Lessons from China to Indian Bankers and RBI

The China Banking Regulations Commission (CBRC) has notified guidelines to the Banking industry to use “Secure and Controllable Technology” to strengthen the Internet based Banking system. This guideline has the potential to bring significant changes to the IT industry in China and also to vendors from outside China.

According to the guideline, it would be mandatory for Banks in China to use “Secure and Controllable” IT products at a minimum rate of 15% increase each year and to reach 75% by 2019. The criteria for determining the status of a product as “Secure and Controllable” have been detailed in the guideline and include the following.

1. IT Vendors are required to establish their own R&D service centers in China

2. Source code should be filed with CBRC

3. Risk of Product supply chain should be controllable. (i.o.w. there could be a need for more local production in the entire supply chain)

4. The IP rights in respect of certain products could be subordinated to the local requirements. (i.o.w. provisions similar to compulsory licensing may be used)

As a result of these regulations, it would be necessary for the following:

1. Supplier/Service Contracts will have to incorporate necessary compliance clauses.

2. Banks will have to deploy 5% of their R&D budget on deployment of Secure and Controllable IT products

3. Banks need to subject themselves to an annual audit by CBRC to determine compliance.

As a result of these changes, Indian IT companies having operations in China with exposure to Banking industry need to be prepared for a compliance related modification of their business contracts. If they fail to adapt, the supply contracts may be terminated.

I think RBI needs to pick up a few lessons from these guidelines since they have mindlessly allowed domination of Chinese products in the Indian Banking industry exposing the country to a great disadvantage in the event of a Cyber War. Banks should also understand that there is national interest beyond the need to increase their bottom line.

We remember that during the UPA regime, a Security Certification Center was established under the guidance of IISC Bangalore to test IT products, from China in particular, which were suspected to have OEM back doors, but it was actually sponsored by Huawei!

I hope the National Cyber Security team in India takes note of these developments and initiates appropriate actions.



Will Axis Bank Explain?

Naavi.org was recently informed of a bizarre instance involving Axis Bank and ATM transactions. This incident is a matter of serious concern to all Axis Bank customers and hence we would like to bring this to the notice of all, including the Reserve Bank of India.

I am reproducing verbatim a comment posted by one Mr Sharad Updhyay about his experience in an ATM in Gurgaon for one of our earlier articles titled “Axis Bank ATM license should be cancelled by RBI”:

“Recently I tried withdrawing Rs. 2000 using my IDBI Debit card from an AXIS BANK ATM based at Sahara Mall, Gurgaon. The ATM asked me if I want a receipt for the transaction. I opted yes, the transaction was automatically aborted. Wondering what happened to the ATM, I tried again and again (with option “Yes” for transaction receipt) – a total of 5 times, but encountered the same problem every time.

Meanwhile I noticed that another person who opted “No” for printed receipt was able to withdraw money from the same machine. I followed him – went ahead for withdrawal without transaction receipt, and this time machine dispensed the desired amount i.e. Rs. 2000.

Next day I noticed that my IDBI account was debited twice: first for a sum of Rs. 10000, and once again for Rs. 2000 (which I actually withdrew there). I was wondering what made the ATM cause a debit of Rs. 10000 in a single go – while I never entered this amount at ATM console.

I raised an official complaint with my bank (IDBI), and they escalated the case on my behalf with Axis Bank, however, Axis Bank rejected my claim – stating that their ATM balancing reports, switch files, and other transaction logs show that Rs. 10000 transaction was carried out successfully, and they do not owe me anything.

At this stage my bank i.e. IDBI has been helpless, and I’m just wondering whom to report this fraudster in order to get my money back. It appears that something fishy is going on there in Axis Bank ATMs with help of CMS (the agency which replenishes cash in ATMs) and the Axis Bank staff itself. How is it possible that there was no surplus sum recovered from ATM for my failed transactions, and how is it possible that an ATM automatically converts 5 subsequent transactions of Rs. 2000 each into a single transaction of Rs. 10000?

Please let me know what can be done in this case, and how can I get my money back. Also, isn’t there any authority to punish the bank owning such malicious ATMs and ripping off the customers like this?”

The first comment I would like to make on this incident is that there is apparent fraudulent mis-management by Axis Bank. It is clear that the ATM has been deliberately tweaked to ensure that fraudulent transactions do not come to the notice of the customer when he is withdrawing the amount.

The responsibility for this fraud lies squarely on the management of Axis Bank all the way up to the Chair person.

The reported incident is a report of possible hacking of a critical computer resource belonging to the Banking system. It represents a cognizable offence under ITA 2008. Mumbai police, who closely monitor even Facebook “likes” and go to the extent of arresting persons, must be considered as being aware of the occurrence of this crime. They should therefore take suo motu action and register a Cyber Crime under Section 66 of ITA 2008, naming unknown Axis Bank employees as suspects. They should also investigate “Negligence” on the part of the Axis Bank ATM division and the Chair person for not taking adequate information security measures to protect the ATM transactions.

The Reserve Bank of India should at the same time initiate its own investigation and take penal action against the officials of the Bank.

Now coming back to the customer and what he can do.

1. Normally, money fraudulently debited to the account should have been reversed immediately on filing of a complaint with the Bank.

2. IDBI Bank cannot absolve itself of its responsibility since they have used Axis Bank as its agent and hence they are responsible for their client’s loss.

3. The customer need not go to the Banking Ombudsman since that is a sham run by RBI and most Ombudsmen are biased in favour of the banks and simply reject the claim with a further proviso that you cannot appeal to RBI.

RBI is aware that the scheme is a sham and yet has not shown any interest in correcting the same. This is not a reflection on the Banking Ombudsman in Mumbai but a general reflection on the scheme and how it is run.

If possible, I advise the customer to personally meet Mr Raghuram Rajan, the Governor of RBI, and check why he is not considering himself responsible for running a secure banking system.

4. The customer is fortunate to be in Mumbai where the IT Secretary is one Mr Rajesh Aggarwal. He is also the “Adjudicator” under ITA 2008. For any financial loss arising due to contravention of any of the provisions of ITA 2008, in Mumbai, he is the sole authority having judicial powers to conduct an enquiry and award a compensation.

I advise the customer to make an adjudication complaint to him immediately. If he remains in office for some more time, he will definitely give him justice.

However, since Maharashtra is likely to have a change of Government soon and it is customary to shuffle secretaries if a new Government comes, it is possible that this great officer, who is upholding justice under ITA 2008 like no other IT Secretary in India, may be shifted out. Hence the customer should at least get his complaint registered before any such change occurs.

5. It would also be better if a complaint is filed with the commissioner of Police, Mumbai against the officials of IDBI Bank and Axis Bank for running a fraudulent ATM system and causing loss to you. The customer should not fall into the trap of filing the complaint against the unknown fraudster who might have drawn the money. That person will never be traced since IDBI bank is unlikely to have maintained the CCTV footage or other evidence that may be required for this purpose. Police and Banks will try to hold that only that unknown person is responsible and nobody in the Bank is responsible. This is a way of driving the complaint to a dead end. For the customer it is always a transaction with the Bank and hence he should hold the Bank alone responsible.

The Police complaint should also mention that RBI has been negligent in enforcing ATM security and is also responsible for pushing customers to such frauds.

If necessary, the customer may take the assistance of a Consumer activist to pursue the complaint.

It may appear that the money lost may not be substantial and hence may not be worthy of the trouble of complaining. It is this attitude of most of us that emboldens criminals to resort to these types of small ticket frauds which we refer to as “Salami” attacks. It is our duty to bring this to public knowledge and wake up regulators like RBI to remind them of their responsibilities.

In the meantime, I demand that Axis Bank makes an official statement about this incident.



Does Nachiket Mor Committee report impress to deceive?

One of the first initiatives that the new RBI Governor Mr Raghuram Rajan took after assuming office a few months back was the formation of the Nachiket Mor committee on “Comprehensive Financial Services for Small Businesses and Low Income Households”.

Now the committee, which was set up only in September 2013, has submitted its report with the same speed that Raghuram Rajan displayed on the licensing of new banks. RBI released a copy of the report on January 7th for public comments. The comments may be emailed or sent by post to the Principal Chief General Manager, Rural Planning and Credit Department, Reserve Bank of India, Central Office, 10th floor, Shahid Bhagat Singh Marg, Mumbai 400 001 on or before January 24, 2014.

The committee has made several radical recommendations and, while laying down its vision statement for financial inclusion and deepening, has suggested providing a universal bank account to all Indians above the age of eighteen years and has recommended a Vertically Differentiated Banking System with Payments Banks for Deposits & Payments and Wholesale Banks for credit outreach with relaxed entry point norms of Rs. 50 crore.

On priority sector, the Committee has recommended Adjusted Priority Sector Lending Target of 50 per cent against the current requirement of 40 per cent with sectoral and regional weightages based on the level of difficulty in lending. The Committee has also recommended risks and liquidity transfers through markets.

The Committee has advocated regulatory convergence between banks and NBFCs based on the principle of neutrality with regard to classification of non-performing assets and the Securitisation and Reconstruction of Financial Assets and Enforcement of Security Interest (SARFAESI) Act, 2002 eligibility.

The Committee has suggested that a State Finance Regulatory Commission (SFRC) be created into which all the existing State Government-level regulators could be merged and functions like the regulation of Non-Government Organisations-Micro Finance Institutions and local Money Services Business could be added on.

The Committee has desired that the Reserve Bank should issue regulations on suitability, applicable specifically for individuals and small businesses, to all regulated entities within its purview so that the violation of such regulations would result in penal action for the institution as contemplated under the relevant statutes through a variety of measures, including fines, cease-and-desist orders, and modification and cancellation of licences.

The recommendations are radical and will have significant impact on the Banking and Financial sector in India and will also significantly affect the stock markets. It will also affect the proposed new Banking licensee aspirants.

In view of the nature of some of the recommendations that may also affect security of public money, it is essential for experts in the field to study the report and submit their comments to RBI in time.

Mr M.S. Sriram, a former professor of IIM Ahmedabad, has published an interesting article titled “Why the Nachiket Mor committee report on financial inclusion disappoints” in livemint.com which makes good reading to begin your exploration of the report.


Copy of the report is available here.

Additional comments of two of the members can be found here:



Bitcoin Regulation.. Where should the focus be?

We have been watching Bitcoin exchange rates growing exponentially at MtGox attracting the attention of regulators both from the point of view of the possible effect on the monetary controls of the Sovereign States and loss of Tax revenue besides the money laundering.

Regulators should also recognize another aspect of the market that could be a cause of worry. That is the growing number of Bitcoin clones in the market. A few days back only 9 bitcoin clones were visible. Yesterday the report was about 53 clones. Today the number of Bitcoin clones appears to have grown to about 142 as this report suggests. (Complete Directory of Crypto Coins)

Since Bitcoin protocol is an open source protocol, we can expect more Crypto currencies to emerge as we go on. In fact many of the “Reward Schemes” operated in the markets can overnight convert themselves into crypto currencies and provide a capital appreciation prospect to the reward points.

Regulators therefore now have to worry not only about Bitcoins, but about all other Crypto Currencies, and the dynamics of the issue are changing so fast that it is difficult for regulators to keep watching any more.

Let us now look at some of the major concerns of the regulators.

1. Use of Bitcoins (and all other Crypto currencies) for criminal activities:

Cyber Crime is an important concern of the community. Today, Cyber Crime related money laundering transactions are said to be bigger than Drug related transactions. There is therefore a legitimate concern that any system that assists in holding of assets in anonymous and liquid form, movable across the globe in minutes (like BTC), is an obvious choice of the crime mafia.

However the real concern of the society on Cyber Crimes is when money from the physical society is stolen via the Internet. In fact, if a virtual asset of one Netizen is stolen or lost, the physical society would not be much bothered. It is only when a person loses his Rupee or dollar balances in his Bank account that the physical society is really concerned.

Hence if Bitcoins are lost by a holder, it is only somebody else in the Bitcoin community who may be bothered and not the physical society regulators.

If the crime syndicate wants to use Bitcoins as the currency for rewarding crimes, they still need to transfer their crime income in Dollars or Rupees to BTCs and vice versa. The concern should therefore be about the “Conversion Point”.

IOW, BTC is not a threat to the society but it is only the convertibility of physical currency to BTC and vice versa which is a matter of concern to the physical society. 

2. Taxing of the Revenue

Governments everywhere are interested in “Taxing” the population and appropriating their wealth so that the Governance can be financed. Whenever they see people making profits in business, they therefore think of how to tax them. If they feel that the profits are earned relatively easily then the urge to tax on a higher tax bracket is more.

Currently the regulators can understand the part of the Bitcoin business which involves buying and selling of BTCs. This is no different from stock market or property transactions. Investors will make either trading profit or loss in the short term or long term. As long as such profits or losses are realized in local currency terms, they can be brought under tax net.

When the stocks remain in BTC form, the regulators need to arrive at a valuation scheme and they may either take the value as prevailing in MtGox or have a system of weighted valuation across a few top Exchanges.

Regulators will however have some difficulty in understanding the nature of wealth creation that occurs in the “Mining Activity”. The value created in the mining activity accumulates in bitcoin wallets which are difficult to trace, and it is only when a person declares his holding that the IRS/IT department will come to know of the existence of the BTC wealth of the citizen.

However once declared by the miner, it is possible for the tax authorities to value it in terms of the exchange rates and consider it as a property.

The cost of acquisition of the BTC is however not easy to ascertain. The cost of hardware and electricity as well as any other fees paid need to be taken into account just as in any other business. However there is a reasonable way of estimating this based on the calculators that are available. Some uncertainty may still be there when miners adopt innovative strategies to cool the processors and thereby save electricity.

However it would not be difficult for the tax officials to agree upon a cost declaration and allow it as a deduction from the value of the coins created and also agree to tax the holdings on the basis of holdings or on conversion to physical society currency at some point of time in the future.

They may also introduce a condition that unless the costs are declared during the year of operation, they will not be allowed as a deduction on sale in the subsequent years.

Hence taxing of BTC related operations is well within the grasp of the regulators and can be easily managed.

3. Impact on the Economy

There is one more concern among regulators about whether holding of monetary assets by people as a parallel currency affects the money circulation in the economy and affects monetary policies such as interest rates etc.

This is unfounded since at present the value of BTC wealth is too small in comparison with the physical currencies floating around.

Even when the BTC holding in an economy goes up to a significant level of say 10 to 20%, what it means is that there would be some “pseudo wealthy persons” in the society who can feel proud that they are millionaires. But their status would be like some property owners who may be sitting on prime property but may not have cash to meet their wealth tax obligations itself.

The wealth has value only when BTC is sold and converted to local currency. The wealth then becomes part of the local currency and causes neither inflation nor deflation on its own.

I therefore consider that the regulators need not have any worry about the adverse effect of BTC on the economy.

However, I concede and strongly contend that there is a need to ensure that BTCs are not used as the currency of the Cyber Crime underworld or as the Currency of the criminals for laundering their crime money or for politicians to hoard their ill-gotten wealth in BTCs instead of Swiss Banks.

In order to achieve this objective there is a need to regulate the “Exchanges”. It is necessary for the Governments to ensure that conversion of BTC (or any other Crypto Currency) to legacy currency of the land or vice versa has to be through a regulated process.

This means that the exchanges have to be “Authorized” and there has to be a proper “Record Keeping including an effective Know Your Customer norm” and “Record Submission to authorities”.

I suggest that regulators start thinking in this direction but otherwise let the crypto currency system thrive on its own steam.

In fact if more Indians can start BTC mining, then ISPs would be happy with the higher bandwidth usage. Power sellers would be happy with higher capacity utilization (I assume that power shortage is not an issue at the place of mining). IT hardware industry would be happy since it creates a market for more computers and specialized mining equipment. (Hope this would give a fillip to the computer hardware industry in India!)

More mining in India means more global wealth flow to India and more tax collection by the authorities.

Hope RBI is watching the developments in the right perspective.

There could be a concern however for the environmentalists and those who would like conservation of resources and prioritizing productive uses. The debate could be whether the amount of computing power that is getting diverted into BTC activity is worth the effort. (See the report here). Maybe this is left to a later point of time when the activity is more significant.


Negligence of Export Promotion Councils, ECGC and Banks leads to Rs 2.35 crore fraud

In what has now become a routine type of fraud, a tobacco exporter in Andhra has been defrauded to the extent of Rs 2.35 crores. Naavi.org recalls its open letter to RBI and ECGC in its post on July 14, 2013 about the increasing nature of such frauds.

Way back on October 30, 2011, writing in Exim Matters, Naavi in his article “The Law of Internet For Exporters” had highlighted the dangers of relying on unauthenticated e-mails and the possibility of exporters becoming victims of frauds. This was followed up in the next article on the use of Digital Signatures. Had the contents of these articles been properly assimilated by exporters, some of the frauds which we are now facing could perhaps have been prevented.

Again, in the July 14, 2013 post, Naavi.org had highlighted the responsibility of RBI and ECGC on educating Exporters and also blacklisting some of the destination countries to which fraud remittances are usually sent. No action came forth from these regulators and the problems continued.

In the latest fraud incident the money has been sent not to Nigeria or China or Hong Kong but to USA and Turkey. It therefore appears that these fraudsters have now spread their net across other countries as well. In all these cases the original remittance instructions of an Export or Import order had been altered through fraudulent e-mails. Obviously the original contracts were in the knowledge of banks and therefore they were also privy to the fact that the terms of payment had been changed before the final remittance. This is an easily recognizable modus operandi of these fraudsters and if the Bankers had a reasonable knowledge of such cyber frauds, these could have been prevented.

I therefore place the responsibility for these frauds at the doors of irresponsible and ignorant bankers. The regulators such as RBI and ECGC also have to share the blame for not properly educating the Bankers in this regard.

I therefore suggest that just as the Police in Bangalore have recently pulled up Banks for their lack of security in ATMs, Police in Andhra should pull up Banks in this case by invoking their vicarious responsibility in this regard.

In the meantime ECGC may have to absorb the loss since the Exporter here is also a victim of a Cyber Crime.




The threat of Bitcoins…Attention RBI

An article in Forbes raises an interesting aspect on how China may be preparing for a new Cyber War front based on controlling the virtual currency.

See the article here

Readers of Naavi.org are familiar with the discussions on “Linden”, the virtual currency used on secondlife.com, and how there was a dispute about conversion of the Lindens into US dollars by a person alleged to have fraudulently sold virtual land in secondlife.com. This happened several years ago but was an indication of how disputes may arise if the Virtual world starts interfering with the physical world in the currency domain.

Now every cyber fraudster still has to collect physical currency through a Bank to enjoy the fruits of his fraud. But if Virtual currencies gain wide acceptance then fraudsters can easily encash their fraud proceeds through the virtual currency, bypassing the regulatory system of the physical world. This will have very serious adverse consequences on the society.

Now an indication of what is likely to happen has been given by the increasing popularity of “Bitcoin”, a peer to peer digital currency that functions without the intermediation of a central authority. The system is a currency version of Bit Torrent.

Bitcoin is termed as a “Cryptocurrency” since it uses cryptography to control transactions and prevent duplication. The system works through operators known as “Miners” who process the generation of coins. Every individual transaction is permanently recorded in a public ledger known as the block chain.

Users keep “Wallets” in which bitcoins are stored. Payment gateways assist in transferring payments from one bitcoin wallet to another.

The Bitcoin system, originally introduced in 2008 as a concept paper, became operational in 2009. In 2011 it is reported that Bitcoin exchange value rose from $0.30 to $32 before falling back to $2.

This year, China appears to be showing increased attention to the system, and the China based Bitcoin exchange BTC China is said to have overtaken the Japan based Mt Gox and Europe based Bitstamp to become the largest Bitcoin trading exchange. On 19th November 2013, it is reported that one Bitcoin was traded at US $1100. The total Bitcoin holding is said to be roughly 12 million. The market cap of Bitcoin is therefore expected to be more than US $7.2 billion.

The future threat of Bitcoins is that it is likely to be used in replacement of the Swiss Banks for black money holding, money laundering and financing of criminal activities.

From the Forbes article it appears that China is promoting the currency with the intention of posing a challenge to US dollars as a globally accepted currency as well as to overcome international sanctions.

The emerging threats of Bitcoins appear to be many and unless we in India start thinking on how we address the threat, the country may face a new threat from the terrorists who may start using this currency for financing anti India activities.

We therefore request RBI and SEBI to start thinking on how to tackle this threat of peer to peer virtual currency.

