Let's Build a Responsible Cyber Society




G Gopalakrishna Working Group (GGWG) on Electronic Banking


Are Vested Interests at Work to manipulate RBI ?

The GGWG was an exercise at revising the 10 year old report of the SR Mittal Group which first addressed the requirements of the Internet Banking Era. Compared to the task which was ahead of the Mittal Group, GGWG was in a far more advantageous position since there was a decade old experience on both technology as well as the legal aspects of Technology Banking.

Not withstanding some good work reflected in the GGWG,  it appears that the GGWG could have done far better than what it has done. This is more glaring in the chapters on Cyber Fraud and Legal Issues.

While Naavi.org will analyse the report in greater detail in subsequent articles, we shall focus on one  issue in the working of such critical working groups of RBI which is a matter of grave concern at this point of time. It is the issue of  vested interests wielding their influence in the final recommendations of the group.

In the SR Mittal Group,(SRMG) there were 10 members. Of these, three were from RBI. One was from IDRBT, One was from IIT, One from i-Flex solutions Ltd, and five from Commercial Banks. Out of the Bank representatives,  one was  from ABN Amro Bank, one was  from SBI  and Two  were from ICICI Bank.

In the GGWG, there are 13 members and 4 more were invitees. Of these 17 persons associated with the working group, 6 were from RBI. There was one from IIT and another from IISc. There was one from KPMG and another from Deloitte. There was one from IDRBT, one from IBA and one from DSCI. There was one from IDBI Intech Ltd . There was one Advocate and the rest two were from Commercial Banks. Of these, one was from SBI and another was from ICICI Bank.

In both the committees it may be seen that there was no representation of the Customers of Banks who are the focus of the Banking business. While RBI is the regulator, academicians were required to add technical inputs, the presence of IT Companies like i-flex or IDBI Intech and commercial banks including SBI, ICICI Bank, ABN Amro Bank has to be viewed as inappropriate in view of the conflicting interests these have on the outcome of the working group recommendations.

In the SRMG, the ICICI Bank had a double representation.  Banks such as Canara Bank or Bank of India or Bank of Baroda etc had no representation in either of the committees. If RBI wanted to broad base the composition of the group, there was a need to accommodate a Customer's representative who is the focus of the recommendations on Cyber Frauds and legal issues.

It is well known that Banks are using Customers as Guinea Pigs in the introduction of technology and IT companies who have supplied  faulty and insecure applications for Banking are forcing Banks to adopt e-Banking which is woefully short of information security from the customer's perspective. Banks such as ICICI Bank are particularly noteworthy for shortchanging the customer's interests for commercial gains. However they seem to have a huge say in the working group.

In the SRMG group, ICICI representative even submitted a dissenting report which was rightly over ruled by the committee. In the recent days, ICICI Bank has been in the forefront of Phishing frauds. Also in the recommendations of this Working group, ICICI Bank was having a direct conflict of interest having lost the Phishing case against S. Umashankar. One can therefore see clear signs of an attempt at manipulation of the working group recommendations which fortunately have not succeeded since law is not on their side.

I will point out specific instances where such an attempt to twist the recommendations in favour of Banks against the interest of Customers inherent in this report.

Firstly, the Working group has blindly incorporated certain statements about the case of S.Umashankar Vs ICICI Bank which are factually incorrect. For example at two places where a mention about the case has been made, it has been stated that ICICI Bank has obtained a stay on the judgement with a deposit of only Rs 50,000/- as against the decreed amount of Rs 12.85 lakhs.

I want to bring to the notice of the Chairman of the Working Group and the Deputy Governor of RBI that  the correct position is that ICICI Bank has been granted a stay subject to the hearing of the appeal against a deposit of Rs 5.50 lakhs. The net unrecovered loss of the customer is Rs 4.95 lakhs and the deposit ordered was higher than the amount of loss. The working group has not verified any documentation before incorporating the erroneous statement indicating as if only a nominal deposit has been made to get the stay.

The working group is also silent on another Phishing fraud that followed this judgement where ICICI Bank agreed to pay up one Mr Dwarak Ethiraj without contest. The report also does not speak of the Nikhil Futan Vs HDFC Bank case in Mumbai District Consumer Forum where the Bank was again made liable. Most of the Consumer forum cases quoted in favour of ICICI Bank were cases where they were dismissed for lack of jurisdiction since the victims did not know that the correct forum was the Adjudicating Officer and not the Consumer forum. Phishing is not a service efficiency issue but is a Cyber Crime issue and though the Mumbai district Forum assumed jurisdiction and went ahead with the trial, rejection is not indicative of the lack of merits of the case. Also most of these cases failed against the Banks due to inadequate representations from the victims.

The quoting of different cases are therefore misleading and the Working group could have exercised better diligence before the details were incorporated in the report. It would be appropriate if the Working group publishes a correction at least to revise the amount of deposit made by ICICI Bank in the case of Umashankar's case from Rs 50,000/- to Rs 5,50,000/-. If not the report would be faulty and misleading.

I had recently filed an RTI application to RBI to know about the number of Phishing cases reported to them through the mandatory fraud reports. Unfortunately RBI refused to provide the information stating in one case that the frauds are not classified to indicate the Phishing frauds separately or that the information is in an application specific format and cannot be provided. This only indicated a reluctance on the part of RBI to reveal to the world at large how many Bank customers are being taken for a ride with the introduction of faulty technology.

Though in most of the Phishing cases Banks try to blame the customer for answering the phishing mail, they fail to disclose that in many cases, there is an insider involvement and even when the customer has not answered the phishing e-mail, fraudulent withdrawals continue to take place.

As an experienced banker I have my own views on how the risks can be mitigated but this is not the place to discuss that in detail.

However, having ICICI Bank as a prominent member of both committees was a grave mistake committed by RBI and it can only be interpreted as successful lobbying by ICICI Bank. Otherwise why HDFC Bank could not have been included in GGWG instead of ICICI Bank and why Canara Bank or Bank of India could not have been used instead of SBI? so that there could have been some new ideas.

Having accommodated the important stake holder like ICICI Bank and SBI, there was no reason why RBI could not have included a representative of a Bank Customer or even a Phishing Victim himself in the working group.

I personally have enough information with me to say that Internet Banking has been rendered extremely risky because Banks are ignoring the ITA 2000/2008 provisions on digital signatures and are also openly flouting the recommendations of the SRMG in many respects. Instead of correcting these anomalies, GGWG appears to have been wrongly guided to include certain recommendations which show a very inadequate understanding of ITA 2008 and its implications when seen along with PMLA and NI Act.

At one place, the report wants to make the 2F authentication as Electronic Signature. At another place the working group laments that there is no punishment for "Attempt" to commit Phishing when in fact it is actually incorporated in ITA 2008. As could be expected the lobbyists have managed a remark that the Government may consider another legislation to absolve the Banks from liabilities of negligence.

All these show that the GGWG has been misdirected probably by some members who had vested interests in supporting a weak IS implementation for commercial considerations.

Unfortunately RBI has not done enough research to find out what was happening in the Phishing scenario and whether it is the Banks who are more negligent and reckless than the hapless customer.

I have already brought to the notice of both RBI and IBA of the lack of proper follow up from their end to tighten the security in electronic banking. Unfortunately neither RBI nor IBA has been responsive enough in this regard.

The GGWG has now suggested setting up a standing committee to take the recommendations forward. I would like to request RBI that at lest now it should not allow vested interests to get into the standing committee. In case it is felt necessary to give representations to the Commercial Banks, the representation should not be limited to ICICI Bank and SBI and the participation of the Banks should be balanced with appropriate representation from the Bank customer's side.

If RBI does not take proper note of this concern they will find that the Standing committee would be infiltrated by organizations with vested interests and dilute the regulatory role of RBI.



January 24, 2011


Role of Adjudicators in Phishing Cases Reiterated

Phishing Risks under G Gopalakrishna Working Group Report

Copy of Full Report:

Copy of Executive Summary

 Comments are Welcome at naavi@vsnl.com