At the cost of repetition, we must congratulate RBI on its recent circular of August 11 on Customer Service, in which it has proposed that customers’ liability for cyber frauds should be limited.
Presently, a draft circular has been issued and RBI is awaiting public comments before confirming the circular. I urge all visitors to peruse the circular and provide strong positive feedback to RBI. (Refer to this earlier article for details.)
The reason why I advocate strong positive support for this move of RBI from all consumers and consumer organizations (rather than remaining silent supporters) is that there is every possibility that vested interests in Banks will try their best to scuttle this move of RBI, let the circular remain in draft form and never see the light of day. The Indian Banks Association, which is an industry body, is often swayed by the leading Banks such as SBI and ICICI Bank to adopt practices which are not always protective of consumer interests. We therefore need a balancing pressure on RBI to maintain its poise and let the circular become a reality.
I recall that way back in 2002, in a circular dated April 8, 2002, RBI had stated:
“…we continue to receive complaints of fraudulent encashment by unscrupulous persons opening deposit accounts in the name/s similar to already established concern/s resulting in erroneous and unwanted debit of drawers’ accounts….. Besides, in cases of the above kind, the banks have also not restored funds promptly to customers even in bona-fide cases but deferred action till completion of either departmental action or police interrogation…..
With a view to redressing the grievances of the customers in this regard, we have reviewed the position and advise that (i) in cases where banks are at fault, the banks should compensate customers without demur, and (ii) in cases where neither the bank is at fault nor the customer at fault but the fault lies elsewhere in the system, then also the banks should compensate the customers (up to a limit) as part of a Board approved customer relations policy.”
However, we have not seen Banks following these instructions from RBI. I can personally vouch for the same, having represented many Cyber Crime victims against Banks such as ICICI Bank, PNB and Union Bank of India. Other Banks will not be better, since the big brother SBI is leading this anti-customer attitude and making RBI look like a paper tiger good only for issuing circulars which can be safely ignored.
In August 2011, the D. Damodaran Committee on Customer Service in Banks had made some far-reaching customer-friendly recommendations. But the influential Banks forced RBI to forget the report and not issue any operative circular as a follow-up.
It is in this context that we the consumers need to stand up and support RBI in its latest efforts and not let our vigil drop.
Now it appears that RBI has once again issued a circular which will have a far-reaching protective influence on Bank customers. It puts a cap on the liability that a Bank customer may suffer on account of a Cyber fraud, whether it happens through a Phishing Attack, Credit Card Cloning, an ATM hack, or hacking of the Bank’s systems. In most of these cases, involvement of Bank staff may be implied though not proved. But in almost all cases, negligence of the Bank can be identified as the “Proximate Cause” of the loss that a customer suffers.
The recent circular has classified the losses into the following categories:
- When a customer brings the fraudulent transaction to the notice of the Bank within 3 working days of coming to know of it, there would be “Zero Liability” for the customer.
- Where the report is delayed and made within 4-7 days, the customer’s loss will be limited to Rs 5000/-.
- Where the delay is more, the Bank’s Board shall have a policy on how to deal with the customer’s liability.
Once notified, the bank shall credit the amount to the customer’s account (from its suspense account) within 10 working days.
There is however a possibility that Banks may try to find a loophole in the RBI guideline and try to avoid the liability on themselves.
I have even seen one argument from a Bank that it cannot pay back the fraudulently withdrawn money because it is “Public Money”, as if the customer’s own money does not belong to that category. We have also seen Banks trying to hide behind “Privacy” and refusing to reveal information on the fraudster’s accounts through which an honest customer’s money has been withdrawn, forgetting that opening such accounts with defective KYC was itself part of the offence under AML.
Such unscrupulous Banks can go to any extent to refuse relief to Cyber Crime victims under one pretext or the other unless strong penalties are imposed for non-compliance with RBI’s orders.
In the circular, the frauds have been categorized into three categories as follows.
- Fraud/negligence on the part of the bank (irrespective of whether the loss/fraudulent transaction is reported by the customer or not)
- Cases involving negligence by a customer, such as where he has shared the payment credentials
- Third party breach where the fault lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding an unauthorized transaction
In the first type, involving fraud or negligence on the part of the Bank (including where staff of the Bank may be involved), there would obviously be no liability for the Customer.
At the same time, legal proceedings can be initiated against the Bank and its executives, including the Chairperson and Directors, for civil and criminal action under ITA 2000/8.
I wish RBI would also impose “Sanctions” on such a Bank and its key executives without waiting for the law to grind to a conclusion.
The third type is self-explanatory once we understand the implications of the second type, “cases involving negligence of the customer”.
What is Negligence of a Customer?
Banks have been struggling for generations to decipher the meaning of “Negligence” under Section 131 or Section 10 of the Negotiable Instruments Act. We often leave it to be judged by the circumstances of the case, defining “negligence” as “What a Prudent man under similar circumstances would have done” or “What a prudent man under similar circumstances would not have done”, without being clear about who that “Prudent Man” is.
It is the Courts who have on different occasions defined what negligence is. In the E-Banking environment we need to accept that the Judiciary has not matured enough to provide good guidance on what is “Negligence” on the part of a Customer.
Looking back on some of the instances, we can identify the following types of behaviour which could come up for discussion as “Negligence”:
- Keeping the ATM card along with its PIN written down in one place.
- Acting on a Phishing E-Mail and logging into a “Pseudo Bank Site” failing to recognize impersonation in the e-mail and the website, thereby providing the credentials on the pseudo bank site.
- Allowing Trojans and viruses to attack their access devices such as a computer or mobile, which could be a key logger virus, a man-in-the-browser virus, a coat-tailing virus, etc.
- Answering a Vishing call and providing credentials like the OTP
- Using very weak passwords such as “1234” etc.
- Downloading malicious apps on the mobile or on the computer
- Not installing or updating effective malware protection software
- Sharing their cards and passwords with family members or others whom they otherwise think are trustworthy
- Not using a secure mode of accessing Bank accounts, with the use of Digital Signatures or the Secure Browsing Mode provided by their antivirus software
At the same time, we need to recognize that some of the above acts of potential negligence could be prevented if Bankers are “Not Negligent” or are “Security Conscious”:
- Banks can introduce a mandatory face recognition system for all ATMs so that there is also a record of who visited the ATM.
- Defined weak passwords can be deactivated (most banks do it at present).
- Phishing sites need to be brought down at the earliest. How early depends on what Banks spend on such security. But customers using a web protection feature in their antivirus software or a Netcraft anti-phishing extension for their browsers may be able to identify phishing reasonably quickly. Whether “Non Installation of the Netcraft extension” can be considered “Negligence” depends on an evaluation of the minimum level of awareness expected of Bank customers. This in turn depends on what “Awareness Building” efforts have been taken by the Bank (and documented).
- Use of passwords and OTP instead of ITA 2008 approved digital signatures/eSign for the purpose of authentication, without even providing an option for interested customers.
- Ignoring the June 2001 Internet Banking Guidelines of RBI and absorbing the legal risk of not using digital signatures.
- Ignoring the judicial award of the Adjudicator of Tamil Nadu in the S Umashankar Vs ICICI Bank case, advising the use of digital signatures for bank statements distributed to customers.
In the case of sophisticated spear phishing attacks, many technology-aware as well as security-aware users have fallen prey in the past.
Hence the level of expertise required to identify and eliminate phishing attacks should not be considered a baseline skill level that can be expected of an ordinary Bank customer. When Trojans and viruses are installed while visiting otherwise respected websites or downloading apps and software programs, and the available malware protection has also failed, it is too much to expect every Bank customer to have the expertise needed to identify the signature of a malware and take steps to prevent its malicious action.
Hence the burden of “Negligence” should not be thrust on the customer in the case of phishing and installation of malware, where the customer himself is a “Victim” of an identity theft crime. Making an identity theft victim liable because he allowed himself to be a victim is like asking a pickpocket victim why he kept his money in his pocket and not in a locked briefcase or an underwear pocket.
Bankers will however advance the argument that if, in the case of “Phishing”, the customer is not made to bear the burden, customers will collude with fraudsters and commit frauds on the Bank. I therefore suggest that in cases of “Phishing” (and Vishing) where the customer has in fact parted with his credentials, if the “Customer” and the “Beneficiary” do not have any nexus (such as one being a family member or a friend), his contention that he was cheated should be given credence and the fraud should be considered as arising not due to the negligence of the customer. Even then, I suggest that the customer could still be penalized to the extent of 10% of the total loss. This can be part of the mediation between the customer and the bank, where the mediator adjudicates whether the customer was indeed negligent or not.
Presently RBI has a scheme of Ombudsman to resolve disputes arising out of “Non Adherence to RBI regulations”. However, Ombudsmen often refuse to take responsibility to mediate, function more like “Adjudicators”, and often have a soft corner for the Banks. Customers have often been at the wrong end of the decisions of the Ombudsman, and hence this system requires serious rethinking. One suggestion is to make the Ombudsman adopt a mediation strategy and include a member of the public who has knowledge of Cyber Fraud issues in the mediation team.
In all cases of “Alleged Negligence” by the customer where the Bank wants to refuse payment under the proposed scheme, the Ombudsman may step in to resolve the dispute.
We need to continue our discussions and debate this issue of “What Constitutes Negligence” of the Customer in cases of E-Banking frauds before making the customer pay for the technological advances of the financial market. I invite comments and suggestions in this regard.