G Gopalakrishna Working Group (GGWG) on Electronic Banking
Additional Comments on Legal Issues: Industry-wide Considerations
Chapter IX of the GGWG report deals with Legal Issues. The group has made 18 key recommendations, and Naavi.org has already submitted its point-by-point comments on them in the previous article.
Comments have also been made in the earlier articles on "Cheques in Electronic Form", Intermediary Status, Encryption and Data Protection Issues, and Offence-related issues.
The GGWG has also commented on industry-wide considerations regarding Digital and Electronic Signatures, Section 65B of the Indian Evidence Act, and the use of Two Factor (2F) authentication. It also discusses data protection aspects in Banking and refers to the Data Protection Act of the UK (DPA), the Gramm Leach Bliley Act (GLBA) and the Electronic Fund Transfer Act (EFTA) of the USA. We shall examine each of these aspects individually.
Digital and Electronic Signatures
"Digital Signature" was one of the key issues covered under ITA 2000 way back in the year 2000, when the Act was notified with effect from 17th October 2000. Even after 10 years the world has not seen a better technology that can substitute for digital signatures as a means of authentication of an electronic document. The choice of the technology was therefore inevitable for a system which had two sub-objectives, namely certifying the data integrity of a signed document and certifying the identity of the person signing the document. Common people may sometimes be confused when they realise that the law considers digital signatures a valid replacement for physical signatures but does not consider a scanned thumb impression a "Signature". The Working Group, however, consisted of experts, and hence there is no reason to believe that they did not understand the difference between a Digital Signature, which can authenticate both the person and the document, and any other method of authentication, which can only identify the person but not certify what he has stated. If the report gives any contrary opinion, we can only wonder if the group wanted to be clever and pass through recommendations in the hope that nobody will challenge them.
Since there was some objection from technologists that ITA 2000 was dependent on the technology of the Asymmetric Crypto System and hashing for the purpose of authentication and did not leave scope for new technology innovations, ITA 2008 introduced flexibility into the legislation by defining what is called "Electronic Signatures". The "Digital Signature" as defined in Section 3 remained one form of Electronic Signature, already approved. It was open to Licensed Certifying Authorities (CAs) to come up with alternate technologies that conform to the requirements of Section 3A and obtain the sanction of the Controller of Certifying Authorities (CCA) to introduce "Electronic Signatures", which would then be notified in Schedule II of ITA 2008. Since 27th October 2009, when ITA 2008 was notified, no CA has come up with any proposal for an Electronic Signature, and hence it appears that as of date there is no alternative to the digital signature for the purpose of authentication of electronic documents.
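As an added illustration of the distinction drawn above (example code written for this commentary, not part of the GGWG report or of the original article), the Go program below runs the two kinds of check side by side: an RFC 4226 one-time password, the usual 2F factor, whose only inputs are the shared secret, a counter and the code; and a signature over the hash of the instruction text, the "asymmetric crypto plus hashing" model of Section 3. Ed25519 stands in for whichever asymmetric algorithm a licensed CA would actually certify, and the OTP secret, key seed and transaction texts are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
)

// hotp: RFC 4226 one-time password (HMAC-SHA1, dynamic truncation, 6 digits).
func hotp(secret []byte, counter uint64) int {
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(c[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return int(binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff) % 1000000
}

// demoKeys: customer key pair from a constructed fixed seed (example only).
func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed([]byte("constructed-32-byte-seed-value!!"))
	return priv.Public().(ed25519.PublicKey), priv
}

// signDocument: sign the SHA-256 digest of the exact text (hash + asymmetric crypto).
func signDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	d := sha256.Sum256(doc)
	return ed25519.Sign(priv, d[:])
}

func verifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	d := sha256.Sum256(doc)
	return ed25519.Verify(pub, d[:], sig)
}

// afterTampering: the customer typed an OTP and signed `original`; the bank
// executes `altered`. Returns what each check says about that execution.
func afterTampering(secret []byte, pub ed25519.PublicKey, priv ed25519.PrivateKey, original, altered []byte) (otpOK, sigOK bool) {
	code := hotp(secret, 7)             // OTP the customer typed for this session
	sig := signDocument(priv, original) // signature the customer put on the instruction
	otpOK = hotp(secret, 7) == code     // 2F check inputs: secret, counter, code; never the document
	sigOK = verifyDocument(pub, altered, sig) // signature check covers the text actually executed
	return otpOK, sigOK
}
```

Run with `go test`: the OTP check still passes after the instruction text is altered, while the signature check fails, which is exactly the "identifies the person but does not certify what he stated" gap.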
There is no ambiguity in ITA 2008 on this aspect, contrary to what the working group seems to suggest. An approved Electronic Signature, when notified, will be an additional authentication method, and in case any other section needs clarification, we can expect that it will be done when the notification is issued.
ICICI Bank, which was one of the members of the group, had been hurt in the Umashankar Case, since the Adjudicator had found that the Bank was negligent in not using digital signatures, the means of authentication recognised by law, to distinguish its e-mails, and hence the customer could be cheated by an impersonator.
The working group should have perused the judgment copy, if not the details of the arguments adduced in the case by Umashankar (which the member Bank could have shared with the Group for the public good), to understand why the learned judge came to the conclusion that the Bank was negligent.
RBI is aware that the S R Mittal Group had gone into the details of the use of Digital Signatures, and that the then Deputy Managing Director of ICICI Bank, who was a member of that group, submitted a dissenting report opposing the group's contention that "PKI is the only form of authentication approved in law and use of any other technology is a source of legal risk".
The working group should also have known that ICICI Bank had started using Digital Signatures for authentication of e-mails in 2004 in its demat division; the information is in the public space at www.naavi.org.
The Working group should also realize that several Government agencies, such as the MCA and the IT department, have made the use of digital signatures compulsory for certain transactions. RBI itself has a subsidiary, IDRBT, which was also represented in the group, which is a licensed CA and issues Digital Certificates to Bankers for their RTGS applications and Truncated Cheque applications.
Despite this wealth of information, the working group failed to analyse the pros and cons of its recommendations regarding the use of alternate forms of authentication as included in the report.
It appears as if the Group was not interested in exploring why the current technology, which is available as well as affordable and is legally acceptable, cannot be mandated for use in Banking. It was only interested in bypassing the law and recommending the use of processes which are not sanctioned by law, or recommending a change of the law itself.
If the regulatory powers of RBI are applied to change laws that are inconvenient to the Bankers, then it would create a bad precedent in the Country.
If RBI shows any inclination to succumb to such a strategy, one can envisage that the next request could be for a retrospective change of law so that ICICI Bank could escape its liability in Umashankar's case.
The S R Mittal Group had the guts to reject the dissenting report of the Deputy Managing Director of ICICI Bank and showed its character as the upholder of the regulatory character of RBI. The GGWG appears to have failed to show a similar resolve in boldly opposing the move of ICICI Bank for the introduction of recommendations that are not in accordance with law and, if approved, may make RBI a laughing stock in the Supreme Court when such decisions are questioned by people like Dr Subramanya Swamy.
I trust that RBI, when it sits down to frame its operational guidelines based on the report, will consider these inappropriate recommendations and ensure that the image of RBI as the guardian of the Indian Banking system is preserved.
The inadequacies of the recommendations are better illustrated in the following comments on the two recommendations that the group has made to avoid the use of digital signatures, namely the use of Section 65B certified documentation and the declaration of 2F authentication as an "Electronic Signature".
Regarding Section 65B IEA Authentication
Section 65B of the Indian Evidence Act (IEA) was introduced as a means of making certain printed documents admissible as "Electronic Documents" in a Court of Law. Just as the Bankers' Books Evidence Act makes certain certified copies of ledgers admissible in lieu of presentation of the entire ledger, Sec 65B envisages that duly certified printouts of electronic documents are admitted as documents in Courts of Law in lieu of the presentation of the electronic document itself.
This provision was not meant to be used as a replacement for the authentication of an electronic document. An electronic document is authenticated by the originator with the use of digital signatures, while Sec 65B enables a third party to certify an electronic document based on his observations as a "matter of fact".
I may recall a Judgement on the stamping of locker documents a few decades back which has some relevance to the current context. I presume it involved State Bank of India, which was one of the other Banker members in the working group. In this case, the Bank was using Locker Agreements which were unstamped though they required stamping as per the Stamp Act. Whenever a need arose, the Bank used to pay the penalty of 10 times the understamping value and present the document in a Court of law. This practice was questioned by the Stamp authority and was held to be an unfair practice designed to cheat the law.
The suggestion of the group to avoid the use of digital signatures and instead use Section 65B certification when a legal requirement arose appears to be similar to this case.
It must also be noted that Section 65B certification can be used for documents which the certifier can view in the ordinary course of his activities. The documents which may be the subject matter of dispute in a Bank vs Customer case are mostly in the custody of the bank, and most such documents can only be certified and presented by the Bank. The Customer will not have any access to such documents and will be at a great disadvantage.
Section 65B certification can be provided by a Bank in favour of third parties. But when the bank uses information from its own server and provides a certified document for its own purpose, it will be deemed "Self Serving Evidence" and lose substantial weightage in the Court of Law.
If a customer wants to use any document that he cannot view but which is reasonably suspected to be in the custody of the bank on its servers, the option available to him is to press for "E-Discovery". The provisions of law for a customer to order the production of documents for e-discovery from Banks in India are weak. Banks will normally use the "Privacy" argument to stonewall the production of documents.
It may be fair to recall that in the Umashankar vs ICICI Bank case, the Bank appeared to have deliberately erased certain evidence to frustrate the complainant, and hence even when the provisions of e-Discovery are invoked with Court intervention, the possibility of Banks erasing the data and claiming innocent procedures in support is very high.
In any case of Customer vs Bank, therefore, it would be difficult to expect the Bank to produce, with due certification, documents that may help the customer and amount to self-incriminating evidence against the Bank.
In fact, the working group failed to discuss the Section 67C provisions of ITA 2008 on data retention and to develop guidelines for data retention in Banks to enable e-discovery in respect of disputes. This was a failure on the part of the working group.
The recommendation suggested to be made to the Central Government to appoint more agencies under Section 79A is irrelevant and has no value to the issue on hand.
Use of 2F Authentication
The working group has made a ridiculous recommendation stating,
"..it is recommended that Rules may be framed by the Central Government under Section 5 of the Act, to the effect that, with respect to internet or e-banking transactions, 2F method or any other technique of authentication provided by banks and used by the customers shall be valid and binding with respect to such transactions, though 'digital signature' or 'electronic signature' is not affixed."
This is an irresponsible recommendation to be made by a high-power committee, since it is a suggestion which is legally untenable.
The intention of the members of the group placing this suggestion is clear: that "any other technique of authentication provided by banks" shall be valid. It appears that the Group thinks it can make each Bank a law-maker for itself.
For the understanding of the members, I would like to state that only those techniques which satisfy the requirements of Section 3A, are approved by the CCA and are introduced by a licensed CA can be accepted as an "Electronic Signature". It is ridiculous to suggest that anything can be declared a substitute for the legal method of authentication even if it is ultra vires the ITA 2008.
RBI does not have the powers to make such a suggestion, and if the implementing authorities do not see through this fraudulent suggestion, they will be paying a price through legal opposition in the coming days.
The suggestion should be summarily rejected, and the members responsible for getting such a suggestion approved should be censured and blacklisted from future working groups of RBI.
Exemption of Liability
Amidst the discussions on the 2F method of authentication, the group has slipped in two lines of great significance, which are being pushed as if an under-the-table suggestion.
The last two lines of the paragraph on "Proposals" on page number 261 state:
"Finally, it is submitted that provisions similar to the provisions dealing with 'unauthorised electronic fund transfers', consumers liability for unauthorised transfers etc., in the Electronic Fund Transfer Act, USA, (as pointed out later in the report), would be useful in India."
The intention of the working group, when seen in totality and in particular in recommendation number 18 of Chapter IX, is to use the EFTA as an example to exempt the Bank from liability arising out of "Unauthorized Transactions".
However, it must be noted that the EFTA is set in a different context and in an environment where there are various other laws to protect Bank consumers, and it is not necessarily a representative piece of legislation that can be imported selectively into India. The laws on digital signatures are different in the US, and the liabilities for Privacy invasion are covered by other legislation. There are court decisions in the US where simple e-mails without digital signatures have been held binding on the organization, and the opening of a Facebook account in an impersonated name has been treated as "Hacking" under the Computer Abuse Act. Hence the EFTA provision cannot be imported out of context.
It may be noted that the EFTA actually makes financial institutions liable for the failure of electronic transactions put through by Consumers and limits the Consumer's liability to US $50/-. The EFTA does not protect the financial institution for having effected a transaction which was not properly authorized.
Financial institutions are exempted from liability for a failure to make an EFT only in cases such as when the Consumer's account has insufficient funds, an act of God, or a technical malfunction known to the consumer at the time he attempted the transaction, and not otherwise.
The passing of any unauthorized transaction is considered "Forgery", and the law of forgery applies to all "Unauthorized Transactions". In the case of "Forgery" there is settled law in India regarding whether the customer is liable for the payment of forged cheques from his account and what the consequences of negligence etc. are.
Hence the suggestion of the GGWG to refer to the EFTA is irrelevant and needs to be ignored.
Data Security
The working group has discussed the Data Protection obligations of Banks vis-a-vis Section 43A liabilities. We have already discussed this in an earlier note, highlighting that a mere contract between parties of unequal bargaining power, represented by the Bank on the one hand and the customer on the other, would be insufficient.
While one can await further privacy-related legislation from the Government in lieu of the Personal Data Protection Bill 2006, which lapsed, or the issue of guidelines under Sec 43A for "Reasonable Security Practices", Banks cannot ignore the global principles of data protection by overriding them with a contractual agreement. Any attempt to ignore the global principles may be held to be a "Lack of Due Diligence".
(... To be continued)
Naavi
February 5, 2011
Any comments on this article can be sent to naavi@vsnl.com