
Naavi.org

Building a Responsible Cyber Society…Since 1998

Cyber Law College will be starting a compressed course on Cyber Laws for the students of BMS Law College, Bangalore starting from March 1st.

This course will give an overview of Cyber Law in 10 sessions conducted in the college for students of different semesters.

In the past, Cyber Law College has conducted 3 courses each in KLE Law College, Bangalore and Hubli, SDM Law College Mangalore and JSS Law College, Mysore. These courses were of a longer duration and extended to about 60 to 70 hours of classroom teaching. The BMS Law College course is planned as 25-30 hours of classroom teaching.

Naavi is also associated as guest faculty with NLSIU, NALSAR, MSR Law College and other institutions and continues to contribute to the mission of “Cyber Law Awareness”.

Naavi is looking for more initiatives of this nature particularly a “Course for Law Faculty” so that Cyber Law Courses can be started in all Law Colleges in Karnataka.

Naavi is also looking for initiatives on “Cyber Law for IS Professionals” at Bangalore if there is a demand.

Naavi has already created online courses in Cyber Laws and HIPAA through apnacourse.com. Now a Course on GDPR is under preparation and details will shortly be announced.

Comments and suggestions are welcome.

Naavi

In the context of huge regulatory fines envisaged under GDPR, there is a renewed interest in Cyber Insurance among Data Processors everywhere. Since liability under GDPR may arise not only for payment of compensation to data owners but also for making payment of fines that may be imposed by the regulatory authorities, the companies do demand that they should be covered by some Cyber Insurance policy for any liability that comes out of processing of EU citizen’s data.

As far as Indian data processors are concerned, their liability will be restricted to what is indicated in the data processing contract. Some of these contracts may be vague and not determine the exact liability or compliance responsibilities. They may make a reference to the liability that may arise on the Data Controller under GDPR and extend the liability in the form of an “Indemnity” to the associate data processor in India. Indian data processors sometimes assume that they would be liable directly under GDPR and rush to obtain insurance cover for large amounts. This could hurt the profitability of their operations.

If any data is compromised by an Indian data processing company then it would be as a result of a “Cyber Crime”. The cause of action lies with the persons who have lost money. Most of the time however, data compromise is recorded but the actual loss may not fructify or fructify only to a small extent not commensurate with the number of data elements lost.

Hence, out of the total loss, the loss arising out of “Compliance” requirements, which may include sending of notices and arranging identity theft protection for all the suspected compromised data subjects, would be a huge cost even when not a single one of the compromised data elements results in actual loss. Similarly, in such cases the regulator would impose fines of millions of dollars depending on the nature of the breach, the attitude shown by the data controller before and after the breach to protect the data subjects, etc.

When a Cyber Insurance policy is invoked in such cases, an obvious question that would arise is whether the loss occurred more out of the negligence of the Company as a whole in implementing proper policies etc and whether the company should be protected against its own negligence. If Cyber Insurance routinely covers such breaches, then there will be no incentive for companies to improve their security.

Hence it is necessary and natural that the Cyber Insurance Company raises an objection or tries to limit its liability, citing that the cause of loss was “Not Insurable”.

A question has therefore arisen on “Whether Regulatory Fines are Insurable at law”. In this context, the article “GDPR Fines and Cyber Insurance” presents some interesting thoughts as may be relevant in Great Britain. Since India generally follows English Law and Indian Insurance law depends on British practices, it is presumed that English law is also relevant for the Indian context. Hence the points mentioned in this article are very much relevant to Indian companies, both in the GDPR context as well as in other instances of fines arising out of non-compliance with HIPAA, non-compliance with ITA 2008 and even when there is a ransomware attack due to lack of proper security practices in a company.

One of the concepts discussed here is “illegality of defence” which may prevent a claimant from pursuing a civil claim based on the claimant’s own illegal acts.

The dividing line however is whether there was “Illegality” on the part of a company that caused the fine or there was merely “Negligence” in implementing the regulatory precautions.

As long as the negligence is related to “Best practice suggestions” that are made by sectoral regulatory bodies or industry practice, the cause may be contained within the concept of “negligence” unless the level of negligence is “ridiculous”. But if there is a statutory law which has been ignored then such negligence cannot be called anything other than “Illegal”.

To be more specific, if a Bank ignores RBI guideline, it may be “Negligence”. But if it ignores “ITA 2008”, then it would be “Illegal”.

Secondly what distinguishes “Negligence” from “Gross Negligence” or “Recklessness” is the precautions taken by an organization before an event occurs and also its response immediately after the occurrence of an incident.

If an organization has taken reasonable precautions which any other prudent person under similar circumstances would have undertaken but failed in some minor aspects, then the level of negligence is in the lower end. If however, there was no precaution taken or the precaution was ridiculously low, then the breach would be attributed to callous attitude and may be considered as a “Contributory Negligence” or even a “Passive Assistance” to a fraudster.

If we take the recent incident of the PNB fraud and another fraud that followed at City Union Bank, it appears that the negligence at City Union Bank which allowed a compromise of its SWIFT system may fall under the category of “Negligence but Not Recklessness”. On the other hand, the PNB negligence, which involved allowing customers’ executives to use the passwords of Bank officials to create their own “Sanction letters” and the sharing of passwords between multiple officers of the Bank, can be called abject complicity in the offence itself.

Even if there was no “Mens rea”, at least for some of the executives of the Bank, the “Recklessness” was attributable to all employees of PNB who were aware that the SWIFT messaging system was not linked to CBS and passwords were being shared.

The Association of employees in PNB has tried to put the blame on the top management. Similarly, the employees of the Mehul Chokshi firm have blamed their current loss of jobs on the Mehul Chokshi led Board. But if one is honest, we all know that if a fraud of this magnitude had taken place, then several persons within the Mehul Chokshi or Nirav Modi companies as well as PNB, other lending Banks, RBI and the Ministry of Finance must have smelt that something wrong was going on.

What has collectively failed is the system of “Whistle Blowing” that RBI already has in place but which has completely failed to work. The complaint that one franchisee, Mr Hari Prasad, made to the PMO is like many complaints that are forwarded to the PMO and directed to the appropriate departments for enquiry.

But each of the Banks had their own Whistle blowing systems and RBI had a Whistle blowing system for the entire Banking system, and it appears nobody had the courage to report the possibility of such a fraud. The reason could be that the heads of each Bank involved as well as the Governor of RBI themselves were all friends of the then prevalent political system and personally appointed by Mr P. Chidambaram, and hence nobody trusted them to take action.

If the Whistle blowing system ensures that the whistle blower is protected, then the skeletons would have tumbled as soon as a junior Bank officer acquires a flat costing Rs 3-4 crores or throws up a fancy party in a five star hotel etc.

In all such cases therefore, the negligence is unpardonable and hence there should be no protection from Cyber Insurance.

A Cyber Insurance contract being an uberrimae fidei contract, the Insurance company is unlikely to discuss these issues with the clients at the time the Insurance policy is bought. But if the liability is huge and the client invokes the insurance, then the legal departments in these insurance companies may certainly raise the “Illegal Defence” clause.

The principle in Insurance is always, “Take as many precautions as you would take if there was no insurance”, and thereafter, if the loss materializes, it is an “Accident” for which the Insurer should gladly assume liability. If one takes decisions recklessly because there is insurance to back them up, then the insurer would definitely feel cheated and raise objections at the first instance.

Naavi

The SLP order of the Supreme Court in the case of Shafhi Mohammad Vs State of Himachal Pradesh dated 30th January 2018, in which a two member bench of the Court passed an order which was clearly meant to overrule an earlier three member Judgement in the Basheer Case as regards the applicability of Section 65B of the Indian Evidence Act, is now having its adverse impact on the judicial system in India.

The SLP order was delivered by two judges, namely Justice Adarsh Kumar Goel (Seniority order 11) and Justice Uday Umesh Lalit (Seniority order 15).

This order was conspicuously rebellious, overruling the earlier judgement passed by three judges, namely Justices R.M. Lodha (then CJI, now retired), Kurian Joseph (Seniority order 5) and Rohinton Fali Nariman (Seniority order 12).

Normally, when a Judge has a difference of opinion with the earlier order of a superior court, the option available to him is to make a reference back to a comparatively bigger bench and seek a review. This is an established convention. It was diligently followed in the Aadhaar case when the question of “Whether Privacy is a Fundamental Right in our constitution or not” came up with a smaller bench which felt that an earlier 5 member bench had a view which could be reviewed. Accordingly the matter was considered by a 9 member bench which gave its clarification after which the earlier bench resumed its hearing.

This process was not followed by the A.K. Goel-U.U. Lalit bench, which preferred to pass its clarification order in derogation of the order of the earlier three member bench. Though there was a further hearing on 13th February 2018, the bench simply continued with other matters and let its earlier order on Section 65B remain on paper though its validity is questionable.

We consider that the order was erroneous, is amenable to be misused and would open doors of corruption in Judiciary.

It is also infructuous being an order of a smaller bench.

But by not reviewing the order in the next available opportunity the two member bench has shown disregard to the conventions and cyber jurisprudence.

It is necessary for the CJI to take note of this development; if he allows such breaking of conventions to go unquestioned, it will spread like cancer in the Supreme Court and throughout the judicial system.

Some time back we had the Justice Karnan episode where he challenged the Supreme Court and was later convicted for Contempt of Court.

But the current CJI did not take similar contempt action against the four judges who held a press conference. Now if the CJI continues to remain quiet without acting against the breaking of convention by the AK Goel-UU Lalit bench, every judge will ignore every other judgement of a bigger bench and turn Jurisprudence upside down.

If a lower bench of the Supreme Court can overrule a higher bench, a lower court can also overrule a higher Court. We will see chaos and anarchy spreading through the system if proper measures are not initiated by the CJI now.

Such a situation will give a free hand for corruption to decide which order of a superior court will be followed as a precedence and which will be ignored under the special precedent set by the AK Goel-UU Lalit bench.

The Order of this bench to turn Jurisprudence upside down is completely illogical and indicates that this could be part of a rebellion developing inside the Supreme Court.

The CJI needs to take note and take corrective action. Silence will not be a solution, and it may be too late to correct the situation if more such decisions contemptuous of the higher benches are allowed to be taken.

In the meantime, if any situation arises in Courts where there is an attempt to accept electronic evidence without Section 65B certification on the basis of the SLP order, it has to be challenged first with a request for review, if necessary supported with an expert counter opinion, failing which with an appeal to a higher court specifically on this issue.

It is regrettable that Supreme Court judges are creating anarchy in the system by not being consistent with their commitment to delivery of justice, and the poison seeded by the four rebellious judges seems to be having its effect in destroying the revered system. I hope the fear is misplaced and things will turn out well, with the bench in its next hearing on 7th March 2018 issuing a clarification that they are not overruling the earlier judgement.

If the Amicus Curiae is unable to find a practically permissible and legally acceptable solution to the problem on hand (evidence to be presented by the Police from the crime scene videography), it is necessary for the Court to hold a larger consultation with other experts before passing further orders.

Naavi

During the last week, Bengaluru witnessed a disturbing display of lawlessness by a group led by a son of a Congress MLA. The case involved a brawl in a Pub called “Farzi Cafe” in UB City in which another person was beaten to near death by the group.

Similarly there was another incident of VIP misbehaviour of another Congress worker sprinkling petrol and threatening destruction of a BBMP office also in the same week.

While the discussion on the incidents is outside the scope of this website, I would like to only discuss the role of “Digital Evidence” that plays an important part in both these incidents.

In both the incidents there is video evidence; in one case the offence is an “Attempt to Murder” and in the other case it is “Threatening to commit arson and destruction of Government property”. Both are very serious offences and require a fair trial in a Court. The evidence available would therefore be very important.

But there are unconfirmed media reports indicating that since the offenders in both cases are connected to the ruling party, the Police are favouring the accused and are unlikely to pursue the case properly. In the process, there will be a possibility of destruction or manipulation of the digital evidence, which is in the form of CCTV footage.

The Video in the case of threat to burn BBMP office has already gone viral and is now in the public space. Courts can take cognizance of the incident even if the Police try to suppress it.

But in the incident related to the brawl in the Pub, there are two videos, one from the Farzi Cafe where the brawl first took place and the other from Mallya Hospital where the accused tried to break in, perhaps to cause further hurt to the victim. Initial media reports suggest that the Farzi Cafe video has already been tampered with by the Police and will only show the victim slapping the accused and not the earlier first attack by the accused.

If the report is true, it is expected that the case will eventually not get proved in a Court of law and will be dismissed for lack of evidence. Worse still, the victim himself may be punished for attacking a respectable person who is the present accused and provoking him.

The incident highlights the importance of protecting the digital evidence which is extremely useful in such cases with CCTV cameras spread across the city and in most public establishments. Recently, Bangalore Police solved a case of harassment of a lady in the middle of the night only through the CCTV footage that was available.

But if CCTV footage becomes only a tool of manipulation, where at the discretion of the Police it would be used in certain cases and in certain other cases it would simply vanish, then the question of accountability for such CCTVs arises.

There is already an argument that installation of CCTV cameras is a threat to the Privacy of Citizens. This will only get strengthened. The defence that it helps in “Security” falls flat because of the frequent misuse of CCTV footage by law enforcement to suit their political objectives.

I therefore request the Bangalore Police to make public the entire unedited version of the Farzi Cafe incident to the public in the interest of transparency in public life. The Court should also direct for such a disclosure.

I believe that the Farzi Cafe owners would have a copy of the video and, unless they want to be accused of taking sides in the dispute, should go public with the copy of the video in their hands. Since this video would be relevant not only to the accused but also to the victim as well as other people who were in the Cafe at the time of the incident, there is a “Public Interest” in the disclosure and Courts can order the disclosure.

While somebody who has the courage to face the wrath of the Congress Government in Karnataka can take up the issue as a public interest litigation, the Courts also can take suo motu action if they consider the matter to be of consequence.

If however Farzi Cafe owners have deleted the evidence then they would be liable for prosecution under Section 65 of ITA 2000/8 and Section 204 of IPC for destruction of evidence. If manipulation of evidence has taken place after the Police took charge of the evidence, similar charge can be made on the police personnel also. Probably the Karnataka Human Rights Commission has the jurisdiction to investigate the matter.

It would be interesting to see how the case proceeds from here and what lessons the police and organizations like Farzi Cafe will take from the current incident on the handling of CCTV footage which becomes “Potential Evidence” in criminal cases.

Our discussion would be incomplete without also highlighting why the recent decision on an SLP by the Supreme Court in the case of Shafhi Mohammad was called by us a “Recipe for Corruption…”. If the order is to be accepted, then the CCTV footage which the Police produce may be argued as acceptable as evidence without a Section 65B certificate. If the decision in the Basheer case is followed, at least there will be one person who will look into the evidence and certify it, and while doing so will consider if the evidence is trustworthy or not. This important element of check on fraudulent production of digital evidence for admission would be removed if the Shafhi Mohammad decision is to be considered as valid. Fortunately this is a two member order on an SLP whereas the Basheer judgement is a three member judgement and hence it would prevail.

Naavi


“Where there is Money, there will be Fraud” is a truth which all traditional Bankers know. Hence the essence of Good Banking is building security into the culture of the organization and into its systems. The legacy paper based systems in Banks have been robust enough to ensure that Frauds are detected quickly if and when they happen and that no fraud will succeed without collusion of multiple persons and negligence of multiple persons.

Future of Banking

With the changeover from paper based banking to electronic banking, the risk has increased manyfold since the procedures of Banking have now been subordinated to the “Systems” designed by “IT Professionals” who are not “Bankers”.

I am reminded of one of the early warnings given out (some time around 2005) by Mr A. T. Panneer Selvam, the former Chairman of Union Bank of India (and an Ex DGM of IOB in which the undersigned worked a few decades back) who said “Future of Banking belongs to IT Professionals”. I have quoted this a number of times in my lectures promoting the advent of digital Banking before shifting to the current slogan that “Future of Banking belongs to Information Security Professionals”.

Need for Information Security Culture

The PNB fraud has highlighted this need to develop an “Information Security Culture” in Banks on a priority basis.

People in Information Security try to design many sophisticated tools to secure the “Confidentiality”, “Integrity” and “Availability” of information, which they define as the contours of information security. But if an authorized system owner shares his password with another, then the entire system of security built around the password crumbles.

In the PNB case, it appears that the Password of an AGM was shared with a Deputy Manager. So far the name of the AGM who shared his Level 5 Password with Mr Gokulnath Shetty has not come out in the open. He is an abettor of the crime and should also cool his heels in jail for some time. There may be more than one official of the bank who shared his password with his juniors, and all of them should now be held responsible along with Mr Gokulnath Shetty, who shared the password with an outside client in what can only be described as “Incredible”.

In June 2016, we saw TCS employees sharing among themselves passwords issued to an employee of a different company and hacking into a US Company, resulting in a legal suit of US $940 million against the Company. Fortunately the Directors and CEO escaped criminal charges and contained the damage to a civil suit.

This menace of “Password Sharing”, which has now reached a new dimension with a password being shared with an outsider, clearly indicates that our Information Security designers are at fault, first of all for relying on the system of Passwords and then for not having adequate measures to control the risks.

Design Faults

If we have dual keys to our strong room where cash is kept, and electronic locks that can be opened only at a certain time by certain biometric authentication etc., why is it that the SWIFT systems cannot use digital signatures backed by biometric based cryptographic keys and RFID based identity cards etc. to build layers of security which ensure that the system cannot be operated except from within a specific system in the Bank? Why is every transaction not immediately deposited in a different system and audited independently of the maker and checker, who might have colluded?

The security design in banks is faulty and I have already said that the makers of FINACLE software for which our Banks have paid a fortune should accept that their security design has left the Indian Banking system vulnerable.

Inaction by RBI

When I spotted and pointed out the extreme recklessness of ICICI Bank, PNB and Axis Bank during the adjudication proceedings of some Phishing Frauds, I had personally represented to RBI that they should suspend the Internet Banking licences of some of the branches involved in the commission of Phishing frauds.

Had RBI at least sent one harsh letter to the Banks at that time, perhaps this PNB fraud would not have happened. Mr K.R. Kamat was the Chairman then and he continued to rise to greater heights after the frauds were pointed out.

The fraud in which more than Rs 1.6 crores were lost by an exporter in PNB was a clear indication of complicity by the Noida branch of PNB, but Mr Kamat took no action. This case is still languishing in the Delhi National Consumer Forum, and the judges who have been adjourning the case year after year, obviously at the instance of the bank, will have to introspect if they could have contributed indirectly to the current Rs 11400 crore PNB Fraud.

The Governors, Deputy Governors and other Executives of RBI whom I repeatedly appealed to for action but who did not respond should introspect if they are also responsible for not initiating specific action in time which has caused the present mess.

Appointment of Directors

Without diverting back into the software issue and irritating my friends in IT industry more, and also not again speaking of the RBI as a toothless paper pusher who is good in drafting guidelines without any power to implement them, I would today like to say that the root cause for the malaise lies with the Finance Ministry in their system of appointment of Independent Directors of Banks, Chair persons and other Directors.

The clean up therefore should start here at the Board level appointments in each of the Banks. For the Indian political system to think of progress we needed a Narendra Modi to succeed Mr Manmohan Singh. Similarly, for any Bank, whether it is PNB or SBI, ICICI Bank or HDFC Bank, Allahabad Bank or Union Bank, it is necessary that the head of the institution should be not only efficient from the domain perspective but also scrupulously honest. We cannot expect every Chairman to be an Information Security expert, but it is for this reason that he has a Board to assist him. Every member of the Board should therefore be equally honest besides being an expert in some part of the domain.

The constitution of the Board of Directors is the biggest internal and external control for the Banks. Without correcting this, if we try to tinker with our Firewalls, Software and Hardware, we will not be able to achieve the security that we are trying to achieve.

The politicians and media who are questioning Mr Narendra Modi because Mr Hari Prasad’s letter was not acted upon by the PMO must ask why all the public postings at Naavi.org, in which Banks like ICICI Bank, PNB, AXIS Bank and SBI in particular were pointed out for lack of information security practices leading to frauds, were not acted upon by the respective Banks and RBI.

I had called upon the Independent Directors of the Banks with a request, “If You are a Bank Director.. Your Independence Day Resolution Should be…”, after the Bangladesh Bank SWIFT fraud to ensure that the RBI guidelines on the “Cyber Security Framework” should be diligently implemented by the Banks. I am not however sure if any of the independent directors raised the issue in any of the Board meetings.

These Independent Directors have failed to discharge their responsibilities in the way Mr Dubey of Allahabad Bank tried to do, and therefore should bear vicarious liability for the PNB fraud.

The Ball is in the Court of Mr Arun Jaitely

If these Directors were incapable of protecting the Banks and the Chair persons were not only inefficient but also complicit in the frauds, the responsibility goes up to the Finance Ministry under Mr Arun Jaitely and the Secretaries in the Finance Ministry who have appointed these Chairmen and Directors for their own considerations. While commenting on the Bitcoin issue, I have repeatedly stated that I have doubts on the culture of the Finance Ministry built under the regime of Mr P Chidambaram and urged Mr Arun Jaitely to take suitable corrective action.

Now we need to repeat this request once again for Mr Arun Jaitely to prove his commitment to clean up the Banks by kicking out non functional Directors and replacing them with vigilant, honest individuals of repute who can ask questions of the Chairmen and Board. Many of the Chairmen themselves need to be eased out though in a manner that does not destabilize the system. All independent Directors in PNB and other Banks which have given loans to Nirav Modi, Mehul Chokshi companies must be removed tomorrow and replaced with appropriate persons.

Will Mr Arun Jaitely have the necessary commitment?

Naavi


Reference Articles:

Naavi.org has been carrying on a crusade against Bank frauds in the Digital era and has discussed many issues in the past. If the authorities had taken some action on these warnings, we would perhaps not be in the situation we are now in. Some of these warnings were to individual Banks, some to RBI and some to the Government itself. I hope at least now somebody will find time to examine how security in the Indian Digital Banking industry can be improved with appropriate regulatory action. The ball is in the court of Mr Arun Jaitely, the Finance Minister.

For immediate reference some of the past articles are indicated here:

Axis Bank ATM license should be cancelled by RBI

Does SBI Cards pose a special risk for customers because of Incompetence and possible collusion?

Will RBI disclose “Sanction Mechanism” to enforce sanctity of Banking license conditions?

Let RBI show Who is the Boss

1710 Bank Frauds reported by Police..Does RBI have a count?

RBI cannot remain silent.. and so also NPCI, CERT and Ministers of Home, IT and Finance

Banks want their negligence to be underwritten by the Customers. Do you agree Mr Urjit Patel?

Yet another Bank Fraud.. What will RBI say?

This credit card fraud should be a lesson to Judges, Adjudicators and Banking Ombudsmen

Another Great E Banking Robbery Could destroy our Banking system

Protect Bank Consumers from Frauds or be prepared for disaster..A warning to BJP Government

90% growth in Credit Card Frauds … Dear Police, How Many Banks have you Charged?

SWIFT Hacking exposes Indian Banks to huge Risks

RBI’s conspiracy by silence

Negligence of Export Promotion Councils, ECGC and Banks lead to Rs 2.35 crore fraud

Has RBI really woken up from its slumber?

What does the new RBI Governor has to say for this?

..The list is endless. Maybe a search page like this will help.

After the surfacing of the Nirav Modi-Mehul Chokshi scam in PNB, the media are putting out their own interpretations, some of which are politically motivated and some born out of lack of information. According to NDTV and some other media, the loss may be over Rs 20000/- crores. Rahul Gandhi may think he belongs to the Mahatma Gandhi family, but he is still struggling to work out whether Nirav Modi is the cousin of Narendra Modi. Mr Singhvi is caught in the “Unaccounted Money” allegations. The Alpha files and deep throat are also in the fray, making this a great time for TRP oriented media.

Negligence in Banking is universal

The Dinesh Dubey revelations may appear sensational to Mr Arnab Goswami, but the fact that Bank Boards are manipulated by the politicians is well known. The UPA Government, which had mastered the art of making money by exploiting the land, sea, air and even the spectrum, could not have missed an opportunity to take money directly from the Bank. Hence if Mr Narendra Modi says that when he took over, NPAs were more than 126000 crores and he could not have publicised it without hurting the industry, it does not come as a surprise to observers like us. From the old Indian Bank fraud to the Harshad Mehta Fraud, we have seen enough frauds in the Banks to believe that if Digital Banking is indiscriminately promoted, fraudsters will make merry.

If Global Bankers have a system whereby a SWIFT message from a deputy manager of a Bank can be used to lend Thousands of Crores to one company by several banks, then the problem is that the Digital Bankers of the day do not know the Risks inherent in Banks. This includes even the wise men in RBI who are good paper pushers.

Naavi.org had its own share of “Dooms day predictions” in Banking and there are plenty of articles in the past highlighting a day of this nature when Cyber Frauds or Frauds in the Cyber Banking scenario could be huge enough to wipe out even big Banks.

For a long time we have held that RBI has no control over influential Commercial Bank Chairmen. We have stated this in the context of ICICI Bank, State Bank of India, PNB and Axis Bank, where we had observed frauds, brought them to the notice of RBI and found no action was taken. We had even demanded that some branch licenses of ICICI Bank and PNB should be suspended as a deterrent. Some of these Chair persons have held influential positions in IBA, which has been more powerful than RBI. Hence many security guidelines of RBI are simply ignored by IBA and RBI has done nothing to enforce its authority.

As a result, the negligence and apathy in the Banking industry continues. Security is always subordinated to profits and hence we see weak IT systems and opportunities for frauds increasing by the day.

Yesterday, City Union Bank was also confronted with the SWIFT fraud, in which three fraudulent remittances seem to have been attempted. One of these has been prevented. One more may be retrieved quickly. The other may require some effort. But the fact that CUB faced the same problem which Bank of Bangladesh suffered long ago shows that our Banks do not learn lessons.

There is presently no doubt that officials of PNB were involved in the fraud to favour Nirav Modi-Mehul Chokshi. They might have been pressurized politically at the Chairman level. It is only when Mr K.R. Kamat, the former Chairman of PNB, is queried about some of these transactions that the truth may come out.

In this confusion, we should not forget that it is not only PNB that should be hauled up, but each of the Banks which gave funded loans to Nirav Modi-Mehul Chokshi firms based on a SWIFT message from a junior officer, without following the 90 day RBI norm or examining the end-use of funds and the feasibility of the operations.

As Mr Dinesh Dubey’s statements indicate, there was a political conspiracy whereby multiple Bank Chairmen were made to provide funded loans against PNB’s LOUs. Hence all these Banks are part of the conspiracy to siphon off Rs 11000 crores, or whatever amount we finally end up with as the loss in the funded accounts. It is for this reason that RBI should not force PNB to take all the liability and leave the other Banks out of the conspiracy. If this is forced, it would mean that RBI itself would be guilty of abetting the fraud.

The other independent Directors who were complicit with these frauds should also be questioned in each of these Banks.

The contribution of Finacle software

Another neglected aspect is the company responsible for the Core Banking Software used in the Indian Banking system, which happens to be our beloved Infosys. The system is FINACLE. After the few PNB phishing frauds that I had come across, I raised my voice against FINACLE not being Cyber Law Compliant. Now this PNB fraud indicates some of the systemic weaknesses in the Finacle software.

I am sure that my friends in Infosys will immediately object to my drawing their name into this controversy. When I objected to the Finacle Marketing chief hailing it as a platform for Bitcoin usage, I had many of my friends displeased. But the reason why Infosys should find itself reviewing its own contributory role in this Banking fraud is that it appears the software is not built by design to prevent such frauds.

Software developers may conveniently say that it is for the software user to provide specifications and the developer will provide a solution as desired. If the solution facilitates frauds, it should not be the responsibility of the software developer.

They may say that “Releasing Software with Bugs is their right” and that what conventional Bankers like the undersigned may dub “Fraud friendly specifications” is the responsibility of the Bank using their software.

I am aware that in the past the developers of the Accounting software “Tally” told me that some security features in the software were deliberately removed in subsequent versions because the users wanted “Flexibility” in the accounting. The flexibility wanted by the users was the ability to manipulate accounts so that false accounts could be created without the log system capturing the manipulations. This facilitated a fraud in an Exporter’s firm in Chennai, in whose investigation I had participated. Tally succumbed to this marketing pressure and fell into the practice of “Customization for Customer Convenience”.

It is possible that Infosys might be in the same situation where for commercial reasons, they have to configure FINACLE to facilitate convenience even though it makes it easy for fraudsters to misuse the system.

Today everybody is asking why PNB’s SWIFT messaging system works outside the CBS.

If certain messages sent out over SWIFT create liabilities (contingent or otherwise) for PNB, and have to generate a corresponding “Margin Money Demand” and “Guarantee Commission Credit”, then FINACLE should have ensured that such messages are generated only from within FINACLE.

If PNB officials did not want it this way, Infosys should have documented the request with the reasons. If Infosys developers were aware of “Banking” in depth, they would have immediately sensed that the request is made only to keep a “Backdoor for fraud” that can be exploited.

Infosys failed to show the commitment to prevent a “Fraud Friendly Configuration” from prevailing, which could hurt society.

I would be happy to receive a clarification from the FINACLE team if my conjecture is wrong. I would expect Mr Nandan Nilekani to order a review of the security features of Finacle without restricting the definition of security to only the CIA principle of technical security but extending it to “Security of the underlying business which the software supports”, which is the “Total Information Assurance” principle.

Role of Auditors

We can now shift our attention to the auditors and the Information Security department of PNB. Should they not have seen the “Vulnerability” in the CBS system and flagged it as a risk?

Probably these auditors did not understand how the Finacle IT system could be misused. Even if they were not IS experts and had to believe the management statements, the nature of the financial transactions, the 365 day window provided for the LOUs, the frequent roll-overs etc. should have given them the clue.

Internal auditors who should be Techno Banking specialists also failed to note the suspicious patterns.

I am sure that SWIFT messages are separately audited, and at the least they should have been reconciled with the margin money and guarantee commission accounts, which the auditors ignored.
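The reconciliation the post calls for (every outgoing LOU must have its margin money demand and guarantee commission credit posted in the CBS, must respect the 90 day norm, and should not simply be rolled over) as an added example; this is not PNB's, Finacle's or the auditors' code, and the record shapes, labels and sample LOUs are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
RBI_MAX_VALIDITY_DAYS = 90  # the "90 day RBI norm" mentioned in the post

@dataclass
class Lou:             # one outgoing SWIFT letter of undertaking (constructed record shape)
    ref: str
    beneficiary: str
    amount: float
    issued: date
    expiry: date
@dataclass
class LedgerEntry:     # one CBS posting linked to an LOU (constructed record shape)
    lou_ref: str
    kind: str          # "MARGIN" = margin money demand, "COMMISSION" = guarantee commission credit
def reconcile(lous, ledger):
    """Return {lou_ref: [finding, ...]} for every LOU that fails a control."""
    postings = {}
    for entry in ledger:
        postings.setdefault(entry.lou_ref, set()).add(entry.kind)
    last_seen = {}     # beneficiary -> most recently issued LOU, used to spot roll-overs
    findings = {}
    for lou in sorted(lous, key=lambda l: l.issued):
        problems = []
        kinds = postings.get(lou.ref, set())
        if "MARGIN" not in kinds:
            problems.append("no margin money demand posted in CBS")
        if "COMMISSION" not in kinds:
            problems.append("no guarantee commission credit posted in CBS")
        validity = (lou.expiry - lou.issued).days
        if validity > RBI_MAX_VALIDITY_DAYS:
            problems.append(f"validity {validity} days exceeds the {RBI_MAX_VALIDITY_DAYS}-day norm")
        prev = last_seen.get(lou.beneficiary)
        if prev is not None and lou.issued <= prev.expiry:
            problems.append(f"issued before {prev.ref} expired: possible roll-over")
        last_seen[lou.beneficiary] = lou
        if problems:
            findings[lou.ref] = problems
    return findings

# Constructed sample: a clean LOU, an LOU with no CBS postings and a 364-day window,
# and a fresh LOU for the same beneficiary issued before the earlier one expired.
SAMPLE_LOUS = [
    Lou("LOU-001", "Firm A", 100.0, date(2017, 1, 10), date(2017, 4, 5)),
    Lou("LOU-002", "Firm B", 500.0, date(2017, 2, 1), date(2018, 1, 31)),
    Lou("LOU-003", "Firm B", 500.0, date(2018, 1, 25), date(2018, 4, 20)),
]
SAMPLE_LEDGER = [
    LedgerEntry("LOU-001", "MARGIN"), LedgerEntry("LOU-001", "COMMISSION"),
    LedgerEntry("LOU-003", "MARGIN"), LedgerEntry("LOU-003", "COMMISSION"),
]
```

Running `reconcile(SAMPLE_LOUS, SAMPLE_LEDGER)` leaves LOU-001 clean, raises three findings on LOU-002 (no margin, no commission, 364-day validity) and flags LOU-003 as a roll-over of LOU-002.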

The Board, which should provide an annual declaration under clause 49 of the listing requirements in the annual report stating that there are “Adequate Controls and the correct financial statements are reflected”, has made a false statement for which the entire board of directors is responsible.

The same questions about internal control and audit failures apply in each of the other Banks, who are today claiming that they trusted the LOU of PNB and blindly paid out money in thousands of crores to beneficiaries. We are not fools to accept this argument.

I consider that the issue of loans by all these Banks under circumstances where the business feasibility was doubtful and known norms were flouted is prima facie evidence of the involvement of employees/Directors/CMDs in all these Banks (6 or 32?) in a great Banking fraud conspiracy.

CBI must question all these employees, starting with the Allahabad Bank Board members on whom specific information is now available.

Demoralization Effect

As an ex-banker, I am aware that this fraud, which cuts across many Banks, will have a demoralizing impact on the employees when CBI extends its net wide. We have seen this happen after the Indian Bank fraud surfaced two decades ago.

It is for this reason that the Media should stop creating panic and putting pressure on the BJP Government. Instead, they should try to instill confidence in the public that what the Government is trying to do is a very sensitive operation and has to be done discreetly.

While the anti national forces, which include the present version of the Congress party, would like to create more confusion with their demand for a JPC so that the thieves can themselves be the judges, the Government of India should resolutely move towards cleaning up the mess. The less they talk, the better.

Only one word of comfort from Mr Arun Jaitley or Narendra Modi that proper action would be taken should suffice. All the spokespersons should stop talking on this scam even if they are tempted to do so because of the utterances of the opposition. The “Professional Panelists” like Sumant Sriram et al. should be kept out of the channels for some time so that a sense of responsible reporting returns to the media, rather than shouting for political gains.

In the process, we need to root out corruption in Banking and ensure that the future of Banking is saved. Let more heads roll and more bodies go behind bars. It will be in a good cause.

The Indian Banking system has many honest individuals who can rise to meet the challenge, fill the void even if 25% of the top management in Banks are removed, and manage the turmoil. All the independent directors of the 6-32 Banks who were complicit in the conspiracy should be removed forthwith and brought into the enquiry process.

This will have its share of demoralization in the industry. But it will spur the honest Bankers at the next level to work more honestly than before and restore the Banks to health.

This is like the Kargil fight. We might have lost the battle, but let us fight to win the War. Just as the public supported Mr Narendra Modi in the demonetization days, they will support him even now.

Let’s therefore tighten our seat belts and let Mr Narendra Modi shake up the Banking system.

Maybe the above ad from PNB on its home page is meaningful in the current context.


P.S: It is now reported that the Level 5 password for SWIFT, which only AGMs could use, was shared by Mr Shetty, who was a deputy manager, with the officials of Nirav Modi so that they could issue their own LOUs.

This means that the password was first shared by the AGM with Mr Shetty, and that the system was not configured to link the hardware ID from which SWIFT could be accessed. Normally an adaptive authentication system should prevent logging in to SWIFT except from a designated computer. The IT manager, the IS manager and the AGM himself all deserve to be put in jail for giving away the key to the strong room to the fraudster.

If the software had been designed with this possible use case in mind, such a login would not have been allowed even if the fraudsters had come to Mr Shetty’s cabin and operated his computer, since the AGM’s password should have been linked to his own computer.

It also means that there was no digital signature or biometric authentication either to the SWIFT application or to the computers authorized to access SWIFT application. (Refer India Today article)
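The binding described in this P.S. (a level 5 SWIFT credential usable only by its holder, only from that holder's designated computer, and only together with a digital signature or biometric) as an added example; this is not Finacle's, SWIFT's or PNB's code, and the user IDs, workstation IDs and levels are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class SwiftAccessPolicy:
    """Constructed policy: which user holds which SWIFT level and which workstation is bound to them."""
    user_level: dict           # user_id -> highest SWIFT level the user holds (5 = the AGM level in the post)
    bound_workstation: dict    # user_id -> the only workstation ID from which that user may log in
    second_factor_required: bool = True   # digital signature or biometric on top of the password
    audit: list = field(default_factory=list)

    def authorize(self, user_id, workstation_id, second_factor_ok, required_level=5):
        """Return (allowed, reason) for a SWIFT login needing `required_level`; every decision is logged."""
        level = self.user_level.get(user_id)
        if level is None:
            return self._record(False, user_id, workstation_id, "unknown user")
        if level < required_level:
            return self._record(False, user_id, workstation_id,
                                f"level {level} user cannot perform a level {required_level} operation")
        if workstation_id != self.bound_workstation.get(user_id):
            # a valid password is not enough: it must be presented from the designated computer
            return self._record(False, user_id, workstation_id, "workstation not bound to this user")
        if self.second_factor_required and not second_factor_ok:
            return self._record(False, user_id, workstation_id, "second factor missing")
        return self._record(True, user_id, workstation_id, "ok")

    def _record(self, allowed, user_id, workstation_id, reason):
        self.audit.append(("ALLOW" if allowed else "DENY", user_id, workstation_id, reason))
        return allowed, reason

# Constructed users: an AGM holding a level 5 credential and a deputy manager holding level 3.
POLICY = SwiftAccessPolicy(
    user_level={"agm01": 5, "dm07": 3},
    bound_workstation={"agm01": "WS-AGM-CABIN", "dm07": "WS-DM-DESK"},
)

if __name__ == "__main__":
    # the AGM's level 5 password typed at the deputy manager's desk is refused although it is valid
    print(POLICY.authorize("agm01", "WS-DM-DESK", second_factor_ok=True))
```

The audit list records the denial in each case, which is the trail an IS manager or auditor would review for shared-credential use.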

…Disgusting

Naavi