Impact of ITA2000/8
The committee has deliberated
in detail on the impact of ITA 2000/8 and come up with several
observations and a few recommendations. Our earlier point by point
comment already presents some cryptic views and the comments below
contain more details.
In particular, observations
have been made on the following aspects.
(i) "Intermediary" as defined in ITA 2008
(ii) Encryption
(iii) Data Protection
(iv) Computer related offences
(v) Banks as Certifying Authority
(vi) Online Nomination Facility
There have been references to select relevant cases to highlight
the impact of law on Bankers.
The GGWG has also commented on Industry Wide considerations
regarding Digital and Electronic Signatures, Sec 65B of Indian
Evidence Act, and Use of Two Factor (2F) authentication. It also
discusses data protection aspects in Banking and refers to Data
Protection Act of UK (DPA), Gramm Leach Bliley Act (GLBA) and
Electronic Fund Transfer Act (EFA) of USA.
We shall examine each of these
aspects individually.
Intermediary:
It is not clear why GGWG is
interested in making an issue of the definition of
"Intermediary" because its relevance to the banks is low.
The GGWG has raised the issue of whether a Bank should be considered
an "Intermediary" or not under ITA 2008 and concludes that there is
some uncertainty with respect to the meaning. The concern appears to
be that if the Banks are considered an "Intermediary" then they would
be exposed to the requirements under Section 79 to practice "Due
Diligence".
In respect of contraventions occurring under ITA 2008 attributable
to the Bank, the requirement of "Due Diligence" arises out of
Section 85 of ITA 2008 and hence, in most cases of Cyber Frauds in
Banks, "Due Diligence" would anyway be required to avoid liability.
Bank's role as "Intermediary"
is therefore not very critical to determine the liability in respect
of Cyber Frauds.
Section 79 covers the requirements of an Intermediary to determine
the liability arising out of hosting of any third party information,
data, or communication link.
In this context, the definition of an "Intermediary" given in
section 2(p) of ITA 2008, which states
""Intermediary" with respect to any particular electronic records,
means any person who on behalf of another person receives, stores or
transmits that record or provides any service with respect to that
record and includes telecom service providers, network service
providers, internet service providers, web hosting service
providers, search engines, online payment sites, online-auction
sites, online market places and cyber cafes",
has no ambiguity. It refers to an organization that receives, stores
and transmits information on behalf of another person.
Banks receive information about the Customer and keep the records as
owners of the information. Third party information is not received
in the normal course of Banking business involving deposit or
withdrawal of funds by a customer.
Only if a Bank is providing a service other than accepting deposits
for the purpose of lending may the question of the role of the Bank
as an intermediary arise.
In general banking, Bankers often render different services and
assume roles other than the "Debtor-Creditor" relationship. Such
relationships can be "Agent-Principal", "Bailor-Bailee",
"Trustee-Beneficiary", etc.
Likewise, only if Digital banking services are rendered for purposes
other than core banking, where the "Debtor-Creditor" relationship
persists, may the question of "Whether Bank is an Intermediary?"
arise in respect of such services. Such a relationship may co-exist
with the "Debtor-Creditor" relationship and hence it has to be
examined with reference to the specific facts of the case.
In Credit Card transactions the relationship between the card
holder and the Issuing Bank is one of Debtor-Creditor. In case the
Bank receives information from a Merchant or from an acquiring bank
about the Card holder, it may become "Third Party Information" as far
as the relationship between the Bank and the merchant or acquiring
Bank is concerned. Similar instances may arise if the Bank is
supporting insurance services or stock broking services etc.
If Banks are providing their infrastructure to other agencies who
provide Cross Functional services to the Customers in digital space,
the role as an "Intermediary" may get invoked.
There are a few Banks who are allowing advertisements from third
parties to appear on their websites though the earlier guidelines
suggested otherwise. Such Banks would be exposed to "Intermediary"
risk.
If the concern is for data leakage pertaining to Customer
information, it is a "Data Protection" issue covered under Section
43 A and not an "Intermediary Issue".
(... To Be continued)