Let's Build a Responsible Cyber Society




G Gopalakrishna Working Group (GGWG) on Electronic Banking

Additional Comments-on Legal Issues

Chapter IX of the GGWG deals with Legal Issues. There are 18 key recommendations that the group has made  and Naavi.org has already submitted its point by point comments in the Previous Article. Comments have also been made on "Cheques in Electronic Form" in the earlier article,   and Intermediary Status.

The committee has deliberated in detail on the impact of ITA 2000/8 and come up with several observations and a few recommendations. Our earlier point by point comment already presents some cryptic views and the comments below contain more details. In particular, observations have been made on the following aspects.

(i) "Intermediary" as defined in ITA 2008

(ii) Encryption

(iii) Data Protection

(iv) Computer related offences

(v) Banks as Certifying Authority

(vi) Online Nomination Facility

There has been references to select relevant cases to highlight the impact of law on Bankers.

The GGWG has also commented on Industry Wide considerations regarding Digital and Electronic Signatures, Sec 65B of Indian Evidence Act, Use of  Two Factor (2F) authentication. It also discusses data protection aspects in Banking and refers to Data Protection Act of UK(DPA), Gramm Leach Bliley Act (GLBA) and Electronic Fund Transfer Act (EFA) of USA.

We shall examine each of these aspects individually.


GGWG has made reference to the provisions of DOT guidelines which prescribe encryption  of not more than 40 bits while in practice, encryption of higher strength is used by the industry. It suggests that a "Minimum and reasonable level of encryption may be suggested for the Banking sector"

The DOT guidelines apply to data transmitted by an ISP. It states

"Individuals/Groups/Organizations are permitted to use encryption upto 40 bit key length in the RSA algorithms or its equivalent in other algorithms without having to obtain permission. "However, if encryption equipments higher than this limit are to be deployed, individuals/groups/organizations shall do so with the permission of the Telecom Authority and deposit the decryption key, split into two parts, with the Telecom Authority"

This instruction may be treated as binding for the ISP and may not impose any liability to impose  encryption standards at the end user level. As far as the ISP is considered, they receive certain information as binary data and transmit as binary data. Whether it contains plain text or encrypted plain text or an image or a sound may not be a matter of regulation at the ISP level.

We may therefore consider that the Government is free to introduce any encryption standard that they may consider necessary under Sec 84C of ITA 2008 for the Banking industry. In fact there is no need for the Government to specifically suggest an encryption standard for the Banking industry. The concept of "Due Diligence" includes reasonable steps required for securing information and the Bank is free to use encryption standard that it may deem fit to secure data in its custody. This refers to security of data in storage.

As regards security of data transmitted, the use of digital signature may be considered as "Due Diligence" since it at least ensures verification of data integrity at the recipient's end. If in addition, public key encryption is used, Banks can adopt an end to end security from the Bank to the customer irrespective of the carrier.

The recommendation on Encryption is therefore not of much significance.

Data Protection:

GGWG has made a reference to Sections 43A, 72 and 72A of ITA 2008 and has raised one valid question whether "Reasonable Security Practices" under section 43A could be interpreted as determining the security requirements entirely on the basis of the contractual obligations between the data owner and the data processor.

RBI should recognize that Section 43A has been framed for a Business to Business Data processing contracts and not for the Banker-Customer relationship. Banker-Customer contracts are between two parties with unequal bargaining powers and contracts are mostly of the "Standard Form" type. In such contracts the customer has no say on what he can prescribe as a security procedure. Hence "Due Diligence" automatically has to be determined on the basis of International norms and other laws. The role of RBI is very important in prescribing the necessary standards of security in the interest of the customer.

RBI cannot even delegate this responsibility to IBA since IBA is a body of the Bankers which is a stakeholder interested in minimizing the security responsibilities. RBI is a "Regulator" with a constitutional responsibility to protect the system and the interests of the Customers. Bankers are expected to be driven by commercial considerations and if a choice is given to them they will opt for "Buyer Beware" option and will be happy to avoid any responsibility for security.

It is not out of place to mention that one of the member Banks to the GGWG has a stated policy that they would provide security only to the extent it is commercially viable... and of course they will determine what is commercially viable for them. It was a big mistake for RBI to have included such brazenly customer unfriendly Bank as a member of the working group.

RBI should realize that they are dealing with such sharks who are out there to get their pound of flesh even from their customers. Unless RBI either represents the Customers or ensures that the customer's voice is reflected in all such Working groups in future, justice would not be considered as being done for the Bank customers nor to the constitutional obligations of RBI.

Internationally there are certain principles of "Privacy Protection" and customer's of Indian Banks expect that these are taken into consideration in framing the security requirements of Internet Banking.

The  universally acceptable privacy principles such as "Collect only what is required", "Use only for the purpose it is collected", "Ensure accuracy", "Destroy when no longer required" and "Secure when in storage" are applicable for any personal information that a Bank collects from the Customer.

At present, Banks donot adhere to any of these principles. Banks share critical financial data with CIBIL and often the data with CIBIL is not updated. As a result incorrect data of a customer is held by CIBIL and used in a manner that is detrimental to the interests of the Customer. Most Customers donot know what is CIBIL and what information is shared with them. CIBIL again does not have a direct interaction with the customers and hence the sharing of information with CIBIL is entirely an "Agency" responsibility of the Bank. Hence the Bank is responsible for any inaccurate information with CIBIL and for the consequences thereof. CIBIL does not share the data with the Customer who is the owner of the data except at a price. It is highly unethical and unfair that a customer of a Bank has to pay for his own data even to check if it is correctly recorded or not.

It is surprising that none of the members of the Working Group thought it necessary to discuss the issue of data sharing with CIBIL and that indicates the level of awareness of the issues and the concern for Privacy of members of the group. Had RBI considered providing representation of Bank customers or appropriate NGOs aware of the Customer's problems such as the CCHAI, the working group could have done a better job in fulfilling its objectives.

The working group was more interested in expressing its concern on the liabilities that may arise on the bankers on account of breach of data secrecy rather than looking at what "Privacy" means to the Data Subject. In recommending measures for "Data Protection" the committee made references to DPA  and GLBA. In India, ITA 2008 has created the office of an Adjudicator who is capable of examining violations of  sections 43A and other sections. There is no reason at this point of time to doubt the ability of the Adjudication system to meet the requirements of Data Protection in respect of Bank customers. Working group also did not think of reviewing the performance of the Banking Ombudsman function or the Whistle Blower system in RBI and whether some solution can be found through these agencies in protecting the Privacy of Customer data and to address grievances regarding wrongful use of such information.

GGWG therefore failed to address the issue of Data Protection and Privacy of Customer data in the proper perspective and in the required depth.

The Working Group on the other hand draws attention to the Electronic Fund Transfer Act  (EFTA) of USA  and suggests that some measures of EFTA regarding exemption of Banks from liability in the event of a fraud by the customer or a technical failure should be considered in India.

It is necessary to appreciate that in a fraud committed by  the Customer initiating a transaction for his own benefit, the current laws make the person liable and Banks do not need any law for avoiding liability against the customer who originated the fraudulent transaction.

However if the  fraudulent transaction results in a wrongful loss to another customer who was not the person who initiated the transaction, Bank cannot absolve its liability against such an innocent customer. The working group is trying to twist the provisions of EFTA to get a statement from RBI that Bank is exempted from liability against a customer without distinguishing the customer who had suffered a wrongful loss and a customer who made a wrongful gain with the assistance of the weakness in the Bank's security system or due to the lack of due diligence on their part. Also if the loss arises due to technical failure, some body other than the customer has to bear the loss. Why should the Customer need to bear the loss when he has no control on the technology?. The only solution in such cases is for the technology owner namely the Bank to assume the loss and cover it with appropriate insurance. This is precisely what S R Mittal Group suggested and needs to be pursued.

The GGWG has tried to find means of reducing the responsibilities of the bank in terms of implementing a robust technology and back it up with adequate security and make the Customer a Guinea Pig in technology experimentation where as the gains of technology goes entirely to the Bank.

(... To Be continued)


February 4, 2011

Any Comments on this article can be sent to naavi@vsnl.com

Copy of Full Report of GGWG

Copy of Executive Summary

 Comments are Welcome at naavi@vsnl.com