Chapter IX of the GGWG
deals with Legal Issues. There are 18 key recommendations that the group
has made and our comments are given below.
These are preliminary
observations and are subject to be modified before submission to RBI.
Public may send their comments on this note if required.
Recommendation of the Group
The Risk Management
Committee at the Board level needs to put in place processes to
ensure that legal risks arising from cyber laws are identified
and adequately addressed. It also needs to ensure that the
concerned functions are adequate staffed and the human resources
are trained sufficiently to carry out the above. The Operational
Risk Group need to incorporate legal risks as part of
operational risk framework and take steps to mitigate the risks
involved. The legal function within the bank needs to advise the
business groups on the legal issues arising out of use of
This is a
necessary step and needs to be endorsed in full
It is necessary that
banks have a robust system of keeping track of the transactions
of the nature referred to in PMLA and PMLR and report the same
within the prescribed period. Apart from the risk of penalty,
this involves reputational risk for such entities.
provision is already in place under PMLA as well as the Cyber
Fraud reporting guideline but the implementation appears to be
lacking. In several instances of Phishing there is clear
indication of money laundering. However, Banks have not been
reporting such frauds. There is need to review the
implementation mechanism and also increase the penalties for
deviance. Individual officers responsible for deviance should be
identified and penalized.
A cheque in the
electronic form has been defined as "a mirror image" of a paper
cheque. The expression 'mirror image' is not appropriate. The
expression, "mirror image of" may be substituted by the
expression, "electronic graphic which looks like" or any other
expression that captures the intention adequately
There are several
grey areas in law regarding “Cheques in Electronic Form”. These
cannot be corrected except by making some changes to the NI Act.
Since RBI has already implemented the truncated cheque system on
a pilot basis, there is no problem in introducing the “Cheque in
Electronic Form” also with appropriate devices. This requires a
separate technical discussion and is outside the current scope
of this comment. Suffice it to say that the law as it is can be
given effect to and the suggested change is not immediately
required and can be deferred.
The definition of a
cheque in electronic form contemplates digital signature with or
without biometric signature and asymmetric crypto system. Since
the definition was inserted in the year 2002, it is
understandable that it has captured only digital signature and
asymmetric crypto system dealt with under Section 3 of IT Act,
2000. Since IT Act,2000 has been amended in the year 2008 to
make provision for electronic signature also, suitable amendment
in this regard may be required in NI Act so that electronic
signature may be used on cheques in electronic form.
Extension of what
is applicable to Digital Signatures in NI Act to Electronic
Signatures is required. However as of now there is no
“Electronic Signature” other than “Digital Signature” in place
and hence decision on this can be deferred.
There is uncertainty
with respect to the meaning of a crucial expression such as,
'intermediary" as per IT Act 2000 and as amended by IT Amendment
Act, 2008. As such, it is necessary, that clarity is brought
about by statutory amendment with respect to the meaning of the
expression 'intermediary' in so far as banks and financial
institutions are concerned.
immemorial Banker Customer relationship consisted of multiple
roles such as Debtor-Creditor, Agent-Principal, Bailor-Bailee,
Trustee-Beneficiary etc. Similarly Bankers will have the role as
“Intermediary” in certain respect and as “Data/Information
Owners” in certain other respects. The traditional relationship
such as Debtor-Creditor etc continues.
Hence there is no
“ambiguity” as regards the “Intermediary” definition in ITA
2008. The recommendation needs to be ignored.
A combined reading
of Section 2(p) and sub-sections (1) and (2) of Section 3 of IT
Act makes it clear that in terms of the Act an electronic record
may be authenticated by affixing 'digital signature' and if a
party wants to authenticate the electronic record by affixing
digital signature, the electronic method or procedure for
affixing digital signature shall be asymmetric crypto system and
hash function. While authentication of an electronic record by
affixing digital signature is optional, the procedure for
affixing digital signature, namely, use of asymmetric crypto
system and hash function, is mandatory.
The group seems
to lack full clarity on this issue. ITA 2000/8 does not say
whether signature for an electronic document is mandatory or
optional. It only states that there is a method of
authentication that is equivalent to “Signature”. If any other
law requires a signature, and it has to be given effect to in
electronic form, then only digital signature becomes mandatory.
If an electronic document is not digitally signed and if the law
accepts oral or unsigned documents then the users of electronic
documents can leave the document un-digitally signed. What
cannot be done is “Not affixing digital signature to an
electronic document and trying to provide legal sanctity to such
a document as equivalent to a signed paper document”.
If therefore a
“Cheque” requires “Signature” in paper form, it requires
“Digital Signature” in digital form. If any material instruction
from a customer has to be acted upon and in the paper based
banking it would have required a signature, such an electronic
document requires digital signature (or an approved electronic
signature if there is any).
RBI should not
try to re-draft age old Banking laws just to accommodate the
commercial convenience of a few Bankers. This will be
ultra-vires the objectives of RBI as a “Regulator of the Banking
Systems in India”.
The question that
arises for consideration is whether a party may be bound by the
transactions entered into through electronic means (whether
through ATMs, Internet or otherwise) though the electronic
records in question are not authenticated by using
digital/electronic signature. On a reading of Section 65B (1) of
Indian Evidence Act, it is clear that electronic records may be
proved in courts even though they are not authenticated by using
digital or electronic signature if the conditions mentioned
therein are satisfied. The difficulty in proving the various
conditions set forth in sub- sections (2) and (3) of section 65B
of Indian Evidence Act is ameliorated to a great extent by
sub-section (4) thereof under which the certificate of a person
occupying a responsible official position in relation to the
operation of the relevant device or the management of the
relevant activities (whichever is appropriate) shall be evidence
of any matter stated in the certificate.
This is another
indication that the group has not clearly understood the ITA
2008. Section 65B is not meant to substitute digital signatures
for authentication of electronic document. It is a forensic
support to make electronic documents admissible in law. There is
similarity in Sec 65B provisions and the provisions of the
Banker’s Book Evidence Act regarding presentation of evidence.
Just because it is admissible to provide a certified copy of an
electronic document as an evidence, it is not possible to use it
in replacement of signature. It will be like saying that since a
third party affidavit is an admissible document for a certain
fact, public can present an affidavit stating that so and so
order the Bank to make payment of such an such amount to such
and such person, get it notarized and present it as a “Cheque”.
recommendation should be ignored.
specify sufficient number of agencies under section 79A of the
Indian Evidence Act to assist courts in arriving at a decision
on the evidentiary value of electronic records irrespective of
whether digital or electronic signature is affixed or not.
recommendation should be ignored because of what is stated
above. It betrays an erroneous reading of the provisions of ITA
2008 by the group.
transactions such as, operation of bank accounts and credit card
operations are being
carried on by banks in a big way by using cards, pin numbers and
passwords, etc. Banks are using many security features to
prevent frauds to the extent possible. The proposed 'two factor
authentication method' (2F method) is also a step in the same
direction. It may not be ideal and practically feasible to
insist on using a particular technology for all retail
transactions of the customers with their banks.
The group has not
understood the basics of digital signature which is a
combination of data confirmation and entity identification.
authentication is a shade ahead of password based authentication
but cannot replace the characteristics of a digital signature.
If an appropriate
2F system is created which satisfies the requirements of Section
3A of the ITA 2008, there is no problem in getting it approved
as provided in ITA 2008 as one of the new electronic signature
method of authentication.
are only adding a mobile based PIN or an RSA token generated
random key as the second factor. It is nothing but a double
password system and cannot satisfy the legal requirements of a
This is a
suggestion which is ultra vires the ITA 2000/8. RBI does not
have the legal right to validate what is not permitted in law.
The suggestion is therefore untenable and has to be summarily
If recommended, RBI would create a situation where Banks will be
acting illegally under the sanction of RBI. RBI will therefore
be legally liable for violations of law.
As a short term
measure it is recommended that Rules may be framed by the
Central Government under Section 5 of the Act, to the effect
that, with respect to internet or e- banking transactions, 2F
method or any other technique of authentication provided by
banks and used by the customers shall be valid and binding with
respect to such transactions, though 'digital signature' or
'electronic signature' is not affixed.
restricts the level of encryption for individuals, groups or
organizations to a key length of only 40 bits in symmetric key
algorithms or equivalents. RBI has stipulated SSL / 128 bit
encryption as minimum level of security. SEBI has stipulated
64/128 bit encryption for Internet Based Trading and Services.
Information Technology (Certifying Authorities) Rules, 2000
requires 'internationally proven encryption techniques' to be
used for storing passwords. An Encryption Committee constituted
by the Central Government under Section 84A of the IT Act, 2000
is in the process of formulating Rules with respect to
encryption. Allowance for higher encryption strength may be
allowed for banks based on recommendations of RBI
ISP guideline is
a direction to ISPs for inter-ISP transactions. It need not be
considered as restricting the data encryption which is either
before or after transmission of data through an ISP. There
should be no difficulty in Banks adopting higher strength
encryption if required.
Section 43A of IT
Act deals with the aspect of compensation for failure to protect
data. The Central Government has not prescribed the term
"sensitive personal data," nor has it prescribed a "standard and
reasonable security practice". Until these prescriptions are
made, data is afforded security and protection only as may be
specified in an agreement between the parties or as may be
specified in any law
The points 12,
13, 14 contain only observations which donot require any action
Point number 15
is an erroneous statement since Section 84C of ITA 2008 provides
for punishment for “Attempt” to commit an offence. It is
surprising that the committee could make such a blatant error.
intention of the elaborate presentation of points 12 to 15 is
betrayed by the recommendation number 16 which suggests that it
is necessary to provide “Protection to Banks against any
fraudulent or negligent act of customer”.
At present any
fraudulent act of a customer does not require any separate
legislation to protect the Bank. In such cases the customer is a
fraudster and should be punished and is being punished.
It is necessary
to analyze this recommendation along with the presence of a
reference to the case of S. Umashankar Vs ICICI Bank where the
Bank was held liable to pay compensation to the victim customer
in which the status of the case is falsely depicted.
It is clear from
the circumstances that there is an attempt by one of the
participating banks to suggest a new law that exempts it from
the liabilities contemplated under ITA 2008.
If RBI makes such
a suggestion, it would be a fraud on the public and may be
opposed as a matter of principle in the appropriate judicial
are a matter of serious concern to Bank customers and in most
cases there will be one fraudulent customer of the bank cheating
another genuine victim of Phishing making use of the insecure
information systems and policies used by the Bank. There could
be instances where Bank employees are hands in glove with
fraudulent customer particularly in opening of accounts with no
KYC and complete violation of PMLA provisions.
In case Banks are
exempted from liability in Phishing as is suggested by the
group, it will be a free license to criminal gangs to rob money
in the bank belonging to a number of innocent customers.
recommendation should be dismissed since it is an attempt to
help criminal customers at the cost of genuine customers.
Apart from affording
protection to personal data ("sensitive personal data'- 43A),
The IT Act, 2000 also prescribes civil and criminal liabilities
(Section 43 and Section 66 respectively) to any person who
without the permission of the owner or any other person who is
in charge of a computer, computer system etc., inter alia,
downloads, copies or extracts any data or damages or causes to
be damaged any computer data base etc. In this context Section
72 and 72A of the amended IT Act, 2000 are also of relevance.
Section 72 of the Act prescribes the punishment if any person
who, in pursuance of the powers conferred under the IT Act,
2000, has secured access to any electronic record, information
etc and without the consent of the person concerned discloses
such information to any other person then he shall be punished
with imprisonment upto two years or with fine upto one lakh or
with both. Section 72A on the other hand provides the punishment
for disclosure by any person, including an intermediary, in
breach of lawful contract. The purview of Section 72A is wider
than section 72 and extends to disclosure of personal
information of a person (without consent) while providing
services under a lawful contract and not merely disclosure of
information obtained by virtue of 'powers granted under IT Act,
The IT Act, 2000 as
amended, exposes the banks to both civil and criminal liability.
The civil liability could consist of exposure to pay damages by
way of compensation upto Rs 5 crore under the amended
Information Technology Act before the Adjudicating Officer and
beyond Rs five crore in a court of competent jurisdiction.
There could also be
exposure to criminal liability to the top management of the
banks given the provisions of Chapter XI of the amended
Information Technology Act. Further, various computer related
offences are enumerated in the various provisions.
Of late there have
been many instances of 'phishing' in the banking industry
whereby posing a major threat to customers availing internet
banking facilities. Though Section 66D of the amended IT Act
could broadly be said to cover the offence of phishing, attempt
to commit the act of phishing is not made punishable. It is
suggested that there is a need to specifically provide for
punishment for attempt to phish as well in order to deter
persons from attempting it.
It is necessary to
balance the interests of customers and that of banks and provide
protection to banks against any fraudulent or negligent act of
customer. It is not appropriate to leave such an important issue
to be dealt with in documentation. Appropriate statutory
provision needs to be enacted in this regard.
Whether Section 43A
read with Section 72 and 72A of the IT Act, 2000 presently
address the issue of data protection adequately or they need to
be duly supplemented by long-term provisions which can help
facilitate effective and efficient protection and preservation
of data would depend on the prescriptions of the Central
Government. Various suggestions have been offered in this report
to address issues in this regard.
This is an
observation which appears to have been inserted only to divert
the attention of the public from the fraudulent suggestion made
in the earlier paragraphs.
Even now Banks do follow the principle of secrecy regarding
customer information. Such secrecy is breached only in the
instance of police inquiry or judicial orders.
Effect of 43A etc could affect Banks giving away customer
details to their insurance partners and provide a remedy
to the victim.
In India though
there is no specific legislation which deals only with
'electronic fund transfer' and which is consumer protection
driven, certain concerns have been dealt with in the Payment and
Settlement Systems Act, Rules, Regulations, directions etc
issued there under as well as the provisions of general law.
However, it may be apposite to have some provisions similar to
those in EFT Act which exempts the bank from liability in the
event of fraud by the customer or a technical failure etc (for
example, provisions dealing with 'unauthorized electronic fund
transfers' and consumers liability for unauthorized transfers).
recognize that it is a “Regulator” of the Banking system in the
interest of the economy and the citizens of India. RBI is not a
“Promoter of Banks”.
There is therefore no need to
suggest introduction of provisions that exempt Banks from liabilities which
arise because of the general law of the land.
If a similar
approach is taken by other regulators and each industry
sector attempts to protect its members, then SEBI can protect
share brokers from online frauds, TRAI can protect telecom
operators from telecom frauds. Ultimately the suffering
customers will be left to fight it out with the fraudulent
customers while the establishments will keep making commercial
gains at the cost of public.
If an attempt is
made by RBI to introduce or recommend any provisions that
provides immunity to Bankers against the liabilities they face
in laws such as ITA 2008 or IPC, RBI will be open to the charge
of acting against its constitutional obligations and the
officials responsible for such recommendations could be open to
be charged with malicious intentions.
It is recommended that
RBI should not take any action that is aimed at protecting the banks
against the interests of genuine customers who are being exposed to
technology risks because Banks have been using untested technology and
restricting their security efforts to what is "Commercially viable".
Some of the recommendations appear to be motivated by an intention to
provide uncalled for legal immunity to erring Bankers causing loss to
public and such recommendations should be recognized and rejected.
Digital Signature as a
means of authentication of an electronic document is the law of the land. With the
amendments in ITA 2008 there is a possibility of variants of "Electronic
Signature" coming into place. RBI cannot therefore take any stand to
endorse 2F authentication as even a temporary substitute measure.
Vicarious liabilities to
officials of Banks for lack of "Due Diligence" is also part of the
common law and RBI cannot interefere in the operation of law through its
The S.R Mittal Group had
made the correct suggestion that Banks should bear legal risk for not
using the legally approved form of authentication and obtain insurance to cover
the losses arising out of hacking etc crimes.
The need for insurance should be
further extended even to losses arising out of failure of technology.
Such insurance should be
at the cost of the Bank and not at the cost of the customer. In certain
cases in Credit Card business, Banks are asking Customers to obtain
insurance against encashment of lost credit cards. Banks should avoid
passing on costs of such insurance to the customers.
instance where a customer should take the liability is when he himself
is part of the fraud. It is open to the Banks to charge any of their
Phishing victims as fraudsters if they so desire and try to prove it in
the Court of law and also face defamation charges if their charge is not
founded on sound reasons.
RBI should mandate that
the annual report of every bank should contain a paragraph where the
directors report on the Legal Compliance measures taken by the Bank in
their Electronic Banking divisions.
RBI should conduct a
special investigations of Banks particularly in Mumbai, Pune and Delhi
from where frequent instances of Phishing beneficiaries opening accounts with Banks in total disregard of KYC norms
are occuring. According to
Police intelligence reports there are organized gangs of criminals
operating in these places who hire hackers to steal Bank customer's
passwords and organize Phishing attacks. There have even been instances
where a gang appears to have organized a Phishing attack so that one of
their debtors could get a huge amount through Phishing and then hand it
over to them. Many of these fraudster's accounts have been maintained
for years and repeatedly used for encashing fraud benefits when
the recent Phishing cases were filed without the Bank discovering the
fraudulent use. There have been many instances
where zero balance accounts received a few lakhs of rupees in internet
transfer during the midnight and the person withdrew the amount in the
morning through cash at the counters. Such instances have to be
interpreted as a collusion of the bank employees and cannot be dismissed
as mere negligence.
RBI should also review
the banking software being used and the Risk Analysis capabilities of
such software so that IT Companies donot get away supplying non cyber
law compliant software with inadequate security.
Banks are often driving
their phishing customers to file police complaints and take their own
action against ultimate beneficiaries. Though RBI has issued clear
directions to the Banks to file police complaints whenever frauds take
place, Banks have not been doing so. Banks should be penalized if they
push customers to file their own private complaints for frauds that
occur within the Bank unless the customer wants to file the Police
complaint against the Bank officials.
Top management in most
Banks are ignorant of the provisions of ITA 2008 and all Directors of
the Banks including the Chairman and Executive Directors should be
suitably educated by RBI. It is reasonable to expect that the heads of
Banks which want to do digital banking must be aware of the laws of
Digital Banking. Before appointing any person as Chairman or Executive
Director of a Bank, RBI should take care that his or her knowledge of
Digital Banking laws is adequate to meet the responsibilities.
RBI cannot be oblivious
to such instances and has to work out a suitable fraud management structure along with
the Police to double check the credentials of the customers in Banks and
make Banks liable for violation of KYC both at the time of opening of
the account as well as monitoring suspicious transactions in the
accounts any time later.