Yesterday, I highlighted the plight of a customer of State Bank of India Musiri branch in Tamil Nadu who lost Rs 49773/- through a fraud. We can recall here the decision of the Adjudicator of Tamil Nadu in the case of S.Umashankar Vs ICICI Bank that even in the case where the customer has compromised the credentials in a phishing attack, the Bank is liable for its negligence and is liable to pay the customer for his loss.
I want the State Bank of India, Musiri branch manager to read this judgement when he contemplates replying to our open letter of yesterday.
The logic is very clear. A fraud happens when there is an ultimate victim who is out of pocket and the ultimate fraudster who has enriched himself with a wrongful gain. In between there are different entities, some of whom have participated in the chain of transactions which together form a “Money Laundering Exercise” where money is stolen from an honest person and the tainted money is passed through different filters leading to a clean possession of an asset in the hands of the fraudster.
The intermediaries facilitating the fraud who are all “Partners in Crime” include the Banks, Mobile service providers and the PPI and even the E Commerce Site where the fraudster uses the stolen money to buy products and services. The Mules who function as Phishing agents and the BPOs that run in Noida/Ghaziabad area where IT companies are set up as “Phishing Call Centers” are directly involved in cheating the Bank customer.
There is no doubt that the Phishing mules are no longer innocent youngsters who are earning their daily meal by creating phishing websites and making calls etc. They are using all their social engineering skills to cheat innocent victims and their masters are like mafia gang leaders. These people deserve to be put behind bars for a long long time. Though some of these are arrested from time to time, I presume the Courts and the Criminal lawyers ensure that they are out on bail soon to continue their nefarious activities.
As far as the victim is concerned, he does not have the resources to fight the mafia network and therefore is at a disadvantage having to fight the crime mafia.
On the other hand, the intermediaries like the Banks, the Mobile Service Providers and PPI service providers have no business to be assisting the fraudsters with their own negligence.
The E Commerce service providers who actually deliver goods against such fraudulent payments sometimes fail to cooperate with the law enforcement by not sharing the product delivery addresses or by delivering products on street corners instead of at an identifiable address of the buyer. To that extent of negligence they also have to take the blame for letting the frauds perpetuate.
However, the greater responsibility lies on the other intermediaries who help in the money laundering scheme of the fraud gang. None of the phishing fraudsters will be able to encash their crime booty except with the assistance of the intermediaries. Without opening a Bank account or a PPI account in a mobile, it is impossible for these frauds to be successful.
Hence these financial intermediaries are the key to controlling such frauds and their negligence is unpardonable.
The most visible form of the negligence of these financial intermediaries is in not having a robust KYC system and enabling the fraudsters to open fake accounts either in the Bank or in obtaining SIM cards. As genuine customers we all know that when we want to open a Bank account or obtain a SIM card, we are subject to all forms of rigorous checks and if this is a common practice, it should not normally be possible for fraudsters to open fake accounts. But it is a fact that fraudsters do succeed in opening fake accounts and use the account repeatedly to commit frauds on others.
This only proves that these financial intermediaries have moles in their own organizations who enable fraudsters to open fake accounts by tampering with the KYC documents. In most cases, the KYC documents of a genuine customer may be used for the fake accounts putting the genuine customer also at the risk of being accused of a fraud at a later time. Since these moles are employees or contractors of the financial intermediaries, the vicarious responsibility for their fraudulent activities lies with the financial intermediaries.
It is in this context that financial intermediaries need to develop rigorous KYC practices starting not with their technology hardening but with the hardening of their processes in appointment and management of KYC agents.
Until such time these Banks and Mobile operators understand their responsibilities and discharge them with a sense of duty to the public, we will continue to say that India is not ready for financial innovation and introduction of products such as Aadhar Enabled Payment Systems.
We also continue to hold that these intermediaries should be not only made to pay for their negligence by picking up the fraud liabilities but also be criminally charged for reckless handling of the financial systems putting the society at stake.
I therefore call for Police in Musiri to file a criminal charge on State Bank of India, Musiri for defrauding their customer by adopting inadequately secured authentication methods which have enabled the commission of the fraud.
In case SBI tries to divert the charge to various PPI operators such as PayTM, mPesa, one97.com, Oxigen, who are the companies which SBI appears to have pointed out as beneficiaries of the above fraud, Police should file cases against these operators also since their KYC could have failed.
If some of these are non KYC accounts, still the log records of these operators would be useful and they should be called for. If they are not able to provide log records, they should be charged for negligence and non compliance of ITA 2000/8.
Today, Banks want to continue their present approach to digital Banking where they want to pocket their commissions and service charges and expect Customers to underwrite the risks. This is unacceptable. Banks should pay for their negligence and if necessary cover themselves with Cyber Insurance.
Any system of electronic banking that does not protect the customer against “Phishing” is not a secure system and must be abandoned.
Unless we try to make an example of this case, which represents an instance of an ignorant customer being provided with an unwanted banking facility which he is unable to understand and therefore becomes a victim of a fraud, we will not be able to make progress in improving the security ecosystem.
Since it is a policy decision of the RBI that such services are being pushed to ordinary people in a false sense of digital progress, the RBI Governor Mr Urjit Patel is also answerable for lack of proper understanding of the Banking customer.
It appears that the current state of affairs where “Insecure Banking” has become the accepted norm, is also a result of RBI being managed by “Economists” instead of “Bankers”. These economists know only how to tinker with interest rates and appear to have inadequate understanding of the retail Banking system.
It is difficult not to also blame our Finance Minister and Prime Minister who are being misled into promoting digital habits as a part of the digital revolution and driving the Indian Banking customers towards a day when Indian Banking system will collapse.
For the time being, my advice to rural Banking customers is to ignore the call of the politicians to go digital and stay at transactions which they can understand. If they are comfortable in going to the Bank and meeting the Bank manager to deposit and withdraw their money, they should stick to it and not go for mobile Banking. If they are comfortable in dealing with cash, they should stick to it and return their debit cards today to the bank and obtain an acknowledgement.
I know that this message may not directly reach the target customers who are illiterate villagers but I am placing it here so that NGOs may pick it up and spread the message.
I have already placed these suggestions with Mr Modi stating that until he is able to introduce mandatory Cyber Insurance, he should stop promoting digital payment systems as he is knowingly or unknowingly committing the Indian society to doom.
The dream of “Less Cash Society” cannot be pushed without a mandatory Cyber Insurance protection for all customers of digital payment system. If the Government is not ready for this, they should stop talking of “Less cash society”. Such Cyber Insurance cover should come at the cost of the Banks and should not be loaded on to the customer.
As some economists have pointed out, the system of digital payment replacing the cash transactions where every transaction is loaded with a service cost would erode the wealth of the transferor with each transaction until the “Cash in digital form becomes zero after successive deductions of service charges”.
Hence it is not feasible to load costs onto digital transfer and it has to be borne by the Banking system out of the efficiency related savings and benefits.
Hope these words of wisdom from an ex-Banker, E-Business Consultant and Techno Legal Information Security observer reach the right persons and they act in the right direction without branding me as “Anti Developmental” or “Anti BJP” since I am neither.
I am one who believes that technology can be harnessed in a manner that does not endanger the financial system but technologists who do not care about the society and the regulators who do not understand the risks along with Politicians who look for short term gains are not using technology in a responsible manner.
I presently trust Mr Modi to be able to take corrective action but he has left this responsibility to Mr Arun Jaitley who is too busy to identify where the shoe pinches for the ordinary people and apply corrections. Others do not seem to matter.