Let's Build a Responsible Cyber Society




When Banks in India don't use Digital Signatures

...It would be a Clause 49 Non-Compliance

Corporate Governance is an important responsibility of top management in any listed corporate entity in India. An offshoot of this responsibility is the written commitment given by the Management in the annual report. This written commitment binds the Chairman and the Independent Directors as well as the executive directors.

Normally while signing the annual report, the focus would be on matters concerning financial reporting of the Company. However, since any activity of the company may ultimately reflect on the integrity of the financial status reported in the annual report, the management is expected to include in its Corporate Governance disclosures any activity of the organization which is likely to have an impact on the financial status of the Company.

Since the Company works under a legal regime where carrying out certain activities or not carrying out certain activities may result in financial liabilities, current or contingent, all such activities are expected to be examined by the Company and properly disclosed along with the measures taken to control the adverse impact of such activities.

In other words, any matter which is likely to result in a vicarious liability to the Company should get disclosed in the annual report along with the "Controls" instituted by the Company to reduce or eliminate the financial risks associated with them.

The revised clause 49 requires the Independent Director to periodically review legal compliance reports prepared by the company and any steps taken by the company to cure any taint. The revised clause specifies that no defence shall be permitted that the independent director was unaware of this responsibility in case of any proceedings against him in connection with the affairs of the company.

Certification by CEO/CFO

Under Clause 49, the CEO (either the Executive Chairman or the Managing Director) and the CFO (Whole-Time Finance Director or other person discharging this function) of the company have been put under an obligation to certify that, to the best of their knowledge and belief, they have reviewed the balance sheet and profit and loss account and all its schedules and notes on accounts, the cash flow statements as well as the Directors’ Report, and that these statements do not contain any materially untrue statement, omit any material fact, or contain statements that might be misleading. Further, they are required to certify that these statements together present a true and fair view of the company, and are in compliance with the existing accounting standards and/or applicable laws/regulations.

The revised clause requires them to be responsible for establishing and maintaining internal controls, to evaluate the effectiveness of internal control systems of the company, and to disclose to the auditors and the Audit Committee deficiencies in the design or operation of internal controls, if any. They are also required to disclose to the auditors as well as the Audit Committee instances of significant fraud, if any, that involve management or employees having a significant role in the company’s internal control systems, whether or not there were significant changes in internal control and/or of accounting policies during the year.

While providing such a certification, auditors are more focused on the regulatory compliances regarding accounting systems, such as GAAP compliance if required. However, auditors are not equipped to check whether regulatory compliance needs to be examined from the point of view of a law such as ITA 2008, and they leave it to the management to certify compliance in this regard.

For example, under Sections 3 and 3A of ITA 2008, any electronic document that requires authentication needs to be authenticated using Digital Signatures. Since many of the Company's transactions are done using electronic documents and liabilities are being created for and against the Company through such electronic documents, if the electronic documents are not authenticated in a "Non Repudiable Manner" there would be an adverse impact on the Company.

Hence, if there is no compliance with Section 3/3A of ITA 2008, there would be a deficiency in Compliance. If this is not properly disclosed, there would be "untrue" declarations in the annual report, for which all the Directors, the CEO and the auditors would be responsible.

In Banks, RBI has, through its Internet Banking Guidelines, clearly stated that if the Banks do not use digital signatures for authentication, it must be considered a "Legal risk". Not using digital signatures directly results in "Phishing", and if the Bank of India decision of the Banking Ombudsman is any indication, there would be a number of Phishing-related liabilities on the Banks. Since this has an impact on the financial aspects, it becomes a mandatory area for the auditors to verify. The CEO's certification that "there are adequate internal controls" fails the conviction test.

Some Banks may try to hide behind confirmations from CRISIL or ICRA that their Corporate Governance is adequate and satisfactory. However, even the CRISIL or ICRA systems of evaluation of Corporate Governance fail to properly take note of non-compliance with ITA 2008 and its impact on the financial reporting of Banks. Had they done so, they would not have ignored the lack of use of digital signatures as a means of authentication in Internet Banking for over 8 years since digital signatures became available.

Now with the Phishing liabilities coming up on Banks, the negligence of the auditors in ensuring adequate regulatory compliance under Clause 49 will start coming into the open.

In our opinion, it is the duty of the auditors to confirm through a CEO certification that all regulatory requirements, including those under ITA 2008, have been complied with, and to make a reasonable verification of the correctness of the statement. The lack of digital signature usage in Banks is too glaring to require any special verification. The auditors are fully aware of the status, though they may be ignorant of whether this is a compliance requirement or not.


December 24, 2009

Related Articles:

Copy of the SEBI circular



 Comments are Welcome at naavi@vsnl.com