E Banking Security Guarantee Scheme
Naavi.org has been in the forefront of a
crusade to make E Banking systems safer for the Bank Customers.
Here is a suggestion that the RBI can implement in this
direction. This could be a temporary or a permanent measure that
can ensure safety of the funds of the E-Banking Customer and
could be the only solution for survival of the Indian Banking at
this point of time.
When Internet Banking technology became
feasible in India, there were two options for the RBI to allow
the benefits of technology being used by the Indian Banking
system.
The first was to permit "Virtual Banking" as
an E Commerce activity where an organization
could receive funds of the public online for the
purpose of lending online without linking it to any of the
existing Banking institutions in the Physical world. Ideally
such institutions could be barred from using the word "Bank" in
their name but could be called "Virtual Financial Shops".
Public would have looked at such
organizations as a new creation of the Internet and approach
them with the full perception that this is not Banking as we
know but could be an interesting option to park our funds with
the added risks if any.
RBI could have still regulated these Finance
shops under an NBFC license to ensure that they do not indulge in
overtrading. In such a case the traditional banks would have
continued to do what they were good at namely Banking in
physical space where they mobilized public savings and lent it
for good purposes.
The Physical Banks and the Virtual Finance
Shops could have entered into some collaborative products so
that the benefits of Internet transactions became available to
the traditional Bank customers through instruments such as a
"Virtual Shopping Card" with limits like the Credit Card. These
would be like Debit Cards exclusively meant for the Internet and
not accepted in the physical market.
Such a system would have insulated the
traditional banking industry from the risks to which the
Internet was exposed.
Banks could also have been encouraged to open
an "Internet Banking Branch" and allowed their physical world
customers to open new accounts in this branch for Internet
transactions without an automatic transfer of funds facility
from the traditional accounts.
However, in its wisdom RBI did not consider
either of these options but opted to allow the traditional banks
to also extend Internet banking facility as an additional mode
of transaction.
This decision brought the risks of Internet
into the traditional banking system. As Banks started allowing
Internet access as a default facility and the preferred mode for
their customers in view of cost savings it offered, the entire
banking community became exposed to the Internet Banking risks
sold as "Convenience".
The generation of customers who were used to
traditional banking, and who looked upon Banks as "Savings Institutions"
and as a fortress for their funds, were now unprepared for the
link to the Internet world, which exposed the system to new kinds
of risks.
The recent happenings, including the
revelations made in Bangalore by a security expert before an
expert committee constituted by Naavi.org, have proved once and for
all that Internet Banking can never be safe. At best the risks
can be contained within some limits that the customer agrees to
trade off for the convenience that he gets in return. If the
risks are reduced, the incentives for criminals would also be
lesser and the economics of E Banking frauds would go against
the criminals in the long run.
Though RBI took care to advise the bankers
that under the new dispensation E banking risks are the
responsibility of the Banks, in practice Banks have resisted the
RBI guidelines by simply ignoring them and challenging the
customers to prove in a Court of law that the liability is with
the banks.
Naavi.org has highlighted many recent cases
where the complaints of the customers have been taken to the
Adjudication system and the Cyber Appellate Tribunal which are
the only judicial forums which have the jurisdiction for Cyber
Crime cases. The delays in the system have been a big issue in
getting justice for the customers through the judicial system.
Banks with their better financial powers are likely to take each
case to the highest court of the land and hence cases are
unlikely to be decided within a reasonable time.
To this a new kind of risk has been added by
the Adjudicator of Karnataka which is a "Conflict Risk" since
some of the Banks against whom complaints are held by the
Adjudicator are business partners of the department headed by
the same person in his capacity as the IT Secretary.
In the light of these developments, there are
likely to be increased instances of E banking frauds and
increased cases of failure of the judicial system so that the
Bank depositors will certainly find the Banking system
completely unreliable as a savings institution.
We are therefore on the threshold of a time
when Banking industry in India is likely to face increasing
troubles which may soon cause some of the Banks to even close
down.
RBI must understand that there are already
botnets which have compromised millions of Indian computers and
if the kind of vulnerabilities that have been demonstrated
before the committee of experts constituted by Naavi.org on 2nd
of February at Bangalore falls into wrong hands there could be a
serious threat of mass infections of Indian computers resulting
thereafter in mass hacking of bank accounts which will be
mistaken as "Phishing". This may lead to the failure of at
least one major Indian bank in 2012.
The responsibility to find measures to
correct such a Banking catastrophe lies only with the RBI. At
that time RBI cannot escape by citing the Internet Banking
guidelines, the Gopalakrishna committee report, the Damodaran
Committee report (yet to be accepted), etc. as its efforts to
protect the E Banking transactions.
The tenure of Dr Subba Rao is therefore under
threat of going down as a catastrophic tenure and the predictions
of doom of 2012 may come true at least in this respect.
I therefore urge the Governor of RBI to once
again consider my request to set up an E Banking Security
Guarantee Scheme to protect Bank customers against Phishing
frauds.
The scheme will simply use the KYC
responsibilities under Anti Money Laundering Act to provide the
funding for reimbursing customers on losses arising out of E
banking frauds.
Under the scheme whenever an E banking fraud
takes place, the responsibility for reimbursement should be
fixed on all the Bankers involved in the fraud which includes
the Paying Bank (which is the Bank for the victim customer) as
well as the Collecting Bankers (which is the Bank for the fraud
beneficiaries).
Since post facto, all beneficiaries are
necessarily part of a fraud network, maintaining their network
and allowing them to transfer funds and withdraw from ATMs
amounts to failure of the Anti Money Laundering
responsibilities. Hence all the collecting bankers can be fined
by RBI for AML failure.
The Paying Bank from where the money is
fraudulently transferred is also part of the money laundering
activity due to its failure to adopt such risk management
efforts as to identify the fraudulent transaction.
Hence RBI should fine each of these Banks a
minimum of Rs 5 lakhs per failure and credit it to the E Banking
Security Guarantee Scheme. From this fund the victim should be
paid off without much of a formality. Any shortfall should be
met by the Paying Banker, who is the prime culprit owing to its
lack of legally acceptable secure technology and procedures.
Any decision to the contrary should only be
based on the banks proving that a fraudulent nexus existed
between the victim and the beneficiaries which should be proved
before a tribunal of the Guarantee Scheme.
In order to give some practical examples, I
give below some of the known cases to see if the economics of
the scheme works out:
| Case | Net loss of the victim (Rs) | Number of beneficiary branches involved | Total fine realized including paying branch (Rs) |
|---|---|---|---|
| S. Umashankar Vs ICICI Bank | 4,95,000 | 1 | 10,00,000 |
| Thomas Raju Vs ICICI Bank | 1,62,800 | 1 | 10,00,000 |
| Rajesh Yadav Vs ICICI Bank | 3,91,210 | 2 | 15,00,000 |
| GPL Vs Axis Bank | 39,00,550 | 13 | 70,00,000 |
| Vijaykumar Vs PNB | 3,00,000 | 5 | 30,00,000 |
| Gunashekar Vs PNB | 5,59,200 | 10 | 55,00,000 |
| Gopi Vs SBI | 3,39,000 | 5 | 30,00,000 |
As one can easily visualize from the above,
the fine that the RBI may collect may be more than adequate in
most cases to cover the loss of the individual victim. In rare
cases such as PK Agarwal Vs PNB in which Rs 165 lakhs were lost
and in another Pune case where a customer of PNB lost Rs 80
lakhs, the fine collected may fall short. The reason in these
cases is mostly because the Bank had no limit on the individual
transaction amount and transfers of up to Rs 60 lakhs were made
on a single transaction in PNB. In such cases the payment can be
made from the surplus amount available from other accounts or
from additional contribution from the Paying bank.
I request the Governor of RBI to
consider this proposal and provide a public response as to
whether such an arrangement can be made or why such an
arrangement cannot be made.
I request journalists in Mumbai to take up
this matter with the RBI Governor personally.
Naavi
February 12, 2012