I draw the attention of all the individuals who hold the position of a Director in any of the Scheduled Commercial Banks in India including RRBs as well as Cooperative Banks about the new responsibility thrust on them by RBI through its Circular on Cyber Security Framework released on June 2, 2016 and further by announcing its intentions through the “Draft Circular” on August 11, 2016 to limit Customer liability on Internet/Mobile/Credit Card/Debit Card/ATM Card frauds.
I also draw the attention of all Bank Staff Training establishments, Principals and Faculty Members who have the responsibility to educate the Banking Executives, as well as the well wishers of Banks such as the Auditors and Company Secretaries who have the responsibility to advise the Directors towards compliance of RBI regulations may in turn keep the Directors informed that the new dispensation of RBI hoists inescapable responsibilities on them and cannot be ignored.
Kindly analyze the following and take appropriate steps without any further delay.
Naavi
Recently, we witnessed an alarming situation where the Bank of Bangladesh lost Rs 90 crores through a hacking of their SWIFT money transfer system. A similar attack also occurred on Union Bank of India system and but for a stroke of luck, Bank could have lost about Rs 1200 crores through a similar fraud. Unlike the earlier major frauds where money of customers have been stolen from the Bank accounts, this time the attack was directly on the Bank’s system. It also demonstrated that there are vulnerabilities within the Banking system and the same vulnerabilities may also cause losses to the customers.
The Legal Implication
What we need to recognize here is that the hacker was able to engineer a money transfer of hundreds of crores of rupees by forging the transfer request of two responsible officials of the Bank entrusted with the Maker-Checker responsibilities before funds can be transferred in the SWIFT system. It is therefore clear that such hackers will not find it difficult to forge the signature of a Branch system administrator who may have powers to create new users, new passwords for their own staff members to create fraudulent access credentials and initiate transfer of substantial amounts from many customer’s accounts.
Banks will therefore not be able to claim that they have good security systems in place and such systems have been audited for standards such as ISO 27001 by one of the Big Four firms etc. and try to convince judicial authorities that whenever a Bank fraud occurs it is the negligence of the customer which is responsible and not that of the Bank.
Cyber Security Framework (CSF-2016)
Taking note of the new risks that the SWIFT attack represented, RBI was quick to come up with a new “Cyber Security Framework” (CSF-2016) as a mandatory recommendation for Banks revising and upgrading the earlier directions contained in the Internet Banking Guidelines of June 2001, and the E Banking Security Guidelines (GGWG) of April 2011 as well as other guidelines on Card transactions released from time to time.
While issuing the new guidelines RBI has placed direct responsibility to the Board of Directors to take cognizance of the gaps that exist in compliance and the road map for mitigation of the gaps.
The suggestions made in the CSF 2016 are much beyond what were contained in the earlier guidelines and include setting up of a Security Operations Center (SOC) and a “Honey Pot” to defend against “Unknown Zero Day Vulnerabilities”.
The current information security systems will not be able to meet the compliance requirements even in the Big Banks and smaller banks will be woefully short of the requirements.
The Board of Directors need to therefore develop strategies of meeting the compliance requirements within the limitations of funds and expertise within their own Banks.
The CSF 2016 also requires that a report has to be sent to RBI as and when a security breach happens by submitting a detailed report within two to six hours of the incident coming to their knowledge. There will therefore be no opportunity to preview the report by holding a board meeting to approve what is being submitted to RBI that may create a liability on the Bank and its Directors.
The situation therefore calls for an urgent action by Directors to safeguard their own interests and that of the Bank. Such action includes training themselves and reviewing the action so far taken in this regard.
Many of the Banks might have already passed a resolution in their previous Board meeting since the deadline for submission of a Board acknowledged Gap report was July 31, 2016.
If the Directors had not fully appreciated the requirements and passed the resolution in good faith that their professional departments must have presented a fair proposition, now is the time for the Directors to look back at the papers which they approved and see if there is a need for review since the next deadline for actual compliance is September 30, 2016 which is hardly 45 days ahead.
Limited Customer Liability
As a further act of follow up towards “Safe E Banking” , RBI has now released a draft circular on August 11, 2016 and indicated its intentions of bringing in the concept of “Limited Liability” to customers in respect of frauds. “Limited Liability” for customers automatically means “More Liability” for the Banks.
According to the proposed system, in all cases of fraud in which the negligence of the Bank is involved, the liability has to be fully boarne by the Bank. In any case, once the Bank has been notified of an unauthorized debit, any further fraudulent withdrawals if any would also be the responsibility of the Bank irrespective of whose negligence caused the loss.
In cases where the fraud has occurred due to the direct negligence of the Customer, he may be held liable.
In cases of third party breaches where neither the customer nor the banker’s negligence is involved, if the customer notifies the the unauthorized transaction within 3 days of it being reported to him by the Bank (Sending an alert is the responsibility of the Bank), the customer will not be liable. If in such cases the Customer reports after a delay, but within 4-7 days, the liability will be limited to Rs 5000/- .
If the customer notifies the unauthorized debit arising out of a third party breach in which there is negligence of neither the customer nor the Bank, beyond 7 days, or fails to report it at all, then the Bank has to state in its policy how much of liability can be hoisted on the customer beyond the R 5000/-. It is difficult to say if RBI would accept a 100% liability in such cases on the customers since the law also may not support it. It has to be a graded system and reasonable under the circumstances. Probably any liability to the customer beyond 50% would be unreasonable even if he has failed to report the unauthorized debit in his own account.
The non compliance of the CSF 2016 and providing a false confirmation to RBI that the bank is compliant would establish “Negligence” and “Complicity” of the Bank in facilitating a fraud and can make it liable for all frauds.
In view of the above, it is time that Directors of Banks immediately take necessary action to ensure that their responsibilities are properly discharged and they are free from personal liabilities. I hope this would a personal resolution that they should take on this 70th Independence day of India.
P.S: I have placed more detailed discussions in the earlier articles and will continue to put more information and invite the Directors of the Bank to peruse the same and take appropriate action.
Naavi
If the recent circular of RBI on limited liability for Customers in E Banking frauds becomes a reality, it would simultaneously open the doors for the Cyber Insurance Industry to offer products for Cyber Insurance to individual Bank customers.
The reason why Insurance Companies were reluctant to insure E Banking frauds on behalf of individuals was their fear of unknown risks and possibility of a sudden huge loss arising out of Phishing at individual customer’s level or at a system level in Banks or their critical service providers.
While Insurers manage their risks by having a limited liability clause in their policies with sub limits for various causes, now the overall liability of the customer itself would have been brought down significantly in view of the RBI guidelines.
When a loss occurs on account of an E Banking Fraud, the fraud would be classified as
A: Zero Liability Incident
B: Limited Liability Incident
The “Zero Liability Incident” is one in which the Customer shall not be liable and the Banks should reverse the amount lost within 10 days.
This is applicable when the security architecture and systems of the bank for electronic banking transactions are not able to protect the customer in case of
a) Fraud or Negligence on the part of the Bank
-irrespective of whether the loss was reported by the customer or not
b) Third party breach
-where the fault lies neither with the Bank nor with the customer and
-the customer notifies the Bank within three working days of receiving communication from the bank regarding the unauthorized transaction
c) Involving Negligence of the customer
-such as sharing of payment credentials
– after the customer reports the unauthorized transaction to the Bank
The “Limited Liability Incident” is one where the customer has to bear the loss to a limited extent and would cover the following cases.
a) In cases where the responsibility for the unauthorized electronic banking transaction lies neither with the Bank nor the Customer and
-the customer notifies the Bank of the unauthorized nature of the transaction between 4 to 7 days
-the liability of the customer is limited to the transaction value or Rs 5000/- whichever is lower
-Where the customer notifies the Bank after 7 days, the liability will be determined as per the Bank’s approved policy.
It is reasonable to expect that the liability will be still limited and cannot be 100% of the transaction value
The residual category where the fraud is involving negligence of the customer (such as sharing of payment credentials) and the loss occurs before the customer reports the unauthorized transaction to the Bank, the loss may have to be boarne by the customer.
From the perspective of an Insurer therefore, it is critical that the customer notifies the Bank that a transaction reported to him by the SMS or EMail alert by the Bank is “Unauthorized” and it is done within 3 days.
Then the Bank will check if the unauthorized transaction is due to the “Negligence” of the Customer which will be a matter of dispute to be resolved in the next 90 days.
The Customer will not have any liability unless it is able to provide evidence that the negligence of the customer was the cause of the loss or the customer himself committed the fraud with an accomplice or otherwise.
In the meantime Bank will have to provide a shadow credit within 10 days which should also provide for compensation of any interest loss that may be involved especially in the credit card transactions.
Since the customer is not suffering any loss in these transactions, the Insurer need not take any liability on the individual’s cyber insurance policy.
Even in other cases, the liabilities will be limited to Rs 5000/- except where the “Negligence” is proved. What constitutes negligence in these cases is a matter that will be debated and the Insurance industry will be required to put its weight behind the customer in ensuring that excessive responsibility is not expected of the Customer in identifying a fraud such as “Phishing” or “Vishing” particularly when malware is used to extract the credentials of the customer without his knowledge.
Insurers will also be required to recognize the concept of “Proximate Cause” for loss where a the Bank had an opportunity to prevent the loss even after the negligent act of the customer but failed to do so because of its own inadequacies in which case the loss is due to the failure of the Bank and not of the customer.
Though some of these intricate points will be disputed and resolved over a period of time, it is clear that the Cyber Crime Insurance Risk of the insurers for E Banking frauds in policies issued or to be issued to individuals has come down from the clouds to the ground level
There is therefore no excuse after this circular to the Insurance companies to issue such policies for individuals.
I hope Tata AIG, HDFC Ergo, ICICI Lombard, Bajaj Alliance etc will now start structuring their individual Cyber liability policies.
We look forward to developments in this regard in the next few months and request IRDA to also suggest all its members through a circular to construct such policies.
In particular, I request attention of Mr Rajesh Aggarwal the dynamic ex-Adjudicator of Maharashtra who is now heading a public sector Insurance Company and urge him to make the first move. Let one of our public sector Insurance companies be the first to introduce a Cyber Insurance Policy for Individuals as a part of the 70th Independence day celebrations.
Naavi
At the cost of repetition, we must congratulate RBI on its recent circular of August 11, on Customer Service in which they have proposed that customer’s liability on cyber frauds should be limited.
Presently, a draft circular has been issued and RBI is awaiting public comments before confirming the circular. I urge all visitors to peruse the circular and provide a strong positive feedback to RBI. (Refer this earlier article for details).
The reason why I advocate strong positive support for this move of RBI from all consumers and consumer organizations (without remaining silent supporters) is that there is every possibility that vested interests in Banks would try their best to scuttle this move of RBI and let the circular remain in draft form and not see the light of the day. The Indian Banks Association which is an industry body is often swayed by the leading Banks such as SBI and ICICI Bank to adopt practices which are not always consumer interest protective. We therefore need a balancing pressure on RBI to maintain its poise and let the circular become a reality.
I recall that way back in 2002, in a circular dated April 8, 2002, RBI had stated
“…we continue to receive complaints of fraudulent encashment by unscrupulous persons opening deposit accounts in the name/s similar to already established concern/s resulting in erroneous and unwanted debit of drawers’ accounts…..Besides, in cases of the above kind, the banks have also not restored funds promptly to customers even in bona-fide cases but deferred action till completion of either departmental action or police interrogation…..
With a view to redressing the grievances of the customers in this regard, we have reviewed the position and advise that (i) in cases where banks are at fault, the banks should compensate customers without demur, and (ii) in cases where neither the bank is at fault nor the customer at fault but the fault lies elsewhere in the system, then also the banks should compensate the customers ( upto a limit) as part of a Board approved customer relations policy.”
However, we have not seen Banks following this instructions from RBI. I can personally vouch for the same having represented many Cyber Crime victims in Banks against Banks such as ICICI Bank, PNB and Union Bank of India”. Other Banks will not be better since the big brother SBI is leading this anti-customer attitude and making RBI look like a paper tiger good only for issuing circulars which can be safely ignored.
In August 2011, the D.Damodaran Committee on Customer Service in Banks had made some far reaching customer friendly recommendations. But the influential Banks forced RBI to forget the report and not issue any operative circular as a follow up.
It is in this context that we the consumers need to stand up and support RBI in its latest efforts and not let our vigil drop.
Now it appears that RBI has once again issued a circular which will have far reaching protective influence on Bank customers. It puts a cap on the liability that a Bank customer may suffer on account of a Cyber fraud which may happen with a Phishing Attack or a Credit Card Cloning or an ATM hack, or hacking of the Bank systems. In most of these cases, involvement of Bank staff may be implied though not proved. But in almost all cases, negligence of the Bank can be identified as the “Proximate Cause” of the loss that a customer suffers.
The recent circular has classified the losses into the following categories:
Once notified, the bank shall credit the amount from their suspense debit within 10 working days.
There is however a possibility that Banks may try to find a loophole in the RBI guideline and try to avoid the liability on themselves.
I have even seen one argument from a Bank that they cannot pay back the fraudulent money because it is “Public Money” as if the customer’s own money does not belong to that category. We have also seen Banks trying to hide behind “Privacy” and refusing to reveal information of fraudster’s accounts through which an honest customer’s money has been withdrawn forgetting that opening such accounts with defective KYC was part of the offence under AML.
Such unscrupulous Banks can go to any extent to refuse relief to Cyber Crime victims under one pretext or the other unless strong penalties are imposed for non compliance of RBI’s orders.
In the circular, the frauds have been categorized into three categories as follows.
In the first type involving fraud or negligence on the part of the Bank, (including where staff of Bank may be involved), there would obviously be no liability for the Customer.
At the same time legal proceedings can be initiated on the Bank and its executives including the Chairperson and Directors for civil and criminal action under ITA 2000/8.
I wish RBI also imposes “Sanctions” on such a Bank and its key executives without waiting for the law to grind to a conclusion.
The third type is self explanatory once we understand the implications of the second type “cases involving negligence of the customer”.
What is Negligence of a Customer
Banks have been struggling for generations to decipher the meaning of “Negligence” under Section 131 or Section 10 of Negotiable Instruments Act. We often leave it to be judged by the circumstances of the case to define “negligence” as “What a Prudent man under similar circumstances would have done” or “What a prudent man under similar circumstances would not have done” without being clear about who is that “Prudent Man”.
It is the Courts who have in different occasions defined what is negligence. In the E-Banking environment we need to accept that the Judiciary has not matured enough to provide a good guidance of what is “Negligence” on the part of a Customer.
Looking back on some of the instances we can identify the following types of behaviour which could come for discussion as “Negligence”.
At the same time, we need to recognize that some of the above acts of potential negligence could be prevented if Bankers are “Not Negligent” or are “Security Conscious”.
For example,
In the case of sophisticated spear phishing attacks, many of the technology aware as well as security aware users have fallen prey in the past.
Hence the level of expertise required to identify and eliminate phishing attacks should not be considered as a base line skill level that can be expected of an ordinary Bank customer. When Trojans and Viruses are installed while visiting otherwise respected websites or downloading of apps and software programs and the available malware protection has also failed, it is too much to expect every Bank Customer to have the necessary expertise to identify the signature of a malware and take steps to prevent its malicious action.
Hence the burden of “Negligence” should not be thrust on the customer in the case of phishing and installation of malware where the customer himself is a “Victim” of an identity theft crime. Making an identity theft victim liable because he allowed himself to be a victim, is like telling a pick pocket victim why did you keep your money in the pocket and not in the locked brief case or underwear pocket?
Bankers will however advance an argument that if in the case of “Phishing” the customer is not made to bear the burden, they will collude and commit frauds on the Bank. I therefore suggest that in cases of “Phishing” (and Vishing) where the customer has in fact parted with his credentials, if the “Customer” and the “Beneficiary” donot have any nexus (Such as one being a family member or a friend), his contention that he was cheated should be given credence and the fraud should be considered as arising not due to the negligence of the customer. Even then, I suggest that the customer could be penalized even 10% of the total loss. This can be part of the mediation between the customer and the bank where the mediator adjudicates if the customer was in deed negligent or not.
Presently RBI has a scheme of Ombudsman to resolve disputes arising out of “Non Adherence to RBI regulations”. However Ombudsman often refuse to take responsibility to mediate and function more like “Adjudicators” and often have a soft corner with the Banks. Customers have often been at the wrong end of the decisions of Ombudsman and hence this system requires a serious rethinking. One suggestion is to make the Ombudsman adopt a mediation strategy and include a member of public who has knowledge of Cyber Fraud issues in the mediation team.
In all cases of “Alleged Negligence” by the customer where the Bank wants to refuse payment under the proposed scheme, the Ombudsman may step in to resolve the dispute.
We need to continue our discussions and debate this issue of “What Constitutes Negligence” of the Customer in cases of E Banking frauds before making the customer pay for the technological advances of the financial market. I invite comments and suggestions in this regard.
Naavi
In a long awaited but highly welcome move, RBI has released a “Draft Circular” for public comments on “Limited Liability” for customers in case of frauds in Internet Banking and Card transactions.
Suggestions/comments, if any, on the Draft Circular may be sent by post to the Chief General Manager, Department of Banking Regulation, Reserve Bank of India, Central Office, 12th Floor, Shahid Bhagat Singh Marg, Mumbai-400 001, or by E-Mail: ( Click Here to send email) (liabilityebt@rbi.org.in) on or before August 31, 2016.
I urge all visitors to go through the circular and provide their feedback to RBI taking into account the following points.
The suggested recommendation from RBI is therefore welcome and needs to be notified at the earliest.
As regards some of the conditions that have been indicated in the circular, the following may be noted.
| Recommendation | Comments |
| Banks must ask their customers to mandatorily register for alerts for electronic banking transactions.
The alerts shall be sent to the customers through different channels (email or SMS) offered by the banks. |
Where the customer is able to provide both SMS and E-Mail addresses, the alert should be sent through both channels.
Hence the circular may be modified to read as (email and/or SMS) instead of (email or SMS) |
| The customers must be advised to notify the bank concerned of any unauthorised electronic banking transaction at the earliest after the occurrence of such transaction. | Banks must provide for response by “Reply” to the SMS and E Mail and should not be required to search for a web page or an e-mail address to notify the objection if any.
Necessary change may be made to the circular in this regard |
| A customer shall be liable for the loss occurring due to fraudulent transactions in the following cases:
(a) In cases involving negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank. |
When the credentials of the customer is stolen by a fraudster by the use of “malware”, it should not be construed as “sharing” of the credentials in as much as the customer is a victim of the systemic problem.
Such instances may be classified as “Arising due to neither the negligence of the bank nor the customer”. In order to ensure that malware in the browser software does not result in a fraud, Bankers should provide “Secure Browsing Environment” for all Banking transactions through an appropriate security software. Presently, most anti virus software such as Kasparesky provides such “Safe Browsing” for Banking transactions but such session requests are some times are rejected by the Banking systems due to improper configuration. Not enabling such “Safe Browsing” environment should be considered as a “Negligence” by the Bank. Under Indian law (ITA 2000), the only legally recognized form of authentication which also applies to the Banking transaction is in the form of Digital Signatures (or eSign). Banks should mandatorily enable their systems for the use of Digital Signatures and eSign so that customers who intend to use digital signature based log-in may be able to use them. Not providing such options should be considered as “Negligence” by the Banks. (P.S: This was stated in the Internet Banking Guidelines of June 2001 where the Banks were expected to assume the legal risk in such cases) |
| In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer but lies elsewhere in the system and when there is a delay (of four to seven working days) on the part of the customer in notifying the bank of such a transaction the customer liability shall be limited to the transaction value or ₹ 5000/- | In the case of mobile transactions through apps where there is a monthly transaction limit of Rs 10000/- and no KYC obligation, the liability limit may be reduced to Rs 2000/- |
| The policy must be transparent, non-discriminatory | In the past Banks have easily refunded fraud losses to some celebrities and even the police personnel but have taken the genuine normal customers to Court through a process of lengthy litigation which the customers are unable to sustain.
Examples of cases pending in Cyber Appellate Tribunal involving ICICI Bank, SBI , PNB and Axis Bank are available for this. All these cases involved serious KYC lapses on the part of Banks but are going through needless litigation because Banks can throw money to lawyers for dragging the cases for years. RBI should therefore review all the pending cases and open a window for mediating compromise solutions based on the new policy. |
| The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank. The bank’s above policy shall also specify the maximum time period for establishing customer liability after which the bank shall compensate the customer. | Welcome move since all the evidences are with the Bankers within their system and are capable of being manipulated.
Bankers should be advised to archive fraud related log data as “Evidence” and make it available to the law enforcement authorities even when the dispute with the customer is settled through this suggested mechanism or otherwise. |
| The banks shall put in place a suitable mechanism and structure for reporting of the customer liability cases to the Board or its Committee. The reporting shall, inter-alia, include volume/number of cases and the aggregate value involved and distribution across various categories of cases viz., card present transactions, card not present transactions, internet banking, mobile banking, ATM transactions, etc. The Standing Committee on Customer Service in each bank shall review, on a monthly basis, the unauthorised electronic banking transactions reported by customers or otherwise, as also the action taken thereupon, the functioning of the grievance redress mechanism and take appropriate measures to improve the systems and procedures. | A summary of incidents settled under this mechanism should be made available on the website of the Bank. |
I request visitors to send their comments to RBI without fail both appreciating their efforts towards Consumer protection as well as making suggestions if any.
Once this system comes into practice, I suppose Cyber Insurance Providers will feel bold enough to provide Cyber Fraud insurance cover to Bank customers to cover the balance risk that is left uncovered by this system (Rs 5000/- )
Naavi
Suggestions/comments, if any, on the Draft Circular may be sent by post to the Chief General Manager, Department of Banking Regulation, Reserve Bank of India, Central Office, 12th Floor, Shahid Bhagat Singh Marg, Mumbai-400 001, or by E-Mail: ( Click Here to send email )on or before August 31, 2016.
