Let's Build a Responsible Cyber Society




Regulation of E Banking in India

E-Banking frauds have become so common in Banks in India that they will soon not be considered worthy of discussion. Naavi has been in the forefront of a crusade against Bankers who have jumped onto the e-Banking bandwagon, throwing all caution to the wind and making customers pay for the commercial greed of the Banks. While some Banks learn from their past mistakes and try to improve their security, there are some Banks who tend to remain adamant and challenge the customers.

Naavi has brought several Banking frauds to the notice of the authorities. Yesterday, a case involving an ATM fraud in Bangalore, in which Bank of India and Canara Bank were involved, was brought to light. Earlier cases against Punjab National Bank and ICICI Bank have also been highlighted. Other cases involving HDFC Bank, SBI and Axis Bank have been reported through Naavi.org from time to time.

The Press has also been highlighting certain cases from time to time. The latest reported case of phishing is from Lucknow, in which a UP State Government officer lost around Rs 34361/- from PNB. The victim in this case being a Government official, perhaps PNB may go for a compromise.

The fraudsters are now adopting "Salami" tactics of siphoning off less than Rs 50000/- from accounts, sometimes as low as a few thousands, safe in the feeling that nobody can launch an effective legal battle to recover a small amount. Police normally refuse to entertain such cases and customers are virtually left with no option but to forget their losses and move on.

The problem has reached such proportions that there is a need for RBI to take stock of the situation and check if the foundation of the Indian Banking system has become shaky. An all-India survey of e-Banking frauds has to be undertaken by RBI with the assistance of CBI to identify if certain Banks have deliberately violated KYC norms to establish a network of "mules" who act as conduits for fraud proceeds being passed through. It is also necessary to subject the banking systems to security audits, since the current audits have failed to stem the frauds. IDRBT should review the security clearance they have given to some of the Core Banking software, since they have not adhered to the required security norms.

When challenged, Banks take cover under the statement "Our software is supplied by a reputed software company. It cannot go wrong", despite evidence to the contrary. Sometimes they say "Our systems have been audited by a reputed audit firm and therefore our systems are safe and secure", despite evidence to the contrary.

If the software systems and audits were effective, we would not have seen so many frauds. (P.S: The argument that customers are ignorant, negligent and part with their passwords is not tenable as this does not absolve the banks from their responsibility to use systems which cannot be tampered with easily. Naavi has explained the relative liabilities of Banks and Customers through earlier articles).

RBI has gone into the problem of security in e-banking and, way back in June 2001, came up with its Internet Banking Guidelines. Continued defiance of the regulations contained in the circular dated June 14 2001 has caused all the e-banking frauds in India so far. RBI has clearly understood and accepted that Information security cannot be foolproof and that Banks cannot completely avoid losses to their customers on account of hacking, denial of service and other e-frauds. It therefore advised banks, in its Internet Banking guidelines, to obtain insurance against such losses. It also stated in clear terms that the "legal risk" of not using digital signatures for authentication of electronic documents used by them has to be borne by the banks and not pushed to the customers.

These guidelines were reiterated by the G Gopalakrishna Working group on security in E Banking and fresh instructions were circulated in April 2011.

However, Banks have not given adequate respect to the recommendations of the RBI in the past and we need to wait and see how they respond to the current set of instructions.

In the meantime, a question arises on how RBI should ensure that its guidelines are respected and implemented by the Banks. Can RBI force the Banks to implement the security guidelines or only be satisfied that it has done its duty by sending out the necessary circulars?

In order to end speculation in this regard, Naavi has now placed a request with the Governor of Reserve Bank of India that in three instances of known violation of RBI guidelines brought to their knowledge, RBI should penalize the respective branches of the bank by cancellation of branch licenses. One of the branches involved belongs to PNB and the other to ICICI Bank.

In the past, RBI has been known to impose financial penalties when its guidelines, such as KYC norms, are violated. This, however, has not been a sufficient deterrent for Banks. There is a need for a more effective deterrent to be used by RBI to ensure that Banking does not become a nightmare for the customers.

RBI now has two options before it. One is to refuse the demand made by Naavi and condone the violation of RBI guidelines in the past. Second is to accept the demand and impose a penalty which will bring out the seriousness in the consequences of negligence of the Banks.

In other words the decision will determine...

Whether RBI is with the people, or with the Banks?

Is its duty to "Regulate e-Banking" or to "Promote e-Banking"?

Is it strong enough to regulate, or is it meek enough only to toe the line of the Banks?

Which way RBI will move is a matter which will determine the future of e-Banking in India. If RBI chooses to ignore the request, it is for the Citizens of this country, the Customers of different banks, the Legislators, the Finance Ministry, PIL activists, other NGOs and the higher Judiciary to take up the matter and pursue it.

[Disclaimer: Naavi is an ex-Banker and has a lot of respect for Banking as a Profession and Industry. The current aggressive stand taken by Naavi as a Netizen Activist is not a stand meant to denigrate the Indian Banking system but to strengthen the system. If, in pursuance of this noble objective to serve the Banking customers, I express displeasure with several Banks, it is only because most Banks have fallen into a vicious circle of introducing new technology without adequate consideration of security, and I sincerely believe that Technology should not be only a means to make more profit. It should maintain the fundamental nature of Indian Banking as a secure option for the public to park their funds.]


3rd July 2011

 Comments are Welcome at naavi@vsnl.com