Let's Build a Responsible Cyber Society




G Gopalakrishna Working Group (GGWG) on Electronic Banking

Additional Comments-Intermediary Status

Chapter IX of the GGWG deals with Legal Issues. There are 18 key recommendations that the group has made, and Naavi.org has already submitted its point by point comments in the previous article. Comments have also been made on "Cheques in Electronic Form" in the earlier article. This article provides further comments on the body of Chapter IX, other than the Key Recommendations included at the end.

Impact of ITA2000/8

The committee has deliberated in detail on the impact of ITA 2000/8 and come up with several observations and a few recommendations. Our earlier point by point comment already presents some cryptic views and the comments below contain more details.

In particular, observations have been made on the following aspects.

(i) "Intermediary" as defined in ITA 2008

(ii) Encryption

(iii) Data Protection

(iv) Computer related offences

(v) Banks as Certifying Authority

(vi) Online Nomination Facility

There have been references to select relevant cases to highlight the impact of law on Bankers.

The GGWG has also commented on Industry Wide considerations regarding Digital and Electronic Signatures, Sec 65B of the Indian Evidence Act, and the use of Two Factor (2F) authentication. It also discusses data protection aspects in Banking and refers to the Data Protection Act of UK (DPA), and the Gramm Leach Bliley Act (GLBA) and Electronic Fund Transfer Act (EFA) of USA.

We shall examine each of these aspects individually.


It is not clear why GGWG is interested in making an issue of the definition of "Intermediary" because its relevance to the banks is low.

The GGWG has raised the issue of whether a Bank should be considered an "Intermediary" or not under ITA 2008 and concludes that there is some uncertainty with respect to the meaning. The concern appears to be that if the Banks are considered an "Intermediary" then they would be exposed to the requirements under Section 79 to practice "Due Diligence".

In respect of contraventions occurring under ITA 2008 attributable to the Bank, the requirement of "Due Diligence" arises out of Section 85 of ITA 2008 and hence, in most cases of Cyber Frauds in Banks, "Due Diligence" would anyway be required to avoid liability.

Bank's role as "Intermediary" is therefore not very critical to determine the liability in respect of Cyber Frauds.

Section 79 covers the requirements of an Intermediary to determine the liability arising out of hosting of any third party information, data, or communication link.

In this context, the definition of an "Intermediary" as given in section 2(p) of ITA 2008 which states

"Intermediary" with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes"

has no ambiguity. It refers to an organization that receives, stores and transmits information on behalf of another person.

Banks receive information about the Customer and keep the records as owners of the information. Third party information is not received in the normal course of Banking business involving deposit or withdrawal of funds by a customer.

Only if a Bank is providing a service other than accepting deposits for the purpose of lending may the question of the role of the Bank as an intermediary arise.

In general banking, Bankers often render different services and assume roles other than the "Debtor-Creditor" relationship. Such a relationship can be "Agent-Principal", "Bailor-Bailee", "Trustee-Beneficiary", etc.

Likewise, only if Digital banking services are rendered for purposes other than core banking, where the "Debtor-Creditor" relationship persists, may the question of "Whether Bank is an Intermediary?" arise in respect of such services. Such a relationship may co-exist with the "Debtor-Creditor" relationship and hence it has to be examined with reference to the specific facts of the case.

In Credit Card transactions, the relationship between the card holder and the Issuing Bank is one of Debtor-Creditor. In case the Bank receives information from a Merchant or from an acquiring bank about the Card holder, it may become "Third Party Information" as far as the relationship between the Bank and the merchant or acquiring Bank is concerned. Similar instances may arise if the Bank is supporting insurance services or stock broking services etc.

If Banks are providing their infrastructure to other agencies who provide Cross Functional services to the Customers in the digital space, the role as an "Intermediary" may get invoked.

There are a few Banks who are allowing advertisements from third parties to appear on their websites though the earlier guidelines suggested otherwise. Such Banks would be exposed to "Intermediary" risk.

If the concern is for data leakage pertaining to Customer information, it is a "Data Protection" issue covered under Section 43 A and not an "Intermediary Issue".


(... To Be continued)


February 4, 2011

Any Comments on this article can be sent to naavi@vsnl.com
