Let's Build a Responsible Cyber Society




E Banking Security Guarantee Scheme

Naavi.org has been in the forefront of a crusade to make E Banking systems safer for the Bank Customers. Here is a suggestion that the RBI can implement in this direction. This could be a temporary or a permanent measure that can ensure safety of the funds of the E-Banking Customer and could be the only solution for survival of the Indian Banking at this point of time.

When Internet Banking technology became feasible in India, there were two options for the RBI to allow the benefits of technology being used by the Indian Banking system.

The first was to allow "Virtual Banking" to be permitted as an E Commerce activity where an organization could be permitted to receive funds of the public online for the purpose of lending  online without linking it to any of the existing Banking institutions in the Physical world. Ideally such institutions could be barred from using the word "Bank" in their name but could be called as "Virtual Financial Shops".

Public would have looked at such organizations as a new creation of the Internet and approach them with the full perception that this is not Banking as we know but could be an interesting option to park our funds with the added risks if any.

RBI could have still regulated these Finance shops under an NBFC license to ensure that they donot indulge in overtrading. In such a case the traditional banks would have continued to do what they were good at namely Banking in physical space where they mobilized public savings and lent it for good purposes.

The Physical Banks and the Virtual Finance Shops could have entered into some collaborative products so that the benefits of Internet transactions became available to the traditional Bank customers through instruments such as a "Virtual Shopping Card" with limits like the Credit Card. These would be like Debit Cards exclusively meant for the Internet and not accepted in the physical market.

Such a system would have insulated the traditional banking industry from the risks to which the Internet was exposed.

Banks could also have been encouraged to open a "Internet Banking Branch" and allowed its physical world customers to open new accounts in this branch for Internet transactions without an automatic transfer of funds facility from the traditional accounts.

However, in its wisdom RBI did not consider either of these options but opted to allow the traditional banks to also extend Internet banking facility as an additional mode of transaction.

This decision brought the risks of Internet into the traditional banking system. As Banks started allowing Internet access as a default facility and the preferred mode for their customers in view of cost savings it offered, the entire banking community became exposed to the Internet Banking risks sold as "Convenience".

The generation of customers who were used to traditional banking looked upon Banks as "Savings Institutions" and as a fortress for their funds were now unprepared for the link to the Internet world which exposed the system to new kinds of risks.

The recent happennings including the revelations made in Bangalore by a security expert before an expert committee constituted by Naavi.org have proved once for all that Internet Banking can never be safe. At best the risks can be contained within some limits that the customer agrees to trade off for the convenience that he gets in return. If the risks are reduced, the incentives for criminals would also be lesser and the economics of E Banking frauds would go against the criminals in the long run.

Though RBI took care to advise the bankers that under the new dispensation E banking risks are the responsibility of the Banks, in practice Banks have resisted the RBI guidelines by simply ignoring them and challenging the customers to prove in a Court of law that the liability is with the banks.

Naavi.org has highlighted many recent cases where the complaints of the customers have been taken to the Adjudication system and the Cyber Appellate Tribunal which are the only judicial forums which have the jurisdiction for Cyber Crime cases. The delays in the system have been a big issue in getting justice for the customers through the judicial system. Banks with their better financial powers are likely to take each case to the highest court of the land and hence cases are unlikely to be decided wihin a reasonable time.

To this a new kind of risk has been added by the Adjudicator of Karnataka which is a "Conflict Risk" since some of the Banks against whom complaints are held by the Adjudicator are business partners of the department headed by the same person in his capacity as the IT Secretary.

In the light of these developments, there is likely to be increased instances of E banking frauds and increased cases of failure of the judicial system so that the Bank depositors will certainly find the Banking system completely unreliable as a savings institution.

We are therefore on the threshold of a time when Banking industry in India is likely to face increasing troubles which may soon cause some of the Banks to even close down.

RBI must understand that there are already botnets which have compromised millions of Indian computers and if the kind of vulnerabilities that have been demonstrated before the committee of experts constituted by Naavi.org on 2nd of February at Bangalore falls into wrong hands there could be a serious threat of mass infections of Indian computers resulting there after in mass hacking of bank accounts which will be mistaken as "Phishing".  This may lead to the failure of at least one major Indian bank in 2012.

The responsibility to find measures to correct such a Banking catastrophe lies only with the RBI. At that time RBI cannot escape by citing Internet Banking guidelines or Gopalakrishna committee report, Damodaran Committee report (Yet to be accepted) etc as its efforts to protect the E Banking transactions.

The tenure of Dr Subba Rao is therefore under threat of going down as a catostrohic tenure and the predictions of doom of 2012 may come true at least in this respect.

I therefore urge the Governor of RBI to once again consider my request to set up an E Banking Security Guarantee Scheme to protect Bank customers against Phishing frauds.

The scheme will simply use the KYC responsibilities under Anti Money Laundering Act to provide the funding for reimbursing customers on losses arising out of E banking frauds.

Under the scheme whenever an E banking fraud takes place, the responsibility for reimbursement should be fixed on all the Bankers involved in the fraud which includes the Paying Bank ( Which is the Bank for the victim customer) as well as the Collecting Bankers (Which is the Bank for the fraud beneficiaries).

Since post facto, all beneficiaries are necessarily part of a fraud network, maintaining their network and allowing them to transfer funds and withdraw from ATMs amounts to failure of the Anti Money Laundering responsibilities. Hence all the collecting bankers can be fined by RBI for AML failure.

The Paying Bank from where the money is fraudulently transferred is also part of the money laundering activity due to its failure to adopt such risk management efforts as to identify the fraudulent transaction.

Hence RBI should fine each of these Banks a minimum of Rs 5 lakhs per failure and credit it to the E Banking Security Guarantee Scheme. From this fund the victim should be paid off without much of a formality. Any short fall should be met by the  Paying Banker who is the prime culprit with lack of legally acceptable secure technology and procedures.

Any decision to the contrary should only be based on the banks proving that a fraudulent nexus existed between the victim and the beneficiaries which should be proved before a tribunal of the Guarantee Scheme.

In order to give some practical examples I give below some of the known cases to see if the economics of the scheme works out

Case Net loss of the victim number of beneficiary branches involved Total Fine Realized

including paying branch

S. Umashankar Vs ICICI Bank 4,95,000


Thomas Raju Vs ICICI Bank 1,62,800 1 10,00,000
Rajesh Yadav Vs ICICI Bank 3,91,210 2 15,00,000
GPL Vs Axis Bank 39,00,550 13 70,00,000
Vijaykumar Vs PNB 3,00,000 5 30,00,000
Gunashekar Vs PNB 5,59,200 10 55,00,000
Gopi Vs SBI 3,39,000 5 30,00,000

As one can easily visualize from the above the fine that the RBI may collect may be more than adequate in most cases to cover the loss of the individual victim. In rare cases such as PK Agarwal Vs PNB in which Rs 165 lakhs were lost and in another Pune case where a customer of PNB lost Rs 80 lakhs, the fine collected may fall short. The reason in these cases is mostly because the Bank had no limit on the individual transaction amount and transfers of upto Rs 60 lakhs were made on a single transaction in PNB. In such cases the payment can be made from the surplus amount available from other accounts or from additional contribution from the Paying bank

I request the Governor of RBI to respond to consider this proposal and provide a public response as to whether such an arrangement can be made or why such an arrangement cannot be made.

I request journalists in Mumbai to take up this matter with the RBI Governor personally.


February 12, 2012

Related Article:

Indian Banking System in danger of collapse..What are the solutions?

Bomb is ticking to destroy the Indian Banking System


 Comments are Welcome at naavi@vsnl.com