

Building a Responsible Cyber Society…Since 1998

The Reserve Bank of India has released the list of 26 applicants who have sought Banking licences under the new licences to be released.

The list of aspirants is as follows.

1. Aditya Birla Nuvo Ltd., Mumbai.
2. Bajaj Finserv Ltd., Pune.
3. Bandhan Financial Services Pvt. Ltd., Kolkata.
4. Department of Posts, New Delhi.
5. Edelweiss Financial Services Limited, Mumbai.
6. IDFC Limited, Mumbai.
7. IFCI Limited, New Delhi.
8. Indiabulls Housing Finance Limited, New Delhi.
9. India Infoline Ltd., Mumbai.
10. INMACS Management Services Limited, Gurgaon.
11. Janalakshmi Financial Services Pvt. Ltd., Bangalore.
12. J M Financial Limited, Mumbai.
13. LIC Housing Finance Ltd., Mumbai.
14. L & T Finance Holdings Limited, Mumbai.
15. Magma Fincorp Limited, Kolkata.
16. Muthoot Finance Limited, Kochi.
17. Reliance Capital Limited, Mumbai.
18. Religare Enterprises Limited, New Delhi.
19. Shriram Capital Limited, Chennai.
20. Smart Global Ventures Pvt. Ltd., Noida.
21. SREI Infrastructure Finance Limited, Kolkata.
22. Suryamani Financing Company Limited, Kolkata.
23. TATA Sons Limited, Mumbai.
24. Tourism Finance Corporation of India Limited, New Delhi.
25. UAE Exchange & Financial Services Ltd., Kochi.
26. Value Industries Limited, Aurangabad.

RBI appears to be indicating that only 5 or 6 licenses are likely to be granted. The list contains several large corporates as well as Government owned and public sector organizations. It would therefore be a tough time for RBI to prune the list of 26 to around 6.

From the days of Bank nationalization in 1969 and subsequent partial de-regulation, the Indian Banking industry has undergone a significant change of character and the new licenses are likely to be another milestone in the history of Banking in India. The earlier Banks were born in an era where human interface was predominant and “Service” was a virtue. But the present environment is different. We are today living in a digital world where Bankers would not like to see and interact with their customers face to face and would rather deal with them as “Numbers” or “Log in IDs”. Also “Service” is only a “Tool to make profit”. The new licensees will be born in an era where “Profit” is likely to be the only goal. This could seriously destabilize the Banking system as we know it in India.

Naavi.org has time and again emphasized that RBI should not allow distortion of “Banking” as a concept of business developed over time with a focus on “Channelizing public savings for productive use” and should use the “E-Money Shop” license as a separate category to feed the desires of the modern day “profit at any cost” Bankers. It is such a “Profit First Customer Next” approach which has made the current Banking system extremely unsafe for common Bank customers and forced Naavi to take up a crusade for “Safe E Banking”.

At a time when the Indian Banking system is reeling under the pressures of an insecure technology system, the entry of several new entities will pose further risks to the Indian Banking consumers. Unless RBI ensures that new licenses are issued strictly on “Public Welfare Criteria”, Indian Banking is likely to permanently lose its character as a “Preferred Destination of Small Savings”.

The approach of the new generation banks has been to cater to the “Elite” category of customers and neglect the needs of the common man. The cost of Banking has been on the increase despite large scale automation. There is widespread “Money Laundering” and “Fake Currency Exchange” occurring within the banking system. The “Commercial” nature of the Banks has made them “Greedy” Banks and the customer has been bullied into accepting services at a cost and security level that are unreasonable from the user’s perspective. “Service to community” is no longer an objective of Banking.

In fact, going by the arguments I have personally heard in many of the Bank fraud cases, most Banks consider themselves as “Money Shops” and they do not even appreciate the meaning of “Banking” as an institution to channelize public savings to productive areas.

In recent days, RBI is losing control of the industry and has become a pawn in the hands of influential commercial Bankers. The fact that recently most Banks have reverted to levying extra charges for SMS alerts of transactions, use of Cheques, Drawing of Cash from Banks, and also charge usurious penalties for unintended delays in loan or credit card repayments, use draconian methods of recovery of loans, associate themselves with property mafias and underground criminals in black money transactions and property seizures etc makes one wonder if the Indian Banking system has become a huge extortion racket where depositors are driven out of the system to other more risky investment channels.

The list of aspirants contains some names which are bound to evoke a fear that managements which are already thriving in black money wealth are interested in a Banking license so as to convert their own black money into Bank deposits rather than mobilize savings from the public.

RBI should therefore consider “Ability to mobilize savings from grass roots” as the basic criterion for selection.

Secondly, large corporates already have many banks wedded to them and hence another criterion for selection should be “Ability and Orientation” to engage in “Retail Productive Banking”. Retail Banking does not only mean financing Luxury Cars and real estate but financing small trade and entrepreneurial activities.

Above all, “Commitment to Serve” as embodied by the Gandhian principles encapsulated in the following statements is to be considered as the key determinant for selecting the successful licensees.

“A customer is the most important visitor on our premises.
He is not dependent on us. We are dependent on him.
He is not an interruption in our work. He is the purpose of it.
He is not an outsider in our business. He is part of it.
We are not doing him a favor by serving him. He is doing us a favor by giving us an opportunity to do

… Mohandas Karamchand Gandhi

I wish RBI adopts the right approach to new Bank licensing and uses this opportunity to correct some of the imbalances that have crept into the Banking system in recent days and ensures that “Safe and economic Banking for the Common man” is the key goal of the new Bankers. There is need to look for managements which are “People Oriented” rather than focusing only on “Profit at any cost”. 



The controversy surrounding the PRISM program of US Government under which the US intelligence agency intercepted the communication of billions of foreigners assumed a twist today with the Hong Kong Government accusing the US Government virtually of hacking.

The whistleblower Mr Snowden, who had first made public the US program, was known to be in Hong Kong and the US Government had issued a request for his arrest. However, it is now learnt that he has been allowed to move out of Hong Kong to a safer country and the Hong Kong Government has issued a press release that he was allowed to move out since the US request for arrest did not meet its legal requirements.

Copy of the press release issued by the Hong Kong Government in this connection is available here.

What is interesting is that the Hong Kong Government has stated in the press release as follows.

“Meanwhile, the HKSAR Government has formally written to the US Government requesting clarification on earlier reports about the hacking of computer systems in Hong Kong by US government agencies. The HKSAR Government will continue to follow up on the matter so as to protect the legal rights of the people of Hong Kong.”

This appears to be a veiled threat that international legal action may be initiated against the US Government if necessary. This should indicate the stand some other Governments may also take. In India perhaps the Government will await the Supreme Court judgement on the related PIL before taking any stand.



Use of Aadhar for Cardholder authentication

Posted by Vijayashankar Na on June 13, 2013

It is reported that RBI is considering use of Aadhar as a second factor authentication for Credit Card transactions.

Report in TOI here

The cost of upgrading the card swipe mechanism at the merchants with a biometric capable instrument is being held as a stumbling block. However it is also necessary to examine if the move has legal sanction.

First of all, the UIDAI bill is yet to become law. A case is before the Supreme Court to examine the validity of the scheme. But the Government is going ahead with the scheme to render it more and more difficult for Courts to cancel the scheme.

Further, the current move talks of using Aadhar for “authentication”. It is to be noted that “Authentication” of a customer’s instructions is the prime responsibility of the Bank.

The move proposed by RBI  means that UIDAI will be used as an outsource partner of the Bank to examine and authenticate a customer of the Bank. This raises the question as to whether in this process the “UIDAI” will act as an “Officer” of the Bank and “Pass Payment Instructions of the customer” and if so whether this is legally within the mandate of Banking.

If however this system of “Outsourcing” is to be legitimized, the Bank has to execute an SLA with the UIDAI authorities and follow the instructions on information security issued by RBI for “Outsourcing”.

If these considerations are not taken into account, the move will be contradicting RBI’s own earlier instructions.



P.S: Karnataka High Court has given a decision on 27th May 2013 in a writ petition filed by Axis Bank which has a huge implication on Cyber Crime victims in Karnataka and elsewhere in India. Hence in the general public interest of the Citizens of India (of which citizens of Karnataka are a part), the implications of the decision are being analyzed here.  These are the personal views of the author only. I request students of law to study the implications and seek appropriate remedies….Naavi, Netizen Activist

This decision has an adverse impact on all Cyber Crime Victims in India

In a decision delivered on 27th May 2013, in the Writ Petition WP No 21049 of 2013 (GM-RES), Karnataka High Court has  provided a relief to Axis Bank. Though the dispute is between Axis Bank and the Adjudicator of Karnataka, the adverse effect of the decision falls on all the Cyber Crime Victims in India.

The Background Facts

In the underlying matter, there are two orders of the Adjudicator of Karnataka. Order 1 dated 27th December 2011 which was in favour of Axis Bank and Order 2 dated 26th April 2013 which cancelled the earlier order of 27th December 2011.

The aggrieved party of the order dated 27th December 2011, namely the complainant of an Adjudication application had approached the adjudicator immediately with a request for review of the order on 29th December 2011 on the premise that the order was faulty.

The adjudicator however did not respond.

The aggrieved party was therefore put in a situation where, while it waited for the review, if it did not act it could lose its right of appeal to CAT. It therefore registered its application for appeal at CAT within the permitted time though CAT was not functional at that time. Since CAT has not been functioning from around June 2011 even up to today, CAT is yet to consider the application.

The Cyber Crime victim was therefore forced to suffer under the inaction of the Adjudicator and inaction of the CAT. This also translated into a “Human Rights Issue” since the precedent set by the adjudicator by his order of 27th December 2011 had denied almost all Cyber Crime Victims in Karnataka access to both Civil and Criminal liabilities. The height of the absurdity of the order is evident when it indicates that under the principles set by the order, RPG group could not initiate action against Yes Bank for its loss of Rs 2.41 crores in the Mumbai fraud. It also meant that no Company such as Infosys or Wipro could file a case of hacking, unauthorized access, denial of access, virus introduction etc under Section 66 of ITA 2000/8. It rendered relief given by other Adjudicators of the country in similar circumstances erroneous. It even challenged the legality of the earlier proceedings in CAT. It could even be interpreted as to negate the validity of over 15 lakh digital signature certificates issued in the Country etc.

In summary it was an order which negated the entire Information Technology Act 2000/8 for the sole benefit of Axis Bank.

(The fact that such a blatantly erroneous order was ever passed is so surprising that it needs a separate enquiry by Lok Ayukta of Karnataka.)

Intervention by Karnataka Human Rights Commission

Under the circumstances explained in the previous paragraphs, it was  apt that while the “Review request” was pending with the Karnataka Adjudicator, the “Appeal Request” was pending at the CAT, and the Cyber Crime victim was left to keep helplessly cursing the Indian judicial system on how it can be misused to the advantage of the rich and powerful and to the disadvantage of the common Citizen,  the Karnataka Human Rights Commission took notice of the effect of the defective order on the public of Karnataka and issued a notice to the Adjudicator on 21st March 2013.

The Adjudicating office then referred the matter to the State Law department which confirmed that the order of 27th December 2011 was prima facie defective in law and therefore the request for review was justified. After these compelling circumstances,  the Adjudicator proceeded to issue his order of 26th April 2013 cancelling the earlier order of 27th December 2011 and calling for a hearing on 15th May 2013. 

Axis Bank attended the hearing and submitted its objections. The Adjudicator explained the circumstances under which the order of 26th April 2013 was issued and fixed the next hearing on 31st May 2013 for Axis Bank to submit its reply.

High Court May be Unaware

The High Court order of  27th May 2013, does not document the above facts and appears to have been issued under the false premise that

a) The second respondent had approached the Adjudicator for review of the decision during the pendency of the appeal with CAT

b) The adjudicator ignored the principles of natural justice and acted in a biased manner in issuing the order of 26th April 2013.

c) The Adjudicator had no right to decide his own procedure as to the conduct of enquiry under the powers vested in him by ITA 2000/8 and the notification dated 25th March 2003 on the procedures to be adopted for such an enquiry

d) The order of 26th April 2013 had a certain level of finality that irrevocably affected Axis Bank’s interests.

e) The order of 26th April 2013 of the Adjudicator was mala fide whereas the order of 27th December 2011 was lawful.

f) Quashing of the order of 26th April 2013 did not have any adverse impact on the society at large.

It is considered possible that Axis Bank had deliberately withheld vital information from the Honourable court which prompted the Court to come to the current decision.

Why there is Public Interest involved in this Case

It must be noted that the order of 27th December 2011 had rejected the complaint of the cyber crime victim on the grounds that Complaint cannot be considered under Section 43 of Information Technology Act 2000 (ITA 2000/8) since the section was not applicable for “Companies” and Companies can neither invoke the section as “Victims of a wrongful loss” nor the section be invoked against Companies as “Respondents”.

The order was also defective since it stated that the dispute came under Section 43A only, that the complainant did not invoke Section 43A, instead invoked 43 which was not applicable and the Adjudicator was required to look at any section other than one specifically invoked by the complainant.

This view was based on the contention that Section 43 used the word “Person” and 43A used the word “Body Corporate” and hence Section 43 should be used for individuals and 43A should be used by Companies.

The Adjudicator failed to note that the cause of action for Section 43 and 43A were different and the word “Person” used in Section 43 included by legal definition any association of persons and a “Company”.

The decision of the Adjudicator dated 27th December 2011 was indicative of a blatant mistake of law as the General Clauses Act defined a “Person” as including a “Company”.

Further, this absurd decision created unexpected and untenable contradictions in the interpretation of ITA 2000/8.

The request for review was therefore not only justified but was a duty cast on any person who cared for the rule of law in the Country.

The order of 26th April 2013 was trying to correct this defective order. The effect of this order of 26th April 2013 (Which the High Court has now quashed) was only to re-establish the legal process of the enquiry which had been illegally terminated. This order of 26th April did not express any final conclusion that Axis Bank was liable for any fraud based on the complaint. It only stated that the Adjudicator would continue from where the case was left earlier.

The decision of the Karnataka High Court dated 27th May 2013 has in effect cancelled the “Correction of the defect” and made the “Defective Order of 27th December 2011” operative.

This means that Karnataka High Court has upheld the view that Section 43 cannot be invoked by a Company or against a Company.

The order fails to take note of the long term implications of this decision on the community.

What is also disturbing is to note the contradictions within the order.

For example,

The Court has held that the Cyber Crime Victim may approach the Cyber Appellate Tribunal (CAT) (which everyone knows has not been functional for the last two years) for relief against any adjudicator “as per law”. However, the Court has not under the same “law” thought it necessary that Axis Bank should have approached the CAT for its grievance against the Adjudicator’s decision instead of approaching the High Court.

Again, the Court says that the Adjudicator did not provide an opportunity for Axis Bank to oppose the review request made by the second respondent. At the same time the High Court delivered its decision on a “short point” without giving an opportunity to the second respondent to explain the adverse effect of the defective order.

If these contradictions are not removed, the citizens of India will feel that law applies differently between a Cyber Crime Victim and the Axis Bank.

Call for a PIL

Since this decision has affected all Cyber Crime Victims of the Country, there is an urgent need that this decision is reviewed either by the same Judge or by a higher bench of the Karnataka High Court.

I appeal to public spirited advocates in Bangalore to take up the issue as a Public Interest Litigation and ensure justice is restored to the Cyber Crime victims of the Country.

Naavi as a Netizen Activist


Naavi has been following the developments in the Indian Banking scenario for the last 4 decades and has closely been associated with the industry as an employee of the Banking industry as well as a consultant and critic. In the background of this experience and in the environment of growing Cyber Crime threats around us, Naavi expresses his concern that the Indian Banking industry is heading for a crisis created by hasty introduction of technology without appropriate security initiatives being put in place.

Though the GGWG (G.Gopalakrishna Working Group ) recommendations provided a comprehensive guideline to the Banks, there is still a glaring shortfall in its implementation. At the same time there is an immense pressure on the regulator to further ease the controls on Mobile Banking and expanding the services of the Banks into non-Banking areas.

In the light of these developments, Naavi places before the public and the industry some requirements which appear to be needing immediate attention.

Recently, the Governor of RBI commented that no institution other than the “Bank” should be allowed to accept deposits from the public. This was in the context of the fraud in Chit Companies in West Bengal which resulted in a loss to several investors. We may recall here that it was a move against CRB Capital in the late 90s that prompted RBI to take steps to introduce mandatory Credit Rating for NBFCs accepting deposits. (Refer article “Don’t Massacre the NBFCs” and other articles around that time in Naavi.org). It is nearly 15 years since this decision, which killed the NBFC industry as it was known and flourishing at that time. If we look back on this decision, it is difficult to say that the move actually helped general investors. The failure of CRB Capital was a reflection of the failure of the regulatory agency itself, but the corrective action taken by RBI at that time, instead of helping the investor community at large, actually killed a beautiful investment option available to middle class investors in India. The investors driven out of NBFCs at that time lost more money when other honest companies closed down under the artificial pressure created by the measures taken by RBI. They also tried to find alternative places for investments and since Bank interest rates were too low, they went to mutual funds and lost more money. It is a valid debate even today if these losses are to be attributed to wrong policies on the part of RBI.

A similar situation is developing now in the Banking industry regarding some policies associated with the promotion of Technology use in Banks. I need to record my apprehension that some of the policy initiatives require immediate retraction as they are likely to affect the future of Banking in India. If the depositors who are depositing their money with banks for an interest rate of 7.5% p.a., as against the 15% p.a. they were used to during the NBFC days, are to be disillusioned again, it is not clear where they can run to.

This time it will not end up with the depositors losing their money but they will take down the Indian Bank industry with them.

There are two important threats that are looming large now in the regulatory policies. The first is the information security risks from the Mobile Banking initiatives. The second is the diversification of Banks into ancillary services such as “Insurance Marketing”.

The Banking industry is yet to present a secure banking platform for Internet Banking and we are struggling to make them adopt security measures that were first suggested way back in 2001 by RBI. Banks, instead of improving the security of their systems, are trying to persuade the RBI to dilute the security requirements. This is evident in the actions initiated by the Payments and Settlement department and the promotion of Mobile Banking. It appears that the resources of IDRBT are being spent more in facilitating use of mobile banking applications rather than finding vulnerabilities in the systems and finding solutions. In my opinion, “Mobile Banking” is the poison which will completely destroy the confidence and trust which customers today have in an institution called “Bank”. It is therefore necessary for RBI to call for an all India virtual seminar on Mobile vulnerabilities and invite Cyber Security Experts to participate and express their views. From the RBI side the representatives of the payments and settlement department and IDRBT should participate with an open mind and assess the risk profiles which the cyber security experts may express.

The second aspect which is changing the profile of Banking in India is the loading of ancillary responsibilities such as “Insurance Marketing” on to Bankers. RBI has indicated that it is under pressure to allow multi brand marketing where one bank could market several insurance company products, whereas RBI is insisting that they can market only a single brand. Whether it is multi brand or a single brand, an Insurance product is a financial product and is in conflict with the Bank’s own business and hence there is no logic in allowing Banks to cannibalize their own business. By allowing Banks to become insurance marketing agencies, Banks will gradually cease to be “Banks” and become “Finance Houses”.

This will mean that while on the one hand RBI does not want non Banks to accept deposits, Banks themselves will become “Non Banks” in course of time. Since other policies of RBI such as “Disincentivisation of cheques” are also aimed at changing the traditional Banking activities, the cumulative effect will accelerate the change in the profile of Banking business in due course.

Additionally the Payments and Settlement department is thinking of new system of consumer to consumer payments through the mobile network which is again a business which is not “Banking”.

I therefore suggest that RBI should formulate a new category of Financial institution such as “E-NBFC” and provide a separate license to deal with C2C mobile payments in addition to the relatively insecure mobile banking business. The mobile banking business itself should not be a direct link to the regular bank account and should be handled in a subsidiary account similar to the way margin money account on share trading accounts are handled.



Cyber Policing Initiatives in Kerala

Posted by Vijayashankar Na on June 8, 2013

Kerala Police have initiated a unique step to strengthen the Cyber Crime mitigation efforts by involving select members of the public as “Honorary Police Officers”.

It may be recalled here that in Chennai, a senior Police officer by name Mr Prateep Phillip had initiated the “Friends of Police” program which had received international acclaim. Naavi has been suggesting that this concept should be extended to Cyber Policing also. The Kerala initiative appears to be a step in this direction and could be useful in getting the much needed assistance from Cyber Security experts in tackling the menace of Cyber Crimes.
