“Zero Liability for E Banking”… Let there be competitive compliance drive.. to join the Hall of Fame

A Bold Initiative by RBI

Just as our PM Mr Modi bit the bullet by demonetizing the Rs 500/1000 notes despite stiff resistance from many, RBI has bitten the bullet in issuing the Zero Liability guideline on E Banking transactions.

We need to congratulate Mr Urjit Patel for showing the courage in issuing the circular without making any critically adverse changes to the draft circular released in August 2016.

In the past, whenever RBI tried to bring in Customer friendly regulations, Bankers have always resisted the changes, and in such cases RBI has always been the one to yield. When the Damodaran Committee on Customer Services made some very good suggestions in 2011, the recommendations were not operationalized by RBI, ostensibly because Bankers were not supportive. Some of the suggestions made by that committee are now part of the Zero Liability circular of July 6, 2017.

We hope the same boldness will characterize the two more guidelines that we are expecting from RBI in the near future namely the “Bitcoin Regulation” and “P2P Lending Guidelines”.

For the time being we are happy that Mr Urjit Patel and his team have responded with a concern for the consumers in the Digital India environment, where there is a push from the Government for adoption of digital methods of payment for which part of the population is not mentally equipped and hence needs regulatory support with compassion.

Banks need to be reminded that when RBI or concerned citizens speak of “Zero Liability”, we are speaking in the interest of genuine customers of the Bank, about whom the Banks should be more concerned than we are. Most of the time, when Banks respond in a friendly manner and pay back the fraudulent amount lost, they will not only be winning back a loyal customer and preventing him from shifting out, but also gaining a person who will bring many more good customers to the Bank. On the other hand, when Banks start litigating against the customer, they are actually condoning the actions of a fraudster in preference to a genuine, honest though somewhat gullible and negligent customer, and losing him and his friends forever.

We can see some of this concern also reflected in the RBI’s circular if we closely observe some of the wordings used.

The systems and procedures in banks must be designed to make customers feel safe about carrying out electronic banking transactions.

Banks should put in place a system of continually and repeatedly advising customers on how to protect themselves from electronic banking and payments related fraud.

The SMS alerts shall mandatorily be sent to the customers, while email alerts may be sent, wherever registered.

 The existing customers must also be individually informed about the bank’s policy.

Banks must provide customers with 24×7 access through multiple channels (at a minimum, via website, phone banking, SMS, e-mail, IVR, a dedicated toll-free help line, reporting to home branch, etc.) for reporting unauthorised transactions that have taken place and/ or loss or theft of payment instrument such as card, etc.

Banks shall also enable customers to instantly respond by “Reply” to the SMS and e-mail alerts and the customers should not be required to search for a web page or an e-mail address to notify the objection, if any.

Further, a direct link for lodging the complaints, with specific option to report unauthorised electronic transactions shall be provided by banks on home page of their website.

The loss/ fraud reporting system shall also ensure that immediate response (including auto response) is sent to the customers acknowledging the complaint along with the registered complaint number.

The communication systems used by banks to send alerts and receive their responses thereto must record the time and date of delivery of the message and receipt of customer’s response, if any, to them.

On receipt of report of an unauthorised transaction from the customer, banks must take immediate steps to prevent further unauthorised transactions in the account.

Banks may also at their discretion decide to waive off any customer liability in case of unauthorised electronic banking transactions even in cases of customer negligence.

 The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank.

 Banks shall formulate/ revise their customer relations policy, with approval of their Boards, to cover aspects of customer protection, including the mechanism of creating customer awareness on the risks and responsibilities involved in electronic banking transactions and customer liability in such cases of unauthorised electronic banking transactions. 

The policy shall be displayed on the bank’s website along with the details of grievance handling/ escalation procedure. The instructions contained in this circular shall be incorporated in the policy.

As an ex-Banker, I have always treasured the slogan of our Bank “Good People to Grow With” and hope this should be remembered by the new generation Bankers who focus only on profits even if it is at the cost of a good customer.

I urge Banks like ICICI Bank, Axis Bank, PNB and SBI, who have many pending litigations with their customers, to respond positively and apply the guidelines under this circular to all their present litigations by settling the disputes through mediation with the customers. There should be no ego barriers in agreeing to pay back to the customers the losses they were made to suffer because of Phishing or other problems.

Don’t Blame Victim Customers 

Today, I saw a report in Times of India in which a Banker was quoted as saying

“We have had cases where the customer swore he had never shared his credentials but it turned out that the electronic payment was made by family members using the customer’s credential.”

The comment is attributed to a retail head of a Private Bank. I suppose this person whose identity has not been provided in the report should remember that there are many many more cases in which the Bank employees are hand in glove with the fraudsters in committing the fraud.

If the Banks did not open accounts for fraudsters without proper KYC, most of the phishing frauds would not occur. If the Banks took care to inspect their ATMs and check the working of CCTVs, many of the ATM frauds would not occur. If the Banks were careful that their own employees do not leak passwords to fraudsters, many frauds would not happen. If the Bank’s Information Security team understood how to configure “Adaptive Authentication”, many of the frauds would not occur.

I need not stress how Bankers have indulged in frauds that facilitated the conversion of black money by opening benami accounts, granting loans against non-existent properties, and giving unviable loans to industrialists in consideration of bribes paid to the bank executives.

So blaming a negligent or ignorant victim-customer and passing derogatory remarks that he could be fraudulently claiming a loss is deplorable.

I hope that this “Retail head” who is blaming the customers as “Fraudulent” should turn his head inwards and see where the bigger fraudsters can be found.

I wish that this person tenders an apology to the public for making such derogatory comments. He should appreciate that the customers who approach the Bank reporting a fraud are “Victims of Fraud”, and even if a customer has been cheated by his own family members, spouse, driver or other close acquaintances, it does not make him a willing fraudster himself. He has to be treated with respect.

If this is not understood, that person is unsuitable to be a “Retail head” in a Banking institution. I wish his top bosses in the Bank take note of this.

I wish Times of India reveals the identity of this person and seeks an apology from him and Times Now takes this up as an indication of “VIP Arrogance” like the politicians who throw fish at the officials or use chappals to hit Airline officials.

Another Executive Director of a Private Bank is reported to have expressed unhappiness that they will have to invest more on SMS and Monitoring services.

….Dear friend,

If you cannot secure the transactions you want to profit from, you have to avoid the risk by refraining from E-Banking. Do not expect poor customers to bear the cost of insuring themselves while Banks introduce services without proper security.

Next time you travel on an airplane, if you find that the airline is not following proper security measures because it costs more money, will you tolerate it?

Remember that Banks exist for the Customers and By the Customers and not the other way round.

Naavi.org will now keep watching how different Banks start responding to the new RBI circular and periodically we shall report on this website the compliance efforts taken by the Banks. I request customers of the Banks to report their observations. I also invite Banks to report their own measures of compliance in this regard.

Naavi.org will also try to create a Hall of Fame to recognize those banks who do more than others to follow the spirit of this RBI Circular by watching the developments as reported in the websites of these Banks.

Let there be a “Competitive Compliance Effort” between the Banks to be more compliant than the other, and let Customers gravitate towards those Banks which are Customer oriented and use Technology to provide better service rather than simply to make more profits. We will soon provide the parameters for evaluation of the “Compliance Index” with specific reference to this Circular and indicate it on this site. Suggestions in this regard from other Customer Service organizations and Concerned citizens are welcome.

In the first phase, we will choose the top 5 Banks and evaluate them for compliance after one month. The Banks which will be observed for compliance in this first phase will be State Bank of India, Punjab National Bank, ICICI Bank, HDFC Bank and Axis Bank.

Watch out for this “First Hall of Fame Evaluation” report by next month.

Naavi


“Zero Liability” for Bank frauds… Customers need to take some precautions…

After waiting for more than 10 months and repeated reminders at all levels including the Finance Minister and the Prime Minister, RBI finally came out with its circular of 6th July 2017 titled “Customer Protection-Limited Liability in Unauthorized Electronic Banking Transactions” as a follow up of its August 11, 2016 draft circular.

Between the draft circular received for public comments on August 11, 2016 and the final circular of yesterday, there is not much of a difference, except that the customer’s liability for notifying the Bank after a delay of 3 days has been increased from Rs 5000/- to Rs 10000/- (except for the BSBD accounts (Basic Savings Bank Accounts)) and to Rs 25000/- for larger accounts.

 Zero Liability of a Customer

A customer’s entitlement to zero liability shall arise where the unauthorised transaction occurs in the following events:

  1. Contributory fraud/ negligence/ deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer).
  2. Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorised transaction.

A customer shall be liable for the loss occurring due to unauthorised transactions in the following cases:

  1. In cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.
  2. In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer, but lies elsewhere in the system and when there is a delay (of four to seven working days after receiving the communication from the bank) on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer shall be limited to the transaction value or the amount mentioned in Table below, whichever is lower.

Maximum Liability of a customer (Report between 4-7 days)

  1. BSBD Accounts: Rs 5000
  2. All other SB accounts; Pre-paid Payment Instruments and Gift Cards; Current/ Cash Credit/ Overdraft Accounts of MSMEs; Current Accounts/ Cash Credit/ Overdraft Accounts of Individuals with annual average balance (during 365 days preceding the incidence of fraud)/ limit up to Rs.25 lakh; and Credit cards with limit up to Rs.5 lakh: Rs 10000
  3. All other Current/ Cash Credit/ Overdraft Accounts; Credit cards with limit above Rs.5 lakh: Rs 25000/-

Further, if the delay in reporting is beyond seven working days, the customer liability shall be determined as per the bank’s Board approved policy. Banks shall provide the details of their policy in regard to customers’ liability formulated in pursuance of these directions at the time of opening the accounts. Banks shall also display their approved policy in public domain for wider dissemination. The existing customers must also be individually informed about the bank’s policy.

It is also stated that the bank shall credit (shadow reversal) the amount involved in the unauthorised electronic transaction to the customer’s account within 10 working days from the date of such notification by the customer (without waiting for settlement of insurance claim, if any).

Banks may also at their discretion decide to waive off any customer liability in case of unauthorised electronic banking transactions even in cases of customer negligence.

The credit shall be value dated to be as of the date of the unauthorised transaction.

Further, the complaint shall be resolved by the Bank within 90 days, failing which the Bank should reimburse the amount to the customer, ensuring that there is no interest loss to the customer.
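The zero and limited liability rules above, the per-transaction caps in the table, and the 10 working day shadow reversal together form a small decision procedure. The Python below is an added worked example written for this post (it is not code from RBI or from any Bank) that encodes those rules and computes the customer’s liability for a constructed set of debits. The names `Fault`, `AccountClass`, `Debit` and the `policy_beyond_7` hook are chosen for the example; working days are taken as Monday to Friday, ignoring bank holidays; and treating every debit made after the customer’s report as the Bank’s loss in all cases, not only the negligence case, is this example’s assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Callable, List, Optional


class Fault(Enum):
    """Where the circular places the deficiency that led to the unauthorised debit."""
    BANK = "bank"                # contributory fraud/negligence/deficiency of the bank
    THIRD_PARTY = "third_party"  # deficiency neither with bank nor customer, elsewhere in the system
    CUSTOMER = "customer"        # customer negligence, e.g. payment credentials shared


class AccountClass(Enum):
    BSBD = "bsbd"          # Basic Savings Bank accounts
    OTHER_SB = "other_sb"  # other SB, PPIs/gift cards, MSME CC/OD, individuals up to Rs 25 lakh, cards up to Rs 5 lakh
    LARGE = "large"        # all other current/CC/OD accounts, credit cards with limit above Rs 5 lakh


# Per-transaction caps from the circular's table: customer reports between
# 4 and 7 working days after the bank's communication (third-party breach).
CAP_4_TO_7_DAYS = {
    AccountClass.BSBD: 5000,
    AccountClass.OTHER_SB: 10000,
    AccountClass.LARGE: 25000,
}


@dataclass
class Debit:
    amount: int                 # rupees
    after_report: bool = False  # True if it hit the account after the customer had reported


def customer_liability(fault: Fault, account_class: AccountClass, debits: List[Debit],
                       working_days_to_report: int,
                       policy_beyond_7: Optional[Callable[[int], int]] = None,
                       bank_waives: bool = False) -> int:
    """Rupees the customer bears under the circular's rules.

    policy_beyond_7 stands in for the bank's Board-approved policy (which the
    circular leaves to the bank); the caller supplies it as a function of the
    total loss, and it is consulted only for a third-party breach reported after
    seven working days.
    """
    if bank_waives or fault is Fault.BANK:
        return 0  # zero liability irrespective of when (or whether) the customer reports
    # Assumption of this example: anything debited after the report is the bank's loss.
    before = [d.amount for d in debits if not d.after_report]
    if fault is Fault.CUSTOMER:
        return sum(before)  # entire loss until the customer reports
    # Third-party breach: liability depends on how quickly the customer reported.
    if working_days_to_report <= 3:
        return 0
    if working_days_to_report <= 7:
        cap = CAP_4_TO_7_DAYS[account_class]
        return sum(min(a, cap) for a in before)  # per transaction: value or cap, whichever is lower
    if policy_beyond_7 is None:
        raise ValueError("reported after 7 working days: bank's Board-approved policy required")
    return policy_beyond_7(sum(before))


def shadow_reversal_due(notified_on: date, working_days: int = 10) -> date:
    """Last day for the provisional credit: `working_days` working days after notification.
    Working days are Monday to Friday here (assumption; bank holidays are ignored)."""
    day = notified_on
    remaining = working_days
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5:
            remaining -= 1
    return day


# Constructed sample: two fraudulent debits, the second after the customer reported,
# and a notification date taken as the day after the circular.
SAMPLE_DEBITS = [Debit(40000), Debit(8000)]
SAMPLE_WITH_LATE_DEBIT = [Debit(40000), Debit(8000, after_report=True)]
NOTIFIED_ON = date(2017, 7, 7)

if __name__ == "__main__":
    for days in (2, 5, 9):
        try:
            print(days, customer_liability(Fault.THIRD_PARTY, AccountClass.OTHER_SB, SAMPLE_DEBITS, days))
        except ValueError as e:
            print(days, e)
    print(shadow_reversal_due(NOTIFIED_ON))
```

Running it shows the three bands for the same two debits: nothing on day 2, Rs 18000 on day 5 for an ordinary SB account (Rs 40000 capped at Rs 10000 plus Rs 8000 in full), and a request for the Bank’s own policy on day 9.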

Burden of Proof

Most importantly, the burden of proving customer liability in case of unauthorised electronic banking transactions will lie on the bank.

Security Procedures to be adopted

 The circular goes on to also mandate that the systems and procedures in banks must be designed to make customers feel safe about carrying out electronic banking transactions. To achieve this, banks must put in place:

  1. appropriate systems and procedures to ensure safety and security of electronic banking transactions carried out by customers;
  2. robust and dynamic fraud detection and prevention mechanism;
  3. mechanism to assess the risks (for example, gaps in the bank’s existing systems) resulting from unauthorised transactions and measure the liabilities arising out of such events;
  4. appropriate measures to mitigate the risks and protect themselves against the liabilities arising therefrom; and
  5. a system of continually and repeatedly advising customers on how to protect themselves from electronic banking and payments related fraud.

Precautions to be taken by the Customer

In order to protect themselves from the frauds arising out of “Unauthorised transactions”, Customers should ensure the following.

It is the Bank’s responsibility to ensure that a mobile alert is provided for “All Debits”. When an alert comes in, the customer needs to check and if the transaction is not authorized, he should immediately report to the Bank for which Bank should publish contact information and provide for a “Reply” to the message.

The customer can ensure that his mobile is registered with the Bank. However, we know that many times we may not be able to check messages as and when they come in; sometimes they may come in at night or when, say, you are on a flight. Most frauds occur in a single transaction or in multiple transactions which all occur in quick succession. It is unlikely that the customer would be able to respond in time to stop the fraudulent withdrawals before the account is cleaned out.

If the customer is missing any alert, he should record it by informing the Bank and keeping record of such reports. If the customer is going abroad where he may miss the alert, he should ensure that the account is suitably locked or alternate arrangements are made by limiting the transaction limits.

Whenever the Bank receives any instruction from the customer, the banks should match the location of the transaction with the known location of the customer (eg: he is abroad or he is in the village when the transaction is reported from elsewhere etc).

Even the OTP is answered from a mobile whose location is easily available to the Bank, and if the Bank does not have systems to monitor these, it should be considered as “Inadequate security” and challenged.

We suggest that Banks introduce a system by which the transactions should have a mandatory gap of at least 5 minutes between two successive transactions to avoid such frauds besides an option to the customer to switch off the transactions any time he wants. Customers should be able to switch on the transactions at will and switch it off immediately after the transaction. For this purpose the alert should have an automatic option to switch off for a stated period like we put our WhatsApp on “mute” from time to time.
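The controls suggested in the last few paragraphs (a mandatory gap between successive debits, a customer-operated on/off switch with a mute window chosen from the alert, and matching the origin of an instruction against the customer’s location known to the Bank) can be expressed as one screening step on the Bank’s side. The Python below is an added example written for this post, not code from any Bank or from the circular; the `screen_debits` function, the “hold” decision (do not execute, send the alert and wait for the customer’s reply), and the constructed sample debits are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_GAP = timedelta(minutes=5)  # mandatory gap between successive debits, as suggested above


@dataclass
class Debit:
    when: datetime
    amount: int
    origin: str  # where the instruction / OTP response came from, as known to the bank


@dataclass
class CustomerControls:
    known_location: str                     # customer's current location known to the bank
    enabled: bool = True                    # customer's on/off switch for transactions
    muted_until: Optional[datetime] = None  # "mute" window the customer picked from an alert


def screen_debits(debits: List[Debit], controls: CustomerControls) -> List[Tuple[Debit, str, str]]:
    """Return (debit, decision, reason) for each debit in time order.

    'allow' means execute and send the usual alert; 'hold' means do not execute,
    alert the customer and wait for a reply. A held debit does not reset the
    5-minute clock, so a burst of attempts cannot lock out a genuine later one.
    """
    results = []
    last_allowed: Optional[datetime] = None
    for d in sorted(debits, key=lambda x: x.when):
        if not controls.enabled:
            results.append((d, "hold", "transactions switched off by customer"))
        elif controls.muted_until is not None and d.when < controls.muted_until:
            results.append((d, "hold", "inside customer's mute window"))
        elif d.origin != controls.known_location:
            results.append((d, "hold", f"origin {d.origin} differs from known location {controls.known_location}"))
        elif last_allowed is not None and d.when - last_allowed < MIN_GAP:
            results.append((d, "hold", "less than 5 minutes since the previous executed debit"))
        else:
            last_allowed = d.when
            results.append((d, "allow", "passed all checks"))
    return results


def decisions(debits: List[Debit], controls: CustomerControls) -> List[str]:
    """Just the decision strings, in time order."""
    return [decision for _, decision, _ in screen_debits(debits, controls)]


# Constructed sample: four debits late at night, three from the customer's city
# in quick succession and one from elsewhere.
T0 = datetime(2017, 7, 7, 22, 0)
SAMPLE_DEBITS = [
    Debit(T0, 5000, "Bengaluru"),
    Debit(T0 + timedelta(minutes=1), 5000, "Bengaluru"),
    Debit(T0 + timedelta(minutes=6), 5000, "Bengaluru"),
    Debit(T0 + timedelta(minutes=7), 5000, "Mumbai"),
]
CONTROLS_NORMAL = CustomerControls("Bengaluru")
CONTROLS_OFF = CustomerControls("Bengaluru", enabled=False)
CONTROLS_MUTED = CustomerControls("Bengaluru", muted_until=T0 + timedelta(hours=1))

if __name__ == "__main__":
    for d, decision, reason in screen_debits(SAMPLE_DEBITS, CONTROLS_NORMAL):
        print(d.when.strftime("%H:%M"), d.origin, d.amount, decision, "-", reason)
```

With the normal controls the first debit goes through, the second is held for being inside the 5-minute gap, the third is allowed because six minutes have passed since the last executed debit, and the fourth is held because its origin does not match the location the Bank knows for the customer. With the switch off or a mute window in force, every debit is held and alerted.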

There would be occasions when there is a dispute between the Bank and the Customer regarding whether a notice was sent or not, etc. The customer may then be at a disadvantage. Hence the customer should create evidence that he had reported the unauthorized transaction (one can use the Cyber notice service of ceac.in for this purpose) and hold the acknowledgement for future reference.

It goes without saying that when a customer receives a phishing call or e-mail, he should not respond. If any such call comes in, he should report it to the Bank as well, stating that he has not responded, and the Bank should take action to block the mobile number or e-mail address used, just as it shuts down Phishing websites, as a part of its security due diligence. Since this could also be a point of dispute later, customers are advised to use the Cyber-notice service (refer to the www.ceac.in or cyber-notice.com websites, links to which are available from this site).

We anticipate that in cases where a customer has received a phishing call, the Bank may allege that he responded to it even if the customer swears otherwise. Though the circular clearly says that the burden to prove such disclosure is on the Bank and not the customer, it is possible that Banks would bully the customer and, just as in a Police interrogation an accused admits to an offence he might not have committed, the customer may be forced to say something to the effect of “I don’t know” or “I don’t remember”, which the Bank may latch on to and claim that the customer has admitted. Remember that Banks record call centre conversations, and they should be asked to produce the recordings as evidence if they claim that the customer has admitted disclosure of credentials.

Banks also need to have good adaptive authentication systems; at present none of the Banks have proper systems in place, and hence customers should be able to prove “Lack of Due Diligence” on the part of the Bank most of the time.

We should also remember that as long as Banks continue to use instructions that are not digitally signed, or OTPs, for authentication, they are not following the law and hence are vulnerable to being held negligent when challenged in a Court of law. Banking law never recognizes a “Forgery” as valid, and hence any electronic transaction where the customer’s signature is forged is a nullity, even if the Bank may claim difficulty in recognizing the forgery.

The circular itself refers to “Insurance” which we have always held as mandatory for banks and they need to cover their losses through insurance and not think of burdening the customer with the loss.

There could be several more precautions that the customer can take such as using only Prepaid cards, keeping FD accounts not attached to the account, refusing increase of credit card limits if he does not need it, etc.

Banks should refrain from indiscriminately issuing cards to people who do not understand the implications of secure usage, and avoid situations where the customer may be negligent.

Some of the common mistakes that people make, such as “Writing the PIN on the back of the card” or “Answering the Phishing call”, should be pointed out to the customer at the time of issue of the card, and a specific acknowledgement that the “safety precautions were read out to the customer and he has understood them before accepting the card” should be obtained under a third party witness (introducer); the declaration should be held with the account opening form as a part of the routine procedure. Bank auditors should ensure that such records are kept properly.

RBI has informed Banks that they should undertake customer education through various means and this has to be implemented and audited.

Banks should quickly come up with their policy regarding how they handle the implementation of the above circular and modify their SMS alert systems within the next one week and report it to the RBI as part of the month end compliance report.

Banks which presently do not have 24X7 call centres which are actually responsive (the operator should pick up the call within the first three rings, at least for the separate number designated for these complaints) should ensure that such call centres become operational immediately.

Any customer who finds that his Bank does not have the necessary measures envisaged in this circular (such as SMS alerts not being sent) may kindly report it to Naavi.org (Special cell for monitoring Implementation of Limited Liability Circular) through the e-mail address available on the website (check the contact page). We will try to maintain a record of such complaints as part of our public service so that they will come in handy when proving the negligence of the banks at a later date.

We will provide supplementary instructions from time to time on this site as and when necessary. Please do keep writing to us. More services from Ceac.in and Cyber-notice.com, along with the special service charges applicable to such services, would be indicated at the earliest.

Kindly note that this circular has not indicated any prospective effect and hence in all cases including the present pending cases where disputes exist, customers should approach their Banks and seek remedy under this circular. Since this is now part of the Bank’s service, even the Banking Ombudsman has to take up complaints related to these instances without brushing it aside. 

Naavi

Refer RBI Circular here


At Last, the Limited Liability Circular is Operationalized

After a long wait, the Limited Liability Circular issued on August 11, 2016  (Also refer an earlier article), has now been operationalized.

In a notification released today, RBI has finally issued the circular as an operational circular. (The earlier circular was a draft circular for public comments.)

We welcome the circular which is definitely going to help some of the customers. Bankers will also have a breather since in cases where they can prove that the customer has parted with the credentials for a phishing call, they may try to avoid the liability.

The essence of the circular is that Bankers should have a linked mobile of the customer and should not fail to issue an SMS alert for every debit to the account. In case of any unauthorized transaction, if the customer informs the Banker within 3 days, he shall have zero liability. If the information is given after 3 days but before 7 days, the liability shall be limited to Rs 5000 for BSBD SB accounts.

In case of other SB Accounts, Pre-paid Payment Instruments and Gift Cards, Current/ Cash Credit/ Overdraft Accounts of MSMEs, Current Accounts/ Cash Credit/ Overdraft Accounts of Individuals with annual average balance (during 365 days preceding the incidence of fraud)/ limit up to Rs.25 lakh and Credit cards with limit up to Rs.5 lakh, the liability will be limited to Rs 10000/-

In other cases (All other Current/ Cash Credit/ Overdraft Accounts and Credit cards with limit above Rs.5 lakh) the liability will be limited to Rs 25000/- .

If the Bank is informed beyond 7 days, the Bank will still be liable but the extent of liability would be as per the Bank’s policy (Which needs to be defined).

These limits will be applicable where the customer has no “Contributory Negligence” where he has parted with information on his account to phishing calls.

We will discuss a more detailed implication of this circular and also some services which Naavi.org would provide to Bank customers to take advantage of the circular in subsequent posts.

Naavi

 


Can Bitcoin Exchanges in India be booked for Treason and Cyber Terrorism?

Police in Patiala have reportedly busted an “Abduction” (Kidnapping) case in which the ransom demand was made in Bitcoins. This has therefore raised a question once again about the role of Bitcoins as a  “Currency of Criminals” and the need to treat it as such.

See the report about Kidnapping here

According to the report, a trader by the name of Ashu Jain was kidnapped by 6 persons on May 30, and they demanded 20 Bitcoins (approximately Rs 40 lakh equivalent) from his family. He was released after 6 days, and we should presume that the family was compelled to buy bitcoins as indicated and deliver them to the kidnappers. The purchase would perhaps have been done through ZebPay or Coinsecure or some such Bitcoin exchange.

The kingpin was one Mr Deepak, who is a B.Sc (IT) and an MBA graduate. Unfortunately, he has applied his technical knowledge and business acumen in the wrong way, discrediting his educators as well.

The Police will have a strong case under IPC for Abduction, Illegal Confinement, Threat to Murder, Asking for Ransom etc… The punishment could be several life sentences and I wish this is strongly pressed and the person denied bail.

We can use this opportunity to also discuss the responsibility and liability of the Bitcoin exchanges who have aided and abetted in this transaction, whereby the family was forced to shell out its white money to buy bitcoins and deliver them to the criminals as a reward for their offence. In the process the white money has become “Criminal Earnings”, and the exchange has abetted this offence under the Prevention of Money Laundering Act (PMLA). Also, just as Afzal Guru was tried for funding a terror activity, the exchanges are liable to be treated as abettors of the Kidnapping and can be tried for life imprisonment.

If Mr Avnish Bajaj could be tried under Section 67 (ITA 2000) for his company facilitating the sale of an obscene video file for a total gain of less than Rs 1000, there is no reason why the owners of the Bitcoin Exchanges which were involved in this transaction should not be tried for life imprisonment for abetting a crime which may fall under Sections 364, 364A, 365 etc. of the IPC.

As regards the Bitcoin Exchanges, they have represented to the family that “Bitcoin is a currency” and hence are liable under the RBI Act for promoting an “Electronic piece of paper” as “Legal Tender”. Also, the commodity is being traded for and against the Rupee without SEBI registration as “Commodity Traders”, and hence penalties under the SEBI Act would also have to be considered.

If the sale involves any dealings with a non resident, then there would be also the FEMA considerations.

Apart from these, we all know that Bitcoin (and other AltCoins) are promoted as an innovative currency that is “Deregulated” and “eliminates the need for a Central Banking Agency like RBI and the Banks who are licensed for money exchange”.  The Indian Bitcoin exchanges have been aggressive in this aspect particularly in the last couple of months.

Now just think, If any person says that

“I want to destroy the Central Banking System of the country and float my own system of Currency”,

what would it be?

In my opinion it would amount to “Treason” and punishable as such under IPC for waging war against the Nation.

RBI is also a Critical Information Infrastructure and any direct or indirect attempt to kill the system would also amount to an offence or an attempt to commit an offence under Section 66F of ITA 2000/8. This is called “Cyber Terrorism”.

Applying Section 85 and Section 79 to these, the CEO and the Directors of the Bitcoin Exchanges can easily be booked under ITA 2000/8.

It is up to these exchanges to come out and voluntarily assist the prosecution and claim to be treated as “Approvers” and friends of law enforcement. Otherwise they can try to defend themselves under Section 79 of ITA 2000/8, claim that they have exercised due diligence as an intermediary, and take a chance.

I request Mr A.S.Rai, the IG of Patiala, and Chief Minister Captain Amarinder Singh to pursue this angle so that in future no Indian will ever dare to ask for Bitcoins as ransom, either for physical kidnapping or for injecting ransomware into IT systems. For this purpose the FIR has to include the Bitcoin Exchanges (unknown at this point of time) who assisted in providing the Bitcoins, and the log records of each of the Bitcoin exchanges operating in the country have to be investigated to identify how the Bitcoins were sourced by the family.

This would be a deterrent measure to promote Cyber Security.

I hope the members of the “Taskforce” of the Bitcoin Regulation committee of the Ministry of Finance, and Reserve Bank of India, as well as SEBI and MCX will all take note of this development and understand that if they try to legitimize Bitcoins for whatever consideration, they will be guilty of supporting an act of Treason and Cyber Terrorism in India.

 

Naavi

Peer to Peer Lending Platforms and Regulatory Compliance

Peer to Peer Lending (P2P lending) is a relatively recent innovation in the “FinTech” business space. It is an interesting development enabled by technology platforms which can instantly bring together people with complementary needs.

The Uber and Ola platforms are similar. BlaBlaCar and other car pooling mechanisms are also similar attempts. Of these, taxi operators have now been brought under a regulatory regime as if the technology platforms were themselves taxi operators. Even the GST has specified the manner in which these taxi operations will be taxed. States have already passed legislation in their transport laws on regulatory mechanisms for these entities. E Commerce market places, including OLX or Quikr etc., dealing with “Goods” on a peer to peer basis have also been operating for some time under the regulations of ITA 2000/8.

However, P2P lending is in the financial sector and may have to be dealt with differently when it comes to regulation. P2P lending is a system where persons with surplus money to invest lend directly to persons who need to borrow. It therefore comes close to what may be called “Banking”, which is by tradition a heavily regulated sector. Apart from the Banking Regulation Act and the RBI Act, there could be other legislation that limits the rate of interest or the manner of recovery etc. We therefore need to look at this sector differently from other technology platforms dealing with C2C transactions.

We are aware that the classic definition of “Banking” is “Accepting Deposits from public for the purpose of lending”.

According to the RBI Act (Section 5), Banking is defined as

“banking” means the accepting, for the purpose of lending or investment, of deposits of money from the public, repayable on demand or otherwise, and withdrawal by cheque, draft, order or otherwise;

The P2P lending IT start-ups are proposing to set up a platform which will register “Borrowers” and “Lenders” and try to match the borrowers and lenders into a personal loan contract. In between, the service provider takes the “Commission” or “Brokerage” or “Service Charges”.

Unlike a Bank, the P2P platform does not borrow and pay interest to the depositor and also does not lend and collect interest from the borrower. It therefore remains outside the transaction and acts only as a match maker.

There is no doubt that this so called “Innovation” does overlap with the function of “Banking” and requires RBI to take a policy view.

Currently, any entity that tries to take public money is either working as a “Bank”, “NBFC” or “Payment Bank” under the regulations of RBI, or as an entity regulated under the issue of securities by SEBI. Individual money lenders are not permitted to release public advertisements and collect deposits from the public. It is however possible for individuals to borrow money from other individuals directly on a one-to-one basis by private negotiation.

Apart from these regulations on who can take deposits from the public and how, there are regulations on the maximum interest that can be charged as well as Tax Deduction at Source. There are State level laws on “Chit Funds” that also may affect loans within a common group.

One of the main risks that RBI has to worry about is: “If a large number of the public are lured into investing in the P2P platform based on the brand name of the platform, and if they are unable to recover their money and the platform goes bust, then will the RBI have served a public cause?”

The Saradha scam and various other Chit Fund scams which we have seen throughout our lives indicate that when money is collected from the public at rates of interest higher than what is offered by the Banks, the public will not be able to evaluate it under a “Risk-Reward” equation. They will move money from Banks and hope to earn more without understanding the difference in risks associated with the lending. The failure of CRB Capital Markets around 1996 introduced the “Credit Rating Scheme” for deposits of NBFCs. This accelerated a huge shake up in the then thriving NBFC industry and hurt even major players. Only a handful of them like Sundaram Finance and Shriram survived.

The risk of such scams resurfacing in the form of P2P lending cannot be ruled out. Hence “Regulation of P2P platforms” is extremely critical for the healthy development of Financial Services activity.

Innovation cannot be Destructive in the guise of being Disruptive:

In the last month there has been a buzz in the industry that RBI is about to come up with a guideline for P2P lending.

In particular I draw the attention of the public to the following articles:

  • ‘RBI guidelines on P2P lending platform likely by June-July’ - Economic Times
  • RBI proposes P2P lending regulations - Livemint.com
  • RBI Finalises Norms For P2P Lending Platforms; Final Guidelines To Be Out In 2-3 Weeks - inc42.com
  • RBI guidelines to act as a growth catalyst for P2P business - Yourstory.com
  • Investors to eye RBI Move to regulate P2P lending - Luthra & Luthra

In April 2016, RBI had released a consultative paper for public comments on the proposed P2P lending platforms. Afterwards, like many consultative papers, this one also went into hiding, and it appears to have suddenly resurfaced in the last week. This obviously indicates a Public Relations exercise undertaken by some vested interests which wanted to create a favourable mood in the market before RBI comes out with its announcement.

This looks very similar to the behind-the-scenes machinations seen in the Bitcoin regulation push. As in the Bitcoin push, here also it seems to be the Finance Ministry that is involved in the policy making. According to one of the sources, the comment “The guidelines should be out soon. The norms will be out before July-end.” was attributed to a Finance Ministry official and not RBI.

The Finance Ministry also seems to have given a micro instruction that it proposes “to register these institutions as Non-Banking Financial Companies (NBFC)”, completely taking over the decision making from RBI to itself.

As per the proposed guidelines, which are no longer a secret and are already fixed for RBI to sign on the dotted line, the regulatory framework would majorly encompass the following regulations:

  • Permitted Activity: The platform could be registered only as an intermediary and will be prohibited from giving any assured return either directly or indirectly. It will be allowed to opine on the suitability of a lender and the creditworthiness of a borrower, and the platforms will be prohibited from being used for any cross-border transaction.
  • Prudential Requirements: Prudential requirements will include a minimum capital of INR 2 Cr, with a prescribed leverage ratio and prudential limits on maximum contribution by a lender to a borrower/segment of activity.
  • Governance Requirements: This includes a set criterion for promoters, directors, and the CEO, with preference to a financial sector background. The guidelines may also require the P2P lender to have a brick and mortar place of business in India.
  • Business Continuity Plan (BCP): The platforms need to put in place adequate risk management systems for smooth operations. A BCP and backup for the data needs to be put in place since the platform also acts as a custodian of the agreements/cheques etc.
  • Customer Interface: Confidentiality of customer data and data security would be the responsibility of the platform. P2P lending platforms may be prohibited from promising or suggesting a promise of extraordinary returns. Also, the current regulations applicable to other NBFCs will be made applicable to the P2P platforms in regard to recovery practice.
  • Reporting Requirements: Platforms will need to submit regular reports on their financial position, loans arranged each quarter, complaints etc. to the Reserve Bank. The bank may come out with a detailed reporting requirement.

The indications are therefore clear that some influential entity has ensured that the Finance Ministry will take the decision and push it down the throat of RBI as in the case of the Bitcoin regulation.

In the light of this development we saw a news report today in the Times of India stating that a new venture, “billionloans.com”, has raised $1 million in funding from the Reliance-owned Reliance Capital Trust.

Fine. We now know why there is so much interest in the guidelines being issued to regulate P2P lending. Now we can wait for the actual guidelines to come out.

While I do not cast any aspersions on the new venture referred to above, when I took a cursory glance at the website, it was clear that the project is in a shoddy state of compliance, and if this is an indication of the “Due Diligence” that Reliance Capital has done, it reflects poorly on their expertise.

At the same time, unless there is a major change, it appears that Mr Bala’s reputation will be at stake in this venture. I would take this opportunity to alert him that associating with a finance activity with a low level of compliance culture is a huge risk. There is no need to remind us of the problems the Sahara Chairman is having. In the past even General Manekshaw and Sachin Tendulkar had difficult times due to their association with some companies.

My first impression of the billionloans.com website was that they have simply lifted the terms and conditions from a US company. It is otherwise funny to see that dispute resolution is by binding arbitration under the laws of the US by the US based Arbitration Council.

The first para of the dispute clause states:

“This Agreement is governed by the laws of the State of California, USA, without regard to its choice of law or conflict of law provisions. If any dispute arises between you and billionloans, including, without limitation, any dispute arising from or relating to the Website or the Program, you agree that all such disputes will be determined exclusively by final and binding arbitration, in accordance with the then existing commercial rules of the American Arbitration Association in San Francisco.

The arbitration shall be heard and adjudicated by one arbitrator to be selected by you and billionloans…”

“Any award will be final, binding and conclusive upon the parties, subject only to judicial review provided by California statute, and a judgment rendered on the arbitration award can be entered in any court having jurisdiction thereof…

Notwithstanding the foregoing, either you or billionloans may seek any injunctive relief in a state or federal court in San Francisco, California, as may be necessary to preserve rights pending the completion of arbitration and billionloans may seek any injunctive relief in a state or federal court in San Francisco, California, or another court of competent jurisdiction, at any time against any violations of Section 2 (Proprietary Rights) or Section 3 (Acceptable Use) of this Agreement.”

The Company should know that India has an Arbitration Act and if they want to sell their services in India they need to abide by the Indian regulations.

The second para of the clause does mention Indian laws by stating:

“This Agreement shall be construed and interpreted in accordance with the laws of India and the courts and tribunals in Bangalore shall alone have the jurisdiction thereof. If any dispute arises between you and billionloans, including, without limitation, any dispute arising from or relating to the Website or the Program, you agree that all such disputes will be determined exclusively by final and binding arbitration, in accordance with the laws of India and the courts and tribunals in Bangalore shall alone have the jurisdiction thereof.”

In the light of the first para, I do not know what the force of the second para is and whether it will stand. What it could mean is that after the arbitration by the US arbitration tribunal, if there is an appeal it can be taken up in the Bangalore Court, and we all know that it will be thrown out in the first sitting itself.

I want RBI to be aware that this is the attitude of the P2P Platforms that they may register and permit raising money from the Indian public. If tomorrow a scam surfaces, RBI cannot say they were not forewarned.

As regards the risk of loss for the lenders, the platform engages the services of “Field Partners” who will be the local agents having direct contact with the borrower or the lender. They will be like the branch managers of the finance companies who are there today, vanish tomorrow and are not liable for the repayments. They will be mules who will take the blame while the Platform owners may say they are not liable. These mules will be helpless and take the blame if the investor loses his money. The “Field Partner” may also be the local muscle man who is using your money for funding his lending activity and will be untouchable if there is a dispute.

The repayment terms include the following wording:

“If, for any reason, the Field Partner(s) are unable to collect Loan repayments directly from the Borrowers or if billionloans, for any reason, is unable to collect Loan repayments directly from the Field Partner(s), repayment of your Loan could be at risk of partial or total delay or non-repayment and a loss of some or all of your principal could occur.

You hereby acknowledge and agree that billionloans is obligated to repay only such Loan principal to the extent actually received by billionloans from a Field Partner with respect to a Borrower. None of billionloans, its Field Partner(s) or any Borrower will have any obligation to pay interest on the Loan or other fees or amounts (other than as expressly set forth above) to you or any other Lender in connection with any Loan you make. billionloans and Field Partners charge fees and interest on loans posted on the Website to Borrowers, for example, cover their operational expenses……If for any reason less than 100% of your Loan is repaid, you agree that billionloans and its Field Partners shall have no liability therefor, and you hereby release and forever hold harmless billionloans and its Field Partners for any loss you may incur. You should consult with your accountant and/or tax advisors to determine the appropriate tax treatment of such a loss…”

This essentially protects the platform and its agents and places the entire credit risk on the lenders who have no control on the recovery process and have to blindly trust the “Field Agents” that the P2P platform engages.

The aggregate liability that the P2P platform owner is accepting is indicated here:

“Notwithstanding anything contained in these terms of use, billionloans’s aggregate liability to the Lenders, Field Partners and/or Borrowers for any damages shall not exceed the amount of total introducers fees received by billionloans from the user and end user…”

What this means is that in the unlikely event of a liability arising, Billionloans will pay back the 2% or 3% commission that it has collected on the transaction. (P.S.: There is an exception, however, in the case of Data Protection related loss.)

Another issue which most of the P2P service providers need to check now is the impact of GST on the transaction. Both the lender and the borrower need to pay GST since they avail of a service from the platform and the Field agents. The net return of the lender gets adjusted for the tax effect, which will be 18% either way on the service charges. Since both parties are likely to be unregistered but the intermediary is registered, there could be a “Reverse Charge” on the platform owner, and he may have to jack up the fees to cover this loss, ultimately recovering it from the service users.

While billionloans collects sensitive personal information, there is no recognition that the Company is liable either under Section 43A or under Section 79, indicating how unprepared they are in running a business of this nature.

I am not sure if the other P2P lenders who are also in the market are as bad as billionloans.com in designing their terms, but it is unlikely that they will be much better.

It is such entities that the RBI is now required to register and, for the sake of being considered progressive, allow to cannibalize Banks’ deposits and simultaneously endanger the community’s interests.

Bank interest rates are likely to remain low and come down further in the coming months, and at that time if the P2P lenders enter the market with funds from venture capitalists to advertise, it would not be difficult for them to divert not only Bank deposits into their coffers but also poach the profitable consumer loan portfolio of Banks.

Unless the P2P platform is owned and managed, along with ownership of the liability, by a licensed banking institution that maintains Capital as per the Basel II/III norms, P2P lending is a high risk venture from the point of view of the public interest.

I suppose RBI will be strong enough to resist the pressure from the Finance Ministry and uphold what is correct from the principle of prudent lending.

I wish RBI as well as the Finance Ministry under Mr Arun Jaitley would respond to this post with their views. In the meantime, members of the public who happen to view this may kindly share it with other prudent Bankers and send in their comments.

I have sent an e-mail to billionloans.com in the morning itself seeking their comments and if they provide any rejoinder, I will be happy to publish it here.

I suppose that some corrective action will be taken by billionloans, though a major change is required in their business model if this business is to come anywhere near acceptance in India.

The ball is however in RBI’s court and I look forward to a good decision from them. It would not be sufficient if they simply publish a guideline and expect the technology companies to comply. What can be guaranteed is that the technology companies will completely ignore the regulation and do what they want, and RBI will keep the responsibility for allowing such businesses to loot public money.

Naavi.org will be closely watching the identity of the particular officer who will eventually pass the regulation and mark him for responsibility if things sour some time in the future.

Naavi

Posted in Cyber Law | 3 Comments

Information Technology Structure for NBFCs.. RBI issues guidelines

On June 8, 2017, RBI issued an important document containing guidelines for an Information Technology Framework for the NBFC sector. The Master Direction sets detailed guidelines for managing the IT infrastructure of NBFCs in order to enhance the safety, security and efficiency of IT operations. The guidelines are on the lines of the Gopalakrishna Working Group (GGWG) recommendations for Banks and cover

  1. IT Governance
  2. IT Policy
  3. Information and Cyber Security
  4. IT Operations
  5. IS Audit
  6. Business Continuity Planning and
  7. IT Services Outsourcing.

Subsequently, in 2016, a Cyber Security Framework for Banks was also mandated.

While the directions proceed on the expected general principles of good IT Governance, it is interesting to note that Information Security has been defined to include “Authenticity” as one of the basic tenets apart from the well known CIA principle (Confidentiality, Integrity and Availability). The Total Information Assurance model which the undersigned recommends is based on a similar thought process and in fact extends it to a fifth tenet, “Non Repudiation”. “Non Repudiation” is an extension of “Authenticity”, and hence the new RBI quartet of CIAA can be seen as no different from Naavi’s adoption of CIAA plus Non Repudiation.

The IS policy is recommended to be built on:

  1. Identification and Classification of Information Assets: NBFCs shall maintain a detailed inventory of Information Assets with distinct and clear identification of each asset.
  2. Segregation of Functions: There should be segregation of the duties of the Security Officer/Group (both physical security as well as cyber security) dealing exclusively with information systems security and the Information Technology division which actually implements the computer systems. The information security function should be adequately resourced in terms of the number of staff, level of skill and tools or techniques like risk assessment, security architecture, vulnerability assessment, forensic assessment, etc. Further, there should be a clear segregation of responsibilities relating to system administration, database administration and transaction processing.
  3. Role Based Access Control: Access to information should be based on well-defined user roles (system administrator, user manager, application owner etc.). NBFCs shall avoid dependence on one or a few persons for a particular job. There should be clear delegation of authority for the right to upgrade/change user profiles and permissions and also key business parameters (e.g. interest rates), which should be documented.
  4. Personnel Security: A few authorized application owners/users may have intimate knowledge of financial institution processes and they pose a potential threat to systems and data. NBFCs should have a process of appropriate checks and balances in this regard. Personnel with privileged access like system administrators, cyber security personnel, etc. should be subject to rigorous background checks and screening.
  5. Physical Security: The confidentiality, integrity, and availability of information can be impaired through physical access and damage or destruction to physical components. NBFCs need to create a secured environment for the physical security of IS Assets, such as secure location of critical data, restricted access to sensitive areas like the data center etc.
  6. Maker-Checker: This is one of the important principles of authorization in the information systems of financial entities. For each transaction, at least two individuals must be necessary for its completion, as this will reduce the risk of error and will ensure reliability of information.
  7. Incident Management: The IS Policy should define what constitutes an incident. NBFCs shall develop and implement processes for preventing, detecting, analysing and responding to information security incidents.
  8. Trails: NBFCs shall ensure that audit trails exist for IT assets satisfying their business requirements including regulatory and legal requirements, facilitating audit, serving as forensic evidence when required and assisting in dispute resolution. If an employee, for instance, attempts to access an unauthorized section, this improper activity should be recorded in the audit trail.
  9. Public Key Infrastructure (PKI): NBFCs may increase the usage of PKI to ensure confidentiality of data, access control, data integrity, authentication and non-repudiation.

It is interesting to note that RBI stops at making a suggestion that NBFCs may increase the usage of PKI and does not go for a mandate though any prudent NBFC would like its operations to be fully compliant with the law of the land though the regulatory authority has given them a certain cushion.

A separate mention has been made of a “Cyber Security Policy”, though experts would consider Information Security and Cyber Security as interdependent.

As indicated in the Cyber Security Framework (CSF) for Banks, the directions require that “The adequacy of and adherence to cyber resilience framework should be assessed and measured through development of indicators to assess the level of risk/preparedness. These indicators should be used for comprehensive testing through independent compliance checks and audits carried out by qualified and competent professionals. The awareness among the stakeholders including employees may also form a part of this assessment.”

Similarly, a “Cyber Crisis Management Plan” has also been suggested which includes Detection, Response, Recovery and Containment principles. As in the CSF, it has been stated that NBFCs are “Expected” to be well prepared to face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks.

A specific mention has also been made of the necessity to take necessary preventive and corrective measures in addressing various types of cyber threats including, but not limited to, denial of service, distributed denial of services (DDoS), ransom-ware / crypto ware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc.

Additionally, a Cyber Incident Reporting mechanism has also been suggested on the format similar to that meant for the Banks and the reporting has to be done within 24 hours. (Format)

On the mobile, “End to End Encryption” has been mandated to maintain information security. A warning has also been sounded on the risks of using Social Media for marketing and the possibility of malware distribution through this channel.

For smaller NBFCs with an asset size of less than Rs 500 crores, it has been suggested that an appropriate Information Technology policy be put in place by September 30, 2018.

In summary, one can observe that RBI, as with its earlier guidelines, is washing its hands of the matter by sending out a circular. It has been observed that RBI does not normally care to follow up on the implementation of any of its Information Security related circulars, at least as we have seen in the Banking sector. Hopefully they will be more proactive in implementation since NBFCs are not as powerful as Banks and cannot arm-twist the RBI.

Naavi

Posted in Cyber Law | Leave a comment