G Gopalakrishna Working Group (GGWG) on Electronic Banking
Additional Comments on Legal Issues
Chapter IX of the GGWG report deals with Legal Issues. There are 18 key recommendations that the group has made, and Naavi.org has already submitted its point by point comments in the previous article. Comments have also been made in the earlier article on "Cheques in Electronic Form" and on Intermediary Status.
The committee has deliberated in detail on the impact of ITA 2000/8 and come up with several observations and a few recommendations. Our earlier point by point comment already presents some brief views, and the comments below contain more details. In particular, observations have been made on the following aspects.
(i) "Intermediary" as defined in ITA 2008
(ii) Encryption
(iii) Data Protection
(iv) Computer related offences
(v) Banks as Certifying Authority
(vi) Online Nomination Facility
There have been references to select relevant cases to highlight the impact of law on Bankers. The GGWG has also commented on industry-wide considerations regarding Digital and Electronic Signatures, Sec 65B of the Indian Evidence Act, and the use of Two Factor (2F) authentication. It also discusses data protection aspects in Banking and refers to the Data Protection Act of the UK (DPA), the Gramm Leach Bliley Act (GLBA) and the Electronic Fund Transfer Act (EFTA) of the USA. We shall examine each of these aspects individually.
Encryption:
GGWG has made reference to the provisions of the DOT guidelines, which prescribe encryption of not more than 40 bits, while in practice encryption of higher strength is used by the industry. It suggests that a "Minimum and reasonable level of encryption may be suggested for the Banking sector".
The DOT guidelines apply to data transmitted by an ISP. They state: "Individuals/Groups/Organizations are permitted to use encryption upto 40 bit key length in the RSA algorithms or its equivalent in other algorithms without having to obtain permission. However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organizations shall do so with the permission of the Telecom Authority and deposit the decryption key, split into two parts, with the Telecom Authority".
This instruction may be treated as binding on the ISP and may not impose any obligation to enforce encryption standards at the end user level. As far as the ISP is concerned, it receives certain information as binary data and transmits it as binary data. Whether it contains plain text, encrypted text, an image or a sound may not be a matter of regulation at the ISP level.
We may therefore consider that the Government is free to introduce any encryption standard that it may consider necessary under Sec 84C of ITA 2008 for the Banking industry. In fact there is no need for the Government to specifically suggest an encryption standard for the Banking industry. The concept of "Due Diligence" includes the reasonable steps required for securing information, and the Bank is free to use whatever encryption standard it may deem fit to secure data in its custody. This refers to the security of data in storage.
As regards the security of data in transit, the use of digital signatures may be considered "Due Diligence" since it at least ensures verification of data integrity at the recipient's end. If in addition public key encryption is used, Banks can adopt end to end security from the Bank to the customer irrespective of the carrier.
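The passage above describes two layers of protection for data in transit: a digital signature, so the recipient can verify that the message is intact and came from the Bank, and public key encryption, so the content is hidden from whichever carrier forwards it. The Go program below is an added illustration, not code from this article or from the GGWG report. It assumes Ed25519 for the Bank's signature and RSA-OAEP wrapping a one-time AES-GCM key for encryption to the customer; the keys, the sample statement line and the tampering step are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is all the carrier (ISP) ever sees: a wrapped one-time AES key,
// a nonce and opaque ciphertext of (Ed25519 signature || message).
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs first (integrity and origin), then encrypts signature and message
// together for the recipient, so even the signature is hidden from the carrier.
func Seal(msg []byte, signKey ed25519.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	sig := ed25519.Sign(signKey, msg)
	aesKey := make([]byte, 32) // one-time AES-256 key
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	payload := append(append([]byte{}, sig...), msg...)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// Open unwraps the key, decrypts, then verifies the Bank's signature. Ciphertext
// altered in transit fails the GCM tag; a message not signed by the Bank fails verification.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub ed25519.PublicKey) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed: not the intended recipient")
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext altered in transit or wrong key")
	}
	if len(payload) < ed25519.SignatureSize {
		return nil, errors.New("malformed payload")
	}
	sig, msg := payload[:ed25519.SignatureSize], payload[ed25519.SignatureSize:]
	if !ed25519.Verify(senderPub, msg, sig) {
		return nil, errors.New("signature verification failed: not from the Bank")
	}
	return msg, nil
}

// RoundTrip generates fresh (constructed) keys for a Bank and a customer, sends msg,
// then flips one ciphertext byte to simulate tampering on the carrier. It returns
// what the customer recovered and whether the tampering was detected.
func RoundTrip(msg []byte) (recovered []byte, tamperDetected bool, err error) {
	bankVerify, bankSign, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, false, err
	}
	custPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	env, err := Seal(msg, bankSign, &custPriv.PublicKey)
	if err != nil {
		return nil, false, err
	}
	if recovered, err = Open(env, custPriv, bankVerify); err != nil {
		return nil, false, err
	}
	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01 // carrier-side modification
	_, tamperErr := Open(env, custPriv, bankVerify)
	return recovered, tamperErr != nil, nil
}

func main() {
	// Constructed sample statement line, not real account data.
	got, tampered, err := RoundTrip([]byte("A/c ****1234 debited INR 500.00 on 04-02-2011"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("customer recovered: %q\ntampering detected: %v\n", got, tampered)
}
```

The carrier only forwards the Envelope; because the signature sits inside the encryption, the carrier learns neither the content nor who signed it, and any change it makes is caught at the customer's end before the message is trusted. Binding the public keys to the Bank's and the customer's identities (through certificates) is left out of the example.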
The recommendation on Encryption is therefore not of much significance.
Data Protection:
GGWG has made a reference to Sections 43A, 72 and 72A of ITA 2008 and has raised one valid question: whether "Reasonable Security Practices" under section 43A could be interpreted as determining the security requirements entirely on the basis of the contractual obligations between the data owner and the data processor.
RBI should recognize that Section 43A has been framed for Business to Business data processing contracts and not for the Banker-Customer relationship. Banker-Customer contracts are between two parties with unequal bargaining power and are mostly of the "Standard Form" type. In such contracts the customer has no say in what he can prescribe as a security procedure. Hence "Due Diligence" automatically has to be determined on the basis of international norms and other laws. The role of RBI is very important in prescribing the necessary standards of security in the interest of the customer.
RBI cannot even delegate this responsibility to IBA, since IBA is a body of the Bankers and is a stakeholder interested in minimizing the security responsibilities. RBI is a "Regulator" with a constitutional responsibility to protect the system and the interests of the Customers. Bankers are expected to be driven by commercial considerations, and if a choice is given to them they will opt for the "Buyer Beware" option and will be happy to avoid any responsibility for security.
It is not out of place to mention that one of the member Banks of the GGWG has a stated policy that they would provide security only to the extent it is commercially viable... and of course they will determine what is commercially viable for them. It was a big mistake for RBI to have included such a brazenly customer unfriendly Bank as a member of the working group.
RBI should realize that they are dealing with such sharks who are out there to get their pound of flesh even from their customers. Unless RBI either represents the Customers or ensures that the customer's voice is reflected in all such Working Groups in future, justice would not be considered as being done either to the Bank customers or to the constitutional obligations of RBI.
Internationally there are certain principles of "Privacy Protection", and customers of Indian Banks expect that these are taken into consideration in framing the security requirements of Internet Banking.
The universally accepted privacy principles such as "Collect only what is required", "Use only for the purpose it is collected", "Ensure accuracy", "Destroy when no longer required" and "Secure when in storage" are applicable to any personal information that a Bank collects from the Customer.
At present, Banks do not adhere to any of these principles. Banks share critical financial data with CIBIL, and often the data with CIBIL is not updated. As a result incorrect data of a customer is held by CIBIL and used in a manner that is detrimental to the interests of the Customer. Most Customers do not know what CIBIL is and what information is shared with it. CIBIL again does not have a direct interaction with the customers, and hence the sharing of information with CIBIL is entirely an "Agency" responsibility of the Bank. Hence the Bank is responsible for any inaccurate information with CIBIL and for the consequences thereof. CIBIL does not share the data with the Customer, who is the owner of the data, except at a price. It is highly unethical and unfair that a customer of a Bank has to pay for his own data even to check whether it is correctly recorded or not.
It is surprising that none of the members of the Working Group thought it necessary to discuss the issue of data sharing with CIBIL, and that indicates the level of awareness of the issues and the concern for Privacy of the members of the group. Had RBI considered providing representation of Bank customers or appropriate NGOs aware of the Customer's problems, such as the CCHAI, the working group could have done a better job in fulfilling its objectives.
The working group was more interested in expressing its concern about the liabilities that may arise for the bankers on account of breach of data secrecy rather than looking at what "Privacy" means to the Data Subject. In recommending measures for "Data Protection" the committee made references to DPA and GLBA. In India, ITA 2008 has created the office of an Adjudicator who is capable of examining violations of section 43A and other sections. There is no reason at this point of time to doubt the ability of the Adjudication system to meet the requirements of Data Protection in respect of Bank customers. The working group also did not think of reviewing the performance of the Banking Ombudsman function or the Whistle Blower system in RBI, and whether some solution can be found through these agencies for protecting the Privacy of Customer data and addressing grievances regarding wrongful use of such information.
GGWG therefore failed to address the issue of Data Protection and Privacy of Customer data in the proper perspective and in the required depth.
The Working Group on the other hand draws attention to the Electronic Fund Transfer Act (EFTA) of the USA and suggests that some measures of EFTA regarding exemption of Banks from liability in the event of a fraud by the customer or a technical failure should be considered in India.
It is necessary to appreciate that in a fraud committed by the Customer initiating a transaction for his own benefit, the current laws make that person liable, and Banks do not need any law for avoiding liability towards the customer who originated the fraudulent transaction.
However, if the fraudulent transaction results in a wrongful loss to another customer who was not the person who initiated the transaction, the Bank cannot absolve itself of liability towards such an innocent customer. The working group is trying to twist the provisions of EFTA to get a statement from RBI that the Bank is exempted from liability towards a customer, without distinguishing the customer who has suffered a wrongful loss from the customer who made a wrongful gain with the assistance of a weakness in the Bank's security system or due to a lack of due diligence on the Bank's part. Also, if the loss arises due to technical failure, somebody other than the customer has to bear the loss. Why should the Customer bear the loss when he has no control over the technology? The only solution in such cases is for the technology owner, namely the Bank, to assume the loss and cover it with appropriate insurance. This is precisely what the S R Mittal Group suggested, and it needs to be pursued.
The GGWG has tried to find means of reducing the responsibilities of the bank in terms of implementing a robust technology and backing it up with adequate security, making the Customer a guinea pig in technology experimentation whereas the gains of technology go entirely to the Bank.
(... To be continued)
Naavi
February 4, 2011
Any comments on this article can be sent to naavi@vsnl.com
Copy of Full Report of GGWG
Copy of Executive Summary
Comments are welcome at naavi@vsnl.com