Another Verdict Goes against Bank in Phishing Case
The trendsetting judgement from the Adjudicator of Tamil Nadu, Sri PWC Davidar, on 12th April 2010 on the complaint of Sri Umashankar Sivasubramaniam against ICICI Bank has done yeoman service to the Banking consumers in India by creating a shocking awareness about the insecure Banking practices prevailing in India and how the consumers are being subjected to avoidable risks in the guise of technology introduction in the Banking industry.
Today's Times of India (Bangalore Edition) carries a report about another Consumer Court verdict in Mumbai where a client by name Nikhil Futan has won a compensation of Rs 4.6 lakhs in a Net Banking Fraud case. (P.S: We do not have full details about the case nor the copy of the judgment at this point of time with us and welcome any reader to provide the same for larger circulation through this site).
Earlier Naavi.org has also reported another incident where the Banking Ombudsman of Chennai had ordered repayment of the Phished amount with interest to a customer of Bank of India in Bangalore, which the Bank had rightfully accepted without demur.
Thus there are now three arms of legislation/regulation that have come to the decision that Banks should be held liable for frauds on their customers. We are sure that we will have more such instances in future.... Naavi
What Next?
I am aware that Banks today are like wounded tigers and they will try to muscle their way out of this situation by trying to get the legislation changed if required. The commercial interests are so strong that soon principles may take a back seat and all sorts of vested interests may start influencing the future developments. I would like therefore to start a national debate on this subject so that consumer interests are not short-changed on the altar of technology adoption.
While I welcome the introduction of technology for the betterment of Banking services, I strongly emphasize that the primary focus of Banking should be "Safety of Customer Interests". Introduction of technology like Internet Banking or Mobile Banking cannot therefore come with a dilution of the security of Banking from the users' perspective.
Let's explore some thoughts on how different Government and Industry agencies have repeatedly erred in the past to expose the Indian Banking Consumer to grave risks of technology.
In this exploration, I would like to address the responsibilities of the following parties.
a) Banking Software Companies
b) Banks
c) Reserve bank of India
d) Indian Banks Association
e) SEBI
f) Consumer Interest Organizations/All India Bank Depositor's Association
g) Media
Kindly note that these are my first thoughts and not a complete analysis of the problem and the expected action. I am placing this note in the public domain so that others can join in this debate and we have a good outcome of this situation.
I have already invited the Chairman of IBA, Mr M V Nair, to a public debate which I would like to organize in Bangalore (could be at any other place also) and am awaiting his response. This online debate should provide enough background material on the subject for a meaningful debate. I also invite the national TV channels such as NDTV, CNN IBN, Times Now, Headlines Today/aajtak, etc. to also take up the debate to the electronic media.
Role of Banking Software Companies:
Indian Bankers today use banking software which is supplied to them by reputed organizations such as Infosys, I Flex, Polaris etc. Many Banks have re-engineered their business process to suit the software. Today it is not the Banking that drives the software but the other way round. None of the Banking software providers have embedded the digital signature system of authentication into the core banking software, at least when the software was first installed with these Banks. Subsequently Banks have also not insisted on upgradation since, like the Y2K issue, this is a problem with a deficient software being provided in the first instance and Banks being charged for the upgradation of what is actually to be treated as "Bug Fixing".
Of course technically the software companies may say that the specifications mutually agreed were for password based authentication and not digital signature based authentication, and that it is the responsibility of the Bank as a software customer to determine what is required by them.
However it is necessary for the software majors to introspect and see if it was not their responsibility to point out as a "Technology Consultant" that if the legacy system of physical signature based authentication has to be adapted to an IT base, the equivalent system can only be a digital signature system and not a password based system. This law has been in force since 17th October 2000 and even the Internet Banking guidelines of RBI issued in 2001 have in no uncertain terms indicated that not using Digital signatures in authentication will hoist the "Legal Risk" on the Bank.
Should we assume that the software majors were naive not to understand these provisions? Or should we assume that their CSR did not extend to supply of "Risk Free Software" to their Bank customers, who were in awe of the technology and perhaps did not even know how to draw a proper software specification?
I would like socially conscious software persons like Sri N R Narayanamurthy to share with the public why a company like Infosys could not have incorporated digital signatures as a mandatory authentication mechanism in their software and priced their products accordingly when they supplied their first version of Banking software to ICICI Bank?
Banks
I accept that the first generation of Banking software was accepted by the Banks on an "As is Where Is Basis" as supplied by the software experts. However there was enough discussion of the "Non Compliance of Law in Banking industry" even on this one site www.naavi.org for any serious Banker to sit up and take notice. Naavi has personally contacted a number of Banks on a number of occasions (mostly in the seminar environment) and always insisted that Banks are ignoring the legal risk and are even becoming non compliant with Basel 2 norms. If these cries have not been heard, it is because the Bankers have chosen to play deaf deliberately. Since the passing of the ITA 2008, Naavi has intensified his educative efforts and has directly confronted some Banks and nearly charged them with conducting the business in a manner not approved by law or regulatory advice. Violation of the obligations under Clause 49 was also repeatedly highlighted. I would be surprised if not less than 20 Chairmen of Banks had not received the communication in no uncertain terms during the last 6 months before the Umashankar judgement.
Regretfully none of the Banks were interested in even conducting an ITA 2008 audit first to understand where they are falling short, let alone taking a decision to implement the digital signature system.
What is surprising to note is that ICICI Bank, which is in the center of the storm today, had itself started using digital signatures for its e-mails some time back. When Naavi pointed out certain technical deficiencies in the system, instead of correcting the system, they chose to drop the system altogether. The clarification issued by ICICI Bank at that time and Naavi's remarks thereon can be read here.
I am surprised that a Bank which has access to the experience of Banking veterans such as Mr K V Kamat and several persons who earlier worked in Canara Bank could not understand that they were behaving in a very Un-Banker manner by choosing to do business deliberately challenging the law.
Reserve Bank of India and IBA
In my previous article I have responded to the number of comments posted on the Economic Times website against the article reporting the Umashankar Case. These comments were posted by techno savvy persons, many of them from abroad. Some of them expressed that they were aghast that a Bank could be held liable for such a fraud since, according to them, the customer was "Stupid" and caused the fraud on himself.
In this context, as an Ex-Banker from a Nationalized Bank, having serviced customers who could hardly understand the nature of Banking transactions despite maintaining accounts, I would like to request techno savvy customers to spare a thought for the not so tech savvy clientele of the Banks. Today the introduction of debit cards and Internet Banking is more for the convenience of the Banks and not for the convenience of the Customers.
When technology was first recommended for Banks by the Narasimhan Committee, the community was given an assurance that technology would increase efficiency and reduce costs.
I would like the Indian Banks Association and RBI to conduct a study of Banking practices in India and share their study results with the public to assess "Whether the technology introduction has either improved efficiency or reduced the costs and if so to what extent".
Today most Banks charge fees even to issue or reissue passwords for the Internet Banking accounts. Internet Banking facility and debit Cards are issued as a matter of routine and charged at the expense of the client. At the same time the facilities provided do not meet the basic security requirements nor the law of the land.
RBI had been wise to clarify in its Internet Banking Guidelines that if Banks do not adopt digital signatures, they have to take the legal risk. This single line is sufficient to say that Banks are responsible for all e-frauds which are happening now and there is no need for each victim to go to the Adjudicator or Consumer Court or Banking Ombudsman.
However one needs to also ask RBI if they were not aware that their guidelines were not being adopted by any Bank in India. If they were not aware, then their system of Bank audit was faulty. If they did observe and yet decided to turn a blind eye, the Governor of Reserve Bank has to examine if there was dereliction of duty at multiple levels in the RBI.
Are RBI regulations only meant to be on paper? If this is so for Internet Banking guidelines then can Banks also ignore other instructions? We are aware that Banks are flouting many other established banking norms in the case of Credit Cards. RBI has been content in periodically issuing instructions and press statements but not implementing its own guidelines. On the other hand, before securing the Internet Banking, RBI has gone ahead and approved Mobile Banking and increased the risks to the customers.
I request RBI to constitute a new working group for "Secure Banking in Technology Era" and address all aspects of information and transaction security in Banks.
IBA is a body of the Bankers. It has more interest in commercial matters rather than regulatory matters. However, historically IBA has been pushing the Banks towards better procedures and systems, and "Customer Interest" has been the core of IBA working in the past. I am not however sure if the priorities have undergone a change in the recent past or IBA has become impotent as a self regulatory body.
I do not mean to hurt the current Chairman of IBA (whom I had the opportunity to know personally several years back when he was in Corporation Bank) but I would not hesitate to reiterate that IBA has a big role in ensuring that Banks tighten their security, and if they do not act now, history would hold the body responsible for lack of action. I have even pointed out to the IBA Chairman in his capacity as Chairman of Union Bank of India how introduction of digital signatures for every Internet Banking customer is feasible and cost effective.
As of today, it is neither a difficult technical problem to implement digital signatures in Internet Banking nor is it prohibitively expensive. If Bankers want to have a working proposal on this front, I am willing to request some vendors who can implement the system within the next few months, if possible even on a BOLT basis.
If IBA does not respond now, it would be presumed that the "Consumer is the King..respect him" principle has been sacrificed at the altar of modernization. As a Banker who grew up in the era when this quote from Mahatma Gandhi adorned the walls of every Bank Branch, I would be sad that the unwritten wall poster today is "Customer is a Bakra..exploit him".
SEBI
Today SEBI has a mandate to protect investors in the stock markets. Since many of the Banks today are listed corporate entities, protection of their shareholder interest falls within the domain of SEBI. The listing guidelines, particularly Clause 49 which requires CEO certification of regulatory compliances, are a tool designed by SEBI in the same manner as SOX tries to regulate the US listed companies.
If Banks are absorbing "Legal Risks" by not adopting "Cyber Law Compliant security measures", and Umashankar type liabilities keep occurring frequently, then the financial interests of the shareholders are seriously affected. Hence the CEO certifications under Clause 49 without ITA 2008 compliance by a Bank would amount to providing a fraudulent declaration to mislead the investors.
It is therefore necessary for SEBI to specifically send out an enquiry to all listed companies, after they submit the March 31, 2010 annual report, asking if they have taken adequate steps to cover the risks associated with the non compliance of ITA 2008 as effective from October 27, 2009, and to take penal action where warranted if the Company is proved to have given a blind certificate in the annual report without ground action. The independent Directors of Banks should also be sent notices asking if they have taken adequate steps to ensure legal compliance of ITA 2008 provisions by Banks and, if not, to show cause why action cannot be taken against them.
If SEBI fails to discharge its duty in this regard, then Clause 49 compliance is as good as buried and redundant. The current Chairman of SEBI once had a reputation as an "Investor Friendly" regulator in his earlier stint with SEBI and I am sure that he would not allow this image to be tarnished by remaining silent on the brazen non compliance of the spirit of the Clause 49 requirement.
Consumer Organizations
For those who have followed the Indian Banking industry, the name of late Mr M.R.Pai would be familiar. He was one of the most revered characters in the 1980s in the Banking circles for having started a Consumer awareness movement and fighting for the cause of bank customers. I am sure that the current day Bankers in ICICI Bank who respond to customer queries on Phishing have never heard of this gentleman who was a pioneer of consumerism in India. He, along with late Mr Kannan of Chennai who focussed on retail stock market Investors, had been a legend of the 80's in the consumerism movement in the financial services industry in India. I am sure that Mr M V Kamat or Mr Bhave or Mr Vaghul can recall what these men of character stood for and how they tried to protect the consumer interest.
With the growing commercialization of Banks today, there is nobody around who can uphold the interests of the investors either in the Banks or in the investment domain. Naavi's own efforts have largely remained an individual's crusade, not supported adequately by any organizations which hold public interest at heart.
To fill this vacuum, I am now inviting Cyber Society of India (Cysi) of Chennai, CCITO (Cyber Crimes and Insider Threat Obviation) of Maharashtra, R Srikumar (Former DGP of Karnataka and promoter of Crime Stoppers) of Bangalore and a few other organizations to join hands with Naavi/Naavi.org/Digital Society Foundation/Cyber Crime Complaints and Resolution Center to form a new "Cyber Security Consortium of India" and work towards protection of Netizens in India.
Hope this will be a platform which will in due course contribute to a Secure E-Transaction Framework in India.
Media
Media is always on the forefront of any consumer awareness movement. In the current phase of consumer awareness suggested for "Safe Banking", I feel that the national media has a strong role. Unfortunately the Umashankar Judgment, which should have occupied national headlines, is only being discussed on the Internet media as if it is not relevant to the general public. I wish that this aberration is corrected and we see active national debates on the electronic and print media.
Naavi
April 16, 2010
Related Articles:
Land Mark Judgment in Phishing Case
An Open Letter to IBA Chairman
ICICI Bank Phishing Case..comments
More Information on the Consumer Court Decision:
Bank involved: HDFC Bank. Main Beneficiaries arrested, part amount recovered and proceeding for balance amount.
Comments are Welcome at naavi@vsnl.com