Let's Build a Responsible Cyber Society




G Gopalakrishna Working Group (GGWG) on Electronic Banking

Additional Comments on Legal Issues

Chapter IX of the GGWG deals with Legal Issues. There are 18 key recommendations that the group has made, and Naavi.org has already submitted its point-by-point comments in the Previous Article. Comments have also been made in earlier articles on "Cheques in Electronic Form", Intermediary Status, and Encryption and Data Protection Issues.

The committee has deliberated in detail on the impact of ITA 2000/8 and come up with several observations and a few recommendations. Our earlier point-by-point comments already present some cryptic views, and the comments below contain more details. In particular, observations have been made on the following aspects.

(i) "Intermediary" as defined in ITA 2008

(ii) Encryption

(iii) Data Protection

(iv) Computer related offences

(v) Banks as Certifying Authority

(vi) Online Nomination Facility

There have been references to select relevant cases to highlight the impact of law on Bankers.

The GGWG has also commented on industry-wide considerations regarding Digital and Electronic Signatures, Sec 65B of the Indian Evidence Act, and the use of Two Factor (2F) authentication. It also discusses data protection aspects in Banking and refers to the Data Protection Act of UK (DPA), and the Gramm Leach Bliley Act (GLBA) and Electronic Fund Transfer Act (EFA) of USA.

We shall examine each of these aspects individually.

Computer Related Offences:

The Working group has considered the civil and criminal liabilities that arise on a Bank on account of ITA 2008 and has made references to various cases. It is interesting to note that most of the cases referred to are cases where Banks have won against their customers in Consumer Courts on account of Jurisdictional issues. The case of S Umashankar Vs ICICI Bank which caused a flutter in the Banking circles in view of the liability fixed on the Bank has been grudgingly mentioned in such a manner as if it is an aberration. In reporting the facts of the case, the committee has betrayed a lack of due diligence in incorporating the particulars. The report mentions that a stay has been granted on the judgment with a payment of Rs 50,000/- as against Rs 12.85 lakhs ordered to be paid by the Adjudicator. The secretary of the working group did not find it necessary to check documentary facts about the case.

Had the working group done some research, they would have found that

a) Stay was granted against a deposit of Rs 5,50,000/- as against the principal loss of Rs 4,95,829/-. The deposit covered the entire loss and a part of the additional compensation granted towards interest loss and expenses. This was a case of Phishing where the proceeds were credited to another customer of the Bank.

b) There was a case of Nikhil Futan Vs HDFC Bank where the District Consumer Court of Mumbai ordered payment of compensation of the loss with interest to the victim of phishing even after the fraudster was arrested by the Police and part of the amount was recovered from him. Though the ultimate responsibility for the fraud was that of the arrested person, the Court held that the Bank was liable to compensate the customer.

c) There was an instance in Bank of India where the Banking Ombudsman ordered payment of the amount with interest to another Phishing victim in Bangalore. Though this was not publicized in the Press, it was an internal record of RBI and was available for the asking. The group does not appear to have collected such vital fraud data from within the bank itself.

d) There was also at least one case where ICICI Bank had repaid a Phishing victim in Chennai without demur immediately after the Umashankar Verdict. Had the Bank reported the disposal of such cases as required in their FMR reports, and had the group asked for copies of FMR reports from within the Bank, such cases would also have come to the knowledge of the working group.

e) There was also a case in Germany, not mentioned in the report, where the Bank had been held liable for a Phishing loss.

The working group therefore failed to do adequate research and presented a list of cases that misrepresents the situation, as if most cases are decided in favour of the bank.

It must be recorded that Adjudication as a means of grievance redressal had not been invoked prior to the Umashankar Case, and hence there were inadequate efforts at grievance redressal by Phishing victims in the past. Hence the number of such cases reported was small. There were hundreds of cases in which customers did not pursue the legal remedies at all. Some went only up to the Banking Ombudsman, where their claims were rejected for technical reasons. Some did go to the Consumer Court but could not represent their cases properly and failed to get the remedies sought.

After the news about the Umashankar Case became public, a few more such cases have been filed in different places. The working group gathered no information about such cases. The working group also did not refer to one of the biggest Phishing cases that surfaced in Delhi, involving nearly Rs 2 crores, which was widely reported on national TV. The incidence of frauds in Internet Banking and how they have jolted the confidence of the public in the Banking system has not been considered by the working group at all. The working group's analysis of the legal issues involved regarding offences was therefore tainted by a lack of serious effort to be truthful to the task. RBI must keep this factor in mind before taking a view on some of the recommendations of the GGWG.

Bank as a Certifying Authority

The working group has recommended that banks should apply for being licensed as Certifying Authorities (CA). This decision deserves serious consideration, since in due course every banking transaction will need to be authenticated by digital signature and there is a huge business potential involved in being a Certifying Authority. However, there could be conflict issues arising out of disputes involving digital signatures.

Further, Banks turning into CAs would be exposed to additional liabilities arising out of failure in KYC, technical deficiencies, data leakages etc.

It has been observed that Banks have failed in discharging KYC norms in many cases, and Phishing frauds occur because of such fraudulent accounts being opened by them. If the inefficiency continues, then the same fraudsters who are today opening accounts for routing Phishing frauds may start committing frauds involving digital signatures.

The time therefore is not ripe for Banks to assume this responsibility.

Online Nomination Facility

The working group has recommended that provision for online nomination should be facilitated. The working group has, however, missed the fact that at present a nomination made with the use of electronic documents is not valid by virtue of Section 1(4) of ITA 2008. Unless this is changed, there is no way the recommendation can be considered.

It is surprising that the provisions of ITA 2000/8 have not been appropriately examined by the working group before making some of the suggestions, and this recommendation about online nomination is one such legal error.


(... To Be continued)


February 5, 2011

Any Comments on this article can be sent to naavi@vsnl.com
