
G Gopalakrishna Working Group (GGWG) on Electronic Banking

Comments on Legal Issues

Chapter IX of the GGWG report deals with Legal Issues. The group has made 18 key recommendations there, and our comments are given below.

These are preliminary observations and are subject to modification before submission to RBI. The public may send their comments on this note if required.

 

Each numbered item below (Sl No) gives the Recommendation of the Group first, followed by our Comments.

1

The Risk Management Committee at the Board level needs to put in place processes to ensure that legal risks arising from cyber laws are identified and adequately addressed. It also needs to ensure that the concerned functions are adequately staffed and the human resources are trained sufficiently to carry out the above. The Operational Risk Group needs to incorporate legal risks as part of the operational risk framework and take steps to mitigate the risks involved. The legal function within the bank needs to advise the business groups on the legal issues arising out of use of Information Technology.

This is a necessary step and needs to be endorsed in full.

2

It is necessary that banks have a robust system of keeping track of the transactions of the nature referred to in PMLA and PMLR and report the same within the prescribed period. Apart from the risk of penalty, this involves reputational risk for such entities.

A similar provision is already in place under PMLA as well as the Cyber Fraud reporting guideline but the implementation appears to be lacking. In several instances of Phishing there is clear indication of money laundering. However, Banks have not been reporting such frauds. There is need to review the implementation mechanism and also increase the penalties for deviance. Individual officers responsible for deviance should be identified and penalized.

3

A cheque in the electronic form has been defined as "a mirror image" of a paper cheque. The expression 'mirror image' is not appropriate. The expression "mirror image of" may be substituted by the expression "electronic graphic which looks like" or any other expression that captures the intention adequately.

There are several grey areas in law regarding “Cheques in Electronic Form”. These cannot be corrected except by making some changes to the NI Act. Since RBI has already implemented the truncated cheque system on a pilot basis, there is no problem in introducing the “Cheque in Electronic Form” also with appropriate devices. This requires a separate technical discussion and is outside the current scope of this comment. Suffice it to say that the law as it is can be given effect to and the suggested change is not immediately required and can be deferred.

4

The definition of a cheque in electronic form contemplates digital signature with or without biometric signature and asymmetric crypto system. Since the definition was inserted in the year 2002, it is understandable that it has captured only digital signature and asymmetric crypto system dealt with under Section 3 of IT Act, 2000. Since IT Act, 2000 has been amended in the year 2008 to make provision for electronic signature also, suitable amendment in this regard may be required in NI Act so that electronic signature may be used on cheques in electronic form.

Extension of what is applicable to Digital Signatures in the NI Act to Electronic Signatures is required. However, as of now there is no "Electronic Signature" other than "Digital Signature" in place, and hence a decision on this can be deferred.

5

There is uncertainty with respect to the meaning of a crucial expression such as 'intermediary' as per IT Act 2000 and as amended by IT Amendment Act, 2008. As such, it is necessary that clarity is brought about by statutory amendment with respect to the meaning of the expression 'intermediary' in so far as banks and financial institutions are concerned.

From time immemorial the Banker-Customer relationship has consisted of multiple roles such as Debtor-Creditor, Agent-Principal, Bailor-Bailee, Trustee-Beneficiary etc. Similarly, Bankers will have the role of "Intermediary" in certain respects and of "Data/Information Owners" in certain other respects. The traditional relationships such as Debtor-Creditor etc. continue.

Hence there is no “ambiguity” as regards the “Intermediary” definition in ITA 2008. The recommendation needs to be ignored.

6

A combined reading of Section 2(p) and sub-sections (1) and (2) of Section 3 of IT Act makes it clear that in terms of the Act an electronic record may be authenticated by affixing 'digital signature' and if a party wants to authenticate the electronic record by affixing digital signature, the electronic method or procedure for affixing digital signature shall be asymmetric crypto system and hash function. While authentication of an electronic record by affixing digital signature is optional, the procedure for affixing digital signature, namely, use of asymmetric crypto system and hash function, is mandatory.

The group seems to lack full clarity on this issue. ITA 2000/8 does not say whether a signature for an electronic document is mandatory or optional. It only states that there is a method of authentication that is equivalent to "Signature". Only if some other law requires a signature, and that requirement has to be given effect to in electronic form, does digital signature become mandatory. If an electronic document is not digitally signed and the law accepts oral or unsigned documents, then the users of electronic documents can leave the document without a digital signature. What cannot be done is "Not affixing digital signature to an electronic document and trying to provide legal sanctity to such a document as equivalent to a signed paper document".

If therefore a “Cheque” requires “Signature” in paper form, it requires “Digital Signature” in digital form. If any material instruction from a customer has to be acted upon and in the paper based banking it would have required a signature, such an electronic document requires digital signature (or an approved electronic signature if there is any).

RBI should not try to re-draft age-old Banking laws just to accommodate the commercial convenience of a few Bankers. This will be ultra vires the objectives of RBI as a "Regulator of the Banking Systems in India".

7

The question that arises for consideration is whether a party may be bound by the transactions entered into through electronic means (whether through ATMs, Internet or otherwise) though the electronic records in question are not authenticated by using digital/electronic signature. On a reading of Section 65B (1) of Indian Evidence Act, it is clear that electronic records may be proved in courts even though they are not authenticated by using digital or electronic signature if the conditions mentioned therein are satisfied. The difficulty in proving the various conditions set forth in sub-sections (2) and (3) of section 65B of Indian Evidence Act is ameliorated to a great extent by sub-section (4) thereof under which the certificate of a person occupying a responsible official position in relation to the operation of the relevant device or the management of the relevant activities (whichever is appropriate) shall be evidence of any matter stated in the certificate.

This is another indication that the group has not clearly understood the ITA 2008. Section 65B is not meant to substitute digital signatures for authentication of an electronic document. It is a forensic support to make electronic documents admissible in law. There is similarity between the Sec 65B provisions and the provisions of the Banker's Book Evidence Act regarding presentation of evidence. Just because a certified copy of an electronic document is admissible as evidence, it is not possible to use it in replacement of a signature. It would be like saying that since a third-party affidavit is an admissible document for a certain fact, the public can present an affidavit stating that so and so ordered the Bank to make payment of such and such amount to such and such person, get it notarized and present it as a "Cheque".

This recommendation should be ignored.

8

Government should specify sufficient number of agencies under section 79A of the Indian Evidence Act to assist courts in arriving at a decision on the evidentiary value of electronic records irrespective of whether digital or electronic signature is affixed or not.

This recommendation should be ignored because of what is stated above. It betrays an erroneous reading of the provisions of ITA 2008 by the group.

9

Financial transactions such as operation of bank accounts and credit card operations are being carried on by banks in a big way by using cards, PIN numbers and passwords, etc. Banks are using many security features to prevent frauds to the extent possible. The proposed 'two factor authentication method' (2F method) is also a step in the same direction. It may not be ideal and practically feasible to insist on using a particular technology for all retail transactions of the customers with their banks.

The group has not understood the basics of digital signature, which is a combination of data confirmation and entity identification.

2F authentication is a shade ahead of password-based authentication but cannot replace the characteristics of a digital signature.

If an appropriate 2F system is created which satisfies the requirements of Section 3A of the ITA 2008, there is no problem in getting it approved, as provided in ITA 2008, as one of the new electronic signature methods of authentication.

Present systems are only adding a mobile-based PIN or an RSA token generated random key as the second factor. It is nothing but a double password system and cannot satisfy the legal requirements of a signature.

This is a suggestion which is ultra vires the ITA 2000/8. RBI does not have the legal right to validate what is not permitted in law. The suggestion is therefore untenable and has to be summarily rejected.

If recommended, RBI would create a situation where Banks will be acting illegally under the sanction of RBI. RBI will therefore be legally liable for violations of law.
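The distinction drawn above, as an added illustration that is not part of the original note: a hash-plus-asymmetric-key signature (the Section 3 construction) is computed over the instruction text itself, so altering the instruction invalidates it, whereas an OTP second factor is computed only from a shared seed and a counter and is accepted unchanged for any instruction. The RSA primes, the seed and the instruction strings are constructed toy values (the key is far too small for real use).

```python
"""Added illustration: a digital signature binds the instruction text; an OTP second
factor (a 'double password') does not. Toy key sizes, chosen only so this runs offline."""
import hashlib
import hmac
import struct

# --- Toy asymmetric key pair (constructed; far too small for real use) ---
P, Q = 104729, 1299709              # two known primes
N = P * Q
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def digest_int(message: bytes) -> int:
    """Hash function step: SHA-256 of the record, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, d: int = D) -> int:
    """Digital signature: hash the record, then apply the private key (asymmetric step)."""
    return pow(digest_int(message), d, N)


def verify(message: bytes, signature: int, e: int = E) -> bool:
    """Anyone holding the public key can check the signature matches THIS text."""
    return pow(signature, e, N) == digest_int(message)


# --- Second factor of the kind the comment describes: counter-based OTP (RFC 4226 HOTP) ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def bank_accepts_2f(secret: bytes, counter: int, password_ok: bool,
                    otp: str, instruction: bytes) -> bool:
    """The bank's check in a 'double password' scheme: the instruction bytes never enter it."""
    return password_ok and hmac.compare_digest(otp, hotp(secret, counter))


def demo():
    original = b"Pay INR 10,000 to account 1111 (constructed sample instruction)"
    altered = b"Pay INR 90,000 to account 2222 (constructed sample instruction)"

    # Digital signature: the altered text fails because its hash no longer matches.
    sig = sign(original)
    signed_ok = verify(original, sig)
    tamper_detected = not verify(altered, sig)

    # OTP second factor: the very same code is accepted for either instruction.
    seed = b"constructed-shared-seed"
    code = hotp(seed, counter=7)
    otp_accepts_original = bank_accepts_2f(seed, 7, True, code, original)
    otp_accepts_altered = bank_accepts_2f(seed, 7, True, code, altered)
    return signed_ok, tamper_detected, otp_accepts_original, otp_accepts_altered


if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```

The last two values of `demo()` are the point: the OTP check passes for both instructions, so it identifies the entity but confirms nothing about the data.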

10

As a short term measure it is recommended that Rules may be framed by the Central Government under Section 5 of the Act, to the effect that, with respect to internet or e-banking transactions, 2F method or any other technique of authentication provided by banks and used by the customers shall be valid and binding with respect to such transactions, though 'digital signature' or 'electronic signature' is not affixed.

 

11

ISP license restricts the level of encryption for individuals, groups or organizations to a key length of only 40 bits in symmetric key algorithms or equivalents. RBI has stipulated SSL / 128 bit encryption as minimum level of security. SEBI has stipulated 64/128 bit encryption for Internet Based Trading and Services. Information Technology (Certifying Authorities) Rules, 2000 requires 'internationally proven encryption techniques' to be used for storing passwords. An Encryption Committee constituted by the Central Government under Section 84A of the IT Act, 2000 is in the process of formulating Rules with respect to encryption. Allowance for higher encryption strength may be allowed for banks based on recommendations of RBI.

The ISP guideline is a direction to ISPs for inter-ISP transactions. It need not be considered as restricting the data encryption applied either before or after transmission of data through an ISP. There should be no difficulty in Banks adopting higher strength encryption if required.

12

Section 43A of IT Act deals with the aspect of compensation for failure to protect data. The Central Government has not prescribed the term "sensitive personal data," nor has it prescribed a "standard and reasonable security practice". Until these prescriptions are made, data is afforded security and protection only as may be specified in an agreement between the parties or as may be specified in any law.

Points 12, 13 and 14 contain only observations which do not require any action from RBI.

Point number 15 is an erroneous statement since Section 84C of ITA 2008 provides for punishment for “Attempt” to commit an offence. It is surprising that the committee could make such a blatant error.

The real intention of the elaborate presentation of points 12 to 15 is betrayed by the recommendation number 16 which suggests that it is necessary to provide “Protection to Banks against any fraudulent or negligent act of customer”.

At present any fraudulent act of a customer does not require any separate legislation to protect the Bank. In such cases the customer is a fraudster and should be punished and is being punished.

It is necessary to analyze this recommendation along with the report's reference to the case of S. Umashankar Vs ICICI Bank, where the Bank was held liable to pay compensation to the victim customer; the status of that case is falsely depicted in the report.

It is clear from the circumstances that there is an attempt by one of the participating banks to suggest a new law that exempts it from the liabilities contemplated under ITA 2008.

If RBI makes such a suggestion, it would be a fraud on the public and may be opposed as a matter of principle in the appropriate judicial forum.

Phishing losses are a matter of serious concern to Bank customers, and in most cases there will be one fraudulent customer of the bank cheating another genuine victim of Phishing, making use of the insecure information systems and policies used by the Bank. There could be instances where Bank employees are hand in glove with the fraudulent customer, particularly in the opening of accounts with no KYC and in complete violation of PMLA provisions.

In case Banks are exempted from liability in Phishing as is suggested by the group, it will be a free license to criminal gangs to rob money in the bank belonging to a number of innocent customers.

The recommendation should be dismissed since it is an attempt to help criminal customers at the cost of genuine customers.

13

Apart from affording protection to personal data ('sensitive personal data' - 43A), the IT Act, 2000 also prescribes civil and criminal liabilities (Section 43 and Section 66 respectively) to any person who without the permission of the owner or any other person who is in charge of a computer, computer system etc., inter alia, downloads, copies or extracts any data or damages or causes to be damaged any computer data base etc. In this context Section 72 and 72A of the amended IT Act, 2000 are also of relevance. Section 72 of the Act prescribes the punishment if any person who, in pursuance of the powers conferred under the IT Act, 2000, has secured access to any electronic record, information etc. and without the consent of the person concerned discloses such information to any other person; then he shall be punished with imprisonment up to two years or with fine up to one lakh or with both. Section 72A on the other hand provides the punishment for disclosure by any person, including an intermediary, in breach of lawful contract. The purview of Section 72A is wider than section 72 and extends to disclosure of personal information of a person (without consent) while providing services under a lawful contract and not merely disclosure of information obtained by virtue of 'powers granted under IT Act, 2000'.

14

The IT Act, 2000 as amended, exposes the banks to both civil and criminal liability. The civil liability could consist of exposure to pay damages by way of compensation up to Rs 5 crore under the amended Information Technology Act before the Adjudicating Officer and beyond Rs five crore in a court of competent jurisdiction.

There could also be exposure to criminal liability to the top management of the banks given the provisions of Chapter XI of the amended Information Technology Act. Further, various computer related offences are enumerated in the various provisions.

15

Of late there have been many instances of 'phishing' in the banking industry, thereby posing a major threat to customers availing internet banking facilities. Though Section 66D of the amended IT Act could broadly be said to cover the offence of phishing, attempt to commit the act of phishing is not made punishable. It is suggested that there is a need to specifically provide for punishment for attempt to phish as well in order to deter persons from attempting it.

16

It is necessary to balance the interests of customers and that of banks and provide protection to banks against any fraudulent or negligent act of customer. It is not appropriate to leave such an important issue to be dealt with in documentation. Appropriate statutory provision needs to be enacted in this regard.

17

Whether Section 43A read with Section 72 and 72A of the IT Act, 2000 presently address the issue of data protection adequately or they need to be duly supplemented by long-term provisions which can help facilitate effective and efficient protection and preservation of data would depend on the prescriptions of the Central Government. Various suggestions have been offered in this report to address issues in this regard.

This is an observation which appears to have been inserted only to divert the attention of the public from the fraudulent suggestion made in the earlier paragraphs.

Even now Banks do follow the principle of secrecy regarding customer information. Such secrecy is breached only in the instance of police inquiry or judicial orders.

Section 43A etc. could affect Banks that give away customer details to their insurance partners, and provide a remedy to the victim.

18

In India though there is no specific legislation which deals only with 'electronic fund transfer' and which is consumer protection driven, certain concerns have been dealt with in the Payment and Settlement Systems Act, Rules, Regulations, directions etc. issued thereunder as well as the provisions of general law. However, it may be apposite to have some provisions similar to those in EFT Act which exempts the bank from liability in the event of fraud by the customer or a technical failure etc. (for example, provisions dealing with 'unauthorized electronic fund transfers' and consumers' liability for unauthorized transfers).

RBI must recognize that it is a “Regulator” of the Banking system in the interest of the economy and the citizens of India. RBI is not a “Promoter of Banks”.

There is therefore no need to suggest introduction of provisions that exempt Banks from liabilities which arise under the general law of the land.

If a similar approach is taken by other regulators and each industry sector attempts to protect its members, then SEBI can protect share brokers from online frauds, TRAI can protect telecom operators from telecom frauds. Ultimately the suffering customers will be left to fight it out with the fraudulent customers while the establishments will keep making commercial gains at the cost of public.

If an attempt is made by RBI to introduce or recommend any provisions that provide immunity to Bankers against the liabilities they face under laws such as ITA 2008 or IPC, RBI will be open to the charge of acting against its constitutional obligations, and the officials responsible for such recommendations could be open to being charged with malicious intentions.

It is recommended that RBI should not take any action that is aimed at protecting the banks against the interests of genuine customers who are being exposed to technology risks because Banks have been using untested technology and restricting their security efforts to what is "Commercially viable". Some of the recommendations appear to be motivated by an intention to provide uncalled for legal immunity to erring Bankers causing loss to public and such recommendations should be recognized and rejected.

Digital Signature as a means of authentication of an electronic document is the law of the land. With the amendments in ITA 2008 there is a possibility of variants of "Electronic Signature" coming into place. RBI cannot therefore take any stand to endorse 2F authentication even as a temporary substitute measure.

Vicarious liability of officials of Banks for lack of "Due Diligence" is also part of the common law, and RBI cannot interfere in the operation of law through its administrative guidelines.

The S.R. Mittal Group had made the correct suggestion that Banks should bear the legal risk for not using the legally approved form of authentication and obtain insurance to cover the losses arising out of hacking and similar crimes.

The need for insurance should be further extended even to losses arising out of failure of technology.

Such insurance should be at the cost of the Bank and not at the cost of the customer. In certain cases in Credit Card business, Banks are asking Customers to obtain insurance against encashment of lost credit cards. Banks should avoid passing on costs of such insurance to the customers.

The only instance where a customer should take the liability is when he himself is part of the fraud. It is open to the Banks to charge any of their Phishing victims as fraudsters if they so desire and try to prove it in the Court of law and also face defamation charges if their charge is not founded on sound reasons.

RBI should mandate that the annual report of every bank should contain a paragraph where the directors report on the Legal Compliance measures taken by the Bank in their Electronic Banking divisions.

RBI should conduct special investigations of Banks, particularly in Mumbai, Pune and Delhi, from where frequent instances of Phishing beneficiaries opening accounts with Banks in total disregard of KYC norms are occurring. According to Police intelligence reports there are organized gangs of criminals operating in these places who hire hackers to steal Bank customers' passwords and organize Phishing attacks. There have even been instances where a gang appears to have organized a Phishing attack so that one of their debtors could get a huge amount through Phishing and then hand it over to them. Many of these fraudsters' accounts have been maintained for years and repeatedly used for encashing fraud benefits before the recent Phishing cases were filed, without the Bank discovering the fraudulent use. There have been many instances where zero balance accounts received a few lakhs of rupees by internet transfer around midnight and the person withdrew the amount in the morning in cash at the counters. Such instances have to be interpreted as collusion of the bank employees and cannot be dismissed as mere negligence.

RBI should also review the banking software being used and the Risk Analysis capabilities of such software so that IT Companies do not get away with supplying non-cyber-law-compliant software with inadequate security.

Banks are often driving their customers who have been phished to file police complaints and take their own action against the ultimate beneficiaries. Though RBI has issued clear directions to the Banks to file police complaints whenever frauds take place, Banks have not been doing so. Banks should be penalized if they push customers to file their own private complaints for frauds that occur within the Bank, unless the customer wants to file the Police complaint against the Bank officials.

Top management in most Banks are ignorant of the provisions of ITA 2008 and all Directors of the Banks including the Chairman and Executive Directors should be suitably educated by RBI. It is reasonable to expect that the heads of Banks which want to do digital banking must be aware of the laws of Digital Banking. Before appointing any person as Chairman or Executive Director of a Bank, RBI should take care that his or her knowledge of Digital Banking laws is adequate to meet the responsibilities.

RBI cannot be oblivious to such instances and has to work out a suitable fraud management structure along with the Police to double check the credentials of the customers in Banks and make Banks liable for violation of KYC both at the time of opening of the account as well as monitoring suspicious transactions in the accounts any time later.

Naavi

February 4, 2011

Any Comments on this article can be sent to naavi@vsnl.com

Copy of Full Report of GGWG

Copy of Executive Summary
