I draw the attention of all the individuals who hold the position of a Director in any of the Scheduled Commercial Banks in India, including RRBs and Cooperative Banks, to the new responsibility thrust on them by RBI through its Circular on Cyber Security Framework released on June 2, 2016, and further through the “Draft Circular” of August 11, 2016 announcing its intention to limit customer liability for Internet/Mobile/Credit Card/Debit Card/ATM Card frauds.
I also draw the attention of all Bank staff training establishments, Principals and Faculty Members who have the responsibility to educate Banking Executives, as well as well-wishers of Banks such as Auditors and Company Secretaries who have the responsibility to advise Directors on compliance with RBI regulations, so that they may in turn keep the Directors informed that the new dispensation of RBI hoists inescapable responsibilities on them which cannot be ignored.
Kindly analyze the following and take appropriate steps without any further delay.
Recently, we witnessed an alarming situation where the Bank of Bangladesh lost Rs 90 crores through a hacking of their SWIFT money transfer system. A similar attack also occurred on the Union Bank of India system and, but for a stroke of luck, the Bank could have lost about Rs 1200 crores through a similar fraud. Unlike the earlier major frauds, where money of customers was stolen from their Bank accounts, this time the attack was directly on the Bank’s own system. It also demonstrated that there are vulnerabilities within the Banking system, and the same vulnerabilities may also cause losses to the customers.
The Legal Implication
What we need to recognize here is that the hacker was able to engineer a money transfer of hundreds of crores of rupees by forging the transfer requests of two responsible officials of the Bank entrusted with the Maker-Checker responsibilities that must be completed before funds can be transferred in the SWIFT system. It is therefore clear that such hackers will not find it difficult to forge the signature of a Branch system administrator who has the powers to create new users and new passwords for staff members, and thereby to create fraudulent access credentials and initiate transfers of substantial amounts from many customers’ accounts.
Banks will therefore not be able to claim that they have good security systems in place, that such systems have been audited for standards such as ISO 27001 by one of the Big Four firms, etc., and thereby convince judicial authorities that whenever a Bank fraud occurs it is the negligence of the customer that is responsible and not that of the Bank.
Cyber Security Framework (CSF-2016)
Taking note of the new risks that the SWIFT attack represented, RBI was quick to come up with a new “Cyber Security Framework” (CSF-2016) as a mandatory recommendation for Banks, revising and upgrading the earlier directions contained in the Internet Banking Guidelines of June 2001, the E-Banking Security Guidelines (GGWG) of April 2011, and other guidelines on Card transactions released from time to time.
While issuing the new guidelines, RBI has placed direct responsibility on the Board of Directors to take cognizance of the gaps that exist in compliance and of the road map for mitigating those gaps.
The suggestions made in CSF 2016 go much beyond what was contained in the earlier guidelines and include setting up a Security Operations Center (SOC) and a “Honey Pot” to defend against “Unknown Zero Day Vulnerabilities”.
The current information security systems will not be able to meet the compliance requirements even in the big Banks, and smaller banks will be woefully short of the requirements.
The Board of Directors therefore need to develop strategies for meeting the compliance requirements within the limitations of funds and expertise within their own Banks.
CSF 2016 also requires that a detailed report be sent to RBI as and when a security breach happens, within two to six hours of the incident coming to the Bank’s knowledge. There will therefore be no opportunity to preview the report by holding a Board meeting to approve what is being submitted to RBI, and what is submitted may create a liability on the Bank and its Directors.
The situation therefore calls for urgent action by Directors to safeguard their own interests and those of the Bank. Such action includes training themselves and reviewing the action taken so far in this regard.
Many of the Banks might have already passed a resolution in their previous Board meeting, since the deadline for submission of a Board-acknowledged Gap report was July 31, 2016.
If the Directors had not fully appreciated the requirements and passed the resolution in good faith, trusting that their professional departments must have presented a fair proposition, now is the time for the Directors to look back at the papers they approved and see if there is a need for review, since the next deadline for actual compliance is September 30, 2016, which is hardly 45 days ahead.
Limited Customer Liability
As a further act of follow-up towards “Safe E-Banking”, RBI has now released a draft circular on August 11, 2016 and indicated its intention of bringing in the concept of “Limited Liability” for customers in respect of frauds. “Limited Liability” for customers automatically means “More Liability” for the Banks.
According to the proposed system, in all cases of fraud in which the negligence of the Bank is involved, the liability has to be fully borne by the Bank. In any case, once the Bank has been notified of an unauthorized debit, any further fraudulent withdrawals would also be the responsibility of the Bank, irrespective of whose negligence caused the loss.
In cases where the fraud has occurred due to the direct negligence of the customer, he may be held liable.
In cases of third-party breaches where neither the customer’s nor the Bank’s negligence is involved, if the customer notifies the Bank of the unauthorized transaction within 3 days of it being reported to him by the Bank (sending an alert is the responsibility of the Bank), the customer will not be liable. If in such cases the customer reports after a delay, but within 4-7 days, the liability will be limited to Rs 5000/-.
If the customer notifies the unauthorized debit arising out of a third-party breach in which there is negligence of neither the customer nor the Bank beyond 7 days, or fails to report it at all, then the Bank has to state in its policy how much liability can be hoisted on the customer beyond the Rs 5000/-. It is difficult to say if RBI would accept 100% liability on the customer in such cases, since the law also may not support it. It has to be a graded system, reasonable under the circumstances. Probably any liability on the customer beyond 50% would be unreasonable even if he has failed to report the unauthorized debit in his own account.
Non-compliance with CSF 2016, and providing a false confirmation to RBI that the Bank is compliant, would establish “Negligence” and “Complicity” of the Bank in facilitating a fraud and can make it liable for all frauds.
In view of the above, it is time that Directors of Banks immediately take the necessary action to ensure that their responsibilities are properly discharged and that they are free from personal liabilities. I hope this would be a personal resolution that they take on this 70th Independence Day of India.
P.S.: I have placed more detailed discussions in earlier articles and will continue to put up more information; I invite the Directors of Banks to peruse the same and take appropriate action.