Bank alone should be liable on RTGS and Phishing Frauds

I refer to an article in Business Standard today titled “Cyber frauds: Experts blame banks; banks find faults with clients”.

One of the views expressed by a Banker is quoted as follows:

“Earlier when internet banking was started, we thought that user name and password is the enough security but then additional security measures were developed,” a banker said, adding, “Even that is now proving futile.”

I would like to remind this Banker that way back on 17th October 2000, the Information Technology Act 2000 became effective. According to this law the only method of authentication of an electronic document recognized in law was “Digital Signature”. If this Banker thought that user name and password was enough security, I must say that he was ignorant of the law of the land.

Again, on June 14, 2001, RBI released the Internet Banking Guidelines and reiterated that if the Banks use any technology other than the “Digital Signature”, then they should assume the legal risk. At that time RBI could not mandate digital signature since no certifying authority was available until February 2002. Since 2002, digital signatures are available and hence Banks have no business to carry on Banking authentication without the use of digital signature. If the Banker was not aware of this position till now I am sorry about his ignorance.

In 2010, the Tamil Nadu Adjudicator gave his award in the Phishing case of S. Umashankar Vs ICICI Bank where he categorically pulled up the Bank for not using digital signatures.

The RBI  circular on GGWG recommendations on Information security on April 29, 2011 again reiterated this fact that if Banks suffer any loss on account of non usage of digital signatures, then they should assume the legal risk which also is an operational risk under Basel II considerations. If the Banker does not know even this, then I donot know what to say.

I am aware that security experts are already warning that soon hackers will break even the digitally signed instructions through Man in the Browser attacks. So Banks are several steps behind the current threat scenario.

There is no point in them blaming the hackers nor the so called “ignorance of the customers”. If Bankers themselves cannot understand the emerging risks, the new trojan behaviour etc, how can they expect their customers to be more informed than them?

Naavi.org has been time and again pointing out that Bankers are bullying the customers into accepting liability arising out of the Banker’s greed to push Internet Banking to unprepared customers.

RBI has reminded them again and again that banks need to introduce real-time transaction behaviour monitoring to stop the kind of frauds that we have seen in the case of Yes Bank. But Banks did not heed.

The recent Rs 250 crore card fraud in which the Indian payment processing companies were hacked is another indication of how hacking can take place at the Bank’s end and innocent customers may lose their money. The same card processors also process transactions of some Indian Banks and hence the customers continue to be at risk.

Unless some Chairpersons of Banks are put in jail for such frauds, Banks will continue to act arrogantly and try to disclaim their responsibility. If minister’s resign for the mistakes of their subordinates, is it not necessary for Bank Chairmen to resign when such major frauds take  place?

I hope Bankers are more responsible when they give press statements in such cases.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Crime, ITA 2008, RBI. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.