What is Negligence of the Customer under RBI’s circular on Limited Customer Liability?

At the cost of repetition, we must congratulate RBI on its recent circular of August 11 on Customer Service, in which it has proposed that the customer’s liability for cyber frauds should be limited.

Presently, a draft circular has been issued and RBI is awaiting public comments before confirming it. I urge all visitors to peruse the circular and provide strong positive feedback to RBI. (Refer to this earlier article for details.)

The reason why I advocate strong positive support for this move of RBI from all consumers and consumer organizations (rather than remaining silent supporters) is that there is every possibility that vested interests in Banks will try their best to scuttle this move of RBI, let the circular remain in draft form and never see the light of day. The Indian Banks Association, which is an industry body, is often swayed by the leading Banks such as SBI and ICICI Bank to adopt practices which do not always protect consumer interests. We therefore need a balancing pressure on RBI to maintain its poise and let the circular become a reality.

I recall that way back in 2002, in a circular dated April 8, 2002, RBI had stated:

“…we continue to receive complaints of fraudulent encashment by unscrupulous persons opening deposit accounts in the name/s similar to already established concern/s resulting in erroneous and unwanted debit of drawers’ accounts…..Besides, in cases of the above kind, the banks have also not restored funds promptly to customers even in bona-fide cases but deferred action till completion of either departmental action or police interrogation…..

With a view to redressing the grievances of the customers in this regard, we have reviewed the position and advise that (i) in cases where banks are at fault, the banks should compensate customers without demur, and (ii) in cases where neither the bank is at fault nor the customer at fault but the fault lies elsewhere in the system, then also the banks should compensate the customers (up to a limit) as part of a Board approved customer relations policy.”

However, we have not seen Banks following these instructions from RBI. I can personally vouch for the same, having represented many Cyber Crime victims against Banks such as ICICI Bank, PNB and Union Bank of India. Other Banks will not be better, since the big brother SBI is leading this anti-customer attitude and making RBI look like a paper tiger good only for issuing circulars which can be safely ignored.

In August 2011, the D.Damodaran Committee on Customer Service in Banks had made some far-reaching, customer-friendly recommendations. But the influential Banks forced RBI to forget the report and not issue any operative circular as a follow-up.

It is in this context that we the consumers need to stand up and support RBI in its latest efforts and not let our vigil drop.

Now it appears that RBI has once again issued a circular which will have a far-reaching protective influence on Bank customers. It puts a cap on the liability that a Bank customer may suffer on account of a Cyber fraud, whether it happens through a Phishing Attack, Credit Card Cloning, an ATM hack or the hacking of the Bank’s own systems. In most of these cases, involvement of Bank staff may be implied though not proved. But in almost all cases, negligence of the Bank can be identified as the “Proximate Cause” of the loss that a customer suffers.

The recent circular has classified the losses into the following categories:

  1. When a customer brings the fraudulent transaction to the notice of the Bank within 3 working days of coming to know of it, there would be “Zero Liability” for the customer.
  2. Where the report is delayed and made within 4-7 days, the customer’s loss will be limited to Rs 5000/-.
  3. Where the delay is longer, the Bank’s Board shall have a policy on how to deal with the customer’s liability.

Once notified, the bank shall credit the amount from its suspense debit within 10 working days.

There is, however, a possibility that Banks may try to find a loophole in the RBI guideline and avoid the liability falling on themselves.

I have even seen one argument from a Bank that it cannot pay back the fraudulently withdrawn money because it is “Public Money”, as if the customer’s own money does not belong to that category. We have also seen Banks trying to hide behind “Privacy” and refusing to reveal information about the fraudster’s accounts through which an honest customer’s money has been withdrawn, forgetting that opening such accounts with defective KYC was part of the offence under AML.

Such unscrupulous Banks can go to any extent to refuse relief to Cyber Crime victims under one pretext or the other, unless strong penalties are imposed for non-compliance with RBI’s orders.

In the circular, the frauds have been categorized into three categories as follows:

  1. Fraud/negligence on the part of the bank (irrespective of whether the loss/fraudulent transaction is reported by the customer or not).
  2. Cases involving negligence by a customer, such as where he has shared the payment credentials.
  3. Third-party breach where the fault lies neither with the bank nor with the customer but elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding an unauthorized transaction.

In the first type, involving fraud or negligence on the part of the Bank (including where staff of the Bank may be involved), there would obviously be no liability for the Customer.

At the same time, legal proceedings can be initiated against the Bank and its executives, including the Chairperson and Directors, for civil and criminal action under ITA 2000/8.

I wish RBI would also impose “Sanctions” on such a Bank and its key executives without waiting for the law to grind to a conclusion.

The third type is self-explanatory once we understand the implications of the second type, “cases involving negligence of the customer”.

What is Negligence of a Customer?

Banks have been struggling for generations to decipher the meaning of “Negligence” under Section 131 or Section 10 of the Negotiable Instruments Act. We often leave it to the circumstances of the case and define “negligence” as “what a Prudent Man under similar circumstances would have done” or “what a Prudent Man under similar circumstances would not have done”, without being clear about who that “Prudent Man” is.

It is the Courts which have, on different occasions, defined what negligence is. In the E-Banking environment, we need to accept that the Judiciary has not yet matured enough to provide good guidance on what constitutes “Negligence” on the part of a Customer.

Looking back on some past instances, we can identify the following types of behaviour which could come up for discussion as “Negligence”:

  1. Keeping the ATM card along with its PIN written down in one place.
  2. Acting on a Phishing E-Mail and logging into a “Pseudo Bank Site”, failing to recognize the impersonation in the e-mail and the website, and thereby providing the credentials on the pseudo bank site.
  3. Allowing Trojans and viruses, such as a Key logger, a Man-in-the-Browser Trojan or a Coat-tailing virus, to infect their access devices such as a computer or mobile.
  4. Answering a Vishing call and providing credentials like the OTP.
  5. Using very weak passwords such as “1234”.
  6. Downloading malicious apps on the mobile or on the computer.
  7. Not installing, or not updating, effective malware protection software.
  8. Sharing their cards and passwords with family members or others whom they otherwise think are trustworthy.
  9. Not using a secure mode of accessing Bank accounts, such as Digital Signatures or the Secure Browsing Mode provided by their anti-virus software.

At the same time, we need to recognize that some of the above acts of potential negligence could be prevented if Bankers are “Not Negligent” or are “Security Conscious”.

For example,

  1. Banks can introduce a mandatory face recognition system for all ATMs so that there is also a record of who visited the ATM.
  2. Defined weak passwords can be deactivated (most banks do this at present).
  3. Phishing sites need to be brought down at the earliest. How early depends on what Banks spend on such security. Customers using a web protection feature in their anti-virus software or the Netcraft anti-phishing extension for their browsers may be able to identify phishing reasonably quickly. But whether “Non-Installation of the Netcraft extension” can be considered “Negligence” depends on an evaluation of the minimum level of awareness that can be expected of Bank customers. This in turn depends on what “Awareness Building” efforts have been taken by the Bank (and documented).
  4. Using passwords and OTP instead of ITA 2008 approved digital signatures/eSign for the purpose of authentication, and not even providing the option to interested customers.
  5. Ignoring the June 2001 Internet Banking Guidelines of RBI and absorbing the legal risk of not using digital signatures.
  6. Ignoring the judicial award of the Adjudicator of Tamil Nadu in the S Umashankar Vs ICICI Bank case, advising the use of digital signatures for bank statements distributed to customers.

In the case of sophisticated spear phishing attacks, many technology-aware as well as security-aware users have fallen prey in the past.

Hence the level of expertise required to identify and eliminate phishing attacks should not be considered a baseline skill that can be expected of an ordinary Bank customer. When Trojans and viruses are installed while visiting otherwise respected websites or downloading apps and software programs, and the available malware protection has also failed, it is too much to expect every Bank Customer to have the expertise to identify the signature of a malware and take steps to prevent its malicious action.

Hence the burden of “Negligence” should not be thrust on the customer in the case of phishing and installation of malware, where the customer himself is a “Victim” of an identity theft crime. Making an identity theft victim liable because he allowed himself to become a victim is like asking a pickpocket victim why he kept his money in his pocket and not in a locked briefcase or an underwear pocket.

Bankers will, however, advance the argument that if in the case of “Phishing” the customer is not made to bear the burden, customers will collude and commit frauds on the Bank. I therefore suggest that in cases of “Phishing” (and Vishing) where the customer has in fact parted with his credentials, if the “Customer” and the “Beneficiary” do not have any nexus (such as one being a family member or a friend), his contention that he was cheated should be given credence and the fraud should be considered as arising not due to the negligence of the customer. Even then, I suggest that the customer could be penalized even up to 10% of the total loss. This can be part of a mediation between the customer and the bank, where the mediator adjudicates whether the customer was indeed negligent or not.

Presently RBI has a scheme of Ombudsman to resolve disputes arising out of “Non-Adherence to RBI regulations”. However, Ombudsmen often refuse to take the responsibility to mediate, function more like “Adjudicators” and often have a soft corner for the Banks. Customers have often been at the wrong end of the decisions of Ombudsmen, and hence this system requires serious rethinking. One suggestion is to make the Ombudsman adopt a mediation strategy and include a member of the public who has knowledge of Cyber Fraud issues in the mediation team.

In all cases of “Alleged Negligence” by the customer where the Bank wants to refuse payment under the proposed scheme, the Ombudsman may step in to resolve the dispute.

We need to continue our discussions and debate this issue of “What Constitutes Negligence” of the Customer in cases of E-Banking frauds before making the customer pay for the technological advances of the financial market. I invite comments and suggestions in this regard.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.

3 Responses to What is Negligence of the Customer under RBI’s circular on Limited Customer Liability?

  1. PIYALI DAS says:

    I have been cheated by Goibibo regarding the booking of Hotel Landmark in Puri. In spite of the previous booking, the hotel authority refused to let us stay in the hotel on 01.05.18, which we reported to Puri Police Station. The Hotel Authority insisted that we talk to Goibibo customer care at the number provided by them. During the conversation they assured us that they would settle the payment with the hotel if we shared the OTP. We were in a panic and instantly shared it, as otherwise the hotel was desperate to throw us out. Then, through a few transactions, nearly Rs.30,000/- was debited from my account to 3 Merchant Wallets.

    So could you please guide me on how to retrieve my money, as my respective UCO Bank is not taking the responsibility further.

    Now, what are the procedures, if they can be shared? From the local thana it has been intimated to the respective Merchant’s app.

    • You should try filing a criminal case including the Hotel and Goibibo as main accused and stating conspiracy.

      You may however need proper evidence to carry forward.

      If the Police are honest and act quickly, it is possible for them to trace the beneficiary of the payment and book a serious money laundering case.

      UCO Bank may defend themselves because you have shared the OTP. But they should provide you the details of the beneficiary, and if they fail to cooperate in the investigation, they may expose themselves to the charge of “Negligence”, making them also a party to the conspiracy to cheat you.

      I am not sure if you had originally made the booking on the genuine Goibibo app or site or on a fake Goibibo app. This should be revealed in the investigation. Goibibo should provide the necessary evidence in their defence for the police to continue the investigation. If so, it will reflect on the negligence of Goibibo in having allowed such impersonation and not observing the presence of fake apps or fake web sites.

      It appears that this could be a new fraud in which a fake App/phishing in the name of Goibibo has been used systematically. If so, we need to create a greater awareness.

      Please do share with me the reply you receive from Goibibo.

      For your immediate requirement, please contact a good criminal lawyer who is public spirited and Cyber law aware…. if you can find one in your location.

      • PIYALI DAS says:

        No help was received from the Bank as they waited for the order from the Police to take out the details of the respective wallets, but I asked for immediate help, as if the money were released from the wallet then there would be no need of help. But they did not cooperate with the sudden help. At last the Police station also told me to lose hope of getting the money. The Cyber Crime Dept. told me that they mailed the wallet but no response was received.
