Bank Fines HPE's Financial Services Arm In India

The Reserve Bank of India has fined HP Financial Services (India) the equivalent of $12,400 for not complying with regulations – some related to know your customer (KYC) measures – and failing to have necessary IT committees.

In a notice [PDF] published last Friday, the reserve bank asserted it had notified HP Financial Services (India) of violations and asked it to argue why a penalty shouldn't apply, and found its response insufficient.

The full allegations include that HP failed to establish a system for regularly reviewing and updating the risk classification of accounts, or explaining its risk assessment method. It's also alleged not to have adequately disclosed interest rates it charged, or the reasons for varying rates to borrowers in its loan forms and sanction letters.

The Indian outfit is also said to have failed to form IT strategy and steering committees.

Hewlett Packard Enterprise, which runs HP Financial Services (India), acknowledged compliance gaps with its unit. "HPE India is committed to following all regulatory requirements in the markets where we operate," a spokesperson told The Register.

"Upon learning of some gaps in our compliance filings for HPE Financial Services, we took prompt action to rectify the matter, and we will continue to work closely with the RBI to ensure we remain in full compliance. Our business operations are not impacted, and we will continue to service our customers and partners as usual."

• HP Inc loves China – but wants to reduce the risks it presents
• HPE to pursue $4B claim against estate of Mike Lynch over Autonomy acquisition
• India to make its digital currency programmable
• India contemplates compulsory dynamic 2FA for digital payments

The $12,400 fine levied on HPE is even smaller than the $27,500 fine imposed on Japanese financial services group SMFG by the reserve bank for cyber security related infractions.

Details of the fines were released on the same day.

SMFG's penalty was announced after an April 2023 control gap assessment revealed inadequate monitoring provisions in vendor contracts; that SMFG had never conducted an infosec audit for network and security solutions; insufficient storage and analysis of email gateway audit logs; and not taking action on a critical alert generated from Endpoint Detection & Response solution for malware detection from an infected server.

SMFG was also given a chance to dispute the fine, according to [PDF] the reserve bank, and the financial institution found SMFG's explanation insufficient to avoid a penalty.

It's been a busy week for the reserve bank. It also sanctioned another bank for operating as a technology service provider. A penalty of ₹1.91 crore ($227,642.97) was levied against Axis bank for that and other violations.

We've previously spotted the regulatory authority banning banks from opening new accounts just for not having adequate infosec – two years of warnings and outages left regulators out of patience with Kotak Mahindra Bank in April of this year.

The reserve bannk's penalties increased 88 percent over the past three years, due to fines issued for anti-money laundering and KYC violations. The increase has been attributed by some to the merging of the financial industry with technology to become the fintech industry, with technology professionals lacking the expertise needed to comply with the extensive regulations of banking. ®

Editor's note: This article was updated on September 16 to include HPE's statement, and to clarify the ownership of HP Financial Services (India).