suitable cash insurance cover for holding cash overnight and in transit and also obtain fidelity insurance cover for their agents. (BCs only)
  xxi. BC will claim the commission/service charge due from the respective link branch at the end of every month.
  xxii. BC is prohibited from charging any fee from the customer directly for services rendered by them on behalf of the bank.
  xxiii. BC will educate customer about terms of sanction of loan, repayment and recovery.
  xxiv. BCs will account for and reflect the transaction in the Bank’s book by the end of the day or next working day of the transaction. The transaction should be accounted for in the Bank’s book latest by the end of the second working day from the date of transaction.
  xxv. BC or its agent will handle their responsibilities with care, diligence and sensitivity.
  xxvi. BC should ensure that their agents conduct all financial transactions online. If transactions are conducted in offline mode because connectivity is temporarily not available, they should ensure that all receipts and payments are accounted for and transferred to the pre-paid host server as soon as connectivity is restored. Under no circumstances should the transfer of such offline transactions to the pre-paid host server be delayed beyond 24 hours of connectivity being restored.
  xxvii. During recovery procedures, BCs will adhere to Bank’s Fair Practice Code for Lenders. The BCs will refrain from any action that could damage the integrity and reputation of the Bank and observe strict customer confidentiality.
  xxviii. BC will not resort to intimidation and harassment of any kind, either verbal or physical, against any person in their recovery process.
  xxix. BC should adhere to the Code of Conduct in letter and spirit, failing which penal provisions including termination of agreement would be attracted.
  xxx. A complaint book will be maintained by the BC at their outlet to enable the customers to record their complaints, if any.

 

9. Duties and responsibilities of Base branch:

  i. To develop contacts with NGOs, MFIs, working Co-Operating Societies, Post Office, community based organisations, etc. and seek their help in identifying suitable BCs.
  ii. To identify potential villages for BC initiatives.
  iii. To help the Head office in selection of BC by undertaking field visit and local enquiry to verify the particulars of the BC, to assess the availability of infrastructure, equipment, manpower as well as reputation of the applicants.
  iv. To maintain a list of all BCs and their authorized agents attached to it and to display their names and address prominently in the notice board.
  v. To ensure wide publicity for engagement of BCs.
  vi. To designate a suitable officer to deal with the implementation and operation of BC model, closely monitor the activities and performance of BFs and to bring to the notice of the branch head the lapses/violation of terms and condition of the BC, if any. However, the branch head will also remain equally responsible for proper monitoring, follow up and supervision of the functions of the BCs of the Branch.
  vii. To apprise the empanelled BCs about bank’s brand equity, product features, KYC norms, expectations & Goals.
  viii. To explain the roles and responsibilities of the BC and to clear their doubts.
  ix. To supply adequate number of account opening forms/loan applications to the BCs for their use.
  x. To receive back completed account opening form along with documents for compliance for KYC norms.
  xi. To ensure compliance of KYC formalities.
  xii. To keep custody of account opening form received from BC.
  xiii. To upload the account opening information to prepaid host/CBS server through web interface, wherever warranted by the process.
  xiv. To provide support to the BCs for inflow and outflow of cash for operation purpose.
  xv. To arrange payment of service charge/fee to the BCs on the basis of their actual performance on monthly basis after deducting TDS and issuance of TDS certificate.
  xvi. To watch the performance of accounts brought in by BC and to rate the agencies on the basis of performance of the account. The assessment shall include the remoteness of the accounts brought in, the types of the client, the regularity of the savings/credit usage and repayment, upkeep of records etc.
  xvii. The supervision/monitoring at the initial stage should be on weekly basis at least for six months, thereafter on monthly basis and advise controlling offices accordingly.
  xviii. To obtain feedback on each BC from a minimum of 10 customers, to be selected at random, per quarter.
  xix. To recommend termination of inactive BCs.
  xx. Ensuring list of Do’s and Don’ts is made available to the customer in vernacular language.
  xxi. To undertake customer awareness and education programme regarding the BC Models.
  xxii. To undertake regular visit to outlets of BC, verify books and records of BC by the Branch Manager or authorized officer and to take necessary steps for improvement, keeping record of the same and reporting to controlling offices. These visits should initially be more frequent, preferably once in a week, and later could be fortnightly/monthly.
  xxiii. To report any adverse feature/act of BC not in the interest of the bank to the controlling offices.
  xxiv. To control, supervise and monitor the BC.

 

10. Duties and Responsibilities of Head Office (General)

  i. To prepare corporate level action plan for BCs as well as action plan for implementation of financial inclusion by use of BCs.
  ii. To prepare and communicate Branch wise business plan for mobilizing business through BC.
  iii. To select and engage BC following procedure mentioned in the guideline.
  iv. To accord approval of agents to be employed by BCs for the branches after carrying out necessary due diligence.
  v. Act as process owner/planning.
  vi. To review the policy and procedures of BC model and suggestion for any modification, addition/deletion in the same.
  vii. To issue circular and communication to the branches for implementation of BC facility.
  viii. To review performance of the branches for implementation of BC model and progress of financial inclusion.
  ix. To review and monitor the volume of the business generated by BCs.
  x. To look into the functioning of BC during the visits of the officials from Head Office to the branches.
  xi. To oversee the branch level monitoring mechanism for BCs.
  xii. To arrange training of agents of BCs through retired bankers, experts, specific training institutes etc.
  xiii. To keep custody of agreement with BCs and diarizing for renewals etc.
  xiv. To monitor and review branch wise performance of BCs.
  xv. MIS - collecting, collating and forwarding to Board/RBI/NABARD/Government as the case may be.
  xvi. Review code of conduct of BFs.
  xvii. To review the performance of BCs engaged and renewal of agreement.
  xviii. Review and re-fixing of threshold business limit at periodical interval.
  xix. To control, supervise and monitor BCs with the assistance of branches.
  xx. To ensure compliance to RBI, NABARD, Government guidelines and communicate with them.
  xxi. To maintain a central record of all engaged BCs.
  xxii. To undertake audit of BCs engaged by the bank.
  xxiii. Launching of products and services suitable for financial inclusion.
  xxiv. To ensure prompt and proper redressal of grievances of customers for the outsourced activities.

 

 

11. Duties and responsibilities of Head Office (computer department):

  i. Selection of appropriate technology to scale up financial inclusion efforts with necessary care to ensure that solutions are highly secure, amenable to audit, and follow widely-accepted open standards to allow inter-operability among different systems adopted by different banks.
  ii. Selection of Technology vendor for hardware, software and connectivity under ICT based financial inclusion involving BC.
  iii. To facilitate selection of BC.
  iv. Signing of MOU with technology provider.
  v. Supervision and Monitoring of ICT solution under financial inclusion with BC Model.
  vi. Provide support for verification of enrolled data and uploading data in link Branch for opening of No-frills account.
  vii. To ensure the preservation and protection of the security and confidentiality of customer information in custody or possession of BCs under ICT solution.
  viii. To ensure appropriate checks and control for technology related operational risks like failure, fraud, error, etc.
  ix. Co-ordination with technology vendors for all data/IT/CBS related issues.
  x. To review the performance of the technology vendors and renewal of service contracts at regular intervals.
  xi. Audit of the technology vendor.
  xii. Payments of bills of technology provider.

 

 

 

12. Compliance with Know Your Customer (KYC) norms.

  i. Bank will be responsible for compliance of KYC norms. RBI has, however, provided sufficient flexibility, especially in case of BCs. In addition to introduction from any person on whom KYC has already been done, any certificate of identification issued by the Business Correspondent (who is an existing account holder), Block Development Officer (BDO), head of village panchayat, Post Master of the Post office concerned or any other public functionary known to the bank.
  ii. Simplified KYC norms as proposed by RBI and modified from time to time will be observed in respect of accounts opened by BC under this model for no-frill accounts.
  iii. On receipt of Application Forms in respect of Account opened by the BCs, link branch will arrange verification of particulars of the account holders in respect of minimum 5 % of the accounts so opened, through arranging personal visits.
  iv. Detailed KYC norms will be observed by Bank if the balance crosses the threshold limit of Rs.50,000/- or yearly credit in all the accounts taken together exceeds Rs.1.00 lakh.

 

13. Monitoring of performance of BC

  i. The BCs will submit village wise performance report to the link branch office at monthly interval in standard format containing the following reports:
      1. No. & amount of new deposit accounts sourced (SB/TD)
      2. No. & amount of loan application sourced – of which loan application sanctioned, loan application disbursed, loan application rejected, loan application pending.
      3. Cross selling: No. & Amount
      4. Receipt & Payment of cash (No. & amount)
      5. Recovery of loan (No. of accounts & amount) – of which recovery from live account, NPA and written off account.
      6. Awareness meeting organised: No. of meetings and No. of persons who attended the meeting.
  ii. The performance will be measured with reference to the target assigned to the BCs.
  iii. The deficiencies, both qualitative and quantitative, will be taken up with the concerned BCs and followed up for improvement.
  iv. The Branches will submit the report to the Head office at monthly interval.
  v. Persistent deficiencies should be separately reported to the Head office for necessary action.
  vi. The Head office will measure the performance with reference to branch level plan for BCs. It will review the performance, working and conduct of BCs and will take necessary steps for improvement of performance of BCs. The Head office will take a view on persistent deficiency reported by Branches.
  vii. Head office will review the performance, working and conduct of BCs on the basis of report received from branches and will take necessary corrective steps for improvement of performance. The Head office will take a view on persistent deficiency of BCs reported by branch offices. Head Office will measure the performance with reference to the corporate level plan for BCs and submit consolidated report to Board on quarterly basis for review.
  viii. To enable reporting on the desired line, a unique reference number should be allotted to the BCs, which is to be made a part of every transaction emanating from the BC concerned.
  ix. The reporting format for monitoring performance of BCs will be prepared by Head office. A software meant for monitoring performance of BCs may be identified and put in place with the help of computer department.
  x. The Format for inspection and audit may be developed by head office inspection department.

 

14. Review / Renewal of services:

  i. In first year: Half yearly renewal of service.
  ii. Subsequent Year: Yearly renewal of service.
  iii. The review will be carried out by the selection committee.
  iv. The periodicity for renewal of BC may be changed at the discretion of the selection committee.
  v. The Agreement will be renewed on expiry of the same or three years from the date of agreement whichever is earlier.

 

 

15. Custody of Agreements/MOU entered into with BCs

  i. The custody of agreement and responsibility of renewal rest with the Head office for all BCs engaged by the bank.

16. Termination of Agreement:

On review, if it is observed that any of the terms and conditions of the MOU/code of conduct was violated by any agent of BC, the bank’s approval in respect of the concerned agent will be withdrawn and will be conveyed to the concerned BC, which has to withdraw the agent with immediate effect. If the BC happens to be an individual, the arrangement with BC will stand terminated.

The decision in this regard will be taken by the selection committee on recommendation of Branch.

The service of BCs will be terminated on the following grounds:

  i. Submission of forged documents indicating dishonesty or lack of integrity.
  ii. Leakage of customer’s data.
  iii. Failure to meet statutory liabilities, which may in turn fall on the bank as principal.
  iv. Involvement of fraud.
  v. Any other action/act of the BC which is detrimental to the interest of the Bank.

 

The termination of BC will be widely publicised through newspapers, notice in Branches etc. The identity card issued to the concerned BC will be taken back and destroyed and suitable noting should be made in the identity card issue register. The list of such terminated service providers along with reason of termination shall be informed to the IBA so that IBA can include the name in their caution list for sharing amongst the Banks.

17. Payment of Fees to the BFs/BCs:

The BCs will submit the claim of service charge to the link/base branch on monthly basis along with monthly returns. Branch Manager will pay the service charge to the BC as per approved rate after making proper scrutiny of Bills and approval from Head Office. The payment of service charge after deducting TDS will be made by creating a new PL account in CBS system in the name “Service charge paid to BC”. The payment of fees will be made by the link/base branch within the first five working days of the month succeeding the completed month by way of Banker’s cheque or credit to BC’s account.

18. Cost of Point of Service (POS) and other equipment:

In terms of RBI circular no.DBOD.NO.BL.BC.63/22.01.009/2009-10 dated November 30, 2009, Bank will bear the initial set up cost and other costs of the BC and will extend a handholding support to the BCs during the initial stages at least for one year.

19. Financial education and consumer protection:

It is the responsibility of the bank to take proactive steps as below to ensure that disputes are kept at minimum:

  i. Bank will educate its clientele in their respective vernacular language regarding the benefits of banking habits.
  ii. Sufficient publicity should be given regarding the appointment of BC and the outlet/agent by holding meetings in the villages and/or through notifications published in the local newspapers in the regional languages. In addition, notices may also be displayed in the village panchayat office and the link branch.
  iii. Information regarding BCs engaged by banks should be placed on the Bank’s Website.
  iv. The Annual Report of the Bank should also include the progress in respect of extending banking services through the BC model and the initiatives taken by Banks in this regard.
  v. Bank will take necessary measures to ensure the preservation and protection of the security and confidentiality of the customer information in the custody or possession of the BCs.
  vi. Bank will educate the customers through various print and electronic media about the care to be exercised by them when transacting at the BC outlet, the role of the BC and their obligation towards the customers, in vernacular language.
  vii. While opening accounts, a complete list of Dos and Don’ts relating to their actions with BCs in the local language should mandatorily be made available to the customers at the BCs outlets. These are also to be explained to the customers at the village level meetings to be held by the branches.
  viii. Bank will put in place an appropriate grievance redressal mechanism.

 

20. Redressal of Grievances:

  i. The grievances of customers regarding services provided by the Business Correspondent shall be redressed properly and without delay as per the existing grievance redressal mechanism of the Bank, which has been well publicized through notices displayed in branches/offices and placed on the Bank’s website. The time schedule prescribed for redressal of grievances is given below:
      • 7 days at Branch level,
      • 21 days at Head Office level
  ii. The Customer shall have the liberty and option to approach the office of the Banking Ombudsman concerned for redressal of grievance, if a satisfactory response is not provided by the bank within 60 days from the date of lodgement of the complaint.

21. Risk Factor & Risk Mitigation:

Bank’s policy on “Managing risks & code of conduct in outsourcing of financial services” identified risks associated with outsourcing of financial services which are as follows:

  1. Strategic Risk- the service provider may conduct business on its own behalf, which is inconsistent with overall strategic goals of the bank.
  2. Reputation risks- poor service from the service provider, its customer interaction not being consistent with the overall standards of the bank.
  3. Compliance Risk- Privacy, consumer and prudential laws not adequately complied with.
  4. Operational Risk- Arising due to technology failure, fraud, error, inadequate financial capacity to fulfil obligation and/or provide remedies.
  5. Legal risk- includes but is not limited to exposure to fine, penalties or punitive damages resulting from supervisory actions, as well as private settlement due to omission and commission of the service provider.
  1. Exit Strategy risks- Risks arising from over-reliance on one firm, the loss of relevant skills in the bank itself preventing it from bringing the activity back in-house and contracts entered into where in speedy exit would be prohibitively expensive.
  2. Counter party risks- Due to inappropriate underwriting or credit assessment.
  3. Country risk: Not applicable as BC & BF should be permanent resident of the area of operation.
  4. Contractual Risk- Arising from whether or not the bank has ability to enforce the contract.
  5. Concentration and systemic risk- Due to lack of control of the bank over a service provider, more so when overall banking industry has considerable exposure to one service provider.

It is therefore imperative for the bank to ensure effective management of risks. Some of the elements of checks that will be put in place by the Bank for the management of risks as described above are-

  1. Due diligence to be exercised at the time of selection of BF/BC to assess the capabilities of the service to comply with the obligations in the outsourcing agreement in regard to qualitative and quantitative, financial, operational and reputational factors .Compatibility of the service provider’s system with bank’s own system and their standard of performance including the area of customer service shall be taken care of. Where ever possible independent views and market feedback on the service provider shall be obtained to supplement Bank’s own findings.
  2. The reputational, financial and fidelity risks involved have to be assessed and managed by the bank through a process of formal rating of the institutions that will act as a support system.
  • The performances of the BCs are to be monitored at prescribed interval.
  1. A well defined contractual agreement duly approved by the legal department of the bank on their legal effect and enforceability to be entered into between the Bank and BF/BC. Every such agreement should address the risks and risk mitigation strategies identified at the risk evaluation and due diligence stages. The agreement should be sufficiently flexible to allow the bank to retain an appropriate level of control over the outsourcing and the right to intervene with appropriate measures to meet legal and regulatory obligations. The agreement should also bring out the nature of legal relationship between the parties- i.e whether agent, principal or otherwise. Some of the key provision of the contract would be.

 

  1. The contract should clearly define what activities are going to be outsourced including appropriate service and performance standards.
  2. The bank will ensure that it has the right and ability to access all books, records and information relevant to the outsourced activity available with the service provider.
  3. The contract will provide for continuous monitoring and assessment by the bank of the BCs so that any necessary corrective measure can be taken immediately.

 

 

  1. A termination clause and minimum periods to execute a termination provision, if deemed necessary, will be included.
  2. The service provider shall ensure that access to customer information by its employees is on a need-to-know basis, i.e. limited to those areas where the information is required in order to perform the outsourced functions.
  3. Confidentiality of customer data is to be ensured, along with the liability of the service provider in case of breach of security and leakage of confidential customer-related information.
  4. Contingency plan to ensure continuity.
  5. The contract should provide for the approval by the bank of the use of subcontractors by the service provider for all or part of an outsourced activity.
  6. The contract will provide the bank the right to conduct audits on the service provider, whether by its internal auditors or external auditors or by agents appointed to act on its behalf, and to obtain copies of any audit or review reports and findings made on the service provider in conjunction with the services performed for the bank.
  7. Outsourcing agreements should include clauses to allow the Reserve Bank of India or persons authorised by it to access the bank’s documents, records of transaction, and other necessary information given to, stored or processed by the service provider within a reasonable time.
  8. The outsourcing agreement should also recognise the right of the Reserve Bank to cause an inspection to be made of a service provider of a bank and its books and accounts by one or more of its officers or employees or other persons.
  9. Maintenance of confidentiality of the customer’s information even after expiry/termination of the contract.
  10. Preservation of data and documents by the service provider, in accordance with the legal/regulatory obligations of the bank.
  1. A code of conduct, duly vetted by the legal department, setting out the responsibilities of the BC, including adherence to the bank’s fair practice code, is to be signed by the BC.
  2. A security deposit is to be insisted upon in terms of the expected business volume in a year. The proposed minimum security deposit is Rs.5000/- for an individual BF and Rs.10,000/- for a BF other than an individual. In the case of a BC, the proposed minimum security deposit is Rs.0.50 lakh for an individual and Rs.10.00 lakh for others.
  • Provision of maximum cash limits, both per client and per day, keeping in view, among others, the economic profile of the area, reasonability factors, the track record of the Business Correspondent, etc.
  • The BC and its agents are to be trained adequately to discharge their responsibilities with care and sensitivity in soliciting customers, hours of calling, privacy of customer information, conveying the correct terms and conditions of the product on offer, and other relevant areas. Adequate ongoing training is to be put in place.

 

 

 

  1. As a concentration risk management measure, the exposure limit for business developed through an individual BC should not be more than 10% of the total business developed by BCs collectively. The exposure limit for business developed by a BC other than an individual should not be more than 30% of the total business developed by the BCs collectively. The exposure limit may be reviewed periodically on the basis of the business developed through correspondents collectively as well as individually.
  2. The portfolio developed through the Business Correspondent may be segregated so as to be easily identifiable in the bank’s books/IT system. The portfolio shall be readily available for supervision and monitoring and for statistical compilations.
  3. The Bank will take steps to rate the Business Correspondents, and only well-rated agencies may be engaged. In the case of MFIs, the rating may be undertaken by independent agencies.
  • Use of a technology-based solution (ICT solution) that ensures proper authentication and other security measures to minimise the operational risks.
  • Obtaining suitable cash transit insurance.
  • Educating the customers about their responsibilities and the role of the BF/BC and their obligation towards customers.
  1. To put in place an appropriate grievance redressal mechanism, which should be widely published and also be placed in the public domain.
  • The Bank should insist on a suitable business continuity plan being drawn up and documented; it should be made a part of the MOU.
  • Surprise checks.
  • Audit/inspection.

 

  1. Training to BCs

The bank will impart training to the BCs in the local language to provide them with proper attitudinal orientation and skills.

  1. Temporary overdraft to BCs:

A reasonable temporary overdraft may be allowed to BCs to improve the viability of the BC. However, the limit should not exceed 25% of the security deposit or the average daily net cash deficit (Cash payment – Cash receipt), whichever is lower.

  1. Service charges to be levied from the customers by Bank:

Service charges will be levied by the bank in the following areas:

  1. Payment of wages under NREGA, payment of social security pension and payment of other Government benefits, if no transaction fee is provided by the concerned State Government/Central Government: 1% of the transaction amount, subject to a minimum of Rs.10/- and a maximum of Rs.50/-.
  2. Remittance of funds (maximum Rs.10,000/-): 1% of the transaction amount, subject to a minimum of Rs.10/-.

 

  1. Other conditions for engagement of BC
  2. Customers will also have the freedom to use branch banking facilities even though Business Correspondents are available in their locality or even if they are initially sponsored by a Business Correspondent.
  3. All agreements/contracts with the customer should clearly mention that the bank is responsible to the customer for acts of omission and commission by the Business Facilitator/Business Correspondent.


Working Hours

Monday – Saturday

The 2nd and 4th Saturdays are holidays as per RBI Guideline since 1st September

0385 - 2451540, 2451378

© 2015 MSCB Ltd, All Rights Reserved.
 
