Supreme Court demands RBI to check Bitcoin

In a welcome development on the Bitcoin front, the Supreme Court of India has taken note of the possible illegal use of Bitcoin and is reported to have questioned RBI on its inaction in taking a decision on Bitcoins. It has given a four week deadline to examine all security related issues pertaining to virtual currencies including Bitcoin.

The Supreme Court has also sought information on the steps taken by the government and the RBI to ensure digital currencies aren’t used for terror funding and money laundering.

(See Report here)

It may be recalled that the Government of India has been examining the issue of whether Bitcoins have to be legalized in India and there has been a gathering of public opinion in this regard through the Mygov.in website last month. During that time there was a concerted effort from the industry to push the Government into taking a stand inclined to either recognize Bitcoin as a “Legal Tender” or at least say that the Crypto Currency is being “Observed”.

Naavi.org has been repeatedly stating that Bitcoin and all other privately controlled crypto coins have no place in the economy and there is no option other than declaring them as “Illegal”.

However there is undoubtedly an effort, mounted by the industry, to influence the Government into taking a decision in favour of Bitcoin legalisation. Even the above report in Cryptocoinnews.com ends up with a hope that “A Ban is highly unlikely”.

Any attempt to promote Bitcoin as a “Currency” that can be used for payment for goods and services is per-se violation of the RBI Act and those who indulge in such promotion may be punishable with imprisonment of 3 years.

It is no secret that Bitcoin is being used by criminals and terrorists and hence any thought of continuing its usage in India is completely unacceptable.

If Bitcoin is not immediately declared illegal, there is a likelihood of more Indian black money being converted into Bitcoins.

It is good that the Supreme Court has taken cognizance of these possibilities and put pressure on RBI to spell out its policy and not remain silent in this regard.

A report in Livemint.com quotes M/s Nishith Desai, the legal firm representing some of the Bitcoin industry players, as suggesting that the industry should “Self-regulate”.

It is not clear how an illegal activity can “Self-regulate”. The law firm is trying to mislead the public that by what they call “Self regulation”, the ill effects of Bitcoin could be curtailed. The self-regulation that the industry is talking of is for the Bitcoin exchanges to follow KYC principles and identify the buyers and sellers in the exchange. This will not make “Bitcoin” legal or “Bitcoin Exchange activity” legal. It is surprising that SEBI has not so far taken penal action on Bitcoin Exchanges for running the exchange business like a “Commodity Exchange” without any authority.

Supreme Court should have also pulled up SEBI for its inaction in this regard.

During the recent effort to gather public view on Bitcoin regulation through MyGov.in, there was an effort from MCX itself to support legalization of Bitcoins. When this was vehemently opposed by Naavi.org, the comment posted by MCX on the MyGov.in site was removed without any explanation. This indicated that there were perhaps corrupt elements within the Government who want Bitcoins to be legalized.

The Supreme Court observation and direction therefore may perhaps be making some people in the power corridors a bit uncomfortable.

We however welcome the direction of Supreme Court and urge RBI to immediately come out with

a) Declaration that Bitcoin being represented as “Currency” is punishable under RBI Act

b) Declaration that Bitcoin being traded like either a commodity or a foreign exchange currency is illegal and punishable under RBI Act

Since Bitcoin is per-se not legal, there is no further regulation that needs to be considered except to declare that any person in possession of Bitcoin is presumed to have acquired it illegally through the illegal exchange activity and hence is punishable.

The question of collecting tax also does not arise since the trading itself is illegal and any profits made thereon are not legal ab initio.

Criminal punishment may perhaps be spared if the holders voluntarily declare and hand over their Bitcoin holdings to the RBI for destruction, as is done when fake currency or drugs are confiscated.

It is observed that the Bitcoin exchange rate has fallen drastically in the last few weeks and it could be a result of the realization that India may not fall into the Bitcoin trap by allowing current status.

Another trap which RBI should avoid is to restrict its ban only to Bitcoin and leave out other AltCoins. It must be recognized that Bitcoin is easily convertible into other Altcoins and hence all privately controlled Crypto currencies must be considered as fungible and equally illegal. Hence the ban should extend to all such Crypto Currencies.

Unless RBI introduces its own Crypto Currency, there is no scope for any other Crypto currency to be legally recognized in India. What is left is for the RBI to clear the air and remove the uncertainty that may encourage some innocent persons to invest their hard earned white money into Crypto Coins and lose.

Naavi


Cyber Security Laws… the flavour of the season

Close on the heels of the China Cyber Security Law, we now have a draft of a comprehensive Cyber Security law from Singapore. Both are interesting pieces of legislation that require a detailed analysis which we may keep for a later day.

These developments will obviously trigger a thought on whether India should also consider a similar law.

In India, we have the ITA 2008 which provides the office of the Director General, CERT-IN, all the powers required to implement an effective Cyber Security plan across the Cyber Space. These powers are supplemented by Sections 69, 69A and 69B, which give the secretaries of Home and IT additional powers that can lead to Cyber Security related decisions. Once the Data Protection law comes in, there will be a “Data Protection Commissioner” in place.

Presently, RBI already regulates the Financial Sector which is the key sector for Cyber Security. CERT-IN is restricting its control mostly to the Critical Information Infrastructure and is not imposing itself on the private sector as regards Cyber Security issues.

Most of the objectives that the Singapore legislation tries to achieve can be achieved in India through notifications by the CERT-IN. Legal empowerment is already present and we may not need a separate law to reach our objectives though the temptation for a new law is always great.

Probably CERT-IN needs to expand its work force base to meet all the responsibilities that an Apex Cyber Security Organization needs to fulfill. It also needs to step out of Delhi and start a sub-office in places like Bengaluru to be in close touch with South India and the IT hub.

Such regrouping and enhancement of CERT-IN resources is perhaps a more effective option than to think of another separate law with overlapping powers for executives and additional expenditure for the Government.

Perhaps more discussion is needed on this aspect and the two day conference in Delhi on “Securing Cyber Space-2017” on July 14th and 15th should be one forum in which these discussions may start.

Naavi

Reference:

Singapore releases draft of a Cyber Security Law

China Cyber Security Law-analysis by KPMG

China Cyber Security Law

US Cyber Security Laws


China Risk Flagged …by the Home Ministry

Yesterday, after the NSE technical glitch, Naavi.org raised the suspicion that it could be a Cyber Attack probably emanating from China. Today, it appears that this angle is being pursued with further investigation by the Home Ministry, taking into account other recent incidents.

According to this report in Hindu, “The government’s senior cyber security officials are looking into both the Airtel and Jio incidents to see if they were possible attacks,” ….” they expected to know more about the cases in the next few days”….”the attacks could have emanated from a neighbouring country.”

The incidents flagged include the 32 lakh debit card data that was breached, Network outage experienced by Airtel on July 7, and Jio data breach reported on July 9.

This “China Risk” has long been ignored by the Telecom industry in pursuance of “Profits at any cost”. A few years back, the Government had set up a “Security Certification Lab” at IISc in Bangalore to certify telecom equipment from a security perspective after coming to know that some of this equipment had a backdoor, apparently to enable remote servicing of the software. We have not heard much about the activities of this lab except that the operations of the lab were sponsored by none other than “Huawei”! The logic of getting the activity sponsored by the Chinese equipment supplier with connections to the Chinese Government must be known only to the then Government and the officials who represented it in the committee that supervised this project.

It is not clear if our Government under Modi has come out of the clutches of Chinese influence and the perception is that it has not. In this context the caution sounded by the Home Ministry as per this report is welcome.

The report also says that  the Home Ministry official also said “We have been warning the telecom companies for long regarding the use of Chinese products. Earlier personalisation of SIM cards was being done by Bharat Sanchar Nigam Limited (BSNL) for a fee, but later on the contract was given to Chinese companies. Essentially all telephone data is with the Chinese and we had warned against this dependence,”

Now that the Home Ministry has flagged this issue, we need to see some action to remedy the situation.

I had recently pointed out the danger of using Chinese made Finger Print scanners for the Aadhar Enabled Payment System, suggesting that the data would be diverted to China. I therefore suggested that unless we are able to develop “Tamper Proof” biometric scanners in the facilities of BEL or ECIL, we should defer the implementation of AEPS.

I wish that at least now the relevant ministry officials realize the risk of using imported Biometric devices in AEPS and ensure that we do not make the mistake of going ahead with AEPS without proper preparation.

We know that Jio uses a biometric device for registration of customers and we do not know if it is Chinese made equipment. Maybe some of the security professionals can check with the Jio dealers and let us know if this could be one of the reasons the Jio customer data was leaked. According to one report even the CDR data of 120 million Jio users is available on the dark web for a price. If this is so, then Jio has a lot to explain about its security preparedness. Probably the giant IT companies who are working with Jio in designing its systems, some of which are Indian companies, need to explain their perspective of security in Jio.

I have a doubt that apart from the data that was leaked out, there is a possibility of Aadhar registered biometric data also being available in a stored form because all Jio customers were registered with Aadhar KYC.

Now the Government has asked other mobile service providers also to link Aadhar and some of them are stating that it would require biometric based KYC and not merely providing the Aadhar number. The risk of biometric data being leaked is therefore very much there in this process.

I therefore request the Government to ensure that no Chinese made biometric devices are being used by the mobile service providers to register Aadhar.

In the meantime we await the result of the investigations about the NSE technical glitch to find out whether it was indeed a Cyber Attack from China as we surmise or really a normal technical glitch.

Naavi.org is fully in support of the movement to reduce the national dependence on Chinese products as a means of opposing the Chinese support to Pakistani terrorists through border skirmishes. Many feel that the Chinese dependency is so deep rooted that it would be difficult to impose “People’s Sanctions” that can really hurt China, but it is still a mark of protest that requires pursuing.

Naavi


NSE Operations Disrupted… Is there a Cyber Attack?

At around 9.15 am today as soon as the markets opened, after the first few ticks, the NSE system developed a glitch and its cash market rates stopped getting updated.

Probably the contracts also did not get executed. However the F&O continued to operate and BSE continued to operate smoothly.

The system is expected to come back online at 10.45 am.

The exact reasons are being analyzed. Let’s wait and watch.

If the dislocation of NSE is a result of any malicious attack, this needs to be considered as a case of Cyber Terrorism and handled as such irrespective of the reputation of NSE.

Naavi

Update 1:

The obvious question is whether the systems had a crash because of some technical glitch such as balance loading failed or such other network related issues.

There is a possibility that there was a cyber attack as well, which may not be immediately revealed.

The BCP however has taken around 75 minutes to pull back the system into operation.

SEBI needs to check the cause and then determine if it has to take any further action to prevent such happenings in future.

Over the last few days, there is an online movement to boycott Chinese products in India and according to one report the sales of Chinese products in India has come down by 60% during this period.

I see a distinct possibility that China may be flexing its muscle in the Indian Cyber Space, which could be a reason for the NSE glitch. CERT IN should conduct a special investigation keeping this angle in mind.

We may have to be careful on the NPCI infrastructure being targeted next and then the Aadhar.

I urge CERT In to create a special gateway to prevent Chinese intrusion into any of our critical information infrastructure.

Update 2:

The re-opening has now been further deferred and it is not able to re-open at 10.45 am.

Update 3:

The markets re-opened at 11.15 am. But the F&O is still frozen. It is probably because they have moved some of the servers from Futures to Cash handling. After a while both servers were stopped at around 11.18.

I suppose both will re-open simultaneously after a few more minutes.

Update 4:

NSE to restart operations at 12.30 pm.

Update 5:

NSE seems to have come back to normal operations after 12.30 pm. Analysis of the cause is awaited.

Update 6:

Finance Ministry is expecting SEBI to submit a report on the incident by the end of the day. I think CERT IN should also seek a report from NSE and SEBI and prepare its own report.

Final Take

This incident is a “Denial of Access” incident in a nationally important system and it requires reporting to CERT-IN under Section 70B. If NSE does not report and CERT-In does not assert its rights, it will encourage other private sector entities also to avoid reporting security incidents to CERT-IN.

Naavi


“Zero Liability for E Banking”… Let there be competitive compliance drive.. to join the Hall of Fame

A Bold Initiative by RBI

Just as our PM Mr Modi bit the bullet by demonetizing the Rs 500/1000 notes despite the stiff resistance from many, RBI has bitten the bullet in issuing the Zero Liability guideline on E Banking transactions.

We need to congratulate Mr Urjit Patel for showing the courage in issuing the circular without making any critically adverse changes to the draft circular released in August 2016.

In the past, whenever RBI tried to bring in customer friendly regulations, Bankers have always resisted the changes and in such cases, RBI has always been the one to yield. When the Damodaran Committee on Customer Services made some very good suggestions in 2011, the recommendations were not operationalized by RBI, ostensibly because Bankers were not supportive. Some of the suggestions made by that committee are now part of the Zero Liability circular of July 6, 2017.

We hope the same boldness will characterize the two more guidelines that we are expecting from RBI in the near future namely the “Bitcoin Regulation” and “P2P Lending Guidelines”.

For the time being we are happy that Mr Urjit Patel and his team have responded with a concern for the consumers in the Digital India environment, where there is a push from the Government for adoption of digital methods of payment for which part of the population is not mentally equipped and hence needs regulatory support with compassion.

Banks need to be reminded that when RBI or concerned citizens are speaking of “Zero Liability”, we are speaking in the interest of genuine customers of the Bank, about whom the Banks should be more concerned than us. Most of the time when Banks respond in a friendly manner and pay back the fraudulent amount lost, they will not only be winning a loyal customer back and preventing him from shifting out but also gaining a person who will bring many more good customers to the Bank. On the other hand, when Banks start litigating against the customer, they are actually condoning the actions of a fraudster in preference to a genuine, honest though somewhat gullible and negligent customer, and losing him and his friends for ever.

We can see some of this concern also reflected in the RBI’s circular if we closely observe some of the wordings used.

The systems and procedures in banks must be designed to make customers feel safe about carrying out electronic banking transactions.

Banks should put in place a system of continually and repeatedly advising customers on how to protect themselves from electronic banking and payments related fraud.

The SMS alerts shall mandatorily be sent to the customers, while email alerts may be sent, wherever registered.

 The existing customers must also be individually informed about the bank’s policy.

Banks must provide customers with 24×7 access through multiple channels (at a minimum, via website, phone banking, SMS, e-mail, IVR, a dedicated toll-free help line, reporting to home branch, etc.) for reporting unauthorised transactions that have taken place and/ or loss or theft of payment instrument such as card, etc.

Banks shall also enable customers to instantly respond by “Reply” to the SMS and e-mail alerts and the customers should not be required to search for a web page or an e-mail address to notify the objection, if any.

Further, a direct link for lodging the complaints, with specific option to report unauthorised electronic transactions shall be provided by banks on home page of their website.

The loss/ fraud reporting system shall also ensure that immediate response (including auto response) is sent to the customers acknowledging the complaint along with the registered complaint number.

The communication systems used by banks to send alerts and receive their responses thereto must record the time and date of delivery of the message and receipt of customer’s response, if any, to them.

On receipt of report of an unauthorised transaction from the customer, banks must take immediate steps to prevent further unauthorised transactions in the account.

Banks may also at their discretion decide to waive off any customer liability in case of unauthorised electronic banking transactions even in cases of customer negligence.

 The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank.

 Banks shall formulate/ revise their customer relations policy, with approval of their Boards, to cover aspects of customer protection, including the mechanism of creating customer awareness on the risks and responsibilities involved in electronic banking transactions and customer liability in such cases of unauthorised electronic banking transactions. 

The policy shall be displayed on the bank’s website along with the details of grievance handling/ escalation procedure. The instructions contained in this circular shall be incorporated in the policy.

As an ex-Banker, I have always treasured the slogan of our Bank “Good People to Grow With” and hope this should be remembered by the new generation Bankers who focus only on profits even if it is at the cost of a good customer.

I urge Banks like ICICI Bank, Axis Bank, PNB and SBI, who have many past pending litigations from their customers, to respond positively and apply the guidelines under this circular to all their present litigations by settling the disputes through mediation with the customers. There should be no ego barriers in agreeing to pay back to the customers the losses they were made to suffer because of Phishing or other problems.

Don’t Blame Victim Customers 

Today, I saw a report in Times of India in which a Banker was quoted as saying

“We have had cases where the customer swore he had never shared his credentials but it turned out that the electronic payment was made by family members using the customer’s credential.”

The comment is attributed to a retail head of a Private Bank. I suppose this person, whose identity has not been provided in the report, should remember that there are many, many more cases in which the Bank employees are hand in glove with the fraudsters in committing the fraud.

If the Banks do not open accounts for fraudsters without proper KYC, most of the phishing frauds would not occur. If the Banks take care to inspect their ATMs and check the working of CCTVs, many of the ATM frauds would not occur. If the Banks are careful that their own employees do not leak the passwords to the fraudsters, many frauds would not happen. If the Bank’s Information Security team understands how to configure “Adaptive Authentication”, many of the frauds would not occur.

I need not stress how Bankers have indulged in frauds that facilitated the conversion of black money by opening benami accounts, granting loans against non existent properties, and unviable loans to industrialists in consideration of the bribes paid to the bank executives.

So blaming a negligent or ignorant victim-customer and passing derogatory remarks that he could be fraudulently claiming loss is deplorable.

I hope that this “Retail head” who is blaming the customers as “Fraudulent” should turn his head inwards and see where the bigger fraudsters can be found.

I wish that this person tenders an apology to the public for making such derogatory comments. He should appreciate that the customers who approach the Bank reporting a fraud are “Victims of Fraud” and even if a customer has been cheated by his own family members, or spouse or a driver or other close acquaintances, it does not make him a willing fraudster himself. He has to be treated with respect.

If this is not understood, that person is unsuitable to be a “Retail head” in a Banking institution. I wish his top bosses in the Bank take note of this.

I wish Times of India reveals the identity of this person and seeks an apology from him and Times Now takes this up as an indication of “VIP Arrogance” like the politicians who throw fish at the officials or use chappals to hit Airline officials.

Another Executive Director of a Private Bank is reported to have expressed unhappiness that they will have to invest more on SMS and Monitoring services.

….Dear friend,

If you cannot secure the transactions you want to profit from, you have to avoid the risk by refraining from E-Banking. Do not expect poor customers to bear the cost of insuring themselves while Banks introduce services without proper security.

Next time when you travel on an airplane if you find that the airline is not following proper security measures, because it costs more money, will you tolerate?

Remember that Banks exist for the Customers and By the Customers and not the other way round.

Naavi.org will now keep watching how different Banks start responding to the new RBI circular and periodically we shall report on this website the compliance efforts taken by the Banks. I request customers of the Banks to report their observations. I also invite Banks to report their own measures of compliance in this regard.

Naavi.org will also try to create a Hall of Fame to recognize those banks who do more than others to follow the spirit of this RBI Circular by watching the developments as reported in the websites of these Banks.

Let there be a “Competitive Compliance Effort” between the Banks to be more compliant than the other, and let Customers gravitate towards those Banks which are Customer oriented and use Technology to provide better service rather than simply to make more profits. We will soon provide the parameters for evaluation of the “Compliance Index” with specific reference to this Circular and indicate it on this site. Suggestions in this regard from other Customer Service organizations and Concerned citizens are welcome.

In the first phase, we will choose the top 5 Banks and evaluate them for compliance after one month. The Banks which will be observed for compliance in this first phase will be State Bank of India, Punjab National Bank, ICICI Bank, HDFC Bank and Axis Bank.

Watch out for this “First Hall of Fame Evaluation”  report by next month.

Naavi


“Zero Liability” for Bank frauds… Customers need to take some precautions…

After waiting for more than 10 months and repeated reminders at all levels including the Finance Minister and the Prime Minister, RBI finally came out with its circular of 6th July 2017 titled “Customer Protection-Limited Liability in Unauthorized Electronic Banking Transactions” as a follow up of its August 11, 2016 draft circular.

Between the draft circular received for public comments on August 11, 2016 and the final circular of yesterday, there is not much of a difference except that the liability for notifying the Bank after a delay of 3 days has been increased from Rs 5000/- to Rs 10000/- except for the BSBD accounts (Basic Savings Bank Accounts) and to Rs 25000/- for larger accounts.

 Zero Liability of a Customer

A customer’s entitlement to zero liability shall arise where the unauthorised transaction occurs in the following events:

  1. Contributory fraud/ negligence/ deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer).
  2. Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorised transaction.

A customer shall be liable for the loss occurring due to unauthorised transactions in the following cases:

  1. In cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.
  2. In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer, but lies elsewhere in the system and when there is a delay (of four to seven working days after receiving the communication from the bank) on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer shall be limited to the transaction value or the amount mentioned in Table below, whichever is lower.

Maximum Liability of a customer (Report between 4-7 days)

  1. BSBD Accounts: Rs 5000
  2. All other SB accounts; Pre-paid Payment Instruments and Gift Cards; Current/ Cash Credit/ Overdraft Accounts of MSMEs; Current Accounts/ Cash Credit/ Overdraft Accounts of Individuals with annual average balance (during 365 days preceding the incidence of fraud)/ limit up to Rs.25 lakh; and Credit cards with limit up to Rs.5 lakh: Rs 10000
  3. All other Current/ Cash Credit/ Overdraft Accounts, and Credit cards with limit above Rs.5 lakh: Rs 25000/-

Further, if the delay in reporting is beyond seven working days, the customer liability shall be determined as per the bank’s Board approved policy. Banks shall provide the details of their policy in regard to customers’ liability formulated in pursuance of these directions at the time of opening the accounts. Banks shall also display their approved policy in public domain for wider dissemination. The existing customers must also be individually informed about the bank’s policy.
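The liability rules quoted above, reduced to one function so that a given case can be worked through. This is an added example, not code from the circular or from Naavi.org; it assumes the three account tiers are already known for the account, counts working days as Monday to Friday only (bank holidays are ignored), and leaves liability for reports beyond seven working days to a caller-supplied Board policy, since the circular does not fix that amount.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Callable, List, Optional


class Cause(Enum):
    """Where the circular places responsibility for the unauthorised transaction."""
    BANK_FAULT = "bank"                 # contributory fraud / negligence / deficiency of the bank
    THIRD_PARTY = "third_party"         # deficiency neither with the bank nor with the customer
    CUSTOMER_NEGLIGENCE = "customer"    # e.g. the customer shared the payment credentials


class AccountTier(Enum):
    """Per-transaction cap in rupees when the report arrives on working day 4 to 7.
    Assumption: the caller has already classified the account into one of these tiers."""
    BSBD = 5_000        # Basic Savings Bank Deposit accounts
    STANDARD = 10_000   # other SB, PPIs/gift cards, MSME CC/OD, individual CC/OD up to Rs 25 lakh, cards up to Rs 5 lakh
    LARGE = 25_000      # all other current/CC/OD accounts, credit cards with limit above Rs 5 lakh


@dataclass(frozen=True)
class Transaction:
    amount: int          # rupees
    after_report: bool   # True if the debit happened after the customer reported the fraud


def working_days_between(received: date, reported: date) -> int:
    """Working days after the bank's communication up to and including the report date.
    Assumption: only Saturdays and Sundays are non-working days."""
    if reported < received:
        raise ValueError("report date precedes the bank's communication")
    days, d = 0, received
    while d < reported:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def add_working_days(start: date, n: int) -> date:
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def shadow_reversal_deadline(notified: date) -> date:
    """Last day for the shadow reversal credit: 10 working days from notification."""
    return add_working_days(notified, 10)


def customer_liability(cause: Cause, tier: AccountTier, transactions: List[Transaction],
                       report_delay_days: int,
                       board_policy: Optional[Callable[[List[Transaction]], int]] = None) -> int:
    """Rupees the customer bears. Debits made after the report are treated as the bank's
    loss in every branch: the circular says so for the negligence case and obliges the bank
    to block further debits as soon as the report is received."""
    before = [t for t in transactions if not t.after_report]
    if cause is Cause.BANK_FAULT:
        return 0                                   # zero liability whether or not reported
    if cause is Cause.CUSTOMER_NEGLIGENCE:
        return sum(t.amount for t in before)       # entire loss until the customer reports
    # Third-party breach: outcome depends on how quickly the customer reported
    if report_delay_days <= 3:
        return 0
    if report_delay_days <= 7:
        # per transaction: the transaction value or the tier cap, whichever is lower
        return sum(min(t.amount, tier.value) for t in before)
    if board_policy is None:
        raise ValueError("delay beyond 7 working days: liability is set by the bank's Board-approved policy")
    return board_policy(before)


if __name__ == "__main__":
    # Constructed case: two debits of Rs 4,000 and Rs 30,000 on a standard SB account,
    # reported on the fifth working day after the bank's alert.
    txns = [Transaction(4_000, False), Transaction(30_000, False)]
    print(customer_liability(Cause.THIRD_PARTY, AccountTier.STANDARD, txns, 5))   # 14000
    print(shadow_reversal_deadline(date(2017, 7, 6)))                              # 2017-07-20
```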

It is also stated that  the bank shall credit (shadow reversal) the amount involved in the unauthorised electronic transaction to the customer’s account within 10 working days from the date of such notification by the customer (without waiting for settlement of insurance claim, if any).

Banks may also at their discretion decide to waive off any customer liability in case of unauthorised electronic banking transactions even in cases of customer negligence.

The credit shall be value dated to be as of the date of the unauthorised transaction.

Further, the complaint shall be resolved by the Bank within 90 days, failing which the Bank should reimburse the amount to the customer ensuring that there is no interest loss to the customer.

Burden of Proof

Most importantly, the burden of proving customer liability in case of unauthorised electronic banking transactions will lie on the bank.

Security Procedures to be adopted

 The circular goes on to also mandate that the systems and procedures in banks must be designed to make customers feel safe about carrying out electronic banking transactions. To achieve this, banks must put in place:

  1. appropriate systems and procedures to ensure safety and security of electronic banking transactions carried out by customers;
  2. robust and dynamic fraud detection and prevention mechanism;
  3. mechanism to assess the risks (for example, gaps in the bank’s existing systems) resulting from unauthorised transactions and measure the liabilities arising out of such events;
  4. appropriate measures to mitigate the risks and protect themselves against the liabilities arising therefrom; and
  5. a system of continually and repeatedly advising customers on how to protect themselves from electronic banking and payments related fraud.

Precautions to be taken by the Customer

In order to protect themselves from the frauds arising out of “Unauthorised transactions”, Customers should ensure the following.

It is the Bank’s responsibility to ensure that a mobile alert is provided for “All Debits”. When an alert comes in, the customer needs to check and if the transaction is not authorized, he should immediately report to the Bank for which Bank should publish contact information and provide for a “Reply” to the message.

The customer can ensure that the mobile is registered with the Bank. However, we know that many times we may not be able to check messages as and when they come in; sometimes they arrive at night or when, say, you are on a flight. Most frauds occur in a single transaction or in multiple transactions, all of which occur in quick succession. It is unlikely that the customer would be able to respond in time to stop the fraudulent withdrawals before the account is cleaned out.

If the customer misses any alert, he should record it by informing the Bank and keeping a record of such reports. If the customer is going abroad where he may miss alerts, he should ensure that the account is suitably locked or that alternate arrangements are made by restricting the transaction limits.

Whenever the Bank receives any instruction from the customer, it should match the location of the transaction with the known location of the customer (e.g., he is abroad, or he is in the village, while the transaction is reported from elsewhere).

Even the OTP is answered from a mobile whose location is readily available to the Bank; if the Bank does not have systems to monitor this, it should be considered “Inadequate security” and challenged.

We suggest that Banks introduce a system whereby transactions must have a mandatory gap of at least 5 minutes between two successive transactions, to avoid such frauds, besides an option for the customer to switch off transactions at any time he wants. Customers should be able to switch on transactions at will and switch them off immediately after the transaction. For this purpose the alert should have an automatic option to switch off for a stated period, like we put our WhatsApp on “mute” from time to time.
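As an added example (not part of the original post or of the RBI circular), the following Python sketch shows how a bank-side check could combine the location match suggested above, the proposed 5-minute gap between successive transactions, and a customer-controlled switch-off. The account state, the Bangalore/Delhi transaction stream and the rule messages are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MIN_GAP = timedelta(minutes=5)  # the post's suggestion: at least 5 minutes between transactions


@dataclass
class AccountState:
    """Hypothetical per-account state the bank keeps for these checks (constructed)."""
    known_location: str                       # where the customer is known to be
    enabled: bool = True                      # customer's on/off switch for transactions
    muted_until: Optional[datetime] = None    # temporary switch-off, like muting a chat
    last_accepted: Optional[datetime] = None  # time of the last transaction that passed


def mute(state: AccountState, now: datetime, period: timedelta) -> None:
    """Customer switches transactions off for a stated period."""
    state.muted_until = now + period


def check_transaction(state: AccountState, at: datetime, location: str) -> List[str]:
    """Return rule violations for one debit instruction; empty means accept, else hold and alert."""
    flags = []
    if not state.enabled:
        flags.append("switched off by customer")
    if state.muted_until is not None and at < state.muted_until:
        flags.append("muted until " + state.muted_until.isoformat())
    if state.last_accepted is not None and at - state.last_accepted < MIN_GAP:
        flags.append("less than 5 minutes since previous accepted transaction")
    if location != state.known_location:
        flags.append(f"location {location} differs from known location {state.known_location}")
    if not flags:
        state.last_accepted = at  # only accepted transactions start the next 5-minute window
    return flags


def run_example() -> List[List[str]]:
    """Constructed stream of debit instructions for a customer known to be in Bangalore."""
    state = AccountState(known_location="Bangalore")
    t0 = datetime(2017, 7, 10, 10, 0)
    results = []
    results.append(check_transaction(state, t0, "Bangalore"))                         # accepted
    results.append(check_transaction(state, t0 + timedelta(minutes=2), "Bangalore"))  # too soon
    results.append(check_transaction(state, t0 + timedelta(minutes=7), "Delhi"))      # wrong place
    mute(state, t0 + timedelta(minutes=8), timedelta(hours=1))                         # customer mutes
    results.append(check_transaction(state, t0 + timedelta(minutes=30), "Bangalore"))  # muted
    results.append(check_transaction(state, t0 + timedelta(minutes=70), "Bangalore"))  # accepted
    return results


if __name__ == "__main__":
    print(run_example())
```

Any non-empty list of flags is the point at which the bank would hold the debit and send the customer an alert instead of executing it.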

There would be occasions when there is a dispute between the Bank and the Customer regarding whether a notice was sent or not, etc. The customer may then be at a disadvantage. Hence the customer should create evidence that he had reported the unauthorized transaction (one can use the Cyber notice service of ceac.in for this purpose) and hold the acknowledgement for future reference.

It goes without saying that when a customer receives a phishing call or an e-mail, he should not respond. If any such call comes in, he should report it to the Bank, also stating that he has not responded, and the Bank should take action to block the mobile number or the e-mail used, like shutting down phishing websites, as a part of its security due diligence. Since this could also be a point of dispute later, customers are suggested to use the Cyber-notice service (refer to the www.ceac.in or cyber-notice.com websites, links to which are available from this site).

We anticipate that in cases where a customer receives a phishing call, the Bank may allege that he has responded to it even if the customer swears otherwise. Though the circular clearly says that the burden to prove such disclosure is on the Bank and not the customer, it is possible that Banks would bully the customer and, just as in a Police interrogation an accused admits to an offence he might not have committed, the customer may be forced to say something to the effect of “I don’t know” or “I don’t remember”, which the Bank may latch on to and claim that the customer has admitted. Remember that the Banks will record the call center conversations and they should be asked to produce evidence through recordings if they claim that the customer has admitted the disclosure of credentials.

Banks also need to have good adaptive authentication systems; at present none of the Banks have proper systems in place, and hence customers should be able to prove “Lack of Due Diligence” on the part of the Bank most of the time.

We should also remember that as long as Banks continue to use instructions that are not digitally signed, or OTP for authentication, they are not following the law and hence are vulnerable to being held negligent when challenged in a Court of law. Banking law never recognizes a “Forgery” as valid, and hence any electronic transaction where the customer’s signature is forged is a nullity even if the Bank may claim difficulty in recognizing the forgery.

The circular itself refers to “Insurance” which we have always held as mandatory for banks and they need to cover their losses through insurance and not think of burdening the customer with the loss.

There could be several more precautions that the customer can take such as using only Prepaid cards, keeping FD accounts not attached to the account, refusing increase of credit card limits if he does not need it, etc.

Banks should refrain from indiscriminately issuing cards to people who do not understand the implications of secure usage, and avoid situations where the customer may be negligent.

Some of the common mistakes that people make, such as “Writing the PIN on the back of the card”, “Answering the phishing call”, etc., should be pointed out to the customer at the time of issue of the card, and a specific acknowledgement that the “safety precautions were read out to the customer and he has understood them before accepting the card” should be obtained under a third party witness (introducer), and the declaration should be held with the account opening form as a part of the routine procedure. Bank auditors should ensure that such records are kept properly.

RBI has informed Banks that they should undertake customer education through various means and this has to be implemented and audited.

Banks should quickly come up with their policy regarding how they handle the implementation of the above circular and modify their SMS alert systems within the next one week and report it to the RBI as part of the month end compliance report.

Banks which presently do not have 24X7 call centers that are actually responsive (the operator should pick up the call within the first three rings, at least for the separate number designated for these complaints) should ensure that such call centers become operational immediately.

Any customer who finds that his Bank does not have the necessary measures envisaged in this circular (such as SMS alerts not being sent, etc.) may kindly report it to Naavi.org (Special cell for monitoring Implementation of Limited Liability Circular) through the e-mail available on the website (check the contact page). We will try to maintain a record of such complaints as part of our public service so that they will come in handy when proving the negligence of the banks at a later date.

We will provide supplementary instructions from time to time on this site as and when necessary. Please do keep writing to us. More services from Ceac.in and Cyber-notice.com, along with the special service charges applicable to such services, will be indicated at the earliest.

Kindly note that this circular has not indicated any prospective effect and hence in all cases including the present pending cases where disputes exist, customers should approach their Banks and seek remedy under this circular. Since this is now part of the Bank’s service, even the Banking Ombudsman has to take up complaints related to these instances without brushing it aside. 

Naavi

Refer RBI Circular here
