Role of Potential Digital Evidence in criminal investigations

During the last week, Bengaluru witnessed a disturbing display of lawlessness by a group led by a son of a Congress MLA. The case involved a brawl in a Pub called “Farzi Cafe” in UB City in which another person was beaten to near death by the group.

Similarly there was another incident of VIP misbehaviour of another Congress worker sprinkling petrol and threatening destruction of a BBMP office also in the same week.

While the discussion on the incidents is outside the scope of this website, I would like to only discuss the role of “Digital Evidence” that plays an important part in both these incidents.

In both the incidents, there is video evidence; in one case the offence is an “Attempt to Murder” and in the other it is “Threatening to commit arson and destruction of Government property”. Both are very serious offences and require a fair trial in a Court. The evidence available would therefore be very important.

But there are unconfirmed media reports indicating that since the offenders in both cases relate to the ruling party, the Police are favouring the accused and are unlikely to pursue the case properly. In the process, there is a possibility of destruction or manipulation of the digital evidence, which is in the form of CCTV footage.

The Video in the case of threat to burn BBMP office has already gone viral and is now in the public space. Courts can take cognizance of the incident even if the Police try to suppress it.

But in the incident related to the brawl in the Pub, there are two videos: one from the Farzi Cafe, where the brawl first took place, and the other from Mallya Hospital, where the accused tried to break in, perhaps to cause further hurt to the victim. Initial media reports suggest that the Farzi Cafe video has already been tampered with by the Police and will only show the victim slapping the accused and not the earlier first attack by the accused.

If the report is true, it is expected that the case will eventually not get proved in a Court of law and will be dismissed for lack of evidence. Worse still, the victim himself may be punished for attacking a respectable person who is the present accused and provoking him.

The incident highlights the importance of protecting the digital evidence which is extremely useful in such cases with CCTV cameras spread across the city and in most public establishments. Recently, Bangalore Police solved a case of harassment of a lady in the middle of the night only through the CCTV footage that was available.

But if CCTV footage becomes only a tool of manipulation, where at the discretion of the Police it is used in certain cases and in certain other cases it simply vanishes, then the question of accountability for such CCTVs arises.

There is already an argument that installation of CCTV cameras is a threat to the Privacy of Citizens. This will only get strengthened. The defence that it helps in “Security” falls flat because of the frequent misuse of the CCTV footage by law enforcement to suit their political objectives.

I therefore request the Bangalore Police to make public the entire unedited version of the Farzi Cafe incident in the interest of transparency in public life. The Court should also direct such a disclosure.

I believe that Farzi Cafe owners would be having a copy of the video and unless they want to be called for taking sides in the dispute, should go public with the copy of the video in their hands. Since this Video would be relevant not only to the accused but also to the victim as well as other people who would be in the Cafe at the time of the incident, there is a “Public Interest” in the disclosure and Courts can order for the disclosure.

While somebody who has the courage to face the wrath of the Congress Government in Karnataka can take up the issue as a public interest litigation, the Courts can also take suo motu action if they consider the matter to be of consequence.

If however Farzi Cafe owners have deleted the evidence then they would be liable for prosecution under Section 65 of ITA 2000/8 and Section 204 of IPC for destruction of evidence. If manipulation of evidence has taken place after the Police took charge of the evidence, similar charge can be made on the police personnel also. Probably the Karnataka Human Rights Commission has the jurisdiction to investigate the matter.

It would be interesting to see how the case proceeds from here and what lessons the police and organizations like Farzi Cafe will take from the current incident on handling of CCTV footages which become “Potential Evidence” in criminal cases.

Our discussion would be incomplete without also highlighting why the recent decision on an SLP by the Supreme Court in the case of Shafhi Mohammad was called by us a “Recipe for Corruption…” If the order is to be accepted, then the CCTV footage which the Police will produce may be argued as acceptable as evidence without a Section 65B certificate. If the decision in the Basheer case is followed, at least there will be one person who will look into the evidence and certify it, and while doing so will consider if the evidence is trustworthy or not. This important element of check on fraudulent production of digital evidence for admission would be removed if the Shafhi Mohammad decision is to be considered as valid. Fortunately this is a two member order on an SLP whereas the Basheer judgement is a three member judgement, and hence it would prevail.

Naavi


Appointment of Chairmen and Directors of Banks is the Weak link that caused PNB fraud


“Where there is Money, there will be Fraud” is a truth which all traditional Bankers know. Hence the essence of Good Banking is building security into the culture of the organization and into its systems. The legacy paper based systems in Banks have been robust enough to ensure that Frauds are detected quickly if and when they happen, and that no fraud will succeed without collusion of multiple persons and negligence of multiple persons.

Future of Banking

With the changeover from paper based banking to electronic banking, the risk has increased manifold, since the procedures of Banking have now been subordinated to the “Systems” designed by “IT Professionals” who are not “Bankers”.

I am reminded of one of the early warnings given out (some time around 2005) by Mr A. T. Panneer Selvam, the former Chairman of Union Bank of India (and an Ex DGM of IOB in which the undersigned worked a few decades back) who said “Future of Banking belongs to IT Professionals”. I have quoted this a number of times in my lectures promoting the advent of digital Banking before shifting to the current slogan that “Future of Banking belongs to Information Security Professionals”.

Need for Information Security Culture

The PNB fraud has highlighted this need to develop an “Information Security Culture” in Banks on a priority basis.

People in Information Security try to design many sophisticated tools to secure the “Confidentiality”, “Integrity” and “Availability” of information, which they define as the contours of information security. But if an authorized system owner shares his password with another, then the entire system of security built around the password crumbles.

In the PNB case, it appears that the Password of an AGM was shared with a Deputy Manager. So far the name of the AGM who shared his Level 5 Password with Mr Gokulnath Shetty has not come out in the open. He is an abettor of the crime and should also cool his heels in the jail for some time. It may be that more than one official of the banks shared his password with his juniors, and all of them should now be held responsible along with Mr Gokulnath Shetty, who shared the password with an outsider client in what can only be described as “Incredible”.

In June 2016, we saw TCS employees sharing among themselves passwords issued to an employee of a different company and hacking into a US Company, resulting in a legal suit of US $940 million on the Company. Fortunately the Directors and CEO escaped criminal charges and contained the damage to a civil suit.

This menace of “Password Sharing” that has now reached a new dimension with password being shared with an outsider clearly indicates that our Information Security designers are at fault to first of all rely on the system of Passwords and then not have adequate measures to control the risks.

Design Faults

If we have dual keys to our strong room where cash is kept, and electronic locks that can be opened only at a certain time by certain biometric authentication etc., why is it that the SWIFT systems cannot use digital signatures backed by biometric based cryptographic keys, RFID based identity cards etc. to build layers of security which ensure that the system cannot be operated except from within a specific system in the Bank? Why is every transaction not immediately deposited in a different system and audited independently of the maker and checker, who might have colluded?

The security design in banks is faulty and I have already said that the makers of FINACLE software for which our Banks have paid a fortune should accept that their security design has left the Indian Banking system vulnerable.

Inaction by RBI

When I spotted and pointed out extreme recklessness of ICICI Bank, PNB and Axis Bank during the adjudication proceedings of some Phishing Frauds, I had personally represented to RBI that they should suspend the Internet Banking licences of some of the branches involved in the commission of Phishing frauds.

Had RBI at least sent one harsh letter to the Banks at that time, perhaps this PNB fraud would not have happened. Mr K.R.Kamat was the Chairman then and he continued to rise to greater heights after the frauds were pointed out.

The fraud in which more than Rs 1.6 crores were lost by an exporter  in PNB was a clear indication of complicity by the Noida branch of PNB but Mr Kamat took no action. This case is still languishing in the Delhi National Consumer Forum and the judges who have been adjourning the case year after year obviously at the instance of the bank will have to introspect if they could have contributed indirectly to the current Rs 11400 crore PNB Fraud.

The Governors, Deputy Governors and other Executives of RBI whom I repeatedly appealed to for action but who did not respond should introspect if they are also responsible for not initiating specific action in time which has caused the present mess.

Appointment of Directors

Without diverting back into the software issue and irritating my friends in IT industry more, and also not again speaking of the RBI as a toothless paper pusher who is good in drafting guidelines without any power to implement them, I would today like to say that the root cause for the malaise lies with the Finance Ministry in their system of appointment of Independent Directors of Banks, Chair persons and other Directors.

The clean up therefore should start here at the Board level appointments in each of the Banks.  For Indian political system  to think of progress we needed a Narendra Modi to succeed Mr Manmohan Singh. Similarly, for any Bank whether it is PNB or SBI, ICICI Bank or HDFC Bank, Allahabad Bank or Union Bank, it is necessary that the head of the institution should be not only efficient from the domain perspective but also scrupulously honest. We cannot expect every Chairman to be an Information Security expert but it is for this reason that he has a Board to assist him. Every member of the Board should therefore be equally honest besides being an expert in some part of the domain.

The constitution of the Board of Directors is the biggest internal and external control for the Banks. Without correcting this, if we try to tinker with our Firewalls, Software and Hardware, we will not be able to achieve the security that we are trying to achieve.

The politicians and media who are questioning Mr Narendra Modi that Mr Hari Prasad’s letter was not acted upon by the PMO must ask why all the public postings at Naavi.org, in which Banks like ICICI Bank, PNB, AXIS Bank and SBI in particular were pointed out for lack of information security practices leading to frauds, were not acted upon by the respective Banks and RBI.

I had called upon the Independent Directors of the Banks with a request “If You are a Bank Director.. Your Independence Day Resolution Should be…” after the Bangladesh Bank SWIFT fraud, to ensure that the RBI guidelines on the “Cyber Security Framework” should be diligently implemented by the Banks. I am not however sure if any of the independent directors raised the issue in any of the Board meetings.

These Independent Directors have failed to discharge their responsibilities like what Mr Dubey of Allahabad Bank tried to do and therefore should bear the vicarious liability for the PNB fraud.

The Ball is in the Court of Mr Arun Jaitley

If these Directors were incapable of protecting the Banks and the Chairpersons were not only inefficient but also complicit in the frauds, the responsibility goes up to the Finance Ministry under Mr Arun Jaitley and the Secretaries in the Finance Ministry who have appointed these Chairmen and Directors for their own considerations. While commenting on the Bitcoin issue, I have repeatedly stated that I have doubts on the culture of the Finance Ministry built under the regime of Mr P Chidambaram and urged Mr Arun Jaitley to take suitable corrective action.

Now we need to repeat this request once again for Mr Arun Jaitley to prove his commitment to clean up the Banks by kicking out non functional Directors and replacing them with vigilant, honest individuals of repute who can ask questions of the Chairmen and Board. Many of the Chairmen themselves need to be eased out, though in a manner that does not destabilize the system. All independent Directors in PNB and other Banks which have given loans to Nirav Modi, Mehul Chokshi companies must be removed tomorrow and replaced with appropriate persons.

Will Mr Arun Jaitley have the necessary commitment?

Naavi


Reference Articles:

Naavi.org has been carrying on a crusade against Bank frauds in the Digital era and discussed many issues in the past. If the authorities had taken some action on these warnings, we would perhaps not have been in the situation we are now in. Some of these warnings were to individual Banks, some to RBI and some to the Government itself. I hope at least now somebody will find time to examine how security in the Indian Digital Banking industry can be improved with appropriate regulatory action. The ball is in the court of Mr Arun Jaitley, the Finance Minister.

For immediate reference some of the past articles are indicated here:

Axis Bank ATM license should be cancelled by RBI

Does SBI Cards pose a special risk for customers because of Incompetence and possible collusion?

Will RBI disclose “Sanction Mechanism” to enforce sanctity of Banking license conditions?

Let RBI show Who is the Boss

1710 Bank Frauds reported by Police..Does RBI have a count?

RBI cannot remain silent.. and so also NPCI, CERT and Ministers of Home, IT and Finance

Banks want their negligence to be underwritten by the Customers. Do you agree Mr Urjit Patel?

Yet another Bank Fraud.. What will RBI say?

This credit card fraud should be a lesson to Judges, Adjudicators and Banking Ombudsmen

Another Great E Banking Robbery Could destroy our Banking system

Protect Bank Consumers from Frauds or be prepared for disaster..A warning to BJP Government

90% growth in Credit Card Frauds … Dear Police, How Many Banks have you Charged?

SWIFT Hacking exposes Indian Banks to huge Risks

RBI’s conspiracy by silence

Negligence of Export Promotion Councils, ECGC and Banks lead to Rs 2.35 crore fraud

Has RBI really woken up from its slumber?

What does the new RBI Governor has to say for this?

The list is endless. Maybe a search page like this will help.


Let’s tighten our seat belts and let Mr Narendra Modi shake up and clean the Indian Banking system

After the surfacing of the Nirav Modi-Mehul Chokshi scam in PNB, the media is offering its own interpretations, some of which are politically motivated and some born out of lack of information. According to NDTV and some other media, the loss may be over Rs 20000/- crores. Rahul Gandhi, who may think he belongs to the Mahatma Gandhi family, is still struggling to distinguish if Nirav Modi is the cousin of Narendra Modi. Mr Singhvi is caught in the “Unaccounted Money” allegations. The Alpha files and deep throat are also in the fray, making this a great time for TRP oriented media.

Negligence in Banking is universal

The Dinesh Dubey revelations may appear sensational to Mr Arnab Goswami, but the fact that Bank Boards are manipulated by the politicians is well known. The UPA Government, which had mastered the art of making money by exploiting the land, sea, air and even the spectrum, could not have missed an opportunity to take money directly from the Bank. Hence if Mr Narendra Modi says that when he took over, NPAs were more than 126000 crores and he could not have publicised it without hurting the industry, it does not come as a surprise to observers like us. From the old Indian Bank fraud to the Harshad Mehta Fraud, we have seen enough of frauds in the Banks to believe that if Digital Banking is indiscriminately promoted, fraudsters will make merry.

If Global Bankers have a system whereby a SWIFT message from a deputy manager of a Bank can be used to lend Thousands of Crores to one company by several banks, then the problem is that Digital Bankers of the day do not know the Risks inherent in Banks. This includes even the wise men in RBI who are good paper pushers.

Naavi.org had its own share of “Doomsday predictions” in Banking, and there are plenty of articles in the past highlighting a day of this nature when Cyber Frauds or Frauds in the Cyber Banking scenario could be huge enough to wipe out even big Banks.

For a long time we have held that RBI has no control over influential Commercial bank Chairmen. We have stated this in the context of ICICI Bank, State Bank of India, PNB and  Axis bank where we had observed frauds, brought it to the notice of RBI and found no action was taken. We had even demanded that some branch licenses of ICICI Bank and PNB should be suspended as a deterrent. Some of these Chair persons have held influential positions in IBA which has been more powerful than RBI. Hence many security guidelines of RBI are simply ignored by IBA and RBI has done nothing to enforce its authority.

As a result, the negligence and apathy in the Banking industry continues. Security is always subordinated to profits and hence we see weak IT systems and opportunities for frauds increasing by the day.

Yesterday, City Union Bank was also confronted with a SWIFT fraud in which three fraudulent remittances seem to have been attempted. One of these has been prevented. One more may be retrieved quickly. The other may require some effort. But the fact that CUB faced the same problem which Bangladesh Bank suffered long ago shows that our Banks do not learn lessons.

There is presently no doubt that officials of PNB were involved in the fraud to favour Nirav Modi-Mehul Chokshi. They might have been pressurized politically at the Chairman level. It is only when Mr K.R.Kamat the former Chairman of PNB is queried about some of these transactions, that the truth may come out.

In this confusion, we should not forget that it is not only PNB that should be hauled up, but each of the Banks which gave funded loans to Nirav Modi-Mehul Chokshi firms based on a SWIFT message from a junior officer without following the 90 day RBI norm or examining the end-use of funds and feasibility of the operations.

As Mr Dinesh Dubey’s statements indicate, there was a political conspiracy whereby multiple Bank Chairmen were made to provide funded loans against PNB’s LOUs. Hence all these Banks are part of the conspiracy to siphon off Rs 11000 crores or whatever amount we finally end up with as the loss in the funded accounts. It is for this reason that RBI should not force PNB to take all the liability and leave out the other Banks from the conspiracy. If this is forced, it would mean that RBI itself would be guilty of abetting the fraud.

The other independent Directors who were complicit with these frauds should also be questioned in each of these Banks.

The contribution of Finacle software

Another neglected aspect is the Company that is responsible for the Core Banking Software used in Indian Banking system which happens to be our beloved Infosys. The system is FINACLE. After the few PNB phishing frauds that I had come across, I have raised my voice against FINACLE not being Cyber Law Compliant. Now this PNB fraud indicates some of the systemic weaknesses in the Finacle software.

I am sure that my friends in Infosys will immediately object to my drawing their name into this controversy. When I objected to Finacle Marketing chief hailing it as a platform for Bitcoin usage, I had many of my friends displeased. But the reason why Infosys should find itself reviewing its own contributory role in this Banking fraud is because it appears that the software is not built by design to prevent such frauds.

Software developers may conveniently say that it is for the software user to provide specifications and the developer will provide a solution as desired. If the solution facilitates frauds, it should not be the responsibility of the software developer.

They may say that “Releasing a Software with Bugs is their right” and what conventional Bankers like the undersigned may dub as “Fraud friendly specifications”, is the responsibility of the Bank using their software.

I am aware of developers of the Accounting software “Tally” telling me in the past that some security features in the software were deliberately removed in subsequent versions because the users wanted “Flexibility” in the accounting. The flexibility wanted by the users was the ability to manipulate accounts so that false accounts can be created without the log system capturing the manipulations. This facilitated a fraud in an Exporter’s firm in Chennai, in whose investigation I had participated. Tally succumbed to this marketing pressure and fell into the practice of “Customization for Customer Convenience”.

It is possible that Infosys might be in the same situation where for commercial reasons, they have to configure FINACLE to facilitate convenience even though it makes it easy for fraudsters to misuse the system.

Today everybody is asking why PNB’s SWIFT messaging system works outside CBS.

If certain messages sent out of SWIFT create liabilities (contingent or otherwise) for PNB and have to generate a corresponding “Margin Money Demand” and “Guarantee Commission Credit”, then FINACLE should have ensured that the messages are generated only from within FINACLE.

If PNB officials did not want it this way, Infosys should have documented the request with the reasons. If Infosys developers were aware of “Banking” in depth, they would have immediately sensed that the request is made only to keep a “Backdoor for fraud” that can be exploited.

Infosys failed to show the commitment to prevent a “Fraud Friendly Configuration”, which could hurt the society, from prevailing.

I would be happy to receive a clarification from the FINACLE team if my conjecture is wrong. I would expect Mr Nandan Nilekani to order a review of the security features of Finacle without restricting the definition of security to only the CIA principle of technical security but extending it to “Security of the underlying business which the software supports”, which is the “Total Information Assurance” principle.

Role of Auditors

We can now shift our attention to the auditors and the Information Security department of PNB. Should they not have seen the “Vulnerability” in the CBS system and flagged it as a risk?

Probably these auditors did not understand how the IT system of Finacle could be misused. Even if they were not IS experts and had to believe the management statements, the nature of the financial transactions, the 365 day window provided for the LOUs, the frequent roll overs etc. should have given them the clue.

Internal auditors who should be Techno Banking specialists also failed to note the suspicious patterns.

I am sure that SWIFT messages are separately audited, and at the least they should have been reconciled with the margin money and guarantee commission accounts, which the auditors ignored.
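The reconciliation described above can be sketched as follows. This is an added example, not code from the original post or from any bank or vendor; the record layouts, the `UNDERTAKING` message kind, the entry-type names and all sample rows are constructed for illustration, and the 90-day limit is the RBI norm the post refers to.

```python
"""Reconcile outbound SWIFT undertakings against core banking (CBS) entries.

Added illustration: field names, entry types and all records are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed extract of outbound messages (not a real SWIFT format).
SWIFT_LOG = """ref,sent_on,kind,amount,tenor_days,operator,rolls_over
LOU-001,2017-01-10,UNDERTAKING,5000000,90,dm_ops,
LOU-002,2017-02-03,UNDERTAKING,7500000,365,dm_ops,
LOU-003,2017-03-15,UNDERTAKING,7600000,365,dm_ops,LOU-002
PAY-104,2017-03-16,PAYMENT,120000,0,clerk7,
"""

# Constructed CBS ledger extract, keyed by the same reference.
CBS_LEDGER = """ref,entry_type,amount
LOU-001,CONTINGENT_LIABILITY,5000000
LOU-001,MARGIN_DEMAND,500000
LOU-001,GUARANTEE_COMMISSION,25000
LOU-002,GUARANTEE_COMMISSION,10000
"""

# Entries every liability-creating message should have produced in the CBS.
REQUIRED_ENTRIES = ("CONTINGENT_LIABILITY", "MARGIN_DEMAND", "GUARANTEE_COMMISSION")
MAX_TENOR_DAYS = 90  # the "90 day RBI norm" mentioned in the post


def load_rows(text):
    """Parse a CSV extract into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def reconcile(swift_text=SWIFT_LOG, cbs_text=CBS_LEDGER):
    """Return {reference: [findings]} for every undertaking sent over SWIFT."""
    ledger = defaultdict(dict)
    for row in load_rows(cbs_text):
        ledger[row["ref"]][row["entry_type"]] = int(row["amount"])

    findings = {}
    for msg in load_rows(swift_text):
        if msg["kind"] != "UNDERTAKING":
            continue  # ordinary payments create no contingent liability
        booked = ledger.get(msg["ref"], {})
        issues = [f"missing:{e}" for e in REQUIRED_ENTRIES if e not in booked]
        liability = booked.get("CONTINGENT_LIABILITY")
        if liability is not None and liability != int(msg["amount"]):
            issues.append("liability_amount_mismatch")
        if int(msg["tenor_days"]) > MAX_TENOR_DAYS:
            issues.append("tenor_exceeds_norm")
        if msg["rolls_over"]:
            issues.append(f"rollover_of:{msg['rolls_over']}")
        findings[msg["ref"]] = issues
    return findings


def exceptions_by_operator(swift_text=SWIFT_LOG, cbs_text=CBS_LEDGER):
    """Count unreconciled undertakings per sending operator."""
    findings = reconcile(swift_text, cbs_text)
    counts = defaultdict(int)
    for msg in load_rows(swift_text):
        if findings.get(msg["ref"]):
            counts[msg["operator"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ref, issues in reconcile().items():
        print(ref, "OK" if not issues else ", ".join(issues))
    print(exceptions_by_operator())
```

Run against an independent copy of the SWIFT log rather than one the sending operators can edit, so that the check does not depend on the maker and checker it is meant to audit.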

The Board, which should provide an annual declaration under clause 49 of the listing requirements in the annual report stating that there are “Adequate Controls and the correct financial statements are reflected”, has made a false statement for which the entire board of directors is responsible.

The same questions about internal controls and auditing failures apply in each of the other Banks who are today claiming that they trusted the LOU of PNB and blindly paid out money in thousands of crores to beneficiaries. We are not fools to accept this argument.

I consider that the issue of loans by all these Banks under circumstances where the business feasibility was doubtful and known norms flouted, is a prima-facie evidence of the involvement of employees/Directors/CMDs in all these Banks (6 or 32?) in a great Banking fraud conspiracy.

CBI must enquire all these employees starting with Allahabad Bank Board members on whom specific information is now available.

Demoralization Effect

As an ex-banker, I am aware that this fraud which cuts across many Banks will have a demoralizing impact on the employees when CBI extends its net wide. We have seen this happen after the Indian Bank fraud surfaced two decades ago.

It is for this reason that Media should stop creating panic and putting pressure on the BJP Government. Instead, they should try to instill confidence in the public that what the Government is trying to do is a very sensitive operation and has to be done discreetly.

While the anti national forces, which include the present version of the Congress party, would like to create more confusion with the demand for a JPC so that the thieves can themselves be the judges, the Government of India should resolutely move towards cleaning up the mess. The less they talk, the better it is.

Only one word of comfort from Mr Arun Jaitley or Narendra Modi that proper action would be taken should suffice. All the spokespersons should stop talking on this scam even if they are tempted to do so because of the utterances of the opposition. The “Professional Panelists” like Sumant Sriram et al. should be kept out of the channels for some time so that a sense of responsible reporting returns to the media rather than shouting for political gains.

In the process, we need to root out corruption in Banking and ensure that the future of Banking is saved. Let more heads roll and more bodies go behind bars. It will be in a good cause.

The Indian Banking system has many honest individuals who can rise to meet the challenge, fill the void even if 25% of the top management in Banks are removed, and manage the turmoil. All the independent directors of the 6-32 Banks who were complicit in the conspiracy should be removed forthwith and brought into the enquiry process.

This will have its share of demoralization in the industry. But it will spur the honest Bankers in the next level to work more honestly than before and restore the Banks back to health.

This is like the Kargil fight. We might have lost the battle but let us fight to win the War. Just as in the demonetization days, the public supported Mr Narendra Modi, they will support him even now.

Let’s therefore tighten our seat belts and let Mr Narendra Modi shake up the Banking system.

May be the above ad from PNB on its home page is meaningful in the current context.


P.S: It is now reported that Level 5 password for SWIFT which only AGMs could use was shared by Mr Shetty who was a deputy manager with the officials of Nirav Modi so that they could issue their own LOUs.

This means that the password was first shared by the AGM with Mr Shetty and the system was not configured to link the hardware ID from which the SWIFT could be accessed. Normally the adaptive authentication system should prevent logging in to SWIFT except from a designated computer. The IT Manager, the IS manager, the AGM himself all deserve to be put to jail for giving away the key to the strong room to the fraudster.

If the software had been designed with this possible use case in picture, such logging in would not have been allowed even if the fraudsters had come to Mr Shetty’s cabin and operated his computer since the AGM’s password should have been linked to his computer.

It also means that there was no digital signature or biometric authentication either to the SWIFT application or to the computers authorized to access SWIFT application. (Refer India Today article)
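The terminal binding discussed in this P.S. can be illustrated with a check over login records. This is an added example, not part of the original post or of any SWIFT or Finacle interface; the user names, terminal IDs, log format and 30-minute window are all constructed assumptions.

```python
"""Detect privileged logins from non-designated terminals and shared credentials.

Added illustration: the registry, log format and all log lines are constructed.
"""
import re
from datetime import datetime, timedelta

# Hypothetical registry: each privileged credential is bound to one terminal.
DESIGNATED_TERMINAL = {"agm_fx": "TERM-AGM-01", "dm_ops": "TERM-DM-04"}

# Constructed authentication log.
AUTH_LOG = """\
2018-01-05T10:02:11 user=agm_fx terminal=TERM-AGM-01 result=OK
2018-01-05T10:09:40 user=agm_fx terminal=TERM-DM-04 result=OK
2018-01-05T10:15:02 user=dm_ops terminal=TERM-DM-04 result=OK
2018-01-06T18:30:00 user=agm_fx terminal=EXT-LAPTOP-9 result=OK
2018-01-06T18:31:10 user=agm_fx terminal=EXT-LAPTOP-9 result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) terminal=(\S+) result=(OK|FAIL)$")
# Same credential on two different terminals within this window suggests sharing.
SHARING_WINDOW = timedelta(minutes=30)


def parse(log_text):
    """Return (timestamp, user, terminal, result) tuples for well-formed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, terminal, result = m.groups()
            events.append((datetime.fromisoformat(ts), user, terminal, result))
    return events


def allow_login(user, terminal, registry=DESIGNATED_TERMINAL):
    """The binding itself: a correct password is refused off the designated terminal."""
    return registry.get(user) == terminal


def find_violations(log_text=AUTH_LOG, registry=DESIGNATED_TERMINAL):
    """Report successful logins that the binding would have refused."""
    off_terminal, shared = [], set()
    last_seen = {}  # user -> (timestamp, terminal) of the last successful login
    for ts, user, terminal, result in parse(log_text):
        if result != "OK":
            continue
        if not allow_login(user, terminal, registry):
            off_terminal.append((user, terminal))
        prev = last_seen.get(user)
        if prev and prev[1] != terminal and ts - prev[0] <= SHARING_WINDOW:
            shared.add(user)
        last_seen[user] = (ts, terminal)
    return {"off_terminal": off_terminal, "shared_credentials": sorted(shared)}


if __name__ == "__main__":
    print(find_violations())
```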

…Disgusting

Naavi


Contingent Electronic Evidence and Evidence Drop Box, Concepts which we should be aware of..

After the Basheer judgement, there have been several discussions on the Section 65B (IEA) certification of electronic evidence for “Admissibility”. I suppose some clarity has dawned on the community with these discussions, though there are some areas which continue to create doubts.

In the recent SLP order issued by Supreme Court in the case of Shafhi Mohammad Vs State of Himachal Pradesh, the two member bench consisting of Adarsh Kumar Goel and Uday Umesh Lalit actually challenged the P.V Anvar Vs P. K Basheer judgement given by a three member bench and created confusion in the judicial circles.

One of the issues discussed in the Shafhi Mohammad case was how an electronic document present in a device not under the control of the producer of the evidence can be produced for admissibility. The Court came to a very illogical decision that in such cases, the Section 65B certificate itself is not required. We have already stated that the decision has to be ignored since a two member SLP order cannot override a three member Judgement.

Our objection to the order was that if at some point of time the presenter of evidence had access to an electronic document and today that document is not available for Section 65B certification, then it is a failure of the person in getting the Section 65B certificate at the time when he had access to it.

Since Section 65B certificate can be provided by any person who has a viewing access to the document, there should be no problem in getting the certificate if people are aware of the provision. Ignorance of law is not an excuse and hence if the original electronic document is no longer available and the earlier copy is not admissible because it is not Section 65B certified, then the evidence should be considered as lost.

Just because “Documentary Electronic Evidence” is lost, it does not mean that justice would be lost. It would be difficult of course but not entirely unthinkable.

For example, if you have just witnessed a murder before your eyes but did not take out your mobile and take a picture, the documentary evidence of murder is lost forever. It does not mean that you can excuse the evidence itself, since everybody does not carry a camera around to capture the events happening around.

However, we are not trying to debate why the SLP order said what it said and whether it was out of ignorance or out of a need to challenge other Judicial order or for any other purpose. We have another point emerging out of the situation which we have already discussed but can be recalled again.

In many instances, we do not know if an electronic document before us is an “Evidence” or not. But an intelligent person would know if it is a “Potential Evidence”. For example, when we enter into a business deal, we want a written paper so that if tomorrow there is any dispute, we know what we have agreed upon. The document becomes an evidence if there is a dispute before a judicial authority. Until such time, it is a redundant piece of paper.

In the case of electronic documents, the “Potential Evidence” if any, has to be archived along with a Section 65B Certificate so that if and when it is required later, the electronic document is already bundled with the Certificate at the archival center.

Once such a document is archived, even if the original gets destroyed, the evidence is still admissible. However, no person should deliberately destroy an evidence which is in his hands since it may attract Section 65 or Section 67C of ITA 2008 or Section 204 of IPC if what is being destroyed is an “Evidence” at the time it was destroyed.

There is however the case where we may have an archived electronic document along with a Section 65B certificate but the original was in the hands of a third party (e.g. ISP/MSP). Though law provides that such a person can be summoned to produce the evidence, many times this may not be practical or the document might have been removed in the ordinary course of business by the holder who did not know that it was “Evidential Matter”.

It was to accommodate such a situation that the Shafhi Mohammad order came to the absurd conclusion “Let’s do away with the Section 65B certificate itself”.

On the other hand, CEAC (Cyber Evidence Archival Center)  when confronted with the challenge in the E Commerce scenario, thought differently and introduced a service called “Evidence Drop Box”.

Evidence Drop Box is a service provided by CEAC to ensure that “Contingent Evidence” can be submitted for Section 65B certification without any cost and held in “Contingent” condition for a period of 30 days. By the end of this 30 day period if the person decides to use the “Contingent Evidence” as “Evidence”, he may request for a Section 65B certificate and acquire it at the cost specified by CEAC.

The “Contingent Evidence” becomes “Evidence” when the contingency materializes. For example, in an E Commerce transaction, when a purchase has been made on the basis of a product description that has been mentioned on the E Commerce website, the information provided about the product is “Marketing Information” and is read before the purchase decision is made but more often than not is not kept on record. If subsequently a “Dispute” arises and the buyer or the seller claims that the product description was not what the product supplied indicates, the “Marketing Information” becomes “Evidence”. The “Dispute” is therefore the contingency under which the contingent evidence turns into evidence.

The CEAC-Evidence Drop Box provides an opportunity to the buyer to deposit the evidence before he completes the purchase with no financial stake until the contingency arises.

It will take some time for the market to absorb the utility of this proposition and also some time for CEAC to automate and fine tune the certification process but it will be a boon to E Commerce in India.

Explore it next time when you make any online purchase.

Naavi


RBI is making a mistake in the PNB fraud case

As expected, media is crying as if Rs 11500 crores have been lost by PNB. Congress as expected is talking as if it is not Nirav Modi who is in question but Mr Narendra Modi himself. Both may be excused for their ignorance and need for TRP.

However, I am surprised that RBI has come out with a statement which is in my opinion legally incorrect.

Normally when letters of guarantee are issued, they are issued on stamped papers and with an understanding that the beneficiary will be “Paid without demur”. RBI is therefore saying that PNB should pay all the liabilities without contesting.

However, the PNB Chairman has rightly stated in his press conference that the bank would repay only bonafide claims.

I fully agree with the contention of PNB that they should not make payment blindly to anybody who makes a claim as beneficiary of the guarantee. They should challenge the claim since there is a “Notice of Defective Title” to the beneficiary and PNB is bound to exercise caution.

In this case, the lenders are supposed to have financed some valid business proposition with the letter of comfort as a collateral security. No Bank is supposed to treat a letter of guarantee as just an endorsement of a cheque and make payment just like that. If after this the venture fails for some reason and the cause of action for which the letter of guarantee was issued arises, then only the guarantee can be invoked and the issuing Bank is obliged to pay.

If the beneficiary is Nirav Modi’s own firm or there are other reasons for which the transaction for which the lender disbursed money was not justifiable for business purposes, then the transaction is prima facie suspect and the beneficiary himself can be considered as an accomplice to defraud PNB.

The forged letter of undertaking should be considered as a “Nullity” and not an “Authorized instrument that can create liability”.

If PNB can prove that the beneficiary had reasons to believe that the transaction is suspicious, then PNB would not be liable to pay.

Shareholders of PNB should therefore object to RBI’s instructions, which are meant to protect the other Banks which actually had a direct contractual relationship with Nirav Modi’s beneficiaries, while PNB itself is a victim of the fraud committed by its own officers.

We can accuse PNB of negligence, but that is for another day and another argument. It does not give license to other banks to accommodate Nirav Modi beyond his genuine business requirements and claim protection under the guarantee. The Guarantee would be valid if the beneficiary had taken the decision to lend as if there was no collateral in the form of the guarantee.

Further PNB should immediately revoke its guarantee and if there is any claim by any beneficiary, the beneficiaries may be asked to raise their claims with full particulars of how the lending decision was taken. It can then evaluate genuineness of the claims and decide the course of action.

At this point of time we do not have the actual text of the document and hence we do not know whether it was transferable and could be discounted with secondary lenders, whether any transfer was required to be registered with PNB, whether there was a time limit for validity and the claim, etc.

I suppose the press will get these details shortly but RBI should let PNB handle its liability without jumping in to protect other Banks like Allahabad Bank or State Bank of India.

If the liability gets divided with 30 Banks it may be fine. No single Bank will take a big hit. In future RBI should insist that the beneficiary should register his claim within a reasonable time after the guarantee letter is submitted to him and that would avoid situations like this.

The SWIFT system should provide for digital signature of such transactions and the digital signing should be registered automatically in the Core Banking System so that frauds like this cannot happen. Finacle as a CBS software should integrate the SWIFT messages with the CBS so that every SWIFT message is generated from within the Finacle system and duly recorded for audit at the Central office level.

Since it is stated that assets worth more than Rs 6500 crores have already been confiscated, and the lenders will have additional securities available to them, a substantial part of the actual losses may be fully recovered.

Hence neither RBI nor the media need to sensationalize this scam. The officials however need to be punished for the fraud.

Naavi


PNB Fraud of Rs 11500 crores was waiting to happen.

The Rs 11500 crore fraud in India in Punjab National Bank (PNB) was a fraud which was waiting to happen due to the negligence of the Bank and the software developers supporting the Banking operations.

It appears that those who developed the Core Banking software for the Bank had no understanding of the nature of controls that were required to prevent misuse of “Non Funded Lending”.  If money goes out of a lending transaction, it might be captured by the system. But when only a “Letter” goes out “Undertaking a liability to pay contingent to an event of default by a customer”, it may not get into the books until the liability fructifies.

If the liability does not fructify and the letter is issued for a period which lapses, no problem arises to the Bank except for the opportunity loss of a “Commission”.

Such activities lend themselves to “Kite flying” frauds, which is what has happened in this case. In the past, the Harshad Mehta Scam was in a similar mould. Even the Satyam Computer fraud was of the same nature. In all these cases, certain false papers were floated around on the basis of which another third party lent funds. When such kite flying frauds miss a repayment cycle, they snowball into a major scam with a cascading effect.

It is ironic that the name of the fraudster is Nirav Modi and the Congress would be happy to use the occasion to place the blame on Mr Narendra Modi as if Rs 11500 crores has gone to his pockets. Mr Rahul Gandhi who is an expert at spreading falsehood will soon start speaking about this fraud in the Karnataka elections. It would not help if Mr Nirav Modi has left the country and is absconding.

Compared to Mr Vijay Mallya’s case, which appeared to be caused by a business failure of the companies of Mr Mallya, this fraud is of a more criminal nature since it involves “Forgery” of a document in the name of PNB. Hence the kind of protection Mr Mallya may get from international legal processes for not forcing his return to India may not hold for Mr Nirav Modi. Once he is located, he can be quickly arrested on foreign soil with the help of Interpol and brought back to India.

It is critical for such speedy action to categorize this scam as a result of a “Forgery”. The forgery is because a false unauthorized letter of undertaking has been issued by some of the officials of PNB. Since these letters were issued without proper authorization, they have no legal validity.

Whether the beneficiary of the letter can go behind the unauthorized letter and claim the money from PNB has to be evaluated from the terms of the letter. If the liability arises any time after the public notice of the fraud has been received, then the beneficiary cannot make any claim on PNB.

For the contingent liabilities to fructify, the cause of action should be before the date of publication of the fraud and the demand should be immediately thereafter.

While frauds using “Contingent Obligations” issued in the name of a Bank or another organization are not new, in this particular case one can identify the failure of the internal controls of PNB: the message sent out over SWIFT undertaking a liability was not properly recorded as part of the Bank’s contingent liabilities in the balance sheet.

It is also supposed that no “Digital Signature” was used in the process of signing the letter of undertaking and it was an “Un-digitally signed” letter from the Bank sent out of a system where authentication was based only on password.

This is the failure of the design of the Banking software developed by large companies such as Infosys and used by all major Banks in India and abroad. The software developers only focus on functional aspects of the software and unless there is a domain specialist to assist the developer in understanding the fraud risks, they end up developing software which is not properly designed. The CBS used by PNB is one such software that appears to have not been developed by a proper Techno Banking professional team.

Unless Banks in India and the software companies providing CBS software understand the fraud prevention requirements to be built into the software, we will continue to see more of such frauds not only in the Banking domain but also in other fields.

I recall one of the early software architecture suggestions given by the undersigned to a broking firm where I had suggested control in the form of using accounting principles to track the risks of trading from the placing of the orders to the realization of money from the client etc.  Though it was not implemented, it appears that the PNB fraud would have been caught by such a design.
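The control argued for here and in the earlier note on SWIFT signing, that an undertaking may leave the gateway only if it was generated and booked inside the CBS, is shown below as an added example. It is not Finacle or PNB code: the ledger class, field names and sample records are hypothetical, and HMAC-SHA256 stands in for the digital signature.

```python
import hashlib
import hmac
import json
from decimal import Decimal

# Assumption: an HMAC key held by the CBS stands in for the digital signature
# the article calls for; a real system would use an asymmetric signature.
CBS_SIGNING_KEY = b"constructed-demo-key"

def _tag(ref, beneficiary, amount):
    body = json.dumps({"ref": ref, "beneficiary": beneficiary,
                       "amount": str(amount)}, sort_keys=True).encode()
    return hmac.new(CBS_SIGNING_KEY, body, hashlib.sha256).hexdigest()

class ContingentLedger:
    """Hypothetical CBS register of contingent (non-funded) liabilities."""
    def __init__(self):
        self.entries = {}

    def issue_undertaking(self, ref, beneficiary, amount):
        # Book the liability first; only then produce the signed message.
        if ref in self.entries:
            raise ValueError(f"duplicate reference {ref}")
        self.entries[ref] = (beneficiary, amount)
        return {"ref": ref, "beneficiary": beneficiary, "amount": amount,
                "sig": _tag(ref, beneficiary, amount)}

    def total_exposure(self):
        return sum((amt for _, amt in self.entries.values()), Decimal("0"))

def gateway_release(ledger, msg):
    """Decide whether an outbound undertaking may leave via the gateway."""
    booked = ledger.entries.get(msg["ref"])
    if booked is None:
        return False, "NOT_BOOKED_IN_CBS"      # typed outside the CBS
    expected = _tag(msg["ref"], msg["beneficiary"], msg["amount"])
    if not hmac.compare_digest(expected, msg.get("sig", "")):
        return False, "BAD_SIGNATURE"          # altered after signing
    if booked != (msg["beneficiary"], msg["amount"]):
        return False, "LEDGER_MISMATCH"        # signed, but not what was booked
    return True, "OK"

def demo():
    # Constructed sample messages: one genuine, one forged, one tampered.
    ledger = ContingentLedger()
    good = ledger.issue_undertaking("LOU-0001", "BANK-A", Decimal("50000000"))
    forged = {"ref": "LOU-0002", "beneficiary": "BANK-B",
              "amount": Decimal("120000000"), "sig": "00" * 32}
    tampered = dict(good, amount=Decimal("90000000"))
    results = [gateway_release(ledger, m) for m in (good, forged, tampered)]
    return results, ledger.total_exposure()
```

Because the ledger entry is created before the message exists, the balance-sheet exposure always covers everything the gateway will release.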

For the records however, we need to remember that

a) Not all of Rs 11500 crores will become a loss to PNB. PNB has to immediately send notices to recall all such undertakings and freeze their operations. They should give notices that these are forged letters not binding on the Bank. If there is any legal fallout arising out of this in international Courts, it should be faced.

b) This is a case of forgery and not a case of business failure like that of Mr Mallya and hence extradition from whichever country Mr Nirav Modi is in is not going to be tough.

c) PNB and other banks should review their software systems to ensure that they capture all contingent liabilities for which there could be a simple solution.

d) RBI should recognize the failure of PNB and the CBS (Finacle) as part of its own supervision failure.

e) Media should not create false propaganda and fear mongering that Rs 11000 crores might have been siphoned off. Most of these may be in the form of loans against assets and if they are recovered, most of the losses can be recouped.

f) Congress will keep shouting and this should be ignored.

g) The Government should not lose time in taking swift action across the globe and confiscate as many properties of Mr Nirav Modi as possible even before full legal process is initiated.

h) Courts and Anti-National Lawyers should be prevented from placing hurdles in the recovery of money which is of paramount importance now.

If proper action is taken the adverse impact of the fraud can be managed. At the same time proper corrective measures must be initiated for the future. “FINACLE” as a product appears to require a complete overhaul and hopefully the software companies involved must act immediately.

Naavi
