Building a Responsible Cyber Society…Since 1998

RBI mandates Bank liability for POS frauds

Posted by Vijayashankar Na on September 27, 2013
Posted in Bank, RBI

RBI had announced certain risk mitigation measures for Card Present transactions vide its circular of 22nd Sept 2011. Under this circular, it had been mandated that Banks should implement commercial readiness of acquiring infrastructure to support PIN based POS systems before June 30, 2013. (Ref circular of 22nd Sept 2011).

RBI again reiterated this vide its circular of February 28, 2013 (Refer circular of 28th Feb 2013), along with detailed guidelines for securing card payment transactions.

Unfortunately, Banks were not ready to implement the security measures in time and hence on June 24, 2013, RBI was forced to extend the deadline for implementation from June 30, 2013 to September 30, 2013.

However, RBI has today, vide its circular (Refer circular dated 27th September 2013), indicated that it has been decided not to grant any further extension of time for implementation of technology requirements as indicated in its circulars of Sept 2011 and 28th February 2013.

More importantly, RBI has also indicated that Banks not complying with the requirements shall compensate loss, if any, incurred by the card holder using the card at POS terminals not adhering to the mandatory standards. The responsibility would be that of the acquiring Bank, but the card issuing Bank should make the payment to the customer when a fraud is notified and then recover the money from the acquiring Bank.

Procedure for settlement of the claim shall be as under.

(a) The issuing bank would ascertain, within 3 working days from the date of cardholder approaching the bank, whether the respective POS terminal/s where the said transaction/s occurred is/are compliant with TLE and UKPT/DUKPT as mandated.

(b) In the event it is found that the POS terminals are non-compliant as mandated, the issuing bank shall pay the disputed amount to the customer within 7 working days, failing which a compensation of Rs.100 per day will be payable to the customer from the 8th working day.

(c) The issuing bank shall claim the amount paid by it to the customer from the respective bank/s which have acquired the POS transaction/s in question.

(d) The acquiring banks have to pay the amount paid by the issuing bank without demur within 3 working days of the issuing bank raising the claim, failing which the Reserve Bank of India would be constrained to compensate the issuing bank by debiting the account of the acquiring bank maintained with the Bank.

Naavi.org appreciates the spirit behind the circular which for the first time has demonstrated that RBI is willing to impose its authority on the Banks who are refusing to implement security measures as recommended by the regulator and the law.

We hope that RBI will continue to adopt a similar stringent practice for imposing KYC, GGWG recommendations and security of mobile Banking etc.

It may be mentioned here that Naavi has raised the issue of “Face Book Banking App” which ICICI Bank has launched and asked RBI to clarify if this method of Banking is approved and whether the security audits have been undertaken before the app was launched etc.

Hope RBI will respond to this query and exhibit the same tenacious approach that it has now displayed for securing the Card Not Present transactions even in respect of Internet and Face Book Banking.

It has been the continuing demand of Naavi that RBI should mandate Cyber Crime insurance for all internet and mobile banking transactions and it is reiterated in the current context.


Facebook Banking application from ICICI Bank

Posted by Vijayashankar Na on September 27, 2013
Posted in Bank

The ICICI Bank application on Face Book that facilitates money transfers to “Friends” is reported to have the following functionality. The application is called “Pockets”.

– Split & Share that allows customers to split and track expenses and share them with friends on Facebook. It also allows one to send reminders on pending payments. This is a very interesting feature as it’s usually cumbersome to keep track of expenses when you’re out with friends.

– The app also allows one to make a payment to friend, recharge prepaid mobile, book movie tickets. Another interesting feature is one does not need to know bank account details of their friends to make a transfer, users can create a coupon which can be redeemed by their friends.

– One can also carry out non-financial transactions such as accessing a mini statement of savings bank account, getting demat holding statements, open fixed or recurring deposit, order a cheque book, stop a cheque payment, upgrade debit card, among others.

Details available at: Medianama : ICICI Bank : ICICI Bank2

A security review of the product is due.


Discussion Paper on Future Banking Structure in India

Posted by Vijayashankar Na on September 27, 2013
Posted in Cyber Law

RBI had released a discussion paper on the Indian Banking Structure-Future Way Ahead. Comments can be sent up to October 31, 2013.

Copy of the discussion paper is available here

The discussion paper has many points of debate such as Small Banks Vs Big Banks, Universal Banks, Licenses on tap etc. However the emphasis on “Safe Banking” appears to be inadequate.


RBI may very well disclose its favourite Bank Licensee

Posted by Vijayashankar Na on September 26, 2013
Posted in RBI

In a series of changes announced by RBI on the criteria for selecting Bank licensees, one more statement has come out today stating that “RBI may dilute the initial Capital Requirement to accommodate more licenses”.


Coming after addition of a late applicant and pre-poning the license issue date to meet the deadline of declaration of the Loksabha elections and expansion of the original RBI policy to restrict the number of licenses, it is clear that RBI is trying to accommodate political vested interests in the issue of new licenses.

It is unfortunate that the term of a professional RBI Governor with US citizenship is starting under such strange circumstances.

Instead of this roundabout way of showing preferences of various kinds to the new licensees, RBI may very well admit that it has some favourite applicant and to accommodate him, it does not mind granting licenses to all the 27 applicants. Some of these will make money on the stock market now before dropping out of the responsibilities.

God save the Indian Bank customers!


Khayaal aapka..loss bhi aapka..laabh to hamara

Posted by Vijayashankar Na on September 25, 2013
Posted in ITA 2008, RBI

In an interesting technology innovation, ICICI Bank has announced the introduction of a “Face Book” application which can enable you to transfer funds from your account to your Face Book friends.

According to information available, in order to make a payment to any friend on Facebook using the Pockets app, customers fill in a short form, choosing which account to send the money from, the recipient’s name and the amount to be transferred. Once the transaction is confirmed, both the sender and the recipient receive a ‘coupon ID’ and a passcode. Then the recipient has to click a link in an e-mail, which takes them to a page where they have to enter the coupon number, their name and bank account details and, finally, the passcode, to accept the payment.

According to the CEO of ICICI Bank, Mrs Chanda Kochhar, “This innovation is in line with our philosophy of Khayaal Aapka wherein we offer products and services which make banking easier and more convenient for our customers. ‘Pockets by ICICI Bank’ will enable the young consumers, who spend a lot of time on Facebook, to carry out a wide set of transactions without having to leave the social media site.”

Refer report

This is fine. But what ICICI Bank needs to disclose is the “Risk” that this new application will pose to the users and who is responsible for the loss if any which may arise due to either phishing or a trojan on the mobile.

I also urge RBI to clarify if this form of banking is approved from their end taking into account any risk assessment that has been made. I would like somebody in Mumbai to apply for an RTI with RBI to find out if a risk assessment has been done by RBI before permitting this Facebook app and if not whether the system of Internet Banking as approved by RBI can be extended to such methods. If the risk in such applications is higher than the current Internet Banking or Mobile Banking methods, will RBI clarify what steps it has taken to ensure safety of Bank Customers?

We would like to draw the attention of the new Governor Mr Raghuram Rajan that while he is correct in identifying inflation control as a priority, he should also bestow attention on preserving the integrity of the Indian Banking system.


Revenge Porn Law Contemplated in California

Posted by Vijayashankar Na on September 25, 2013
Posted in Cyber Crime, ITA 2008

A Bill proposed in California would criminalize acts of vengeance by ex-spouses or ex-boyfriends/girlfriends who post obscene pictures on the Internet. The proposed punishment is 6 months jail and/or US $1000 as fine.

ITA 2008 also has a section 66E which addresses video voyeurism and, along with Section 67, makes it an offence to capture obscene pictures of another person and post them on the web. The punishment is 3 years for each of the offences.

The Californian bill also makes “solicitation” an offence by the provision that holds a person guilty, “Who solicits or who agrees to engage in or who engages in any act of prostitution”. In India it is considered that ITA 2008 is inadequate to address the problem of “Solicitation”.