Let's Build a Responsible Cyber Society



Another Verdict Goes against Bank in Phishing Case

The trendsetting judgement from the Adjudicator of Tamil Nadu, Sri PWC Davidar on 12th April 2010 on the complaint of Sri Umashankar Sivasubramaniam against ICICI Bank has done yeoman service to the Banking consumers in India by creating a shocking awareness about the insecure Banking practices prevailing in India and how the consumers are being subjected to avoidable risks in the guise of technology introduction in the Banking industry.

Today's Times of India (Bangalore Edition) carries a report about another Consumer Court verdict in Mumbai where a client by name Nikhil Futan has won a compensation of Rs 4.6 lakhs in a Net Banking Fraud case. (P.S: We donot have full details about the case nor the copy of the judgment at this point of time with us and welcome any reader to provide the same for larger circulation through this site).

Earlier Naavi.org has also reported another incident where the Banking Ombudsman of Chennai had ordered repayment of Phished amount with interest to a customer of Bank of India in Bangalore which the Bank had rightfully accepted without demur.

Thus there are now three arms of legislation/regulation who have come to the decision that Banks should be held liable for frauds on its customers. We are sure that we will have more such instances in future....Naavi

What Next?

I am aware that Banks today are like wounded tigers and they will try to muscle their way out of this situation by trying to get the legislation changed if required. The commercial interests are so strong that soon principles may take a back seat and all sorts of vested interests may start influencing the future developments. I would like to therefore start a national debate on this subject so that consumer interests are not short changed in the altar of technology adoption.

While I welcome introduction of technology for the betterment of Banking services, I strongly emphasize that  the primary focus of Banking should be "Safety of Customer Interests". Introduction of technology like Internet Banking or Mobile Banking cannot therefore be with a dilution of the security of Banking from the users's perspective.

Let's explore some thoughts on how different Government and Industry agencies have repeatedly erred in the past to expose the Indian Banking Consumer to grave risks of technology.

In this exploration, I would like to address the responsibilities of the following parties.

a) Banking Software Companies

b) Banks

c) Reserve bank of India

d) Indian Banks Association


f) Consumer Interest Organizations/All India Bank Depositor's Association

g) Media

Kindly note that these are my first thoughts and not a complete analysis of the problem and the expected action. I am placing this note in public domain so that others can join in this debate and we have a good outcome of this situation.

I have already invited the Chairman of IBA, Mr M V Nair to a public debate which I would like to organize in Bangalore (could be at any other place also) and am awaiting his response. This online debate should provide enough background material on the subject for a meaningful debate. I also invite the national TV channels such as NDTV, CNN IBN, Times Now, Headlines Today/aajtak, etc to also take up the debate to the electronic media.

Role of Banking Software Companies:

Indian Bankers today use banking software which are supplied to them by reputed organizations such as Infosys, I Flex, Polaris etc. Many Banks have re-engineered their business process to suit the software. Today it is not the Banking that drives the software but it is the otherway round. None the Banking software providers have embedded the digital signature system of authentication into the core banking software at least when the software was first installed with these Banks. Subsequently Banks have also not insisted on upgradation since like the Y2K issue, this is a problem with a deficient software being provided in the first instance and Banks charged for the upgradation of what  is actually to be treated as "Bug Fixing".

Of course technically the software companies may say that the specifications mutually agreed was for password based authentication and not digital signature based authentication and it is the responsibility of the Bank as a software customer to determine what is required by them.

However it is necessary for the software majors to introspect and see if it was not their responsibility to point out as a "Technology Consultant" that if the legacy system of physical signature based authentication has to be adopted to an IT base the equivalent system can only be with a digital signature system and not a password based system. This law has been in force since 17th October 2000 and even the Internet Banking guidelines of RBI issued in 2001 has in no uncertain terms indicated that not using Digital signatures in authentication will hoist the "Legal Risk" on the Bank.

Should we assume that the software majors were naive not to understand these provisions? Or Should we assume that their CSR did not extend to supply of "Risk Free Software" to their Bank customers who were in awe about the technology and perhaps did not even know how to draw a proper software specification.

I would like socially conscious software persons like Sri N R Narayanamurthy to share with the public why a company like Infosys could not have incorporated digital signatures as a mandatory authentication mechanism to their software and priced their products accordingly when they supplied their first version of Banking software to ICICI Bank?


I accept that the first generation of Banking software was accepted by the Banks on "As is Where Is Basis" supplied by the software experts. However there was enough discussion of the "Non Compliance of Law in Banking industry" even on this one site www.naavi.org for any serious Banker to sit up and take notice. Naavi has personally contacted a number of Banks on a number of occasions (mostly in the seminar environment) and always insisted that Banks are ignoring the legal risk and are even becoming non compliant with Basel 2 norms. If these cries have not been heard, it is because the Bankers have chosen to pay deaf deliberately. Since the passing of the ITA 2008, Naavi has intensified his educative efforts and have directly confronted some Banks and nearly charged them of conducting the business in a manner not approved by law or regulatory advise. Violation of the obligations under Clause 49 were also repeatedly highlighted. I would be surprised if not less than 20 Chairmen of Banks would not have received the communication in no uncertain terms during the last 6 months before the Umashankar judgement.

Regretfully none of the Banks were interested in either conducting an ITA 2008 audit first to understand where they are going short, let alone take a decision to implement the digital signature system.

What is surprising to note is that ICICI Bank which is in the center of the storm today had itself started using digital signature for its e-mails some time back. When Naavi pointed out certain technical deficiencies in the system, instead of correcting the system, they chose to drop the system altogether. The clarification issued by ICICI Bank at that time and Naavi's remarks there on can be read here.

I am surprised that a Bank which has access to the experience of Banking veterans such as Mr K V Kamat and several persons who earlier worked in Canara Bank could not understand that they were behaving in a very Un-Banker manner by choosing to do business deliberately challenging the law.

Reserve Bank of India and IBA

In my previous article I have responded to the number of comments posted on the Economic Times website against the article reporting the Umashankar Case. These comments were posted from techno savvy persons many of them from abroad. Some of them expressed that they were aghast that Bank could be held liable for such a fraud since according to them the customer was "Stupid" and caused the fraud on himself.

In this context, as an Ex-Banker from a Nationalized Bank, having serviced customers who could hardly understand the nature of Banking transactions despite maintaining accounts I would like to request techno savvy customers to spare a thought for the not so tech savvy clientele of the Banks. Today introduction of debit cards and Internet Banking is more for the convenience of the Banks and not for the convenience of the Customers.

When technology was first recommended for Banks by the Narasimhan Committee, the community was given an assurance that technology would increase efficiency and reduce costs.

I would like Indian Bank's Association and RBI to conduct a study of Banking practices in India and share their study results with the public to assess " Whether the technology introduction has either improved efficiency or reduced the costs and if so to what extent".

Today most Banks charge fees even to issue or reissue passwords for the Internet Banking accounts. Internet Banking facility and debit Cards are issued as a matter of routine and charged at the expense of the client. At the same time the facilities provided donot meet the basic security requirements nor the law of the land.

RBI had been wise to clarify in its Internet Banking Guidelines that if Banks donot adopt digital signatures, they have to take the legal risk. This single line is sufficient to say that Banks are responsible for all e-frauds which are happening now and there is no need for each victim to go to the Adjudicator or Consumer Court or Banking Ombudsman.

However one need to also ask RBI if they were not aware that their guidelines were not being adopted by any Bank in India. If not, then their system of Bank audit was faulty. If they did observe and yet decided to turn a blind eye, the Governor of Reserve Bank has to examine if there was dereliction of duty at multiple levels in the RBI.

Are RBI regulations only meant to be on paper? If this is so for Internet Banking guidelines then can Banks also ignore other instructions?  We are aware that Banks are flouting many other established banking norms in the case of Credit Cards. RBI has been content in periodically issuing instructions and press statements but not implementing its own guidelines. On the other hand before securing the Internet Banking, RBI has  gone ahead and approved Mobile Banking and increased the risks to the customers.

I request RBI to constitute a new working group for "Secure Banking in Technology Era" and address all aspects of information and transaction security in Banks.

IBA is a body of the Bankers. It has more interests in commercial matters rather than regulatory matters. However, historically IBA has been pushing the Banks towards better procedures and systems and "Customer Interest" has been the core of IBA working in the past. I am not however sure if the priorities have undergone a change in the recent past or IBA has become impotent as a self regulatory body.

I donot mean to hurt the current Chairman of IBA (whom I had the opportunity to know personally several years back when he was in Corporation Bank) but I would not hesitate to re-iterate that IBA has a big role in ensuring that Banks tighten their security and if they donot act now, history would hold the body responsible for lack of action. I have even pointed out to the IBA Chairman in his capacity as Chairman of Union Bank of India how introduction of digital signature for every Internet Banking customer is feasible and cost effective.

As of today, it is neither a difficult technical problem to implement digital signature in Internet Banking nor it is prohibitively expensive. If Bankers want to have a working proposal on this front, I am willing to request some vendors who can implement the system within the next few months if possible even on a BOLT basis.

If IBA does not respond now, it would be presumed that the "Consumer is the King..respect him" principle has been sacrificed at the altar of modernization. As a Banker who grew up in the era when this quote from Mahatma Gandhi adorned the walls of every Bank Branch, I would be sad that the unwritten wall poster today is "Customer is a Bakra..exploit him".


 Today SEBI has a mandate to protect investors in the stock markets. Since many of the Banks today are listed corporate entities, protection of its share holder interest falls within the domain of SEBI. The listing guidelines particularly the Clause 49 which requires CEO certification of regulatory compliances is a tool designed by SEBI in the same manner SOX tries to regulate the US listed companies.

If Banks are absorbing "Legal Risks" by not adopting "Cyber Law Compliant security measures", and Umashankar type of liabilities keep occurring frequently, then the financial interests of the share holders are seriously affected. Hence the CEO certifications under Clause 49 without ITA 2008 compliance by a Bank would amount to providing a fraudulent declaration to mislead the investors.

It is therefore necessary for SEBI to specially send out an enquiry to all listed companies after they submit the March 31, 2010 annual report if they have taken adequate steps to cover the risks associated with the non compliance of ITA 2008 as effective from October 27, 2009 and take penal action where warranted if the Company is proved to have given a blind certificate in the annual report without ground action. The independent Directors of Banks should also be sent notices if they have taken adequate steps to ensure legal compliance of ITA 2008 provisions by Banks and if not show cause why action cannot be taken against them.

If SEBI fails to discharge its duty in this regard, then Clause 49 compliance is as good as buried and redundant. The current Chairman of SEBI once had a reputation as an "Investor Friendly" regulator in his earlier stint with SEBI and I am sure that he would not allow this image to be tarnished by remaining silent on the brazen non compliance of the spirit of Clause 49 requirement.

Consumer Organizations

For those who have followed Indian Banking industry, the name of late Mr M.R.Pai would be familiar. He was one of the most revered characters in the 1980s in the Banking circles for having started a Consumer awareness movement and fighting for the cause of bank customers. I am sure that the current day Bankers in ICICI Bank who respond to customer queries on Phishing  have never heard of this gentleman who was a pioneer in consumerism in India. He along with late Mr Kannan of Chennai who focussed on retail stock market Investors , had been legends of the 80's in the consumerism movement in the financial services industry in India. I am sure that Mr M V Kamat or Mr Bhave or Mr Vaghul can recall what these men of character stood for and how they tried to protect the consumer interest.

With the growing commercialization of Banks today, there is no body around who can uphold the interests of the investors either in the Banks or in the investment domain. Naavi's own efforts have largely remained as an individual's crusade and not supported adequately by any organizations which hold public interest at heart.

To fill this vacuum, I am now inviting Cyber Society of India (Cysi) of Chennai, CCITO (Cyber Crimes and Insider Threat Obviation) of Maharashtra, R Srikumar (Former DGP of Karnataka and promoter of Crime Stoppers) of Bangalore and a few other organizations to join hands with Naavi/Naavi.org/Digital Society Foundation/Cyber Crime Complaints and Resolution Center to form a new "Cyber Security Consortium of India" and work towards protection of Netizens in India.

Hope this will be a platform which will in due course contribute to a Secure E -Transaction Framework in India.


Media is always on the forefront of any consumer awareness movement. In the current phase of consumer awareness suggested for "Safe Banking", I feel that national media has a strong role. Unfortunately the Umashankar Judgment which should have occupied national headlines are only being discussed on the Internet media as if this is not relevant to the general public. I wish that this aberration is corrected and we see active national debates on the electronic and print media.


April 16, 2010

Related Article:

Land Mark Judgment in Phishing Case

An Open Letter to IBA Chairman

ICICI Bank Phishing Case..comments

More Information on the Consumer Court Decision:

Bank involved HDFC Bank: Main Beneficiaries arrested, part amount recovered and proceeding for balance amount.


Comments are Welcome at naavi@vsnl.com