G Gopalakrishna Working Group (GGWG) on Electronic Banking
Additional Comments on Legal Issues
Chapter IX of the GGWG deals with Legal Issues. There are 18 key recommendations that the group has made and Naavi.org has already submitted its point by point comments in the Previous Article.
Comments have also been made on "Cheques in Electronic Form" in the earlier article, and on Intermediary Status and on Encryption and Data Protection Issues.
The committee has deliberated in detail on the impact of ITA 2000/8 and come up with several observations and a few recommendations. Our earlier point by point comment already presents some cryptic views and the comments below contain more details. In particular, observations have been made on the following aspects.
(i) "Intermediary" as defined in ITA 2008
(ii) Encryption
(iii) Data Protection
(iv) Computer related offences
(v) Banks as Certifying Authority
(vi) Online Nomination Facility
There have been references to select relevant cases to highlight the impact of law on Bankers.
The GGWG has also commented on Industry Wide considerations regarding Digital and Electronic Signatures, Sec 65B of Indian Evidence Act, and Use of Two Factor (2F) authentication. It also discusses data protection aspects in Banking and refers to Data Protection Act of UK (DPA), Gramm Leach Bliley Act (GLBA) and Electronic Fund Transfer Act (EFA) of USA.
We shall examine each of these aspects individually.
Computer Related Offences:
The Working group has considered the civil and criminal liabilities that arise for a Bank on account of ITA 2008 and has made references to various cases. It is interesting to note that most of the cases referred to are cases where Banks have won against their customers in Consumer Courts on account of Jurisdictional issues. The case of S Umashankar Vs ICICI Bank, which caused a flutter in Banking circles in view of the liability fixed on the Bank, has been grudgingly mentioned in such a manner as if it were an aberration. In reporting the facts of the case, the committee has betrayed a lack of due diligence in incorporating the particulars. The report mentions that a stay has been granted on the judgment with a payment of Rs 50,000/- as against Rs 12.85 lakhs ordered to be paid by the Adjudicator. The secretary of the working group did not find it necessary to check documentary facts about the case.
Had the working group done some research, they would have found that
a) Stay was granted against a deposit of Rs 5,50,000/- as against the principal loss of Rs 4,95,829/-. The deposit covered the entire loss and a part of the additional compensation granted towards interest loss and expenses. This was a case of Phishing where the proceeds were credited to another customer of the Bank.
b) There was a case of Nikhil Futan Vs HDFC Bank where the District Consumer Court of Mumbai ordered payment of compensation of the loss with interest to the victim of phishing even after the fraudster was arrested by the Police and part of the amount was recovered from him. Though the ultimate responsibility for the fraud was that of the arrested person, the Court held that the Bank was liable to compensate the customer.
c) There was an instance in Bank of India where the Banking Ombudsman ordered payment of the amount with interest to another Phishing victim in Bangalore. Though this was not publicized in the Press, this was an internal record of RBI and was available for the asking. The group does not appear to have collected such vital fraud data from within the bank itself.
d) There was also at least one case where ICICI Bank had repaid a Phishing victim in Chennai without demur immediately after the Umashankar Verdict. Had the Bank reported the disposal of such cases as required in their FMR reports, and had the group asked for copies of FMR reports from within the Bank, such cases would also have come to the knowledge of the working group.
e) There was also a case in Germany, not mentioned in the report, where the Bank had been held liable for a Phishing loss.
The working group therefore failed to do adequate research and presented a list of cases to misrepresent the situation as if most cases are decided in favour of the bank.
It must be recorded that Adjudication as a means of grievance redressal had not been invoked prior to the Umashankar Case and hence there were inadequate efforts for grievance Redressal by Phishing victims in the past. Hence the number of such cases reported was low. There were hundreds of cases in which customers did not pursue the legal remedies at all. Some went only up to the Banking Ombudsman where their claims were rejected for technical reasons. Some did go to the Consumer Court but could not represent their cases properly and failed to get the remedies sought.
After the news about the Umashankar Case became public, there have been a few more such cases which have been filed in different places. There is no information which the working group gathered about such cases. The Working group also did not refer to one of the biggest Phishing cases that surfaced in Delhi involving nearly Rs 2 crores which was widely reported on national TV. The presentation of the incidence of frauds in Internet Banking and how they have jolted the confidence of the public in the Banking system has not been considered by the Working group at all. The working group's analysis of the legal issues involved regarding offences was therefore tainted with a lack of serious effort to be truthful to the task. RBI must keep this factor in mind before taking a view on some of the recommendations of the GGWG.
Bank as a Certifying Authority
The working group has recommended that banks should apply for being licensed as Certifying Authorities (CA). While this is a decision to be given serious consideration, since in due course every banking transaction needs to be authenticated by digital signature and there is a huge business potential involved in being a Certifying Authority, there could be conflict issues arising out of disputes involving digital signatures.
Further, Banks turning into CAs would expose them to additional liabilities arising out of failure in KYC, technical deficiencies, data leakages etc.
It has been observed that Banks have failed in discharging KYC norms in many cases and the Phishing frauds occur because of such fraudulent accounts being opened by them. If the inefficiency continues, then the same fraudsters who are today opening accounts for routing Phishing frauds may start committing frauds involving digital signatures.
The time therefore is not ripe for Banks to assume this responsibility.
Online Nomination Facility
The working group has recommended that provision for online nomination should be facilitated. The working group has however missed the fact that at present a nomination made with the use of electronic documents is not valid by virtue of Section 1(4) of ITA 2008. Unless this is changed there is no way the recommendation can be considered.
It is surprising that the provisions of ITA 2000/8 have not been appropriately examined by the working group before making some of the suggestions, and this recommendation about online nomination is one such legal error.
(... To Be continued)
Naavi
February 5, 2011
Any Comments on this article can be sent to naavi@vsnl.com