SBI’s NEFT system poses a legal risk…Action required from SBI and RBI

One of the customers of SBI has reported a faulty behaviour of the NEFT system in SBI which needs to be explored both by SBI and the RBI. It could be considered as causing a “Legal Risk” both to the Bank itself as well as the customers.

The customer has sent video evidence of the incident which is with me and I am not immediately posting it in public domain since it contains information that is confidential. It can however be shared with SBI or RBI if it is requested.

The observation reported is this:

As we all know, when a customer logs into the account, he can view the previous transactions. In the incident referred to, the customer observed that there was an NEFT receipt from one Mr X. But when the customer refreshes the transactions, each time he sees different names as the remitter of the NEFT credit. One time it says money received from X or and another time Y or Z and so on. The amount and the transaction number  remains the same but only the name changes.

The customer has not so far lost any money due this peculiar behaviour which appears to be a bug in the software and it is said that the changing of the names of the remitter stops after lapse of a period which could be after the transaction moves to a different status in the server.

However, my objection is this:

If I capture the screen record at one point of time, it will show all the details of the customer and an evidence  that a remittance with a certain transaction ID has been received from Mr X. At another time, the same transaction is shown as money received from Y and yet another time it is shown as Z and so on.

This means that the evidence presented by the server is unreliable and any other information from a similar source presented as evidence either under Section 65B or under Banker’s Book of Evidence Act will be unacceptable in a Court of Law.

We can interpret this issue in two ways:

  1. We can demand that no Court should henceforth accept any evidence presented from SBI server showing a remittance since it is unrelaible and could be a result of a faulty software. or
  2. We can say that SBI has manipulated the evidence to show a person who has not sent the money as the remitter.

-This is “Tampering” with the electronic file and an offence under Section 65, 66 and other sections of ITA 2000/8.

-These are cognizable offences under which the SBI officer responsible for the business and the CEO and Directors may face prosecution.

I request SBI and RBI to undertake an investigation of this incident and whether this is a one off occurrence with the particular customer or it occurs with others.

This report appearing in a public website is to be treated as an “Incident” coming to the knowledge of SBI and RBI and should be documented in the books of SBI.  Also, according to the recent “Cyber Security Framework” released by RBI  it should be reported to the RBI in the periodical report along with its resolution.

(P.S: If after a time, an RTI with RBI does not show the report of this incident, then it would confirm that there was non compliance of the RBI guideline.)

I look forward to appropriate action from SBI and RBI, though I would not be least surprised if both of them simply ignore this public notice and carry on with the “All is Well Syndrome”.#

#”All is Well Syndrome” is a behavioural trait often expressed by Information Security professionals,  businessmen, regulators and software professionals that nothing will go wrong and has gone wrong in their systems and occasional reports of bugs are better ignored… a trait which is the bane of all compliance managers.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

One Response to SBI’s NEFT system poses a legal risk…Action required from SBI and RBI

  1. V Rajendran says:

    Ver well observed. In fact, what Naavi has said is a very relevant point which not only poses a grave non-compliance on the part of SBI on question of tampering and absence of due diligence but exposes the customer to a greater risk too.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.