When Banks in India don't use Digital Signatures
..It would be a Clause 49 Non Compliance
Corporate Governance is an important responsibility of
top management in any listed corporate entity in India. An offshoot
of this responsibility is the written commitment given by the Management in
the annual report. This written commitment commits the Chairman as well as
the Independent Directors besides the executive directors.
Normally while signing the annual report, the focus
would be on matters concerning financial reporting of the Company. However,
since any activity of the company may ultimately reflect on the integrity
of the financial status reported in the annual report, the management is
expected to include in its Corporate Governance disclosures, any activity
of the organization which is likely to have impact on the financial status
of the Company.
Since the Company works under a legal regime where
carrying out certain activities or not carrying out certain activities may
result in financial liabilities, current or contingent, all such activities
are expected to be examined by the Company and properly disclosed along
with the measures taken to control the adverse impact of such activities.
In other words, any matter which is likely to result in
a vicarious liability to the Company should get disclosed in the annual
report along with the "Controls" instituted by the Company to reduce or
eliminate the financial risks associated with them.
The revised clause 49 requires the
Independent Director to periodically review legal compliance reports
prepared by the company and any steps taken by the company to cure any
taint. The revised clause specifies that no defence shall be permitted
that the independent director was unaware of this responsibility in case of
any proceedings against him in connection with the affairs of the company.
Certification by CEO/CFO
Under Clause 49, the
CEO (either the Executive Chairman or the Managing Director) and the CFO (Whole-Time Finance Director
or other person discharging this function) of the company has been put
under an obligation to certify that, to the best of their knowledge and
belief, they have reviewed the balance sheet and profit and loss account
and all its schedules and notes on accounts, the cash flow statements as
well as the Directors’ Report and these statements do not contain any
materially untrue statement, omits any material fact or do they contain
statements that might be misleading. Further they are required to certify
that these statements together present a true and fair view of the company,
and are in compliance with the existing accounting standards and/or
The revised clause requires
them to be responsible for establishing and maintaining internal controls,
to evaluate the effectiveness of internal control systems of the company,
and to disclose to the auditors and the Audit Committee, deficiencies in
the design or operation of internal controls, if any. They are also
required to disclose to the auditors as well as the Audit Committee,
instances of significant fraud, if any, that involves management or
employees having a significant role in the company’s internal control
systems, whether or not there were significant changes in internal control
and / or of accounting policies during the year.
While providing such a certification, auditors are more focused on the
regulatory compliances regarding accounting systems such as GAPP compliance
if required. However auditors are not equipped to check if the regulatory
compliance requirements need to be checked from the point of view of a law
such as ITA 2008 and leave it to the management to certify compliance in
For example, under Section 3 and 3A of ITA 2008 any electronic document
that requires authentication needs to be authenticated using Digital
Signatures. Since many of the Company's transactions are done using
electronic documents and liabilities are being created far and against the
Company through such electronic documents, if the electronic documents are
not authenticated in a "Non Repudiable Mannner" there would be an adverse
impact on the Company.
Hence if there is no compliance of Section 3/3A of ITA 2008, there would be
deficiency in Compliance. If this is not properly disclosed, there
would be "untrue" declarations in the annual report to which all the
Directors, the CEO and the auditors would be responsible.
In Banks, RBI has through its Internet Banking Guidelines clearly stated
that if the Banks donot use digital signatures for authentication it must
be considered as a "Legal risk". Not using digital signatures directly
result in "Phishing" and if the
Bank of India decision of the Banking Ombudsman is any indication,
there would be a number of Phishing related liabilities on the Banks. Since
this is having an impact on the financial aspects, it becomes a mandatory
area for the auditors to verify. The CEO's certification that "there are
adequate internal controls" fails the conviction test.
Some Banks may try to hide behind confirmations from CRISIL or ICRA
that their Corporate Governance is adequate and satisfactory. However, even
the CRISIL or ICRA systems of evaluation of Corporate Governance fail to
properly take note of non compliance of ITA 2008 and its impact on the
financial reporting of Banks. If so, they would not have ignored the lack
of use of digital signatures as a means of authentication in Internet
Banking for over 8 years since digital signatures became available.
Now with the Phishing liabilities coming up on Banks, the negligence of the
auditors in ensuring adequate regulatory compliance under Clause 49 will
start coming into the open.
In our opinion it is the duty of the auditors to confirm through a CEO
certification that all regulatory requirements including under ITA 2008
have been complied with and make a reasonable verification of the
correctness of the statement. The lack of digital signature usage in Banks
is too glaring to require any special verification. The auditors are fully
aware of the status though they may be ignorant if this is a compliance
requirement or not.
December 24, 2009
Copy of the SEBI
Comments are Welcome at