Let's Build a Responsible Cyber Society

G Gopalakrishna Working Group (GGWG) on Electronic Banking

Comments on Cyber Fraud Issues

Chapter VI of the GGWG report deals with Cyber Frauds. Some of the recommendations of this group overlap with the recommendations on Customer Education and also on Legal issues.

The group has made 21 key recommendations, which are briefly commented on below.

Each numbered recommendation (Sl No) is followed by the comment on it.

1. Recommendation: Most retail cyber frauds and electronic banking frauds would be of values less than 1 crore and hence may not attract the necessary attention of the Special Committee of the Board. Since these frauds are large in number and have the potential to reach large proportions, it is recommended that the Special Committee of the Board be briefed separately on this to keep them aware of the proportions of the fraud and the steps taken by the bank to mitigate them. The Special Committee should specifically monitor the progress of the mitigating steps taken by the bank in case of electronic frauds and the efficacy of the same in containing fraud numbers and values.

Comment: Currently, RBI is only focussing on large frauds which arise out of loans and advances. What is being neglected is frauds, including cyber crimes, committed with or without the assistance of bank staff and with or without negligence of banks.

These small frauds affect common people. Cyber Criminals have been trying to adopt a strategy of effecting small-amount frauds on a large number of people so that the intensity of follow-up is low. After the introduction of mobile banking there will be more such micro frauds. RBI and the Banks cannot ignore the incidence of such frauds.

RBI therefore needs to create a separate infrastructure for the prevention, detection and resolution of small fraud issues.

Banks have been ignoring the S R Mittal Group recommendation on obtaining insurance for frauds. RBI should penalize Banks for not covering themselves with insurance. With or without insurance, any innocent victim of a Bank fraud should be protected from the loss by the Bank.

2. Recommendation: The activities of fraud prevention, monitoring, investigation, reporting and awareness creation should be owned and carried out by an independent group in the bank. The group should be adequately staffed and headed by a senior official of the Bank, not below the rank of General Manager/DGM.

Comment: No Comments.

3. Recommendation: Fraud review councils should be set up by the above fraud risk management group with various business groups in the bank. The council should comprise the head of the business, the head of the fraud risk management department, the head of operations supporting that particular business function and the head of information technology supporting that business function. The councils should meet every quarter to review fraud trends and preventive steps taken that are specific to that business group.

Comment: No Comments.

4. Recommendation: Various fraud prevention practices need to be followed by banks. These include fraud vulnerability assessments, review of new products and processes, putting in place fraud loss limits, root cause analysis for actual fraud cases above Rs.10 lakhs, reviewing cases where a unique modus operandi is involved, ensuring adequate data/information security measures, following KYC and Know your employee/vendor procedures, ensuring adequate physical security, sharing of best practices of fraud prevention and creation of fraud awareness amongst staff and customers.

Comment: No Comments, other than that a similar system should be in place for Small Frauds.

5. Recommendation: Banks have started sharing negative/fraudulent lists of accounts through CIBIL Detect. Banks should also start sharing the details of employees who have defrauded them so that they do not get hired by other banks/financial institutions.

Comment: The functioning of CIBIL has not been in accordance with the Privacy norms accepted world wide. Often honest Customers are penalized by a Bank reporting the credit and not reporting repayments. Accountability should be fixed for such lapses.

Every customer whose data is shared with CIBIL should be individually informed of the data shared and should be provided continuous free access to the information in CIBIL hands so that its accuracy can be checked directly by the data owner.

In case the data owner reports any errors, there should be a system in place to correct the inaccuracies.

There are many instances of Banks misusing the DRT and trying to knock off immovable properties in collusion with criminals.

RBI does not have a proper mechanism to control the misuse of DRT. A solution should be found for this menace of Banks committing frauds on Customers.

Similar frauds are committed by Banks on personal loan customers and credit card customers. "Fraud Management" at RBI should take such frauds also into consideration.

RBI may for this purpose dedicate an officer who can act as an "Ombudsman for Loan Disputes".

6. Recommendation: Quick fraud detection capability would enable a bank to reduce losses and can also serve as a deterrent to fraudsters. Various important requirements recommended in this regard include setting up a transaction monitoring group within the fraud risk management group, alert generation and redressal mechanisms, a dedicated e-mail id and phone number for reporting suspected frauds, mystery shopping and reviews.

Comment: No Comments.

7. Recommendation: Banks should set up a transaction monitoring unit within the fraud risk management group. The transaction monitoring team should be responsible for monitoring various types of transactions, especially monitoring of potential fraud areas, by means of which early alarms can be triggered. This unit needs to have the expertise to analyse transactions to detect fraud trends. This unit should work in conjunction with the data warehousing and analytics team within banks for data extraction, filtering, and sanitisation for transaction analysis for determining fraud trends. Banks should put in place automated systems for detection of frauds based on advanced statistical algorithms and fraud detection techniques.

Comment: This is an urgent requirement. It requires upgradation of software. Software suppliers must be held responsible for providing regular updates in terms of fraud management and legal compliance. Current software supplied by otherwise reputed brands is deficient in this respect and a time-bound plan to replace such software should be initiated.

8. Recommendation: It is widely accepted that fraud investigation is a specialised function. Thus, the fraud risk management group should undergo continuous training to enhance its skills and competencies.

Comment: No Comments.

9. Recommendation: Apart from the categories of fraud that need to be reported as per the RBI circular dated July 2, 2010, it is recommended that this should also include frauds in the electronic channels and the variants of plastic cards used by a bank and its customers for concluding financial transactions.

Comment: RBI, in response to a recent RTI application, replied that they are not classifying frauds of the Phishing type separately but are clubbing them all with credit card frauds. Hopefully in future the reporting system is suitably modified.

10. Recommendation: It has been noted that there is a lack of uniformity regarding the amount of fraud to be reported to RBI. Some banks report the net loss as the fraud amount (i.e. fraud amount minus recovery), while others report the gross amount. Some do not report a fraud if the entire amount is recovered. In the case of credit card frauds, some banks follow the practice of reporting the frauds net of chargeback credit received while others report the amount of the original transactions. To overcome such inconsistency, a uniform rule of reporting amounts involved in frauds is being recommended.

Comment: RBI has been lenient on Banks defaulting in providing appropriate FMR returns. The situation should be corrected with some penalties for improper reporting or lack of reporting.

The Board should be held responsible for non-reporting of frauds as per RBI guidelines.

11. Recommendation: A special mention needs to be made here of frauds done by collusive merchants who use skimmed/stolen cards on the POS terminals given to them by banks and then abscond with the money before the chargeback is received on the transaction. Many banks do not report such cases stating that the banks which have issued the cards are the ones impacted. However, in these cases, the merchants cause undue loss to the bank by siphoning off the credit provided. Hence such cases should be reported as frauds.

Comment: Where more than one Bank is involved, the fraud reporting mechanism can include reporting from both ends with an appropriate mechanism for marking contra. This would help in identifying lack of reporting by any of the banks, and the responsible official should be penalized.

12. Recommendation: Also, it has been observed that in a shared ATM network scenario, when the card of one bank is used to perpetrate a fraud through another bank's ATM, there is a lack of clarity on who should report such a fraud. It is the bank acquiring the transaction that should report the fraud. The acquiring bank should solicit the help of the issuing bank in recovery of the money.

Comment: Same as above.

13. Recommendation: In the case of online frauds, since the jurisdiction is not clear, there is ambiguity on where the police complaint should be filed and customers/banks have to shuttle between different police units on the point of jurisdiction. Cybercrime cells are not present in every part of the country. The matter of having a separate cell working on bank frauds in each state police department, authorised to register complaints from banks and get the investigations done on the same, needs to be taken up with the respective police departments.

Comment: In all events of fraud in the Banking system, it is the bank which should file a Police complaint, with or without the customer also filing a report. This has been the suggestion of the earlier Fraud guidelines from RBI and is often not implemented in practice. Any Branch manager who fails to file a police complaint in respect of any fraud reported by either a Phishing victim or a Credit Card victim should be penalized.

14. Recommendation: Customer awareness is one of the pillars of fraud prevention. It has been seen that alert customers have enabled prevention of several frauds and, in case of frauds which could not be avoided, helped in bringing the culprit to book by raising timely alerts. Banks should thus aim at continuously educating their customers and solicit their participation in various preventive/detective measures. It is the duty of all the groups in banks to create fraud risk awareness amongst their respective customers.

Comment: No Comments. Specific comments have already been made while discussing the customer education related suggestions under Chapter VIII.

15. Recommendation: Employee awareness is crucial to fraud prevention. Training on fraud prevention practices should be provided by the fraud risk management group at various forums.

Comment: No Comments.

16. Recommendation: A positive way of creating employee awareness is to reward employees who have gone beyond their call of duty and prevented frauds. Awards may be given to employees who have done exemplary work in preventing frauds. Details of employees receiving such awards may be published in the fraud newsletters.

Comment: No Comments. At the same time, negligence and apathy should be appropriately penalized.

17. Recommendation: To enhance investigation skills of the staff in the fraud risk management group, a training institute for financial forensic investigation may be set up by banks under the aegis of IBA.

Comment: No Comments.

18. Recommendation: The experience of controlling/preventing frauds in banks should be shared between banks on a regular basis. The standing forum provided by the Indian Banks' Association (IBA) can be used to share best practices and further strengthen internal controls at the respective banks.

Comment: No Comments. Specific suggestions have been made under Chapter VIII.

19. Recommendation: There should be a general agreement on the process among all banks to refund monies lying in a fraudulent beneficiary's account.

Comment: Banks cannot enrich themselves with the residual fraud proceeds. There is no excuse for retaining any part of the money identified as fraud proceeds. Though Banks and RBI may not like it, keeping stolen property is always an offence and such an act will expose the personnel of Banks to criminal liability. Hence the procedure should be to check if the complainant is an innocent victim who has suffered a wrongful loss and immediately return the money transferred from his account. The Bank should hold the liability on its own account until recovery is made through insurance or from the end fraudster who has used the Bank as a conduit for committing the fraud.

20. Recommendation: There need to be multi-lateral arrangements amongst banks to deal with on-line banking frauds. Presently, it is noticed that there is a lack of such an arrangement amongst banks and the customer is required to interact with different banks/organizations when more than one bank is involved. IBA could facilitate such a mechanism.

Comment: A Customer who has suffered a loss has a Banker-Customer relationship with one bank, which should alone deal with the issue. The Customer cannot be expected to run behind other Banks except when he launches a recovery proceeding against them.

Some of the requirements under Cyber Frauds relate to the comments made in detail under the chapter on "Legal issues".

RBI cannot give any instructions that are contrary to legally accepted norms and should be wary of suggesting a rigid system when it comes to dealing with the complainant or the law enforcement agencies. This may lead to Bank officials committing violations of law under the mistaken impression that their act is sanctioned or mandated by RBI. In such cases, RBI itself may be exposed to the risk of being held liable for legally untenable procedures.

21. Recommendation: At each state, a Financial Crime Review Committee needs to be set up on frauds along the lines of the Security Committee that has been set up by the RBI to review security issues in banks with the law enforcement authorities. The Committee can oversee the creation of awareness by banks among law enforcement agencies on new fraud types, especially technology based fraud.

Comment: No Comments.

In summary, it may be stated that Cyber Frauds represent violations of law and there is a certain expectation of what a citizen has to do when he becomes aware of an offence. This requires "Reporting" to the Police and taking action to return the "Stolen Property" to the rightful owner without demur. If any Bank takes action to the contrary, there will be liabilities on the individuals responsible for the violation. RBI does not have the power to modify the expectations of criminal laws such as the IPC, CrPC or ITA 2008, and any instructions that may be interpreted as contrary to the established laws will expose RBI and its officials to a liability arising out of such legally untenable directions.

February 8, 2011