Operational Risk
• Operational and physical security weaknesses were observed in branches including inadequate CCTV backup retention, unauthorized involvement of non-keyholders in vault operations and cash handling, unrestricted access of messengers, interns, and cleaning staff to vault areas, absence of essential security controls such as alarms and valid fire extinguishers and weak physical infrastructure of vault facilities.
• Instances of weaknesses were observed in process automation such as loans against fixed deposits maturing on official holidays were not automatically settled, requiring manual processing and causing double penalization to clients.
• Deficiencies were noted in CBS and MIS access controls including the use of common usernames and passwords for system logins and the granting of Core Banking System access rights to interns and outsourced staff, violating data security norms.
• Control mechanisms for operational risks found to be inadequate as denominations of currency notes were not reflected in the CBS, the repeated session-extension requests for NCHL-ECC and NCHL-IPS were noted without any remediation measures taken by the bank. Further, the manual stamps for "Good for Payment" were used on cheques without producing and delivering system-printed evidence to the client.
• Lapses were also observed in fund transfer and custody control such as fund transfers were conducted using motorbikes without security guard, uncollected cards and PINs were stored together in a store room for more than a year, chequebooks and ATM cards were kept under a single lock system instead of dual control
Comment