Building a Responsible Cyber Society…Since 1998

After the PNB Fraud, in which over Rs 11400 crores are suspected to have been lost, came to light, many other frauds are slowly tumbling out of the closets of E Banking.

Leaving aside the fact that the lenders of different Banks who lent money to Mr Nirav Modi and Mehul Chokshi failed to check the “End Use” of funds and allowed renewal of LOUs without checking the previous utilization and need for extension, it was also realised that PNB had even allowed the Nirav Modi employees to directly access the SWIFT messaging system of the Bank.

The system of the Bank was so configured that the SWIFT system could be accessed from outside the banking network. The operating officials of the Bank gave away the passwords of multiple officials to the Nirav Fraud team.

The system had no control that could detect that the login was from outside the Bank’s network, that multiple passwords were entered from the same computer, or that the messages did not reflect in the CBS system and created no vouchers for commission or margin collection.

This was a gross failure of the Bank staff and the information security configuration of the systems.

It is true that any IS control can be defeated if the employees are dishonest. But still, the system design should be such that even if some of the employees are dishonest, the fraud should be detected, if not for the first time, in subsequent times.
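As an added illustration (not code from the original post or from any bank's system), here are the three detection checks that the paragraphs above say were missing, run over constructed sample logs in Python; the log fields, the internal address range and the user, workstation and message identifiers are all assumed for the example:

```python
"""Added example (not from the original post): three checks that would
have flagged the control failures described above, run over constructed
sample logs. Log formats, field names, the network range and every
identifier below are assumptions made for this illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: the bank's internal address range. Anything else is "outside".
BANK_NETWORKS = [ip_network("10.20.0.0/16")]

# Constructed SWIFT login records: (user_id, workstation, source_ip)
SWIFT_LOGINS = [
    ("agm_level5", "WS-BRANCH-07", "10.20.3.41"),
    ("dm_level3",  "WS-BRANCH-07", "10.20.3.41"),   # second user, same box
    ("agm_level5", "HOME-PC",      "203.0.113.25"), # outside bank network
    ("clerk_02",   "WS-BRANCH-02", "10.20.3.12"),
]

# Constructed outgoing LOU messages as seen in the SWIFT log: (ref, amount)
SWIFT_MESSAGES = [
    ("LOU-0001", 45_000_000),
    ("LOU-0002", 120_000_000),
    ("LOU-0003", 80_000_000),
]

# Constructed CBS vouchers raised against those messages: (ref, voucher_type)
CBS_VOUCHERS = [
    ("LOU-0001", "COMMISSION"),
    ("LOU-0001", "MARGIN"),
    ("LOU-0003", "COMMISSION"),   # margin voucher missing for LOU-0003
]


def logins_from_outside(logins, networks=BANK_NETWORKS):
    """Return (user, ip) pairs whose source address is outside every bank network."""
    findings = []
    for user, _ws, ip in logins:
        addr = ip_address(ip)
        if not any(addr in net for net in networks):
            findings.append((user, ip))
    return findings


def shared_workstations(logins):
    """Return workstations from which more than one user ID authenticated."""
    users_by_ws = defaultdict(set)
    for user, ws, _ip in logins:
        users_by_ws[ws].add(user)
    return {ws: sorted(users) for ws, users in users_by_ws.items() if len(users) > 1}


def unreconciled_messages(messages, vouchers, required=("COMMISSION", "MARGIN")):
    """Return message refs for which CBS lacks any of the required voucher types."""
    have = defaultdict(set)
    for ref, vtype in vouchers:
        have[ref].add(vtype)
    return [ref for ref, _amount in messages if not set(required) <= have[ref]]


def run_checks():
    """Run all three checks and return the findings keyed by check name."""
    return {
        "outside_logins": logins_from_outside(SWIFT_LOGINS),
        "shared_workstations": shared_workstations(SWIFT_LOGINS),
        "unreconciled": unreconciled_messages(SWIFT_MESSAGES, CBS_VOUCHERS),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

Each finding is a lead for the auditor: a message with no matching voucher is exactly the LOU that never reached CBS, and it surfaces on the first occurrence rather than after years.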

Unfortunately the creators of the software in Infosys who sell FINACLE and supply it to a number of Indian Banks, are not aware of the intricacies of Banking transactions and how frauds could be committed. Hence their design is a faulty design and Banks are saddled with this defective product.

Now yet another fraud has come out in the open in State Bank of India, Chennai, where also it appears that the passwords of the Bank staff have been used by an outsider to divert over Rs 3.2 crores of money (Refer article here) meant for purchase of Cars as an unsecured cash advance which was used for funding a Film production. Here again, the security configurations of the CBS software have failed to recognize that Cars were not purchased, money was not credited to a Car dealer’s account, documents such as the RC book etc. were not submitted, asset inspection did not take place etc.

In all such cases, it is clear that it is not only the Software that failed, but also the internal audit system.

It is high time that Indian Banks rethink on how their “Internal Auditors” are equipped to conduct audits in the Computerized environment.

If internal audit cannot identify this new generation of Bank frauds where the customer himself is given access to the Bank’s systems to design his own loan sanctions, create approvals of several layers of bank officers and take the money out, then there is no need for such audits.

Where such “Self Loans” are used in the “Kite Flying Mode” and repaid with a roll over loan, it is very difficult for normal audit processes to find out the anomaly. There is definitely a need for Computer Assisted Audit techniques, either with in-built features of the core banking software or through specialised audit tools.

FINACLE Strengths and Weaknesses

The Banking software like FINACLE which costs a fortune for the Banks should have an inbuilt, non-tamperable audit module that should be effective in preventing such frauds to continue beyond the first couple of occurrences if not the first time.

FINACLE boasts of an Audit module as part of its system but it is clear that it has failed in the context of not only PNB Brady Branch but also SBI Chennai branch and in the many other similar cases that have come to light now.

If the Indian Banking system is in the doldrums today, a large part of that responsibility should be borne by the CBS software suppliers who have supplied defective products to the industry.

RBI has failed to subject the software itself to an audit of IDRBT which is mandatory and hence part of the responsibility for the use of defective software lies on the RBI also.

While checking on the Audit capabilities of FINACLE, I came across an article describing the audit capabilities of FINACLE.

Some key FINACLE menus and their use for an auditor have been described in this article. Some of them are briefly reproduced here.

  1. Account Ledger Enquiry (ACLI)
  2. Customer Account Ledger Print and Office Account Ledger Print (ACLPCA and ACLPOA)
  3. Audit File Inquiry (AFI)
  4. Average Balance (AVGBAL)
  6. Customer Master Inquiry (CUMI)
  7. Report on Expiring Documentary Credits (DCEXPLST)
  8. Query on Documentary Credit (DCQRY)
  9. Exception Report (EXCPRPT)
  10. Generate Report (GR)
  11. Financial Transaction Inquiry (FTI)
  12. Accounts Due for Review (ACDREV)
  13. Inward/Outward Remittance Maintenance (IRM/ORM)
  14. Outstanding Items Report (MSGOIRP)
  15. NPA Report (NPARPT)
  16. Letter of Acknowledgement of Debt Report (LADRPT)
  17. Loan Overdue Position Inquiry (LAOPI)/Temporary OD Report (TODRP)
  18. Print Reports (PR)
  19. Guarantee Issued Liability Register (GILR)
  20. Partywise Overdue Packing Credit (POVDPC)

The above list indicates that there should have been several reports that should have thrown up audit queries in respect of PNB Fraud as well as the SBI Fraud.

Now what we need to check is why the discrepancies were not thrown up by the audits.

The reasons could be many.

  1. The first reason could be that no audit was conducted at all. In PNB we are told that RBI did not audit the branch for more than 9 years. It is not clear if the internal audit was also bypassed. If so, was there any declaration in the annual reports to the shareholders providing the list of branches which were not audited for the last 1/2/3 or more years?
  2. If an audit was conducted, it is possible that the auditors were not aware of all these modules and how to use them appropriately.
  3. Perhaps there was a lack of adequate training of the auditors.
  4. It is also possible that FINACLE comes with some base module that does not include all features and a higher priced module that may include additional modules, and the Bank could not have taken the full module for cost considerations.
  5. It is also possible that the FINACLE system itself might not be able to properly analyze the data in the above modules though it may create some printable reports.

Need for Data Analytics in Audit process

Computer Assisted Audit Techniques, which are essential for proper auditing of any Computerized data environment, require a capability to

a) Acquire data of different types from across the network available in different platforms and collate it into a common platform for analysis

b) Extract, Classify and Re-classify data into different groups which create new meanings not visible in the direct report

c) Search data across multiple categories and filter them against some specific risk identifying algorithms

d) Use known statistical methods such as Benford law to check on potential frauds

e) Use Forensic audit tools to discover evidence that has been buried by the fraudsters

f) Use “Checking of Controls” as a part of the audit including the Information Security controls such as “Access Control”, “Log Analysis”, “Incident Management System” etc.
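As an added illustration of item (d) above (this is not code from the original post or from any audit tool), the following Python script runs a first-digit Benford's-law screen over two constructed sets of transaction amounts; the sample values, the assumed sanction limit and the significance threshold are assumptions made for the example:

```python
"""Added example (not from the original post): a first-digit Benford's-law
screen of the kind item (d) refers to, run over two constructed sets of
transaction amounts. The sample data and the threshold are assumptions."""
import math
from collections import Counter

# Benford's law: P(first digit = d) = log10(1 + 1/d) for d = 1..9
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value for 8 degrees of freedom at p = 0.05
CRITICAL_95 = 15.507

# Constructed "natural" population: amounts spread over several orders of
# magnitude, which is the kind of data Benford's law describes.
NATURAL = [round(1000 * 1.3 ** k, 2) for k in range(60)]

# Constructed "fabricated" population: 45 advances all sized just under an
# assumed Rs 50 lakh sanction limit, as split-up self loans might be.
FABRICATED = [4_900_000 + 2_000 * i for i in range(45)]


def first_digit(amount):
    """Leading significant digit of an amount (works below 1 too), None for zero."""
    if amount == 0:
        return None
    return int(f"{abs(amount):e}"[0])


def first_digit_counts(amounts):
    """Counts of leading digits 1..9 across all non-zero amounts."""
    counts = Counter(d for d in map(first_digit, amounts) if d is not None)
    return {d: counts.get(d, 0) for d in range(1, 10)}


def chi_square(amounts):
    """Chi-square distance between observed digit counts and Benford's law."""
    counts = first_digit_counts(amounts)
    n = sum(counts.values())
    if n == 0:
        return 0.0
    return sum((counts[d] - n * BENFORD[d]) ** 2 / (n * BENFORD[d])
               for d in range(1, 10))


def is_suspicious(amounts, threshold=CRITICAL_95):
    """True when the population deviates from Benford beyond the threshold.
    A hit is a lead for the auditor to pull the underlying vouchers, not
    proof of fraud on its own."""
    return chi_square(amounts) > threshold


if __name__ == "__main__":
    for name, data in (("natural", NATURAL), ("fabricated", FABRICATED)):
        print(f"{name}: chi2={chi_square(data):.1f} suspicious={is_suspicious(data)}")
```

The screen is only meaningful on populations that span several orders of magnitude; a ledger of fixed-value fees will fail it for innocent reasons.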

It is clear that the current Internal Audit process in Banks is not equipped to conduct an audit outside what reports are submitted by the Branch to the auditor. If the Auditor audits only what the auditee wants him to see, then the value of such audit is low. Perhaps it is what statutory auditors do. But Internal auditors have to go beyond checking the arithmetic accuracy of the transactions and go into an in-depth fraud possibility analysis.

Cost and Training Hurdle

In examining the solutions that the Auditors could use, it was observed that the tools normally considered as reputed “Computer Assisted Audit Tools” or CAATs are prohibitively expensive and require a rigorous training both of which seem to create a hurdle for Banks.

However, it is possible for RBI to equip itself with such tools (ACL, IDEA, ARBUTUS etc) and use them in its audit as a starting point. Other Banks may start using them depending on their size. Obviously the larger Banks do not have any constraint on budget nor on the ability to train the auditors, but smaller Banks may have a problem.

I therefore suggest that smaller Banks create a “Technology Resource Pool” in a “Centralized Fraud Investigation Center” which should be equipped with such tools and talent and conduct audits of member Banks as a service.

I hope RBI will take such steps to ensure that in future the audit system is strengthened to such an extent that frauds such as what we are now seeing do not go undetected before they balloon into a huge scam.


(P.S: I am an ex-Banker and therefore may not be fully aware of the current situation in the Banks about how audits are conducted in the Computerised environment.

But looking at the frauds that are surfacing, it is clear that the system is not working properly and hence some of the observations made above may be true though I may not be able to give evidence of the same. If we want to clean up the Bank system, Bankers need to do a self evaluation of their systems and check if some of the points made here are relevant or not.

I invite comments and suggestions on how to improve Audit systems in Banks in the computerized environment… Naavi)


Cyber Law College will be starting a compressed course on Cyber Laws for the students of BMS Law College, Bangalore starting from March 1st.

This course will cover an overview of Cyber Law in a course that extends to 10 sessions to be conducted in the college for students of different semesters.

In the past, Cyber Law College has conducted 3 courses each in KLE Law College, Bangalore and Hubli, SDM Law College Mangalore and JSS Law College, Mysore. These courses were of a longer duration and extended to about 60 to 70 hours of class room teaching. The BMS law college course is planned as a 25-30 hours of class room teaching.

Naavi is also associated as guest faculty with NLSUI, NALSAR, MSR Law College and other institutions and continues to contribute to the mission of “Cyber Law Awareness”.

Naavi is looking for more initiatives of this nature particularly a “Course for Law Faculty” so that Cyber Law Courses can be started in all Law Colleges in Karnataka.

Naavi is also looking for initiatives on “Cyber Law for IS Professionals” at Bangalore if there is a demand.

Naavi has already created online courses in Cyber Laws and HIPAA through apnacourse.com. Now a Course on GDPR is under preparation and details will shortly be announced.

Comments and suggestions are welcome.



In the context of huge regulatory fines envisaged under GDPR, there is a renewed interest in Cyber Insurance among Data Processors everywhere. Since liability under GDPR may arise not only for payment of compensation to data owners but also for making payment of fines that may be imposed by the regulatory authorities, the companies do demand that they should be covered by some Cyber Insurance policy for any liability that comes out of processing of EU citizen’s data.

As far as Indian data processors are concerned, their liability will be restricted to what is indicated in the data processing contract. Some of these contracts may be vague and not determine the exact liability or compliance responsibilities. It may make a reference to the liability that may arise on the Data Controller under GDPR and extend the liability in the form of an “Indemnity” to the associate data processor in India. Indian data processors sometimes assume that they would be liable directly under GDPR and rush to obtain insurance cover for large amounts. This could hurt the profitability of their operations.

If any data is compromised by an Indian data processing company then it would be as a result of a “Cyber Crime”. The cause of action lies with the persons who have lost money. Most of the time however, data compromise is recorded but the actual loss may not fructify or fructify only to a small extent not commensurate with the number of data elements lost.

Hence, out of the total loss, the loss arising out of “Compliance” requirements, which may include sending of notices and arranging identity theft protection for all the suspected compromised data subjects, would be a huge cost even when not a single one of the compromised data elements results in actual loss. Similarly, in such cases the regulator would impose millions of dollars in fines depending on the nature of the breach, the attitude shown by the data controller before and after the breach to protect the data subjects etc.

When a Cyber Insurance policy is invoked in such cases, an obvious question that would arise is whether the loss occurred more out of the negligence of the Company as a whole in implementing proper policies etc and whether the company should be protected against its own negligence. If Cyber Insurance routinely covers such breaches, then there will be no incentive for companies to improve their security.

Hence it is necessary and natural that the Cyber Insurance Company raises an objection or tries to limit its liability, citing that the cause of loss was “Not Insurable”.

A question has therefore arisen on “Whether Regulatory Fines are Insurable at law”. In this context, the article “GDPR Fines and Cyber Insurance” presents some interesting thoughts as may be relevant in Great Britain. Since India generally follows the English Law and Insurance law depends on British practices, it is presumed that the English law is also relevant for the Indian Context. Hence the points mentioned in this article are very much relevant to Indian companies both in the GDPR context as well as in other instances of fines arising out of non-compliance with HIPAA, non-compliance with ITA 2008 and even when there is a ransomware attack due to lack of proper security practices in a company.

One of the concepts discussed here is “illegality of defence” which may prevent a claimant from pursuing a civil claim based on the claimant’s own illegal acts.

The dividing line however is whether there was “Illegality” on the part of a company that caused the fine or there was merely “Negligence” in implementing the regulatory precautions.

As long as the negligence is related to “Best practice suggestions” that are made by sectoral regulatory bodies or industry practice, the cause may be contained within the concept of “negligence” unless the level of negligence is “ridiculous”. But if there is a statutory law which has been ignored then such negligence cannot be called anything other than “Illegal”.

To be more specific, if a Bank ignores RBI guideline, it may be “Negligence”. But if it ignores “ITA 2008”, then it would be “Illegal”.

Secondly what distinguishes “Negligence” from “Gross Negligence” or “Recklessness” is the precautions taken by an organization before an event occurs and also its response immediately after the occurrence of an incident.

If an organization has taken reasonable precautions which any other prudent person under similar circumstances would have undertaken but failed in some minor aspects, then the level of negligence is in the lower end. If however, there was no precaution taken or the precaution was ridiculously low, then the breach would be attributed to callous attitude and may be considered as a “Contributory Negligence” or even a “Passive Assistance” to a fraudster.

If we take the recent incident of the PNB fraud and another fraud that followed at City Union Bank, it appears that the negligence at City Union Bank which allowed a compromise of its SWIFT system may fall under the category of “Negligence but Not Recklessness”. On the other hand, the PNB negligence, which involved allowing a customer’s executives to use the passwords of Bank officials to create their own “Sanction letters” and the sharing of passwords between multiple officers of the Bank, can be called abject complicity in the offence itself.

Even if there was no “Mens rea”, at least for some of the executives of the Bank, the “Recklessness” was attributable to all employees of PNB who were aware that the SWIFT messaging system was not linked to CBS and that passwords were being shared.

The Association of employees in PNB has tried to put the blame on the top management. Similarly, the employees of the Mehul Chokshi firm have placed the blame for their current loss of jobs on the Mehul Chokshi led Board. But if one is honest, we all know that if a fraud of this magnitude had taken place, then several persons within the Mehul Chokshi or Nirav Modi companies as well as PNB, other lending Banks, RBI, and the Ministry of Finance must have smelt that something wrong was going on.

What has collectively failed is the system of “Whistle Blowing” that RBI already has in place but which has completely failed to work. The complaint that one franchisee, Mr Hari Prasad, made to the PMO is like many complaints that are forwarded to the PMO and are directed to appropriate departments for enquiry.

But each of the Banks had their own Whistle blowing systems and RBI had a Whistle blowing system for the entire Banking system, and it appears nobody had the courage to report the possibility of such a fraud. The reason could be that the heads of each Bank involved as well as the Governor of RBI themselves were all friends of the then prevalent political system and personally appointed by Mr P.Chidambaram, and hence nobody trusted them to take action.

If the Whistle blowing system ensured that the whistle blower is protected, then the skeletons would have tumbled out as soon as a junior Bank officer acquired a flat costing Rs 3-4 crores or threw a fancy party in a five star hotel etc.

In all such cases therefore, the negligence is unpardonable and hence there should be no protection from Cyber Insurance.

The Cyber Insurance contract being an uberrimae fidei contract, the Insurance company is unlikely to discuss these issues with the clients at the time the Insurance policy is bought. But if the liability is huge and the client invokes the insurance, then the legal departments in these insurance companies may certainly raise the “Illegal Defence” clause.

The principle in Insurance is always, “Take as much precaution as you would take as if there was no insurance” and thereafter, if the loss materializes, it is an “Accident” for which the Insurer should gladly assume liability. If one takes decisions recklessly because there is an insurance to back up, then the insurer would definitely feel cheated and raise objections at the first instance.



The SLP order of the Supreme Court in the case of Shafhi Mohammad Vs State of Himachal Pradesh dated 30th January 2018, in which a two member bench of the Court passed an order which was clearly meant to overrule an earlier three member Judgement of the Basheer Case as regards the applicability of Section 65B of the Indian Evidence Act, is now having its adverse impact on the system of judiciary in India.

The SLP order was delivered by the two judges, namely Justice Adarsh Kumar Goel (Seniority order 11) and Justice Uday Umesh Lalit (Seniority order 15).

This order was conspicuously rebellious, overruling the earlier judgement passed by three judges, namely Justices R.M. Lodha (then CJI, now retired), Kurian Joseph (Seniority order 5) and Rohinton Fali Nariman (Seniority order 12).

Normally, when a Judge has a difference of opinion with the earlier order of a superior court, the option available to him is to make a reference back to a comparatively bigger bench and seek a review. This is an established convention. It was diligently followed in the Aadhaar case when the question of “Whether Privacy is a Fundamental Right in our constitution or not” came up with a smaller bench which felt that an earlier 5 member bench had a view which could be reviewed. Accordingly the matter was considered by a 9 member bench which gave its clarification after which the earlier bench resumed its hearing.

This process was not followed by the A.K. Goel-U.U. Lalit bench, which preferred to pass its clarification order in derogation of the order of the earlier three member bench. Though there was the next hearing on 13th February 2018, the bench simply continued with other matters and left its earlier order on Section 65B to remain on paper though its validity is questionable.

We consider that the order was erroneous, is open to misuse and would open the doors of corruption in the Judiciary.

It is also infructuous being an order of a smaller bench.

But by not reviewing the order in the next available opportunity the two member bench has shown disregard to the conventions and cyber jurisprudence.

It is necessary for the CJI to take note of this development; if he allows such breaking of conventions to go unquestioned, it will spread like cancer in the Supreme Court and throughout the judicial system.

Some time back we had the Justice Karnan episode where he challenged the Supreme Court and was later convicted for Contempt of Court.

But the current CJI did not take similar contempt action against the four judges who held a press conference. Now if the CJI continues to remain quiet without acting against the breaking of convention by the AK Goel-UU Lalit bench, every judge will ignore every other judgement of a bigger bench and turn Jurisprudence upside down.

If a lower bench of Supreme Court can over rule a higher bench, a lower court can also over rule a higher Court. We will see chaos and anarchy spreading through the system if proper measures are not initiated by CJI now.

Such a situation will give a free hand for corruption to decide which order of a superior court will be followed as a precedent and which will be ignored under the special precedent set by the AK Goel-UU Lalit bench.

The Order of this bench to turn Jurisprudence upside down is completely illogical and indicates that this could be part of a rebellion developing inside the Supreme Court.

CJI needs to take note and take corrective action. Silence will not be a solution and it may be too late to correct the situation if more such decisions contemptuous of the higher benches can be allowed to be taken.

In the meantime, if any situation arises in Courts where there is an attempt to accept electronic evidence with Section 65B certification on the basis of the SLP order, it has to be challenged first with a request for review, if necessary supported with an expert counter opinion, failing which with an appeal to a higher court specifically on this issue.

It is regrettable that Supreme Court judges are creating anarchy in the system by not being consistent with their commitment to delivery of justice, and the poison seeded by the four rebellious judges seems to be having its effect in destroying the revered system. I hope the fear is misplaced and things will turn out well with the bench, in its next hearing on 7th March 2018, issuing a clarification that they are not overruling the earlier judgement.

If the Amicus Curiae is unable to find a practically permissible and legally acceptable solution to the problem on hand (Evidence to be presented by the Police from the crime scene videography), it is necessary for the Court to hold a larger consultation with other experts before passing further orders.



During the last week, Bengaluru witnessed a disturbing display of lawlessness by a group led by a son of a Congress MLA. The case involved a brawl in a Pub called “Farzi Cafe” in UB City in which another person was beaten to near death by the group.

Similarly there was another incident of VIP misbehaviour of another Congress worker sprinkling petrol and threatening destruction of a BBMP office also in the same week.

While the discussion on the incidents is outside the scope of this website, I would like to only discuss the role of “Digital Evidence” that plays an important part in both these incidents.

In both the incidents there is video evidence, and in one case the offence is an “Attempt to Murder” and in the other case it is “Threatening to commit arson and destruction of Government property”. Both are very serious offences and require a fair trial in a Court. The evidence available would therefore be very important.

But there are unconfirmed media reports indicating that since the offenders in both cases relate to the ruling party, the Police are favouring the accused and are unlikely to pursue the case properly. In the process, there will be a possibility of destruction or manipulation of the digital evidence which is in the form of CCTV footages.

The Video in the case of threat to burn BBMP office has already gone viral and is now in the public space. Courts can take cognizance of the incident even if the Police try to suppress it.

But in the incident related to the brawl in the Pub, there are two videos, one from the Farzi Cafe where the brawl first took place and the other from Mallya Hospital where the accused tried to break in, perhaps to cause further hurt to the victim. Initial media reports suggest that the Farzi Cafe Video has already been tampered with by the Police and will only show the victim slapping the accused and not the earlier first attack by the accused.

If the report is true, it is expected that the case will eventually not get proved in a Court of law and will be dismissed for lack of evidence. Worse still, the victim himself may be punished for attacking a respectable person who is the present accused and provoking him.

The incident highlights the importance of protecting the digital evidence which is extremely useful in such cases with CCTV cameras spread across the city and in most public establishments. Recently, Bangalore Police solved a case of harassment of a lady in the middle of the night only through the CCTV footage that was available.

But if CCTV footage becomes only a tool of manipulation, where at the discretion of the Police it would be used in certain cases and in certain other cases it would simply vanish, then the question of accountability for such CCTVs arises.

There is already an argument that installation of CCTV cameras is a threat to the Privacy of Citizens. This will only get strengthened. The defence that it helps in “Security” falls flat because of the frequent misuse of the CCTV footage by the law enforcement to suit their political objectives.

I therefore request the Bangalore Police to make the entire unedited version of the Farzi Cafe incident public in the interest of transparency in public life. The Court should also direct such a disclosure.

I believe that Farzi Cafe owners would be having a copy of the video and unless they want to be called for taking sides in the dispute, should go public with the copy of the video in their hands. Since this Video would be relevant not only to the accused but also to the victim as well as other people who would be in the Cafe at the time of the incident, there is a “Public Interest” in the disclosure and Courts can order for the disclosure.

While somebody who has the courage to face the wrath of the Congress Government in Karnataka can take up the issue as a public interest litigation, the Courts also can take suo moto action if they consider the matter to be of consequence.

If however Farzi Cafe owners have deleted the evidence then they would be liable for prosecution under Section 65 of ITA 2000/8 and Section 204 of IPC for destruction of evidence. If manipulation of evidence has taken place after the Police took charge of the evidence, similar charge can be made on the police personnel also. Probably the Karnataka Human Rights Commission has the jurisdiction to investigate the matter.

It would be interesting to see how the case proceeds from here and what lessons the police and organizations like Farzi Cafe will take from the current incident on handling of CCTV footages which become “Potential Evidence” in criminal cases.

Our discussion would be incomplete without also highlighting why the recent decision on an SLP by the Supreme Court in the case of Shafhi Mohammad was called by us a “Recipe for Corruption…”. If the order is to be accepted, then the CCTV footage which the Police will produce may be argued as acceptable as evidence without a Section 65B certificate. If the decision in the Basheer case is followed, at least there will be one person who will look into the evidence and certify it, and while doing so will consider whether the evidence is trustworthy or not. This important check on fraudulent production of digital evidence for admission would be removed if the Shafhi Mohammad decision is to be considered as valid. Fortunately this is a two member order on an SLP, whereas the Basheer judgement is a three member judgement and hence it would prevail.



“Where there is Money, there will be Fraud” is a truth which all traditional Bankers know. Hence the essence of Good Banking is building security into the culture of the organization and into its systems. The legacy paper based systems in Banks have been robust enough to ensure that Frauds are detected quickly if and when they happen, and no fraud will succeed without the collusion of multiple persons and the negligence of multiple persons.

Future of Banking

With the changeover from paper based banking to electronic banking, the risk has increased manyfold since the procedures of Banking have now been subordinated to the “Systems” designed by “IT Professionals” who are not “Bankers”.

I am reminded of one of the early warnings given out (some time around 2005) by Mr A. T. Panneer Selvam, the former Chairman of Union Bank of India (and an Ex DGM of IOB in which the undersigned worked a few decades back) who said “Future of Banking belongs to IT Professionals”. I have quoted this a number of times in my lectures promoting the advent of digital Banking before shifting to the current slogan that “Future of Banking belongs to Information Security Professionals”.

Need for Information Security Culture

The PNB fraud has highlighted this need to develop an “Information Security Culture” in Banks on a priority basis.

People in Information Security try to design many sophisticated tools to secure the “Confidentiality”, “Integrity” and “Availability” of information, which they define as the contours of information security. But if an authorized system owner shares his password with another, then the entire system of security built around the password crumbles.

In the PNB case, it appears that the Password of an AGM was shared with a Deputy Manager. So far the name of the AGM who shared his Level 5 Password with Mr Gokulnath Shetty has not come out in the open. He is an abettor of the crime and should also cool his heels in jail for some time. There may be more than one official of the bank who shared his password with his juniors, and all of them should now be held responsible along with Mr Gokulnath Shetty, who shared the password with an outsider client in what can only be called “Incredible”.

In June 2016, we saw TCS employees sharing passwords issued for an employee of a different company amongst themselves and hacked into a US Company resulting in a legal suit of US $940 million on the Company. Fortunately the Directors and CEO escaped criminal charges and contained the damage to a civil suit.

This menace of “Password Sharing” that has now reached a new dimension with password being shared with an outsider clearly indicates that our Information Security designers are at fault to first of all rely on the system of Passwords and then not have adequate measures to control the risks.

Design Faults

If we have dual keys to our strong room where cash is kept, and electronic locks that can be opened only at a certain time with certain biometric authentication etc., why is it that the SWIFT system cannot use digital signatures backed by biometric-based cryptographic keys, RFID-based identity cards etc. to build layers of security which ensure that the system cannot be operated except from within a specific system in the Bank? Why is every transaction not immediately deposited in a different system and audited independently of the maker and checker, who might have colluded?
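As an added illustration of the independent audit this paragraph (and the password-sharing point above) calls for, here is example code that is not from the original post or from any bank's or vendor's system: it runs over copies of SWIFT gateway records and CBS vouchers, independently of maker and checker, and flags logins from outside an assumed internal network range, more than one user id operating from a single workstation, and messages for which the CBS raised no matching voucher. The network range, record formats, field names and sample values are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

BANK_NETWORK = ip_network("10.20.0.0/16")  # assumed internal range (constructed)

@dataclass(frozen=True)
class SwiftSession:
    # One outgoing SWIFT message as logged by the gateway (assumed record format).
    user_id: str
    workstation: str
    source_ip: str
    message_ref: str
    amount: float

@dataclass(frozen=True)
class CbsVoucher:
    # Voucher the core banking system should have raised for the same message.
    message_ref: str
    amount: float

def audit(sessions, vouchers):
    """Independent audit over copies of both records: returns (message_ref, reason)
    alerts without relying on the maker or checker of the messages."""
    voucher_by_ref = {v.message_ref: v for v in vouchers}
    users_per_workstation = defaultdict(set)
    for s in sessions:
        users_per_workstation[s.workstation].add(s.user_id)
    alerts = []
    for s in sessions:
        if ip_address(s.source_ip) not in BANK_NETWORK:
            alerts.append((s.message_ref, "login from outside bank network"))
        if len(users_per_workstation[s.workstation]) > 1:
            alerts.append((s.message_ref, "multiple user ids from one workstation"))
        voucher = voucher_by_ref.get(s.message_ref)
        if voucher is None:
            alerts.append((s.message_ref, "no matching CBS voucher"))
        elif abs(voucher.amount - s.amount) > 0.005:
            alerts.append((s.message_ref, "CBS voucher amount mismatch"))
    return alerts

# Constructed sample: a normal message, a second user id on the same workstation,
# and a message sent from an outside address that raised no CBS voucher at all.
SAMPLE_SESSIONS = [
    SwiftSession("AGM07", "WS-112", "10.20.5.14", "MSG-0001", 1000000.0),
    SwiftSession("DM19", "WS-112", "10.20.5.14", "MSG-0002", 2500000.0),
    SwiftSession("AGM07", "WS-309", "203.0.113.8", "MSG-0003", 4000000.0),
]
SAMPLE_VOUCHERS = [CbsVoucher("MSG-0001", 1000000.0), CbsVoucher("MSG-0002", 2500000.0)]

def run_sample_audit():
    return audit(SAMPLE_SESSIONS, SAMPLE_VOUCHERS)
```

Because the audit consumes only the two record streams, it can run on a separate system that neither the maker nor the checker can write to.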

The security design in banks is faulty and I have already said that the makers of FINACLE software for which our Banks have paid a fortune should accept that their security design has left the Indian Banking system vulnerable.

Inaction by RBI

When I spotted and pointed out the extreme recklessness of ICICI Bank, PNB and Axis Bank during the adjudication proceedings of some phishing frauds, I personally represented to RBI that they should suspend the Internet Banking licences of some of the branches involved in the commission of phishing frauds.

Had RBI at least sent one harsh letter to the Banks at that time, perhaps this PNB fraud would not have happened. Mr K.R. Kamat was the Chairman then, and he continued to rise to greater heights after the frauds were pointed out.

The fraud in which more than Rs 1.6 crores were lost by an exporter in PNB was a clear indication of complicity by the Noida branch of PNB, but Mr Kamat took no action. This case is still languishing in the Delhi National Consumer Forum, and the judges who have been adjourning the case year after year, obviously at the instance of the bank, will have to introspect whether they could have contributed indirectly to the current Rs 11400 crore PNB Fraud.

The Governors, Deputy Governors and other Executives of RBI to whom I repeatedly appealed for action, but who did not respond, should introspect whether they are also responsible for not initiating specific action in time, which has caused the present mess.

Appointment of Directors

Without diverting back into the software issue and irritating my friends in the IT industry more, and also without again speaking of the RBI as a toothless paper pusher who is good at drafting guidelines without any power to implement them, I would today like to say that the root cause of the malaise lies with the Finance Ministry and its system of appointment of Independent Directors of Banks, Chairpersons and other Directors.

The clean up therefore should start here, at the Board level appointments in each of the Banks. For the Indian political system to think of progress, we needed a Narendra Modi to succeed Mr Manmohan Singh. Similarly, for any Bank, whether it is PNB or SBI, ICICI Bank or HDFC Bank, Allahabad Bank or Union Bank, it is necessary that the head of the institution is not only efficient from the domain perspective but also scrupulously honest. We cannot expect every Chairman to be an Information Security expert, but it is for this reason that he has a Board to assist him. Every member of the Board should therefore be equally honest, besides being an expert in some part of the domain.

The constitution of the Board of Directors is the biggest internal and external control for the Banks. Without correcting this, if we try to tinker with our firewalls, software and hardware, we will not achieve the security we are aiming for.

The politicians and media who are questioning Mr Narendra Modi because Mr Hari Prasad's letter was not acted upon by the PMO must ask why all the public postings at Naavi.org, in which Banks like ICICI Bank, PNB, AXIS Bank and SBI in particular were pointed out for lack of information security practices leading to frauds, were not acted upon by the respective Banks and RBI.

I had called upon the Independent Directors of the Banks with a request, "If You are a Bank Director.. Your Independence Day Resolution Should be…", after the Bangladesh Bank SWIFT fraud, to ensure that the RBI guidelines on the "Cyber Security Framework" are diligently implemented by the Banks. I am not, however, sure if any of the independent directors raised the issue in any of the Board meetings.

These Independent Directors have failed to discharge their responsibilities in the way Mr Dubey of Allahabad Bank tried to do, and therefore should bear vicarious liability for the PNB fraud.

The Ball is in the Court of Mr Arun Jaitely

If these Directors were incapable of protecting the Banks, and the Chairpersons were not only inefficient but also complicit in the frauds, the responsibility goes up to the Finance Ministry under Mr Arun Jaitely and the Secretaries in the Finance Ministry who have appointed these Chairmen and Directors for their own considerations. While commenting on the Bitcoin issue, I have repeatedly stated that I have doubts about the culture of the Finance Ministry built under the regime of Mr P Chidambaram, and urged Mr Arun Jaitely to take suitable corrective action.

Now we need to repeat this request once again, for Mr Arun Jaitely to prove his commitment to cleaning up the Banks by kicking out non-functional Directors and replacing them with vigilant, honest individuals of repute who can ask questions of the Chairmen and Board. Many of the Chairmen themselves need to be eased out, though in a manner that does not destabilize the system. All Independent Directors in PNB and other Banks which have given loans to Nirav Modi and Mehul Chokshi companies must be removed tomorrow and replaced with appropriate persons.

Will Mr Arun Jaitely have the necessary commitment?


Reference Articles:

Naavi.org has been carrying on a crusade against Bank frauds in the Digital era and has discussed many issues in the past. If the authorities had taken some action on these warnings, we would perhaps not be in the situation we are now in. Some of these warnings were to individual Banks, some to RBI and some to the Government itself. I hope at least now somebody will find time to examine how security in the Indian Digital Banking industry can be improved with appropriate regulatory action. The ball is in the court of Mr Arun Jaitely, the Finance Minister.

For immediate reference some of the past articles are indicated here:

Axis Bank ATM license should be cancelled by RBI

Does SBI Cards pose a special risk for customers because of Incompetence and possible collusion?

Will RBI disclose “Sanction Mechanism” to enforce sanctity of Banking license conditions?

Let RBI show Who is the Boss

1710 Bank Frauds reported by Police..Does RBI have a count?

RBI cannot remain silent.. and so also NPCI, CERT and Ministers of Home, IT and Finance

Banks want their negligence to be underwritten by the Customers. Do you agree Mr Urjit Patel?

Yet another Bank Fraud.. What will RBI say?

This credit card fraud should be a lesson to Judges, Adjudicators and Banking Ombudsmen

Another Great E Banking Robbery Could destroy our Banking system

Protect Bank Consumers from Frauds or be prepared for disaster..A warning to BJP Government

90% growth in Credit Card Frauds … Dear Police, How Many Banks have you Charged?

SWIFT Hacking exposes Indian Banks to huge Risks

RBI’s conspiracy by silence

Negligence of Export Promotion Councils, ECGC and Banks lead to Rs 2.35 crore fraud

Has RBI really woken up from its slumber?

What does the new RBI Governor has to say for this?

..The list is endless. Maybe a search page like this will help
