G Gopalakrishna Working Group (GGWG) on Electronic Banking
Comments-3
Are Vested Interests at Work to Manipulate RBI?
The GGWG was an exercise at revising the 10-year-old report of the SR
Mittal Group, which first addressed the requirements of the Internet
Banking Era. Compared to the task which was ahead of the Mittal Group,
GGWG was in a far more advantageous position since there was a decade
of experience on both the technology and the legal aspects of
Technology Banking.
Notwithstanding some good work reflected in the GGWG, it appears
that the GGWG could have done far better than what it has done. This is
more glaring in the chapters on Cyber Fraud and Legal Issues.
While Naavi.org will analyse the report in greater detail in subsequent
articles, we shall focus on one issue in the working of such
critical working groups of RBI which is a matter of grave concern at
this point of time. It is the issue of vested interests wielding their
influence in the final recommendations of the group.
In the SR Mittal Group (SRMG), there were 10 members. Of these, three were
from RBI. One was from IDRBT, one was from IIT, one from i-Flex
Solutions Ltd, and five from Commercial Banks. Out of the Bank
representatives, one was from ABN Amro Bank, one was
from SBI and two were from ICICI Bank.
In the GGWG, there were 13 members and 4 more were invitees. Of these 17
persons associated with the working group, 6 were from RBI. There was
one from IIT and another from IISc. There was one from KPMG and another
from Deloitte. There was one from IDRBT, one from IBA and one from DSCI.
There was one from IDBI Intech Ltd. There was one Advocate and the
remaining two were from Commercial Banks. Of these, one was from SBI and
another was from ICICI Bank.
In both the committees it may be seen that there was no representation of
the Customers of Banks, who are the focus of the Banking business. While
RBI is the regulator and academicians were required to add technical
inputs, the presence of IT Companies like i-flex or IDBI Intech and
commercial banks including SBI, ICICI Bank and ABN Amro Bank has to be
viewed as inappropriate in view of the conflicting interests these have
in the outcome of the working group recommendations.
In the SRMG, ICICI Bank had a double representation. Banks such
as Canara Bank, Bank of India or Bank of Baroda had no
representation in either of the committees. If RBI wanted to broad-base
the composition of the group, there was a need to accommodate a
Customer's representative, since the Customer is the focus of the
recommendations on Cyber Frauds and legal issues.
It is well known that Banks are using Customers as Guinea Pigs in the
introduction of technology, and IT companies who have supplied
faulty and insecure applications for Banking are forcing Banks to adopt
e-Banking which is woefully short of information security from the
customer's perspective. Banks such as ICICI Bank are particularly
noteworthy for shortchanging the customer's interests for commercial
gains. However they seem to have a huge say in the working group.
In the SRMG, the ICICI representative even submitted a dissenting report
which was rightly overruled by the committee. In recent days, ICICI
Bank has been in the forefront of Phishing frauds. Also, in the
recommendations of this Working group, ICICI Bank had a direct
conflict of interest, having lost the Phishing case against S. Umashankar.
One can therefore see clear signs of an attempt at manipulation of the
working group recommendations, which fortunately has not succeeded since
law is not on their side.
I will point out specific instances where such an attempt to twist the
recommendations in favour of Banks against the interest of Customers
is inherent in this report.
Firstly, the Working group has blindly incorporated certain statements
about the case of S.Umashankar Vs ICICI Bank which are factually
incorrect. For example at two places where a mention about the case has
been made, it has been stated that ICICI Bank has obtained a stay on the
judgement with a deposit of only Rs 50,000/- as against the decreed
amount of Rs 12.85 lakhs.
I want to bring to the notice of the Chairman of the Working Group and the
Deputy Governor of RBI that the correct position is that ICICI
Bank has been granted a stay subject to the hearing of the appeal
against a deposit of Rs 5.50 lakhs. The net unrecovered loss of the
customer is Rs 4.95 lakhs and the deposit ordered was higher than the
amount of loss. The working group has not verified any documentation
before incorporating the erroneous statement, which suggests that only a
nominal deposit has been made to get the stay.
The working group is also silent on another Phishing fraud that followed
this judgement where ICICI Bank agreed to pay up one Mr Dwarak Ethiraj
without contest. The report also does not speak of the Nikhil Futan Vs
HDFC Bank case in Mumbai District Consumer Forum where the Bank was
again made liable. Most of the Consumer forum cases quoted in favour of
ICICI Bank were cases where they were dismissed for lack of jurisdiction
since the victims did not know that the correct forum was the
Adjudicating Officer and not the Consumer forum. Phishing is not a
service efficiency issue but is a Cyber Crime issue and though the
Mumbai district Forum assumed jurisdiction and went ahead with the
trial, rejection is not indicative of the lack of merits of the case.
Also most of these cases failed against the Banks due to inadequate
representations from the victims.
The quoting of different cases is therefore misleading and the Working
group could have exercised better diligence before the details were
incorporated in the report. It would be appropriate if the Working group
publishes a correction at least to revise the amount of deposit made by
ICICI Bank in Umashankar's case from Rs 50,000/- to Rs
5,50,000/-. If not, the report would be faulty and misleading.
I had recently filed an RTI application to RBI to know about the number of
Phishing cases reported to them through the mandatory fraud reports.
Unfortunately RBI refused to provide the information stating in one case
that the frauds are not classified to indicate the Phishing frauds
separately or that the information is in an application specific format
and cannot be provided. This only indicated a reluctance on the part of
RBI to reveal to the world at large how many Bank customers are being
taken for a ride with the introduction of faulty technology.
Though in most of the Phishing cases Banks try to blame the customer for
answering the phishing mail, they fail to disclose that in many cases,
there is an insider involvement and even when the customer has not
answered the phishing e-mail, fraudulent withdrawals continue to take
place.
As an experienced banker I have my own views on how the risks can be
mitigated but this is not the place to discuss that in detail.
However, having ICICI Bank as a prominent member of both committees was a
grave mistake committed by RBI and it can only be interpreted as
successful lobbying by ICICI Bank. Otherwise, why could HDFC Bank not
have been included in GGWG instead of ICICI Bank, and why could Canara
Bank or Bank of India not have been used instead of SBI, so that there
could have been some new ideas?
Having accommodated important stakeholders like ICICI Bank and SBI,
there was no reason why RBI could not have included a representative of
a Bank Customer or even a Phishing Victim himself in the working group.
I personally have enough information with me to say that Internet Banking
has been rendered extremely risky because Banks are ignoring the ITA
2000/2008 provisions on digital signatures and are also openly flouting
the recommendations of the SRMG in many respects. Instead of correcting
these anomalies, GGWG appears to have been wrongly guided to include
certain recommendations which show a very inadequate understanding of ITA
2008 and its implications when seen along with PMLA and NI Act.
At one place, the report wants to treat 2F authentication as an Electronic
Signature. At another place the working group laments that there is no
punishment for "Attempt" to commit Phishing when in fact it is actually
incorporated in ITA 2008. As could be expected the lobbyists have
managed a remark that the Government may consider another legislation to
absolve the Banks from liabilities of negligence.
All these show that the GGWG has been misdirected probably by some members
who had vested interests in supporting a weak IS implementation for
commercial considerations.
Unfortunately RBI has not done enough research to find out what was
happening in the Phishing scenario and whether it is the Banks who are
more negligent and reckless than the hapless customer.
I have already brought to the notice of both RBI and IBA the lack of
proper follow up from their end to tighten the security in electronic
banking. Unfortunately neither RBI nor IBA has been responsive enough in
this regard.
The GGWG has now suggested setting up a standing committee to take the
recommendations forward. I would like to request RBI that at least now it
should not allow vested interests to get into the standing committee. In
case it is felt necessary to give representations to the Commercial
Banks, the representation should not be limited to ICICI Bank and SBI
and the participation of the Banks should be balanced with appropriate
representation from the Bank customer's side.
If RBI does not take proper note of this concern, it will find that the
Standing committee would be infiltrated by organizations with vested
interests, which would dilute the regulatory role of RBI.
Naavi
January 24, 2011
Reference:
Role of Adjudicators in Phishing Cases Reiterated
Phishing Risks under G Gopalakrishna Working Group Report
Copy of Full Report
Copy of Executive Summary
Comments are Welcome at
naavi@vsnl.com