A New Business Proposition for Digital India unveiled.. StartUps may jump from their seats

In a slightly surprising but welcome development, the Government of India has released a notification under Section 67C of ITA 2008, viz. G.S.R. 711 (E) dated 21st July 2016, titled “Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules 2016”. The notification may not perfectly fit under Section 67C, but it is otherwise related to the setting up of a new regulatory authority called the Digital Locker Authority and to defining a new set of businesses in the Digital India project.

Apparently, the purpose of this notification is to define the rules under which public documents shall be preserved and protected when lodged with the Digilocker authorities and the notification is issued under Section 67C of Information Technology Act 2000/8. It sets a new trend of “Data Retention” defined specific to a domain of activity.

Sec 67C was perhaps meant to define “how long” and in “what form” intermediaries may retain information, and the “manner” of retention was incidental. However, this notification actually goes on to define the “Manner” in which a certain type of intermediary shall retain information, without much emphasis on the format and period for which the information has to be retained. Also, the “Information” referred to in Section 67C of the Act is being used to identify the “Documents” that a subscriber would like to lodge in the safe custody of an agency as a “Uniquely Identifiable Document” with a “URI” (Unique Resource Identifier). No specific structure for the URI, like the standard structure of a URL, has been defined as part of the “manner of retention of information” under Sec 67C.

It therefore appears that Section 67C has been used as an excuse to define some new business proposition which has its own implications for Digital India. It has redefined Sec 67C itself and altered its scope.

Maybe we can call this an innovative and creative interpretation of law, but the possibility of unintended consequences following from a loosely regulated service needs to be watched.

New Opportunities Unleashed

In effect, through this notification, the Government seems to have defined a new business proposition for the private sector: developing services to set up and manage “Portals”, “Access Gateways” and “Repositories” that store electronic documents deposited by the public, which are verifiable and retrievable by authorised entities.

The service as conceived is bigger than UIDAI and without a separate Act like the UIDAI Act, it enables a new system by which electronic documents are authenticated, preserved and verified.

Obviously there will be Privacy and Security issues as well to contend with.

Further, since the Main DigiLocker authority would be the Government, the notification provides an admission that its own department may now be considered as an “Intermediary” if it also provides its own digilocker services in addition to private sector players. Such department will therefore be subject to Sec 79 obligations.

To ensure protection of the department as well as to avoid conflicts, it may be necessary for DeitY to refrain from directly providing the digi locker service as they are doing now, and to make the DLA the regulator, like the Controller of Certifying Authorities, which restricts itself to regulatory issues and does not provide a service of its own. Provisions such as “Appointment of a Digital Locker Authority” should have been part of the notification, but unfortunately they have not been released as of now. We need to wait for them to be issued as a supplementary notification in due course.

The “Digilocker Credentials” which may ultimately be just the log in ID and Password will henceforth become a pointer to the other documents such as Aadhaar, PAN etc held within the Digital Locker and its security would be a key obligation of the service provider since it becomes a proxy to the subscriber’s identity.

Just as the Unified Payment Interface (UPI) is becoming a Universal identification for all financial instruments owned by an individual, this Digi Locker Account may become the universal identity document for an individual.

The Digi Locker service provider would be having a “Digital Locker Practice Statement” similar to the one used by a Certifying Authority for Digital Signature and would be bound by it.

The practice statement would be a self-declaration, verified only through an audit by an independent auditor. Since the Digital Locker Service Provider has to be gazette notified, the practice statement may be subject to an approval process.

The service provider would obviously be open to obligations under Section 43A for reasonable security practice and compliance of all aspects of ITA 2000/8.

At present the qualifications of an Auditor are not defined and I hope they will be determined on an “Ability to Audit” basis and not on a “Qualification Certificate Issued by Preferred entities” basis.

In summary, it appears that the Government through this notification has opened up a new business opportunity which is as responsible as a Licensed Certifying Authority in the case of a Digital Signature issue and the Unique Identification Authority of India (UIDAI) without an elaborate legislation. It could be an innovative approach but hopefully not questioned in the Courts for its validity.

The Start Up community may welcome this move as it opens up new opportunities where they can integrate several of their services.

We need to watch how this notification gets absorbed by the community and harnessed for business.

Naavi

(These are preliminary views and more would follow)


SWIFT Hacking exposes Indian Banks to huge Risks

The hacking of a Bangladeshi Bank last February where about $81 million was transferred by fraudsters hacking into the SWIFT Inter Bank money transfer system is a grim reminder of the weaknesses in our Banking eco system.

A detailed account of this heist is explained here.


The article explains the suspected modus operandi used by hackers to book 35 fraudulent transfers amounting to nearly US$ 1 Billion from the Central Bank of Bangladesh to Federal Bank of New York. By some grace of God only 4 of these transactions were carried through and the loss was limited to $81 million. The principal cause could be the compromise of the access credentials of one of the Bank employees with malware. What compounded the problem was the delay in cross verification arising out of holidays, first in Bangladesh and then in New York, exposing the Bank to the huge loss. Finally, what caused 30 transactions to be held up by the New York Bank was that one of the e-mail addresses contained the word “Jupiter”, which was a blacklisted name of an Iranian Oil Vessel subject to certain sanctions. One transaction failed due to a spelling mistake.

Now a clear 4 months later a similar attack seems to have been repeated on one of the Indian Banks in Mumbai which again by a stroke of luck did not go through.

The incident has been reported in Economic Times here.


This time the US Bank was a little more alert to identify an unusual transaction and the Indian Bank was saved. At this point of time it is not clear which was the Bank involved except that it was a public sector Bank with headquarters in Mumbai. The Economic Times report indicates that the Stock Exchange has not been informed of the attempted fraud which should be considered as a violation of the SEBI norms.

The CERT IN guidelines require that information regarding such security breaches be reported to them, and even the latest RBI guidelines mandate reporting of such incidents. However, Banks continue to hide the incidents and keep their investors in the dark until one day such frauds blow up in their faces.

One thing, however, is clear from these incidents: the security systems within the Banks have several shortcomings, and if even SWIFT transactions are unsafe, one can wonder how safe the RTGS transactions are.

Just like the Banks, customers also should pray for luck to be on their side to protect their funds from fraudsters!

Naavi


SMS Based 2F authentication is dead.. FinTech companies skating on thin ice

During the days of the G Gopalakrishna Working Group (GGWG) of RBI, which was deliberating on E Banking security, two Banks, namely ICICI Bank and SBI, which were members of the committee, tried to argue that “Two Factor Authentication” should be considered as equivalent to “Digital Signature” for the purpose of authentication of Banking transactions. Fortunately, thanks partly to the efforts of the undersigned, the bluff was called and the GGWG rejected the recommendation of the sub committee in this regard.

This was way back in 2011 and a lot of water has flowed under the bridge since then. Despite the recommendations of GGWG against Two Factor Authentication being considered as valid authentication, Bankers have continued to use two factor authentication based on SMS sent to a mobile as the principal means of authentication of all transactions conducted on Internet or Mobile.

In the case of Mobile Banking, the SMS based two factor (2F) authentication actually was reduced to a single factor authentication since the same channel was used both for the transaction and the authentication.

In the meantime, certain malware was also developed specifically to exploit the SMS based 2F authentication, and technologists continued to further compromise security by developing Apps that could read SMS automatically, pick up the OTP and continue the authentication process without human intervention. “Convenience” blinded the users into believing that this technological revolution was great.

Technologists who had little understanding of the security or ignored it deliberately for the sake of functionality of the Apps and the business entities who always pursued the compromised policy of “Security to the extent it is financially feasible” made 2F authentication a universally used system providing a false sense of security to the users.

What was regrettable was that the Government of India also fell prey to this false sense of security provided by OTP through SMS on Mobile as a valid 2F authentication which could enable an Aadhaar based e-Sign authentication that could be considered as a “Legally Valid” authentication.

The UPI (Unified Payment Interface) further adopted OTP for integrating all card based transactions and increased the stakes. It is reported that there are many FinTech projects which will go on stream on the UPI platform in the coming days, making the SMS based OTP system a widely used digital authentication system in India.

The central point that Naavi has been making in all the discussions here was that the dependency on OTP had diluted the KYC process to be completely subordinated to the integrity of KYC system used by the Mobile Service Providers (MSP). The situation has been brought down to the extent that a “Mobile Number Ownership” was equivalent to having an “Aadhaar Card” as if it was the “Passport to Digital Identity”.  But the MSP’s processes of KYC were not robust enough to be the foundation for all financial dealings in the country and therefore the society was exposed to a huge risk of massive digital financial frauds.

There appears to be a silver lining now to indicate that the tide may be turning. Yesterday there was a news report that the Indian Army had filed an FIR against Airtel over the issue of “Pre activated” and “Unverified SIM cards” in Manipur.

According to the complaint, an Army column had found that a distributor was handing out free, pre-activated SIM cards to the villagers without any paper work.

Though Airtel has officially denied that they are violating any DOT norms, the prevalence of the practice of issuing pre-activated SIM cards that can be used by either terrorists or fraudsters has been documented beyond doubt, exposing the naivety of the regulators in Banks, including RBI, DeITY, UPI, Aadhaar etc., in relying upon the KYC process of the MSPs as reliable enough to mount their financial transactions on as a Standard Operating Process (SOP).

This incident alone should have immediately brought out a clarification from RBI and DeITY or the CERT-IN that the SMS based 2F authentication is no longer to be relied upon for building authentication systems which may further be used for financial transactions.

I therefore urge CERT-IN to immediately step in and issue the advisory.

In a further confirmation of this need to deprecate the use of SMS based 2F authentication, the globally accepted, Government backed standards organisation of the US, namely NIST (National Institute of Standards and Technology), has proposed to deprecate SMS based authentication in its latest draft standard.

The report also identifies that NIST has flagged the use of SS7 protocols by hackers which was highlighted by Naavi.org recently. According to the NIST,

“it’s going to deprecate it (Ed:the 2F system) in favor of other options. Those options include using your smartphone with secure applications (such as Google Authenticator) that can generate out of band authentication codes, or other types of devices that can be used as out of band authentication (such as security keys, smart cards, and so on). If the cryptographic keys are stored on the device, then it should use trusted platform modules (TPMs), keychain storage, or trusted execution environments.”

One of the additional reasons why identity verification through an SMS sent to a mobile number is considered unreliable is the development of online services where a “Virtual Mobile Number” is made available as a service. This “Virtualization” of the MSP system will be a feature that can come in handy for fraudsters and be a threat for the law enforcement agencies.

The “Authentication Industry” has to therefore find a new method of reliably verifying the source of a digital transaction without which the entire FinTech industry will be skating on thin ice.

This development will be a milestone in the standards that set the bench marks for “Due Diligence” and “Reasonable Security Practice” under Section 79 or Section 43A of Information Technology Act 2000/8.

All Judicial authorities including Adjudicators as well as all Advocates need to take note of this development and ensure that Banks and other organizations that continue to use SMS based 2F authentication will no longer be considered as following “Due Diligence” or “Reasonable Security Practice” under ITA 2000/8 and hence will have to absorb the liabilities arising from frauds where OTP is used as an authentication feature.

Additionally, this article placed in the public domain will also be a “Notice” to all Organisations, Security professionals, Advocates and Judicial Authorities, including Government Agencies, that the failure of SMS based OTP as a reliable authentication mechanism in the digital world has been brought to their notice, and that their continued use of it will disable any legal defense based on this concept being projected as an accepted “Industry Practice”.

Naavi


FinTech Companies need to watch out for the new regulations from SSWG

Since June 2016, there has been a flurry of activity in the RBI as regards the formation of security guidelines that apply to the Financial Services Industry in India in general and Banking in particular.

First, there was the circular regarding “Cyber Security Framework” which required Banks to set up a “Security Operations Center” (SOC) and monitor even “Zero Day Vulnerabilities”.  Though the earlier information security guidelines of April 2011 following the GGWG (G Gopalakrishna Working Group) recommendations did press for many information security initiatives that the Banks should have taken which could be interpreted to include what is now being stated, none of the Banks had taken the GGWG guidelines seriously.

Now RBI has taken a decisive step to alert the Board Members in Banks, and more particularly the Independent Directors, to not only take stock of the implementation status but also confirm to RBI that they have indeed done so. Additionally, Banks have been specifically directed to place the RBI circular and a Gap Analysis before the Bank’s board and send a report to DBOD before July 31, 2016. They have also been given the deadline of September 30, 2016 for implementation of the Cyber Security Framework and confirmation to RBI.

Setting up an SOC, and more particularly watching out for “Zero Day Vulnerabilities”, calls for a high level of expertise, technical enablement as well as investment by Banks. Except for the top few Banks, others may have neither the expertise nor the technical know-how to maintain the SOC as required. There are also many smaller Banks which may not have the necessary resources to buy the technological services required for the purpose. This has already sent most CISOs in Banks into a huddle and set off feverish activity amongst those Banks which have the capability to understand the implications. Many others are likely to continue in their mode of “All is Well” and “Ignorance is Bliss” until they are jolted again by another follow-up initiative of RBI, if there is one.

Following this circular, RBI also released a “Vision Document” for the “Payment and Settlements Systems Industry” with a focus on “Prevention of Frauds” in the payments eco-system, which includes many private sector players who are today acting as business associates of Banks. A responsive regulatory framework was suggested, which included new policies to be developed for the sector.

These measures clearly indicated that Banks would significantly increase their oversight on private sector FinTech companies who were hitherto working in the background while fraud risk exposure at least in perception terms was absorbed by the front end Banks. Though legally, under ITA 2008 the back end service providers were exposed to the risks of frauds, due to general ignorance of the customers and the Banks, they were not called upon to bear the risk of fraud losses.

This situation will now be changed. RBI has identified measures to increase the accountability of the back end service providers and even indicated that RBI may directly retain the power of regulating the back end service providers such as Payment Gateways, Authentication Providers, Customer Aggregators etc. While RBI may wait until it takes a direct plunge into regulating the intermediaries who work between the Banks and the End users of different services, it will definitely bring sufficient pressure on the Banks themselves to increase their supervision of the back-end service providers.

As a result, the back-end service providers which include many Start Ups in the FinTech industry will start feeling the heat of regulatory oversight soon. Since most regulations translate into a Techno Legal Compliance exercise at the service provider’s level, it will require additional investments which might not have been budgeted earlier. The VCs who have funded these companies will also have to take note of the new regulations and ensure that their funds are protected. In case these Tech Companies continue to ignore the compliance requirements in their operations, they are likely to face unpleasant surprises soon.

In a bid to develop policies that may be required for such regulation, RBI has recently set up a working group under the Chairmanship of Mr Sudarshan Sen, Executive Director. (We shall call this the SSWG).

It is time that the FinTech industry takes note of this development and tries to understand the implications of the setting up of the SSWG and its likely recommendations that may follow. The working group has been asked to submit its report in the next 6 months. Since this will be one of the first Working Groups that will define the role of FinTech companies in India, it will be a trend setter. But if the trend is set in a direction that the FinTech companies consider as incorrect, then their business will be adversely affected.

We may take note that in the recent past the Taxi Aggregators and the E Commerce Companies were at the wrong end of new regulations from politicians who did not understand the business. Since these companies also did not understand the mindset of the regulators, they failed to defend their interests and allowed regulations that are dysfunctional. As a result, a “Taxi  Service Aggregator” today is considered as a “Taxi Operator” and E-Commerce “Market Place” is considered as a “Wholesaler”.

The next axe will fall on the Health Information App companies and the FinTech Companies. If they do not wake up and take measures to protect their interests, they will regret it.

I am not suggesting here that the FinTech companies should manipulate the regulatory framework contemplated by RBI. But I am surprised that FinTech companies do not find a representation in the SSWG though the decisions taken there could affect them. There is a need for the FinTech Companies to ensure that their voices are heard in the regulatory circles.

While organizations such as CII or FICCI ensure that policies are not generally detrimental to the industries they represent, FinTech Companies do not have a proper industry body to represent them. NASSCOM is also not represented in the SSWG and, even if represented, it is not a reliable representative of the FinTech companies, which are mostly small and micro enterprises.

There is therefore an immediate necessity for these entities to come together and form a body of “FinTech entities” that understands the needs of this industry segment and represents it to the right authorities.

Since the SSWG has already been formed and in the next one month will start collecting data about the industry, it is high time for the FinTech entities to formulate their strategy of presenting a collective industry face to the SSWG and ensure that they are heard fairly.

I urge industry players to take the initiative and form a “Society of FinTech Entities”, enrol members, develop an industry representation that can be presented to the SSWG. The society can propose certain “Self Regulation” that would pre-empt any unreasonable regulations which may otherwise be imposed on them.

Since Bangalore is a hub of Start Ups and there are many FinTech companies working here, it is a good place to start with. If the industry players are interested in coming together to form such a “Society of FinTech Entities” and need any assistance, Naavi would be happy to assist them.

Naavi

 

 


RBI’s FinTech Working Group needs to secure Consumer interests also

It is good to see that RBI at last appears to be walking its talk on hardening the security in Banks. After the last circular on “Cyber Security Framework” (June 2, 2016), which reiterated the earlier circulars issued after the G. Gopalakrishna Working Group (GGWG) that were largely ignored in implementation, the July 31 deadline for Gap Analysis and the September 30 deadline for putting a new policy in place must be haunting the Bankers. Those in the Banking system who have understood the import of the circular and want to be compliant must be spending sleepless nights.

In the meantime, it is reported that Deputy Governor R Gandhi, participating in an IDRBT event in Hyderabad on July 19, has confirmed that RBI has constituted a working group on financial technology, “to fully understand the new paradigm of Fintech and to chart out the best way of using it”. (A copy of the speech is available here)

It was also noticeable that, for the first time, RBI has drawn the attention of the Government to the Fraud risks associated with the Jan Dhan Yojana scheme, which have been highlighted in these columns on various occasions. (Refer article in IE)

It would however have been better if RBI had also endorsed our suggestions regarding provision of Cyber Crime Insurance to the Jan Dhan users along with proper education and technical help for security.

Hopefully once the risk is flagged, some measures would follow. Probably the working group on FinTech will address these issues in their deliberations.

The Constitution of the Working Group is indicated in this notification.

The Working Group will consist of 13 members including the Chairman, Shri Sudarshan Sen, Executive Director. The members are as shown below.

(i) Shri Sudarshan Sen, Executive Director, RBI - Chairman
(ii) Dr. Sarat Kumar Malik, CGM, SEBI - Member
(iii) Shri R.K. Sharma, Joint Director, IRDAI - Member
(iv) Shri Rakesh Sharma, GM, PFRDA - Member
(v) Shri A. P. Hota, MD & CEO, NPCI - Member
(vi) Dr. A. S. Ramasastri, Director, IDRBT - Member
(vii) Shri R Ravikumar, CGM, DBS, RBI - Member
(viii) Smt. Nanda S. Dave, CGM, DPSS, RBI - Member
(ix) Shri Mrutyunjay Mahapatra, DMD & CIO, SBI - Member
(x) Shri Nitin Chugh, Head, Dig. Bkg., HDFC Bank - Member
(xi) Shri Amish Mehta, CFO, CRISIL - Member
(xii) Shri A. Joseph, JLA, LD, RBI - Member
(xiii) Shri Prasant K. Seth, GM, DBR, RBI - Member-Secretary

Notably, there is no representation of ICICI Bank, a regular participant of all RBI working groups on Banking matters, but HDFC Bank and SBI represent the Banking industry. Surprisingly, there is no representation from the FINTECH industry and, as usual, none from the Consumer side.

In the past, RBI working groups have been dominated by some industry players who have successfully tried to manipulate the RBI policies through such working groups. During the times of the GGWG, Naavi fought a tough battle to ensure that some motivated changes which were not legally sound were not part of the recommendations.

The RBI Circular however states that the Working Group may invite views from representatives from any area relevant to its terms of reference and may also, at its discretion, co-opt entities in the payment, telecom, software and start up ecosystem. Hope this would be implemented in practice and does not remain on paper only.

The terms of reference of the Working Group are:

  1. To undertake a scoping exercise to gain a general understanding of the major Fin Tech innovations / developments, counterparties / entities, technology platforms involved and how markets, and the financial sector in particular, are adopting new delivery channels, products and technologies.
  2. To assess opportunities and risks arising for the financial system from digitisation and use of financial technology, and how these can be utilised for optimising financial product innovation and delivery to the benefit of users / customers and other stakeholders.
  3. To assess the implications and challenges for the various financial sector functions such as intermediation, clearing, payments being taken up by non-financial entities.
  4. To examine cross country practices in the matter, to study models of successful regulatory responses to disruption across the globe.
  5. To chalk out appropriate regulatory response with a view to re-aligning / re-orienting regulatory guidelines and statutory provisions for enhancing Fin Tech / digital banking associated opportunities while simultaneously managing the evolving challenges and risk dimensions.
  6. Any other matter relevant to the above issues.

Perhaps we need to watch how the recommendations of the FinTech Working Group develop and whether it will properly represent the views of the Fin Tech industry and the interest of the public who are consumers of the services rendered by these companies as well as Banks.

Naavi


“There will be no prosperity without Law and Order..” Donald Trump.. A message also for Digital India

Donald Trump, the Republican nominee for US president this year, says “There will be no prosperity without Law and Order”. This was said in the context of the American physical space, where Crime and Terrorism have created a situation in which protection of US citizens has become the prime election plank for the US presidency. But what he said in the context of the US physical space is also a timely reminder for Cyber Space watchers in India, and more so for the Cyber Space regulators of India.

Time and again we have highlighted the need to ensure “Security” before we take a technology leap particularly when the users are uneducated and un-initiated to a security culture. However, the Ministry of IT has not moved fast enough and decisively enough to take such steps as are necessary to mitigate the Cyber Crime risks in the country.

It is possible that the Government may not accept this criticism and say that they are taking many steps in the background to which the public is not privy. I hope it is true and that the security issue is being addressed in all our Digital India projects, including the FinTech revolution in the financial sector, Tele Medicine projects, E Governance projects, Smart City projects, Smart Grid projects, Big Data projects etc.

But if we look at some of the publicly visible aspects such as E Banking Security, Lack of Government interest in Cyber Insurance, Continued apathy to re-activation of the Cyber Appellate Tribunal, Non Correction of the flawed Adjudication System of Cyber Justice, Scrapping of Section 66A which remains unchallenged, it appears that the list of what needs to be done urgently seems to be growing.

Not all of this can be blamed on the Modi Government since, at least on the Cyber Appellate issue and Section 66A, the role of the Supreme Court is evident. But the Government has not decisively taken steps to fight it out with the Supreme Court to make the necessary corrections.

As regards the financial sector, very recently, RBI has taken some bold new initiatives and demanded action from Banks on the security front with deadlines. A Cyber Security Framework has been suggested and the Banks’ acknowledgement of its implementation has been asked for before July 31st. If this is pursued, there should be improvement in E-Banking security. But whether the new Governor takes steps to push the Banks beyond the issue of circulars is to be watched.

The FinTech Companies are changing the financial landscape in the country and are also eroding the role of the regulated Banks in shaping the future of e-finance industry. These being private sector companies, their profit motive is at a level higher than the commercial Banks and the possibility of a trade off between security and profits is high. There is therefore a need to keep a strict watch on the activities of FinTech Companies and ensure that the regulation works.

If however, the Government is committed to “Free Enterprise” and “Placing Faith in Private Sector” and liberalize the financial sector, then there is a need for the Government to simultaneously take steps to protect the Citizens from the vagaries of Cyber Crimes. Citizens cannot be left to fend for themselves and used as sacrificial lambs to promote Digital India.

I therefore advocate the following immediate steps for the Government of India to take, namely,

  1. Call a meeting with the CJI and finalize the appointment of the Chair person of Cyber Appellate Tribunal immediately without the larger issues such as NJAC becoming a stumbling block.
  2. Improve the system of “Adjudication” under Section 46 of ITA 2000/8, by setting up a separate “Adjudication Bench”  in each State and Union Territory which should consist of one member of the Judiciary trained in Cyber Crimes to be the Adjudicator and supported by a technically qualified Co-Adjudicator who could be a Government official like the IT Secretary or even a Non Governmental person.
  3. Both the Adjudication system and Cyber Appellate Tribunal should be mobile and sit in any location outside their head quarters as often as required and also use video conferences to reduce the cost of the process and make it more user friendly.
  4. Introduce a strict policy in Banks that they should not pursue the policy of litigation on Customers for Cyber Crime related issues unless there is evidence that the customer is involved in the fraud and ensure that the NPA recognition norms are suitably altered to ensure that Banks try to hide cyber crime frauds under “Pending litigation”.
  5. Introduce a “Limited Liability” policy in terms of cyber crimes related to ATM cards, Credit Cards, Phishing, Mobile Wallets etc where the customer’s loss should be limited to not more than 10% of the amount lost so that where he opts for immediate settlement, the complaint may be closed at this 10% cap without any litigation with the customer while the Bank may continue its efforts to recover the full money lost against the alleged fraudster.
  6. Introduce mandatory Cyber Insurance for Mobile Wallet users across the country upto a nominal amount of Rs 5000/- per month and subject to an annual limit of Rs 10000/- (The limits are suggestive) with strict penalization for fraudulent claims through the re-invigorated Adjudication system.
  7. Section 66A of ITA 2008 which not only provided security against Cyber Stalking and Cyber Bullying but also on Spamming and Phishing should be re-introduced immediately, if possible with a simple review of the earlier decision by a larger Supreme Court bench, introducing whatever clarifications the Supreme Court wants on Free Speech.

I request Mr Ravishankar Prasad, the honourable Minister of Law and IT, to immediately take steps to initiate these suggestions and, where there are financial implications such as Cyber Insurance and Banking liability, I request Mr Arun Jaitley as the honourable Finance Minister to step in with his support.

If such measures are not taken at the earliest, I foresee that political opponents of Mr Modi will hire hackers to hack into Cyber Assets of the country, inflict loss on the public and hold Mr Modi responsible in the same way some allegedly thought of hiring Ishrat Jehan and Taliban forces to assassinate him.

This is a prophecy which I do not want to become true but urge the Government not to neglect.

Mr Donald Trump has rightly identified that unless terrorism is eliminated by a policy which is different from the current “Politically Correct” approach, there will be no prosperity for the community. Similarly, in Digital India, prosperity will not be possible if the Government does not take corrective steps and slips into complacency that Technology is fascinating and nothing will go wrong.

Naavi
