In a long awaited but highly welcome move, RBI has released a “Draft Circular” for public comments on “Limited Liability” for customers in case of frauds in Internet Banking and Card transactions.
Suggestions/comments, if any, on the Draft Circular may be sent by post to the Chief General Manager, Department of Banking Regulation, Reserve Bank of India, Central Office, 12th Floor, Shahid Bhagat Singh Marg, Mumbai-400 001, or by E-Mail: ( Click Here to send email) (firstname.lastname@example.org) on or before August 31, 2016.
I urge all visitors to go through the circular and provide their feedback to RBI taking into account the following points.
- The recommendations in the Circular are welcome in the context of increased use of electronic mode of payments by Banks as a part of its effort to improve efficiency and reduce costs and the growing cyber threats from organised cyber criminals.
- The frauds are being facilitated by use of “Password” for most of the authentication requirements though use of passwords is legally not recognized as “Signature” for banking transactions.
- The marginal improvements in security sought with the 2 Factor authentication is considered inadequate to protect the consumers against the current set of frauds.
- The increased use of cloned cards for Credit/Debit Card and ATM cards through card merchant side compromises has placed the customers in a defenseless position against frauds.
- The system of limited liability to customers has already been in vogue in USA and other countries and was also recommended by the Damodaran Committee on Customer Service which gave its report way back in 2011 and was sidelined due to opposition from influential Banks.
The suggested recommendation from RBI is therefore welcome and needs to be notified at the earliest.
As regards some of the conditions that have been indicated in the circular, the following may be noted.
|Banks must ask their customers to mandatorily register for alerts for electronic banking transactions.
The alerts shall be sent to the customers through different channels (email or SMS) offered by the banks.
|Where the customer is able to provide both SMS and E-Mail addresses, the alert should be sent through both channels.
Hence the circular may be modified to read as (email and/or SMS) instead of (email or SMS)
|The customers must be advised to notify the bank concerned of any unauthorised electronic banking transaction at the earliest after the occurrence of such transaction.||Banks must provide for response by “Reply” to the SMS and E Mail and should not be required to search for a web page or an e-mail address to notify the objection if any.
Necessary change may be made to the circular in this regard
|A customer shall be liable for the loss occurring due to fraudulent transactions in the following cases:
(a) In cases involving negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.
|When the credentials of the customer is stolen by a fraudster by the use of “malware”, it should not be construed as “sharing” of the credentials in as much as the customer is a victim of the systemic problem.
Such instances may be classified as “Arising due to neither the negligence of the bank nor the customer”.
In order to ensure that malware in the browser software does not result in a fraud, Bankers should provide “Secure Browsing Environment” for all Banking transactions through an appropriate security software.
Presently, most anti virus software such as Kasparesky provides such “Safe Browsing” for Banking transactions but such session requests are some times are rejected by the Banking systems due to improper configuration.
Not enabling such “Safe Browsing” environment should be considered as a “Negligence” by the Bank.
Under Indian law (ITA 2000), the only legally recognized form of authentication which also applies to the Banking transaction is in the form of Digital Signatures (or eSign).
Banks should mandatorily enable their systems for the use of Digital Signatures and eSign so that customers who intend to use digital signature based log-in may be able to use them.
Not providing such options should be considered as “Negligence” by the Banks.
(P.S: This was stated in the Internet Banking Guidelines of June 2001 where the Banks were expected to assume the legal risk in such cases)
|In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer but lies elsewhere in the system and when there is a delay (of four to seven working days) on the part of the customer in notifying the bank of such a transaction the customer liability shall be limited to the transaction value or ₹ 5000/-||In the case of mobile transactions through apps where there is a monthly transaction limit of Rs 10000/- and no KYC obligation, the liability limit may be reduced to Rs 2000/-|
|The policy must be transparent, non-discriminatory||In the past Banks have easily refunded fraud losses to some celebrities and even the police personnel but have taken the genuine normal customers to Court through a process of lengthy litigation which the customers are unable to sustain.
Examples of cases pending in Cyber Appellate Tribunal involving ICICI Bank, SBI , PNB and Axis Bank are available for this. All these cases involved serious KYC lapses on the part of Banks but are going through needless litigation because Banks can throw money to lawyers for dragging the cases for years.
RBI should therefore review all the pending cases and open a window for mediating compromise solutions based on the new policy.
|The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank. The bank’s above policy shall also specify the maximum time period for establishing customer liability after which the bank shall compensate the customer.||Welcome move since all the evidences are with the Bankers within their system and are capable of being manipulated.
Bankers should be advised to archive fraud related log data as “Evidence” and make it available to the law enforcement authorities even when the dispute with the customer is settled through this suggested mechanism or otherwise.
|The banks shall put in place a suitable mechanism and structure for reporting of the customer liability cases to the Board or its Committee. The reporting shall, inter-alia, include volume/number of cases and the aggregate value involved and distribution across various categories of cases viz., card present transactions, card not present transactions, internet banking, mobile banking, ATM transactions, etc. The Standing Committee on Customer Service in each bank shall review, on a monthly basis, the unauthorised electronic banking transactions reported by customers or otherwise, as also the action taken thereupon, the functioning of the grievance redress mechanism and take appropriate measures to improve the systems and procedures.||A summary of incidents settled under this mechanism should be made available on the website of the Bank.|
I request visitors to send their comments to RBI without fail both appreciating their efforts towards Consumer protection as well as making suggestions if any.
Once this system comes into practice, I suppose Cyber Insurance Providers will feel bold enough to provide Cyber Fraud insurance cover to Bank customers to cover the balance risk that is left uncovered by this system (Rs 5000/- )
Suggestions/comments, if any, on the Draft Circular may be sent by post to the Chief General Manager, Department of Banking Regulation, Reserve Bank of India, Central Office, 12th Floor, Shahid Bhagat Singh Marg, Mumbai-400 001, or by E-Mail: ( Click Here to send email )on or before August 31, 2016.