Banks may become liable under Section 65 and 67C in Fraud cases

I refer to the discussions we had in the case of the Phishing fraud at Musiri Branch of State Bank of India where I tried to provide some guidance to the Customer on what sort of complaint he has to register. I had also sent an e-mail directly to the branch.

I understand that the customer has lodged a formal complaint with SBI on the lines suggested.

As is usual, SBI branch will send the complaint to the LHO and the Branch Manager normally does not take any action. The reply will normally be so much delayed that the fraudster could make an easy escape before the investigation even starts.

We are all aware that most computer systems work on the principle of “Cache” storage of log information which automatically gets overwritten after some time with new data. Hence, if any evidence has to be extracted from computer systems, it should be done within a short time after the incident. Otherwise the evidence gets erased and the system owner can give an excuse that information is no longer available.

SBI will also use the same excuse and, after making the customer wait for some time, will say that the information is no longer available. Sometimes this can be out of ignorance and sometimes it could be deliberate.

Law however is very clear that “Deletion of data when it was required to be kept for the time being under law” is a cognizable offence under Section 65 of ITA 2000/8 with a possible imprisonment of up to 3 years. Even under Section 204 of IPC, it is an offence carrying a sentence of 2 years.

Once therefore the customer informs the Bank that an unauthorized transaction appears to have taken place in the electronic systems belonging to the Bank, all the log records and associated information become recognized as “Potential Evidence in a Cognizable Crime”. Hence they shall not be destroyed in the usual course of “Cache being overwritten”. All relevant information needs to be “Archived” securely and as per Section 67C of ITA 2000/8 for such period and in such format as is relevant for the purpose. Otherwise there is a second offence under Section 67C carrying another 3 years imprisonment.

This also applies to the Mobile Service Providers and Wallet Companies who may be involved in the fraud. The ultimate beneficiaries of the fraud and all the intermediaries who are involved in the process would be known from the Bank’s records.

The first task is therefore to obtain a certified copy of a report from the Bank about the status of the account indicating their version of how the transactions indicated by the Customer to the Bank as “Unauthorized” have been recorded in their books.

Sometimes they simply ask the customer to download the statement from the Internet and read the particulars of the transactions. Police/Customer should reject such a response and insist that the Branch Manager provide a Certified copy of the statement under the Bankers Book Evidence Act for a drilled down statement which shows the details of the transactions, which includes:

a) Name of the beneficiary

b) Date, Time up to seconds of the transaction

c) IP address, Mobile Number or other meta data collected with the transaction.

d) Details of the authentication measures used by the Bank to pass the transactions of similar nature.

e) Adaptive authentication measures followed by the Bank and the reasons why they failed in the particular instance

f) Report of the IS team of the Bank on how their system was compromised to pass a forged transaction

g) A Bit image copy of the hard disk where the disputed transactions were authenticated with Section 65B certification

The Bank may provide the information in installments since some information may be available with the Manager and for some he has to contact his Core Banking server team.

LHO is only an administrative head and no time should be wasted in simply writing a letter to LHO and waiting for the reply.

If the Manager does not cooperate, Police has the authority to push for action over e-mails for instant information provision failing which they should record that the Bank was not cooperating in collection of evidence and this may be considered as a “Passive Assistance” to the fraudsters.

In some cases, Police may be hesitant to ask the Bank Manager tough questions since he represents an organization as big as say SBI and the customer is a relatively powerless person. Banks are also more resourceful and they can hire more reputed lawyers and even try to influence the investigations to favour them using their contacts in the city and financial power.

In such cases customer should not hesitate to approach the Court to expedite the investigation.

However, we can consider that in most cases Police may want to help the customer but they do not know how to proceed.

It is in this context that we put out a detailed note on what information has to be asked from SBI Musiri Branch in the subject case. I understand that they have dodged the customer on some technical grounds of how the letter was issued which I hope the local advocate would take care.

Additionally, since two days have elapsed since SBI received the knowledge that a fraud might have been committed in their systems, it was their duty to preserve the evidence.

I therefore advise the Musiri Customer of SBI to issue another notice to the Bank signed by the advocate that they demand the information forthwith and in the event any evidence which was present in the system as of the time the fraud was first reported over phone or otherwise to the call center of the Bank by the customer is found to have been tampered with, action would be initiated on the Bank and its employees under Section 65 and 67C of ITA 2008 in addition to the current charges of “Conspiring with the Fraudsters and other intermediaries to cheat the customer”.

(P.S: I am sure the advocate can find the necessary sections under IPC for the purpose.. 420? and 120B?)

I was today informed of another incident in Punjab National Bank Pudukottai where the customer has lost Rs 38499/-. The amount appears to have been credited to MobiKwik, Airtel, Make My Trip and other service providers.

My advice to the customer and the Police in Pudukottai is similar to what I have indicated in the Musiri case. Please issue an immediate notice to the Bank holding the Bank as the accused since the fraud has occurred within the electronic systems of the Bank. The Intermediaries like MobiKwik, Airtel, Make My Trip etc should also be issued a notice and a case for conspiring along with PNB and some unknown customers of the service providers (like MobiKwik etc) to defraud the customer.

It is the duty of each of these service providers and the Bank to jointly and severally bear the liability and to provide all necessary information that can assist the Police in finding the end users.

If these agencies want my assistance on how they should proceed to collect the evidence required they are free to contact me.

Police on their side should invoke Section 79 and 85 of ITA 2000/8 along with other sections of offence and charge the officials including the branch manager, and other relevant persons responsible for the security of the Banking transactions.

I demand that the RBI and the Bank’s own fraud prevention section should immediately take steps to preserve the evidence and assist the police to bust the case.

I suggest that the Police may also send a notice to the RBI Governor to clarify the validity of the “Limited Liability Circular” issued by them on August 11, 2016 which they have indicated subsequently as being formally issued.

In their replies to RTI queries, RBI has confirmed that this circular is under finalization. But so far they have not made their decision public though they might have conveyed it in their meetings with Banks.

If RBI is holding back the issue of the circular to facilitate the Banks from escaping from the liability, it is necessary for Mr Urjit Patel to come out clean on his inability to get the circular issued.

If as in the previous instances of Damodaran Committee report etc, RBI backs down under the pressure of the commercial banks to protect the customers, they should at least stop issuing Circulars with no intention of making them operational to fool the public. Otherwise, the Media may start reporting RBI circulars under the “Fake News” columns rather than in their main news sections.

Naavi

 

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.