Regulation of E Banking in India
E Banking frauds have become so common in Banks in India that they soon
will not be considered as worthy of discussion. Naavi has been in the
forefront of a crusade against Bankers who have jumped onto the
e-Banking bandwagon, throwing all caution to the wind and making customers
pay for the commercial greed of the Banks. While some Banks learn from
their past mistakes and try to improve their security, there are some
Banks who tend to remain adamant and challenge the customers.
Naavi has brought to the notice of authorities several Banking frauds.
Yesterday, a case involving an ATM fraud in Bangalore, in which Bank of
India and Canara Bank were involved, was brought to light. Earlier
cases against Punjab National Bank and ICICI Bank have also been
highlighted. There are other cases involving HDFC Bank, SBI, Axis Bank
which have from time to time been reported through Naavi.org.
Press has also been highlighting certain cases from time to time. The
latest case of Phishing reported is from Lucknow, in which a UP State
Government officer has lost around Rs 34361/- from PNB. The victim in this
case being a Government official, perhaps PNB may go for a
compromise.
The fraudsters are now adopting "Salami" tactics of siphoning off less
than Rs 50000/- from accounts, sometimes as low as a few thousands, safe
in the feeling that nobody can launch an effective legal battle to
recover a small amount. Police normally refuse to entertain such cases
and customers are virtually left with no option but to forget their losses
and move on.
The problem has reached such proportions that there is a need for RBI to
take stock of the situation and check if the foundation of the Indian
Banking system has become shaky. An all India survey of e-Banking frauds
has to be undertaken by RBI with the assistance of CBI to identify if
certain Banks have deliberately violated KYC norms to establish a
network of "mules" who act as conduits for fraud proceeds being passed
through. It is necessary to also subject the banking systems to security
audits since the current audits have failed to stem the frauds. IDRBT
should review the security clearance they have given to some of the Core
Banking software since they have not adhered to the required security
norms.
When challenged, Banks take cover under the claim "Our software is
supplied by a reputed software company. It cannot go wrong", despite
evidence to the contrary. Sometimes they say "Our systems have been
audited by a reputed audit firm and therefore our systems are safe and
secure", despite evidence to the contrary.
If the software systems and audits were effective, we would not have
seen so many frauds. (P.S: The argument that customers are ignorant,
negligent and part with their passwords is not tenable as this does not
absolve the banks from their responsibility to use systems which cannot
be tampered with easily. Naavi has explained the relative liabilities of
Banks and Customers through earlier articles).
RBI has gone into the problem of security in e-banking and way back in
June 2001, came up with its Internet Banking Guidelines. Continued
defiance of the regulations contained in the circular dated June 14 2001
has caused all the e-banking frauds in India so far. RBI clearly
understood and accepted that Information security cannot be foolproof
and that Banks cannot completely avoid losses to their customers on
account of hacking, denial of services and other e-frauds. It therefore
advised banks to obtain insurance against such losses in its Internet
Banking guidelines. It also stated in clear terms that the "legal risk"
for not using digital signatures for authentication of electronic
documents used by them has to be borne by the banks and not pushed to
the customers.
These guidelines were reiterated by the G Gopalakrishna Working group on
security in E Banking and fresh instructions were circulated in April
2011.
However, Banks have not given adequate respect to the recommendations of
the RBI in the past and we need to wait and see how they respond to the
current set of instructions.
In the meantime, a question arises on how RBI should ensure that its
guidelines are respected and implemented by the Banks. Can RBI force the
Banks to implement the security guidelines or only be satisfied that it
has done its duty by sending out the necessary circulars?
In order to end speculation in this regard, Naavi has now placed a
request with the Governor of Reserve Bank of India that in three
instances of known violation of RBI guidelines brought to their
knowledge, RBI should penalize the respective branches of the bank by
cancellation of branch licenses. One of the branches involved belongs to
PNB and the other to ICICI Bank.
In the past, RBI has been known to impose financial penalties when its
guidelines such as KYC norms are violated. This however has not been a
sufficient deterrent for Banks. There is a need for a more effective
deterrent to be used by RBI to ensure that Banking does not become a
nightmare for the customers.
RBI now has two options before it. One is to refuse the demand made by
Naavi and condone the violation of RBI guidelines in the past. Second is
to accept the demand and impose a penalty which will bring home the
seriousness of the consequences of negligence by the Banks.
In other words, the decision will determine...
Whether RBI is with the people or with the Banks?
Is its duty to "Regulate e-Banking" or to "Promote e-Banking"?
Is it strong enough to regulate, or is it meek enough to only toe the
line of the Banks?
Which way RBI will move is a matter which will determine the future of
e-Banking in India. If RBI chooses to ignore the request, it is for the
Citizens of this country, the Customers of different banks, the
Legislators, the Finance Ministry, PIL activists, other NGOs and the
higher Judiciary to take up the matter and pursue it.
[Disclaimer: Naavi is an ex-Banker and has a lot of respect for Banking
as a Profession and Industry. The current aggressive stand taken by
Naavi as a Netizen Activist is not a stand meant to denigrate the Indian
Banking system but to strengthen the system. If in pursuance of this
noble objective to serve the Banking customers, I express displeasure on
several Banks, it is only because most Banks have fallen into a vicious
circle of introduction of new technology without adequate consideration
of security and I sincerely believe that Technology should not be only
a means to make more profit. It should maintain the fundamental nature
of Indian Banking as a secure option for the public to park their
funds.]
Naavi
3rd July 2011
Comments are Welcome at naavi@vsnl.com