Certifier under Section 65B need not mandatorily be a witness also

Recently, I was posed a question as follows:

Quote:

Mr. A produced the CDR from SERVER with a Sec. 65B certificate, which was filed in the court by the IO. However, since Mr. A was not produced as a witness, both the CDR and the Sec. 65B certificate issued by Mr. A were not proved in court. The prosecution produced Mr. B in the court as a witness to prove the CDR. Mr. B brought a fresh printout of the CDR from the computer where Mr. A had saved it before leaving the MSP. The fresh printout of the CDR and the earlier one are exactly identical, and both carry the same date on which the first person (Mr. A) had produced the CDR from SERVER. Mr. B also brought a fresh Sec. 65B certificate, signed by him. He also stated in his testimony that the CDR had been transferred from SERVER to the computer by Mr. A, and that he (Mr. B) has now brought a printout of the same. In this scenario, when the original Sec. 65B certificate issued by Mr. A has not been proved, although on record, how will the court hold the subsequent Sec. 65B certificate issued by Mr. B valid in law?

Unquote:

P.S: My views on the above are given below. It may however be noted that-

I am aware that there are a few professionals who may not agree entirely with what is stated here. However, I consider that we are still in the process of crystallising the Cyber Jurisprudence regarding submission of Section 65B certificates and some differences of opinion are natural and are also welcome.

I am also aware that some Courts have accepted certificates under Section 65B under circumstances that are contrary to my view also. Even such decisions are part of the development of Cyber Jurisprudence.

We must not forget that even the honourable Supreme Court in 2005 made a mistake in the Afsan Guru case, which was corrected in the Basheer case on 18th September 2014. In 2004 itself, the honourable judge of the AMM Egmore Court, Chennai, in the Suhas Katti case and the Trisha defamation case, had established certain principles consistent with the views held by me since 17th October 2000 till date. Some experts argued that after the Afsan Guru judgement, my views were incorrect at least partially. But they had to accept the views after the Basheer judgement.

Similarly, what I am stating here could be disagreed with by some advocates and even by some Courts. Even in such a circumstance, I expect that these views will prevail in due course…. Naavi

Under Section 65B it is not mandatory that the certifier has to be a “Witness”. Even if this is so, the only requirement is to identify the person who has signed the report and to confirm to the Court that the report itself is not forged. If however, there are means for the Court to establish that a given report is not forged, then there is no need for the person to be also produced as a witness.

In fact, “Oral Evidence” with respect to an “Electronic Document” is not acceptable. When the signatory of a Section 65B certificate stands as a Witness, he cannot therefore provide any information other than what is already written down in the certificate.

He can only say “This is my signature. This report does not appear to have been tampered with”.

If he starts saying anything outside the written report, it could either be considered as “Irrelevant” or “An Opinion for which the witness has to be considered as an Expert Witness under Section 45A of IEA”.

The structure of a Section 65B Certificate, if submitted in the correct format, is such that it would indicate the process by which the “Computer Output produced for Evidence” was produced, and if any other person of ordinary prudence under similar circumstances repeats the process, he should get similar results. The exception would be when the evidence in the original binary form has been erased by somebody, in which case it would be an offence under Section 65 and Section 67C of ITA 2000/8. Then the Court has to admit or reject the computer output based on the establishment of the fact whether the witness is reliable or considered unreliable. If considered unreliable, the witness could be charged for perjury, and hence the Court has to be reasonably convinced that the witness is falsifying the document before rejecting the certificate, or at least qualify the rejection suitably so as not to endanger an honest witness who has produced the certificate in good faith.

In the instant case, it was not necessary for A to be produced as a “Witness”, and hence the contention that because he was not available as a witness, the document is not proved is in my opinion incorrect, though it may be an age-old practice in respect of paper based documents.

We are here not discussing evidence which is “Oral” or “Documentary” but another category of evidence which under Section 17 of IEA is classified as a document “contained in electronic form” (Electronic Document).

Rules for admission of an “Electronic Document” are based only on Section 65B, and other sections and prior practices are irrelevant.

Prosecution may therefore argue that the rejection of the first certificate was itself not correct, though I am not aware if it was produced and presented as per the standards which I recommend under Cyber Evidence Archival Center. (Naavi: Other experts are free to take the position that the standards set by CEAC need not be accepted and to reject my views if they so desire.)

Additionally, B has two options. Since he is an authorized person to log in to the server and view the CDR once again, he can do so and produce another Section 65B certified Computer Output which should be admissible in the proceedings. He can testify his signature to the report and that the report has not been tampered with by personal deposition and the Court would be comfortable.

Alternatively, his certificate can create a new Computer Output which may say, “I observed a document in xxx computer, which contained a document named……….. which has been produced here under the process described……..” etc.

The defence may, after admission, question the genuineness of the original binary document on the basis of which B’s certificate was produced. If the Court has reasons to accept the objection as reasonable and relevant, it can then call another expert under Section 45A to enable the Court to take a final decision. The Court, in my opinion, need not reject B’s certificate for admission but can accept the defence plea to call in another expert to assist the Court in examining the genuineness of the document.

This will naturally raise another question: whether such an “Expert” should necessarily be a Section 79A accredited Government agency. Since no such entity exists as of now, and since Section 79A does not necessarily say that any evidence given by any other expert is null and void, it is open to the Court to call an expert on whom it can rely and satisfy itself about the genuineness of B’s certificate.

I hope this satisfies the query.

(Kindly note that this is only the opinion of the undersigned as a person who has a demonstrated experience in the field related to Cyber Evidence and has submitted over 105 Section 65B Certificates since 18th February 2004 when the first certificate was produced and I was examined as an “Expert” in the Court on a subsequent date.)

Naavi


Awards are perceived as an endorsement and hence care is required before selection.

Recently, there has been a debate in professional circles on whether the multiple “Awards of Excellence” in Privacy and Security won by AIRTEL are an endorsement of its Privacy and Security practices by the organization giving out the award. The awards were granted by DSCI which is part of the Ministry of Information Technology and sponsored by NASSCOM. (Refer our previous article for details)

It was a fact that the day after the awards were announced, the license of AIRTEL Payment Bank was suspended for a gross misuse of the Mobile-Aadhaar linking process to make profits. The accusation was that Airtel opened Payment Bank accounts for those who linked Aadhaar to their mobile accounts and, by another faulty system, the Gas subsidies payable to each of the 23 lakh such mobile subscribers were transferred to Airtel Payment Bank accounts. The Bank therefore got deposits of around Rs 47 crores without any efforts and expenditure to acquire customers. Airtel Payment Bank could have taken a consent for opening the account by a fine print mention somewhere in an un-digitally signed electronic consent form, but most customers were not properly informed that the consent went beyond the linking of Aadhaar to the Mobile and opened new Bank accounts.

This was a deliberate action on the part of Airtel to cheat the public and make financial gain out of the act. In other words this was a fraud and betrayed lack of integrity of the organization. If Government of India is really concerned about “Privacy”, they should have launched prosecution of not only the Airtel Payment Bank but also Airtel. However, we know that Airtel has too much of a clout in Delhi and therefore no action would be taken. The award giving organization and the Jury failed to capture this aspect of the organization to which a “Special Jury Award” was being conferred.

While this issue was in public domain several days prior to the announcement of the award, it appeared that the awards were announced so that they could influence UIDAI to soften its stand or at least create a public perception that everything is hunky dory with Airtel. For records, Airtel Payment Bank’s CEO resigned so that MeitY can feel comfortable and not initiate any further action.

Airtel is a known serial offender which has been accused not only of customer billing frauds but also of hacking into the mobile browsing of its customers. We have discussed this in our earlier article “Airtel does a Maggi”, where Airtel was accused of introducing a script into the browser used by mobile customers.

This was also an incident that could be considered as a cyber crime in which the company could have been prosecuted but was not.

In the light of these known facts, it was a surprise that Airtel got three coveted awards from DSCI in its annual award ceremony. Obviously the question was whether the system of selection of the Jury, or the system by which the finalists were identified, or the system by which Jury conflict was avoided was faulty.

It appears that DSCI based its assessment on the applications submitted. Nobody doubts the ability of organizations like Airtel to put up a fantastic presentation that can floor anybody. Though the jury are expected to be intelligent and informed enough not to be swayed by presentations, they are also human and know that companies like Airtel are required as sponsors for many of the other activities of organizations like DSCI and have to be treated with respect. Hence, without raising too many questions, the presentations can be accepted as given and awards can be based on such self certifications.

One of the suggestions the undersigned put out was that the assessment should have been carried out based on monitoring the activity of an organization over a period and not based solely on the application.

For records, officials of DSCI maintain that “Award is not an Endorsement” and hence they should not be blamed for an awardee being undeserving. Yes, we agree. But has any disclaimer been put up on the Certificate making such a statement? Will the awardee be prevented from using the award for its publicity? Probably not.

In fact every award is a recognition which the awardee should be able to use for its publicity and as a motivation for further similar good work. Otherwise the purpose of an award would be defeated. At the same time, when an award is used in publicity, it will automatically be perceived as an endorsement. It is natural and cannot be avoided.

The award giving organization should therefore consider it as its responsibility to have a proper system of selection which is not amenable to manipulation.

I therefore suggest that DSCI, for the coming year's awards, make some changes to the system of selection.

They can announce the categories and eligibility criteria for different awards well in advance, receive advance applications and disclose the applications received to the public or at least to the community of Privacy and Security professionals. Also, the awards should be based on consistent performance over a period and not solely on the presentation made in an application.

In order to assess the performance and to enable monitoring of such activity, DSCI may create an “Opinion Drop Box” to which the public and Privacy and Security professionals can drop their views from time to time, whenever positive or negative events are noticed, which can be taken into account by the jury.

This Opinion Drop Box can be activated along with the disclosure of the application information to bring about greater transparency to the system, at least for a period of one month before the finalists are presented to the Jury. This would prevent false claims being made by the applicants misleading the jury.

This would enhance the value of the awards, bring better acceptance and should make DSCI itself more respectable in the community. It will also help the Jury avoid mistakes which hurt their own personal reputation.

I am not expecting that these suggestions would be heeded by DSCI, but the suggestion of creating a monitoring mechanism over a period before an award is given is an idea which even other organizations can follow and hence using this award process as an example, I am putting it out. Hope it would be useful for other organizations.

Naavi


AIRTEL Sweeps awards from DSCI…while the AIRTEL Bank CEO resigns….

AIRTEL is no doubt the leading mobile service provider in India. However when Airtel swept several awards in the recent DSCI Excellence Awards 2017, several eyebrows were raised. It was clear that the process used by DSCI to confer the awards appeared flawed to say the least.

One of the recipients of the award was “Airtel Payment Bank” which got a “Special Jury Recognition Award” for “Best Practices in Payments Bank”.

The awards were announced in the summit held between 13th and 15th of December.

On 16th December, as if on cue, UIDAI suspended Airtel Payments Bank’s eKYC license because it had misused the process to open Payment Bank accounts for customers who wanted to link their mobile accounts to Aadhaar without obtaining proper “Informed consent” from the customers. The opening of such accounts had a financial benefit for the Bank since it automatically transferred the Gas subsidies to these accounts. According to the report, more than 23 lakh customers had such accounts opened and over Rs 47 crores were credited to these accounts without the knowledge and consent of the customers.

If there was a Data Protection Act in India, Airtel would have been fined hundreds of crores in penalty for violating the privacy of 23 lakh customers. But DSCI considered this organization fit for an “Excellence Award”!!!

Now it is reported that the CEO of the Airtel Payment Bank has resigned. But what this Bank did was a reflection of the lack of Privacy and Security Culture in the Airtel family, and just because they can produce some nice Privacy policy statements designed by expert professionals, they should not get awards from a discerning institution which DSCI should aim to be.

Apart from this, Airtel also got “DSCI Excellence Award for Best Security Practices in Organization” where Airtel was classified as a “Critical Information Infrastructure”. DSCI Excellence award for Privacy in User industry also went to Bharti Airtel.

It was not surprising to note that the Jury panel had representatives from Airtel who could have directly or indirectly influenced the selection of the winners of the award.

Apart from the Global CIO of Airtel being in the panel, even the Jury Chair, Mr Pramod Bhasin, the chairman of Clix Capital, has a partnership with Airtel to launch a digital payment platform.

DSCI may say that these persons have recused themselves from the selection of winners in the category in which Airtel was a winner. This is not a convincing excuse since Airtel was winner in 2 of the four categories and also got a special jury award, which means that the Chairperson should not have participated in selections of 3 of the 5 categories. An HDFC Director was also in the panel and it also won an award. The CIO of Mahindra and Mahindra was in the panel and Tech Mahindra won an award. There was only one jury member who did not have any conflict and that was Mr Nandkumar Saravade of RBI.

The Jury panel constitution itself was inappropriate, though this is not a comment on the achievements and skills of each of the jury members. Conflict of interest is another matter and the Jury panel did not exhibit that it had no conflict.

As the public knows, Airtel is known for its sharp business practices and has often been accused of committing billing frauds. It was also accused of introducing tracking codes when its users browse through mobile (Refer Article Airtel Does a Maggi). This incident should have resulted in the prosecution of Airtel under Section 66 of ITA 2000/8, but the law enforcement agencies failed to take note and TRAI looked the other way.

It was therefore unthinkable that Airtel would get “Excellence” awards from DSCI on Privacy and Security. If they have, then it reflects more on the ability of the award giving organisation on framing its policies and selection of Jury.

We also observe that Axis bank, which is another notorious Bank known for insider frauds and lack of security, was a finalist in one of the categories, whereas they should have been rejected at the eligibility level itself.

These awards therefore represent a complete farce and if DSCI has to retain its reputation, they need to recall the award granted to Airtel particularly the special jury award given to Airtel Payment Bank.

However it is unlikely that DSCI will have the courage of conviction to recall the award. I urge them to prove me wrong.

Naavi


Black Money gets a Boost from SEBI. Mr Thyagi should be removed as SEBI Chairman

 

In a surprising but disgusting news report, Mr Ajay Thyagi, the Chairman of SEBI has come up with a public statement that is intended or likely to move the price of Bitcoin in the Exchanges.

Contrary to the popular opinion, Mr Thyagi has stated:

“Virtual Currencies have not posed any systemic risk to the economy”

“Government Panel is currently looking into the regulation”

Mr Thyagi was speaking at a CII summit when he made these statements. It must be remembered that Mr Thyagi represents SEBI which is the regulator who has so far failed to take any action against the Bitcoin exchanges which deal with the commodity called “bitcoin” without either the sanction from SEBI or from RBI.

By referring to Bitcoin and Virtual currencies as “Currencies”, Mr Thyagi has clearly represented them as “Currencies” which can legally be issued only by RBI. Any commodity touted as “Currency” though not recognized by RBI is just a “bit of paper” (In this case bit of electronic paper) and when value is placed on them, it is pure “Speculation”. The SEBI Chairman is fuelling such speculation and supporting Bitcoins through his irresponsible utterances. The statements can also be challenged as factual inaccuracies or clever manipulation of words that “At present Bitcoin is not a systemic risk” without saying that “In future it can be”.

For a regulator to refer to Bitcoin in a public meeting and to make a statement that Virtual Currencies have not posed any systemic risk to the economy is the height of deliberate misrepresentation to the public.

Bitcoin is an “Anonymously held value proposition” and is being used as a replacement of legit currency.

Can Mr Thyagi deny this if he is put in a witness box in a Court?

If Bitcoin is a value proposition that can replace legit currency like Rupee, how can anybody differentiate it from “Black Money”?

Mr Thyagi has by making such a statement said something to the effect “Black Money has not posed any systemic risk to the economy”.

Mr Modi and Mr Jaitley should take note of this.

This is absurd. If Mr Thyagi was not speaking from his regulatory position but as a representative of a Bitcoin start-up, his words would have sounded more honest. He needs to immediately clarify his position and in case the media has not represented him properly, he should state so.

Further by stating that the Government Panel is looking into regulation, Mr Thyagi has made it clear that a final view of how to treat Bitcoin has not yet been taken by the Government. This is fuelling the speculation that Bitcoin can still be recognized and will move the Bitcoin price upwards. In the recent days, the move of income tax authorities to ask for information from traders of Bitcoins in India had shaken the market a little and the statement of Mr Thyagi is meant to bolster the market.

It now appears that SEBI is one of the stumbling blocks in preventing action by the Government against Bitcoin. It may be recalled that Naavi.org had pointed out earlier in May 2017 that MCX which works under SEBI was indulging in “Insider Tampering” of the decision of this Government panel (Please read : Is MCX of India involved in insider tampering of the Committee on Bitcoins?.. Directors, Please answer) by posting some supporting views on the MCX letterhead when the Government had called for public opinion on Bitcoin regulation last year. At that time we had demanded an explanation from the Board of Directors of MCX. Subsequently the recommendation was taken down but SEBI did not take any action.

It is now clear that the attempt of tampering of the Panel decision by posting an opinion of MCX in the public forum had the blessings from the highest officials of SEBI.

It is now not possible to trust SEBI with any credible regulation of Bitcoin Exchange as it has spoken against the RBI and openly supported the Bitcoin community.

SEBI Chairman’s statement is against the known fact that Bitcoin and Virtual Currencies are the “Currencies of Criminals” and are “Black Money” in virtual form, whose identity is hidden by encryption so that the holder of Bitcoin cannot be identified. It can be moved across borders like data, cannot be identified when it moves in and out of the country in the form of data, and enables Indians to convert their wealth either in Indian currency or in Foreign currency to Bitcoins or other virtual currencies.

In this context, Mr Thyagi should immediately

a) Declare his holding of Bitcoins even if he wants to say that he does not hold any Bitcoins himself.

b) Resign from his position as the regulator since he has ignored the fact that there are “Exchanges” working in the country, trading in the commodity called “Bitcoin” without license from SEBI and he has failed to take punitive action.

I request Government of India to take immediate action in this regard to ensure that Mr Thyagi is replaced as SEBI Chairman.

Naavi


Hacking of EVMs is Cyber Terrorism

It is unfortunate that many of the politicians are irresponsibly commenting on hacking of EVMs. If anybody has suggestions to improve the security of EVMs, it should be welcome. But making irresponsible statements and spreading rumours is an attempt to undermine the Indian election mechanism and must be stopped.

As we understand, EVMs are manufactured by public sector organizations, shuffled before being issued for any particular booth, and are always under the physical custody of some officials. They are finally tested before they are committed for use. There are some kinds of checks subsequently on the total votes polled.

Naavi spoke long ago about the Cyber Law Compliance aspects of EVMs, and the EC has now introduced the VVPAT system (Voter Verified Paper Trail System), which will become mandatory by the next set of elections. In this system the voter views the printed slip before the completion of voting. Then the slips are collected in a sealed box. These slips will be counted if there is an election petition which orders the re-counting of the slips. If a person sees that the slip is different, then he can raise his objection then and there.

There is however a system of procedures designed to make it impossible to tamper with the EVMs under ordinary set of circumstances. Making theoretical claims or assuming that several Election Commission officials will collude etc is a mischievous claim not substantiated by evidence.

However, there are many opposition parties including the Congress party which uses EVM as an excuse to cover its losses.

Even when the VVPAT system is used, it is possible that some opposition party supporter may simply claim that the slip is different from what he has voted, and that it has fallen into the sealed box and cannot be verified. There are thus situations where false alarms may be raised by unscrupulous supporters of a political party to disturb the election process.

If this has not happened till now, it can be envisaged that it will happen next time. I will be surprised if such tactics are not used to discredit the system during the next elections in Karnataka since the current CM of Congress is himself opposing the EVM system.

In the light of these attempts to discredit the EVM system by unscrupulous politicians, it is necessary for Election Commission to ensure that no political party member or a member of the public makes a dishonest claim that EVM is hacked or is hackable.

In order to ensure that people are serious about EVMs, Election Commission should declare that EVMs are “Protected Systems under Section 70 of Information Technology Act 2000”. EC has already developed the standard operating procedure (SOP) for accessing the systems and hence a notification accompanied by the SOP as required under the Act can be quickly made.

Once EVMs are considered as “Protected Systems”, any attempt to hack any EVM, even by any employee of EC will be considered as an offence carrying a punishment of 10 years.

Additionally, under Section 66F of ITA 2000/8, any action that could damage or disrupt or adversely affect the EVMs can be considered as an offence under Section 66F (1) (A). Additionally, any incitement to commit hacking of an EVM or disruption of the EVM usage can be considered as causing injury to the interests of the state and brought under Section 66F (1) (B).

In either case, the offence carries an imprisonment of up to life and would be termed “Cyber Terrorism”.

EC has already given one opportunity to those claiming that EVMs are hackable to demonstrate the possibility. This was not used by any of the political parties such as Congress or AAP. Now the new kid called Hardik Patel has started talking of EVMs about which his knowledge may be suspect.

EC can however make another offer to anybody to seek an appointment to demonstrate their claim if they have any credible doubt. Obviously, they should demonstrate that the system can be hacked under the conditions under which they are used and not expect that the hacker would be able to open the machine and insert any chips into it. Such “Request for Demonstration” should be publicised and the person requesting must be made to deposit a security deposit to cover the expenses and prevent frivolous requests which can be returned only if the charge made is proved.

EC can also invite suggestions for improving the security of the system and honestly try to implement suggestions if they are useful.

I am sure that EC would not be averse to these suggestions which they should announce immediately and shut the mouth of irresponsible politicians.

Naavi


Limited Liability on Electronic Banking Frauds also extends to Cooperative Banks

On July 6, 2017, RBI released the circular “Customer Protection-Limiting Liability of Customers in Unauthorized Electronic Banking Transactions”.

The circular indicated that a customer is entitled to “Zero Liability” in case of loss arising out of frauds in E-Banking in the following cases:

a) There is a contributory fraud or negligence or deficiency on the part of the Bank irrespective of whether or not the transaction is reported by the customer

b) Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system and the customer notifies the Bank within three working days of receiving the communication from the Bank regarding the unauthorized transaction

Further the Customer would have a “Limited Liability” of Rs 5000 or 10000 or 25000/- (depending on the nature of the customer) in cases where the responsibility for the unauthorized electronic banking transaction lies neither with the Bank nor the customer and when there is a delay (of four to seven working days) in notifying the Bank.

If the delay in reporting such a transaction, where the fault lies with neither the Bank nor the customer, is longer than this, the Banks’ boards were expected to come up with their policies on how much of the liability they would bear.

However, even after nearly five months, we do not see any such policy from any of the Banks being announced, at least on their websites. (If any Bank disagrees, they are requested to keep us informed so that we can correct this statement). This shows that RBI has not been able to impose its regulation so far on the Banks.

The circular of July 6, 2017 was applicable to all Scheduled Commercial Banks including RRBs, All Small Finance Banks and Payment Banks.

Now, on 14th December, RBI issued a follow up circular extending the applicability of the Circular also to the Primary (Urban) Cooperative Banks, State Cooperative Banks and District Central Cooperative Banks.

While it was natural that all Banks which were in the E-Banking activity had to come under one regulation as regards protecting the Consumers, and it was more important in the case of the rural banks such as the Cooperative sector Banks, RBI needs to ensure that the Banks take its regulations seriously.

Recently, we came across a fraud in which a well known journalist reported that a supplementary credit card had been issued in her name and an outstanding debit in the card was claimed from her by none other than HDFC Bank. She also reported that the Bank refused to accept her complaint and insisted that the amount was payable by her.

In many instances the frauds happen because of “Phishing”. In some cases the customers do give out their Passwords or OTP without being aware of the possibility of the fraud. It is in such cases that Banks and Customers need to resolve who has to bear the liability. In most cases there would be no doubt that the customer would be a victim but the Bank tries to claim that it also is a victim and hence if the customer is negligent in giving away his credentials then he should bear the loss himself and not the Bank.

However, we need to ask the Bankers whether they are pitting their information security capabilities and knowledge against the awareness of the customer and claiming that the customer has to be more intelligent than the Bank. RBI has clearly advised these banks to adopt “Adaptive Authentication” and a robust Cyber Security Framework which should identify fraudulent transactions before they occur and take measures to prevent a fraud before it occurs. In some cases the money would have been debited to one account but the payment would not have been irrevocably paid out to the fraudster, and it may lie in the system with another Banker. In such cases, if the paying bank moves the collecting bank immediately and stops the withdrawal, the fraud could be prevented. But the Banks are so arrogant and fraudster friendly that they will raise 100 questions to the customer, such as that he should file a police complaint, give the complaint in writing, accept that he has given away the password etc., besides saying “my Manager is not available” etc., and delay action.

Many banks make their Call center access difficult and do not provide a specific fraud reporting mechanism directly on the SMS which they must send. If the customer says that they have not received the SMS, Banks often refuse to accept it.

All these hurdles need to be addressed by RBI by conducting the audit of Banks on the implementation of the July 6th Circular at branch level without which the intentions of RBI will not be implemented in practice.

RBI has also since June 2001, mandated that Customers should be protected by picking up the legal risk themselves and using the Cyber Insurance cover. But none of the Banks have so far sent one SMS to their customers about Cyber Insurance cover they have taken for them though they might have sent scores of messages for not linking Aadhaar.

The Chairpersons of the Banks need to be pulled up by RBI for ignoring the RBI guidelines and, apart from imposing some fine or the other, RBI must make an example of some Banks and suspend the Chairperson. Banks like Axis Bank which were considered as the habitual offenders during the demonetization days continue to carry on business without paying for their guilt.

The definition of “negligence” in the limited liability circular on the part of the Bank will have to be evaluated in this context of “Not correcting past mistakes” and even in case of Phishing where there is negligence on the part of the customer, “Contributory negligence” on the part of the Bank should be recognized.

It is some time back that ICICI Bank was pulled up by the Adjudicator of Tamil Nadu and made to pay for their negligence in the S.Umashankar case. Perhaps many have forgotten the case and there is a need for other similar judicial interventions holding the Banks liable for Banking frauds before we ensure security in the Banking scenario.

Some of these Banks are even challenging the RBI by adopting the use of Bitcoins and also the use of Block chain against the Banking laws. RBI unfortunately is unable to take corrective action and is letting the public continue to take risks which they should not take.

Will RBI now wake up and take necessary corrective action so that the Customers feel safe?

Naavi
