Limited Customer Liability on Bank Frauds.. Your Comments solicited by RBI

Posted on August 12, 2016 by Vijayashankar Na

In a long awaited but highly welcome move, RBI has released a “Draft Circular” for public comments on “Limited Liability” for customers in case of frauds in Internet Banking and Card transactions.

Suggestions/comments, if any, on the Draft Circular may be sent by post to the Chief General Manager, Department of Banking Regulation, Reserve Bank of India, Central Office, 12th Floor, Shahid Bhagat Singh Marg, Mumbai-400 001, or by E-Mail:  (  Click Here to send email)  (liabilityebt@rbi.org.in) on or before August 31, 2016.

I urge all visitors to go through the circular and provide their feedback to RBI taking into account the following points.

  1. The recommendations in the Circular are welcome in the context of increased use of electronic mode of payments by Banks as a part of its effort to improve efficiency and reduce costs and the growing cyber threats from organised cyber criminals.
  2. The frauds are being facilitated by use of “Password” for most of the authentication requirements though use of passwords is legally not recognized as “Signature” for banking transactions.
  3. The marginal improvements in security sought with the 2 Factor authentication is considered inadequate to protect the consumers against the current set of frauds.
  4. The increased use of cloned cards for Credit/Debit Card and ATM cards through card merchant side compromises has placed the customers in a defenseless position against frauds.
  5. The system of limited liability to customers has already been in vogue in USA and other countries and was also recommended by the Damodaran Committee on Customer Service which gave its report way back in 2011 and was sidelined due to opposition from influential Banks.

The suggested recommendation from RBI is therefore welcome and needs to be notified at the earliest.

As regards some of the conditions that have been indicated in the circular, the following may be noted.

Recommendation Comments
Banks must ask their customers to mandatorily register for alerts for electronic banking transactions.

The alerts shall be sent to the customers through different channels (email or SMS) offered by the banks.

 Where the customer is able to provide both SMS and E-Mail addresses, the alert should be sent through both channels.

Hence the circular may be modified to read as (email and/or SMS)  instead of (email or SMS)
The customers must be advised to notify the bank concerned of any unauthorised electronic banking transaction at the earliest after the occurrence of such transaction. Banks must provide for response by “Reply” to the SMS and E Mail and should not be required to search for a web page or an e-mail address to notify the objection if any.

Necessary change may be made to the circular in this regard
A customer shall be liable for the loss occurring due to fraudulent transactions in the following cases:

(a) In cases involving negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.

 When the credentials of the customer is stolen by a fraudster by the use of “malware”, it should not be construed as “sharing” of the credentials in as much as the customer is a victim of the systemic problem.

Such instances may be classified as “Arising due to neither the negligence of the bank nor the customer”.

In order to ensure that malware in the browser software does not result in a fraud, Bankers should provide “Secure Browsing Environment” for all Banking transactions through an appropriate security software.

Presently, most anti virus software such as Kasparesky provides such “Safe Browsing” for Banking transactions but such session requests are some times are rejected by the Banking systems due to improper configuration.

Not enabling such “Safe Browsing” environment should be considered as a “Negligence” by the Bank.

Under Indian law (ITA 2000), the only legally recognized form of authentication which also applies to the Banking transaction is in the form of Digital Signatures (or eSign).

Banks should mandatorily enable their systems for the use of Digital Signatures and eSign so that customers who intend to use digital signature based log-in may be able to use them.

Not providing such options should be considered as “Negligence” by the Banks.

(P.S: This was stated in the Internet Banking Guidelines of June 2001 where the Banks were expected to assume the legal risk in such cases)
In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer but lies elsewhere in the system and when there is a delay (of four to seven working days) on the part of the customer in notifying the bank of such a transaction the customer liability shall be limited to the transaction value or ₹ 5000/- In the case of mobile transactions through apps where there is a monthly transaction limit of Rs 10000/- and no KYC obligation, the liability limit  may be reduced to Rs 2000/-
The policy must be transparent, non-discriminatory In the past Banks have easily refunded fraud losses to some celebrities and even the police personnel but have taken the genuine normal customers to Court through a process of lengthy litigation which the customers are unable to sustain.

Examples of cases pending in Cyber Appellate Tribunal involving ICICI Bank, SBI , PNB and Axis Bank are available for this. All these cases involved serious KYC lapses on the part of Banks but are going through needless litigation because Banks can throw money to lawyers for dragging the cases for years.

RBI should therefore review all the pending cases and open a window for mediating compromise solutions based on the new policy.
The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank. The bank’s above policy shall also specify the maximum time period for establishing customer liability after which the bank shall compensate the customer. Welcome move since all the evidences are with the Bankers within their system and are capable of being manipulated.

Bankers should be advised to archive fraud related log data as “Evidence” and make it available to the law enforcement authorities even when the dispute with the customer is settled through this suggested mechanism or otherwise.
The banks shall put in place a suitable mechanism and structure for reporting of the customer liability cases to the Board or its Committee. The reporting shall, inter-alia, include volume/number of cases and the aggregate value involved and distribution across various categories of cases viz., card present transactions, card not present transactions, internet banking, mobile banking, ATM transactions, etc. The Standing Committee on Customer Service in each bank shall review, on a monthly basis, the unauthorised electronic banking transactions reported by customers or otherwise, as also the action taken thereupon, the functioning of the grievance redress mechanism and take appropriate measures to improve the systems and procedures. A summary of incidents settled under this mechanism should be made available on the website of the Bank.

I request visitors to send their comments to RBI without fail both appreciating their efforts towards Consumer protection as well as making suggestions if any.

Once this system comes into practice, I suppose Cyber Insurance Providers will feel bold enough to provide Cyber Fraud insurance cover to Bank customers to cover the balance risk that is left uncovered by this system (Rs 5000/- )

Naavi

Suggestions/comments, if any, on the Draft Circular may be sent by post to the Chief General Manager, Department of Banking Regulation, Reserve Bank of India, Central Office, 12th Floor, Shahid Bhagat Singh Marg, Mumbai-400 001, or by E-Mail:  (  Click Here to send email )on or before August 31, 2016.

Posted in Cyber Law | 2 Comments

Cyber Security Framework and Directors of Banks- An Action Plan..for Now..

Posted on August 11, 2016 by Vijayashankar Na

The Cyber Security Framework (CSF-2016) proposed by RBI to be implemented by Banks has posed a stiff challenge to the community of Bank Directors. After the lukewarm response to its previous guidelines including the E Banking Security Guidelines (GGWG Recommendations) of 2011 from Banks, RBI has now tried to tighten its screws on the Bank boards and therefore repeatedly sought the direct responsibility of the Board of Directors in Banks for ensuring implementation of the recommendations under CSF-2016.

The Countdown has already started. By September 30, 2016, RBI wants several aspects of its recommendation to be in place and it is hardly 51 days to this deadline and probably not more than two board meetings left to review the implementation.  The challenge is stiff, but we need to make a start and start running. The spirit is to make an honest attempt.. afterall, we are in the season of Olympics and participation is the key.. Making an honest attempt to win is necessary….But actually winning is incidental..

Let’s briefly review the challenge that our Bank Directors have on their hand now. I wish Directors in banks and more appropriately the “Independent Directors” need to take note of the following in their own interest.

The first deadline given by RBI was July 31, 2016 by which the Board should have approved a “Gap Analysis ” and signed on a report sent to the DBOD.  Probably most Banks should have completed the formality. Those who have shot off the report may now review if the report was complete and those who have not, need to review how quickly they can recover the lost ground.

Banks already have some infrastructure to handle Information Security and there will be a sub committee of senior executives already assigned to the task of managing the Information Security in the Bank as per the GGWG guidelines. There is also a CISO in most Banks. The CISO should therefore present (should have already presented) to the Board his assessment of the Gap and recommended action plan.

If not, summon another Board meeting immediately and ask the CISO to make a presentation. Even if a note has been already presented, it is recommended that the CISO is asked to present his views on the Gap report already sent to RBI and modifications that may be required.

The “Gap Report” is to document the current status of the implementation of the “Cyber Security Program” vis a vis the recommendations contained in the Cyber Security Framework-2016 elucidated in the RBI circular of June 2, 2016.

Obviously, in order to prepare this Gap Report or approve it as a member of the Board of Directors, there is a need to understand the CSF-2016 document and absorb its implications. This itself requires a deep understanding of the nuances of Cyber Risk Management without which the Directors can be easily mislead that “All is Well” and ignore the urgent action to be undertaken.

The first question to be raised is

  • It is a requirement of the CSF-2016 that the Board of Directors should be adequately trained on Cyber Security issues. Has the CISO organized such an awareness  program for the Directors? If not.. when is it scheduled?
  • In order not to waste further time, the agenda for the next Board meeting should include a presentation by the CISO of not only the action plan under CSF-2016 but also a general training on the implications of CSF-2016 .
  • Since CISO is the implementing party, it is better if such a training program is organized by an external consultant who understands the issues in managing Information Security in the Banking environment and should precede the presentation of the CISO so that right questions can be raised to the CISO.
  • Since it is embarassing for the Board to call for a training for itself, it is better to call this an  “Interaction with an expert” or a “Round Table” in which the implications of CSF-2016 can be discussed by the members of the Board along with the CISO and his team.

Some of the challenges that the Directors need to meet during this initial interaction is..

a) The Gap report should have identified the Cyber Threats that confront the Banking environment considering the business and product profile of the Bank. The CISO should have developed a “Threat Register” to identify and list the threats.

b) The Gap report should have identified the Cyber Vulnerabilities of the system including the technical, regulatory, and manpower related deficiencies in the system.

c) Based on the threats and vulnerabilities, the CISO should have developed a “Risk Register” listing out the individual Cyber Risks that confront the Bank.

d) The “Risk Identification” should not be restricted to technical matters only and should also address the legal issues such as compliance to Information Technology Act 2000 as amended in 2008 and later (ITA 2000/8) and also take into account the human factors that can result in exploitation both at the employee level and the customer level

c) The Risk Identification has to also assign a measure of the risk criticality  which can be either a subjective evaluation of “Low Risk”, “Medium Risk”, “High Risk” etc or assign a value in an objective manner if possible.

d) The CISO should also indicate and recommend the “Risk Management Policy” consisting of how much of the risk can be avoided, how much of the risk can be transferred by insurance, how much of the risk can be mitigated by various measures and how much of the risk has to be absorbed by the organisation.

e) The CISO should also indicate and recommend a brief overview of a  “Risk Mitigation Plan” and suggest what should be the “Risk Appetite” of the organization. It would however be the decision of the Board to determine the “Risk Appetite” of the organization which reflects the extent of risk that it can absorb in the interest of business since ultimately commercial activity is always a risk-return trade off.

f) The CISO may also be asked to present his specific recommendations on the status of implementation on the 24 Baseline controls that have been indicated in Annexure 1 of the CSF-2016 as well as how to approach the SOC set up indicated in Annexure 2 and the Incident Reporting structure indicated in Annexure 3 of the CSF-2016

The “Gap Report” is only a starting point and may be imperfect. But what is required to be done is to set in motion a corrective plan so  that by September 30, 2016 when a comprehensive “Cyber security Policy” along with an operating “Security Operations Center” and a “Cyber Crisis Management Plan” is to be presented to the RBI with the recommendations of the Board, the Directors are fully aware of the responsibilities they are undertaking in submitting the plan.

This is also the time for the Board to review if its current information security management infrastructure is adequate and needs to be augmented. Finding right people in the domain is not easy and even if a decision is taken today, it is impossible to get quality people before the deadline of September 30 has already elapsed by a mile. Hence the first set of action has to be initiated by the existing team summoning whatever assistance they can gather from within and available external consultancy resources.

There is no doubt that your CISO will say setting up an SOC is a long term project and even a proper risk assessment will take time. But RBI has taken this into account and advised that Banks cooperate amongst themselves through the CISO forum coordinated by IDRBT to share knowledge and achieve the goals faster than what they would otherwise achieve.

This however requires shedding of individual egos of Banks and their CISOs and working in a spirit of cooperation and benefit to the Banking community on the whole.

The Board has a responsibility to provide support to their CISOs to explore such cooperation in a spirit of give and take so that professional CISOs are not constrained by the fears of breaking the norms of secrecy that often shrouds the operation of the information security departments.

… With these introductory words, I urge the Directors of the Banks to accept the challenge placed before them by RBI to strive towards achieving the Cyber Security Goal however difficult it appears to be.

Naavi

 

Posted in Bank, ITA 2008, RBI | Leave a comment

At Last, the Finance Ministry seems to have recognized Cyber Threats in Banks

Posted on August 10, 2016 by Vijayashankar Na

It has been pointed out ad nauseam on this forum that Cyber threats in Banks are looming large to be considered as a “National Security Issue”. However, the commercial considerations in Banks have pushed technology solutions ahead of security considerations in most Banks and new services dependent on insecure technology has been embraced with enthusiasm by the system. Customers are being lured by the fancy of “Convenience” to adopt technologies that they donot understand and open themselves to threats of Cyber Crimes.

While our repeated cries in the name of Customer Fraud Protection through Cyber Insurance have still not caught the attention of the Government, what seems to have moved them now is the direct attacks on the Banks such as what Union Bank Faced in the SWIFT system. It appears that the “Intelligence Officials” have nudged the ministry to initiate the latest set of measures.

Recognizing the risks in the compromise of the Banking system, the Finance Ministry has sent out a warning  to state owned Banks to strengthen the Bank’s Information Technology Systems. Coming close on the heels of the RBI’s notification of the Cyber Security Framework-2016, there appears to be some positive action from the regulatory system to harden security in e-Banking.

In the past there have been such short bursts of enthusiasm which have later fizzled out due to commercial considerations.

160808gycs_17Last Saturday, the undersigned addressed a group of Bankers in Chennai and spoke on “Role of Banks in Cyber Security”. During the interaction the immediate measures that the Bankers need to initiate to meet the September 30 deadline for implementing the Cyber Security Framework were briefly discussed.

In the latest monetary policy speech, the Governor of RBI has hinted at some more immediate regulatory notes on the FinTech industry In particular, there could be some measures to regulate P2P lending and aggregation services in Financial Services.

Following the deliberations in the workshop, Naavi is intending to launch a “CSF-2016 Compliance initiative” directed to create better awareness with the Bankers on the implications of the new RBI guidelines. Watch out for more information on the developments in the coming days.

However these new regulations are likely to be more on regulating the business of these FinTech companies rather than addressing the information security issues arising out of these services.

We need to wait and watch the shape of these new regulations before passing any specific comment on them. But our earlier warning to FinTech companies remains in tact.

Naavi

Posted in Cyber Law | Leave a comment

Privacy Rights..Let’s preserve for the next generation.

Posted on August 5, 2016 by Vijayashankar Na

“Privacy” is a concept most dear to human right activists and is considered as an important pillar of democracy. Constitutions of all democratic countries swear by Privacy Rights to its citizens. However, it is well known that no Government in the World is really intending to provide “Privacy Rights”  which infringe on the Security of the State and hence all Privacy legislations provide for  “Reasonable Exceptions”.

If there is a direct conflict between providing “Privacy” for Citizens and “National Security”, there is no option but to chose National Security.

The problem however is that while “Surrender of Privacy Rights” in the name of National Security is normally accepted by all right thinking Citizens, there is a fear that the information so surrendered may not be used by the State for the purpose for which it is collected. The misuse may be for political reasons or for the self interest of officials who are provided with powers to deal with the information in the interest of national security.

Similarly, when commercial organizations seek information which is in violation of the general privacy norms, for the purpose of providing some services in return, most Citizens are able to forego their rights if they see value in return.  Hence if Google maps provide directions for driving, we obviously donot mind sharing our locations. We also may not mind Google maps suggesting through some advertisements, services such as hotels on the highway as part of its service since it could be of some use.

Again the problem arises when the commercial entities donot provide adequate value in return for the private information exchanged by the individual or use it in contexts different from the purpose for which they were shared or simply are not transparent of their intentions.

With the new developments such as Smart Cities, Smart Grid, IOT, Big Data etc, the concept of mining data from multiple sources has become an acceptable practice. E-Governance in India has placed large quality of both Personal and Sensitive Personal Data in narrow funnels such as the Aadhar system, the Digi Locker System or the UPI or the upcoming GST. Citizens donot have the confidence that these agencies will be able to protect the integrity of the system and sooner or later (if not already) the data shared by millions of Indians with these authorities in good faith and in confidence will be available in public domain.

Hence the fight for “Privacy” may already be a lost cause at least for the current generation. We therefore need to learn to live without privacy.

However, the next generation which have not already shared their personal information to Aadhar and other agencies may still have an opportunity to keep their future activities away from the risk of privacy breach if we can develop a suitable system which provides a middle of the road solution between Privacy and National Security.

The solution for “Privacy in harmony with National Interest” is therefore to find a method by which an individual can interact with the world without disclosing his identity to the extent it is not necessary either in the interest of the transaction nor national interest.

The quest for such a solution is the challenge to all of us who need to leave a legacy of “Privacy Protection” to our posterity though we ourselves may not consider it feasible at this point of time.

“Anonymization” of transactions could be a solution but it needs to be protected in the interest of “Security”. Hence the solution lies in building a system of “Regulated Anonymity System” which is also a system of “Filtered Identity Management” system.

The time for such a solution seems to have arrived now with Aadhaar, Digi Locker and UPI systems becoming a part of every individual in India and all these are dependent on the Mobile identity of an individual which therefore has become a universal ID for all of us. Unfortunately the KYC system under which the mobile ID is issued as well as the security risks in its compromise place all our other IDs in danger of being subsumed by the insecurity associated with the Mobile ID.

Hope technologists will start working towards finding a solution to this problem..

Naavi

Posted in Cyber Law | Leave a comment

Digital Signature Landscape in India expands

Posted on August 4, 2016 by Vijayashankar Na

The Digital Signature system based on Public Key Infrastructure was defined as the sole electronic authentication method under Information technology Act 2000 notified on 17th October 2000. However, as on the date of the notification of the Act, there was no infrastructure present for issue of Digital Certificates in India. As a result, the community had to wait until the first Certifying Authority license was issued on 5th February 2002 to Safescrypt which was a subsidiary of Sify.com. Subsequently licenses were issued to IDRBT, NIC, TCS, (n)Code, e-mudhra, MTNL, and Department of Central Excise. In the last few years, MTNL, the Department of Central Excise and TCS exited from the business (TCS license expires in 2017), leaving Safescrypt, (n)Code and E-Mudhra as Certifying Authorities (CAs) for the public, NIC for the Government and IDRBT for Bankers.

In the last one year, two new licensees have been added to the list of CAs. First was CDAC-PUne which was licensed on 29th June 2015 and more recently, “Capricorn Certifying Authority” in Delhi was licensed on 16th May 2016.

Of these two, CDAC  CA is set up to cater to the needs of issuing Digital Certificates for eSign Services, which was notified as an additional method of authentication under Section 3A of ITA 2008 vide G.S.R. 61(E) dated 28th June 2015, under which e-authentication guidelines were issued by CCA on 24th June 2015. The notification of 28th June 2015 was however modified on 30th June 2015 vide G.S.R.539(E).

The eSign facility was first used on a beta basis in the DigiLocker service of the Government of India. Now it is learnt that a private company in Bangalore has launched a web based service using the e-Sign facility offered by CDAC.

The Capricorn Certifying Authority is launched in Delhi recently and is offering its services to the public. It therefore becomes the fourth CA besides Safescrypt, (n) Code and e-Mudhra to offer such services to public.

In the list of licensed CAs as available in the CCA website, there is a mention of Indian Air Force as a licensed Certifying Authority but no details of information has been provided. Assuming that this is not an error, it may be presumed that Indian AirForce has obtained a license probably for its internal use so that secure communication can take place between the AirForce employees which may include the defense personnel, the equipments used in air defense systems etc. In order to secure further information of the same the full details might not have been provided in the website.

This development where IAF has set up its own Certifying Authority with legal validity in India but for captive use is a good security policy which could be adopted by the Army and Navy.

While trying out the CDAC system of e-Sign, it was not clear if the system has been implemented properly and we hope in the coming days, the system would be fine tuned.

Naavi

 

Posted in Cyber Law | Leave a comment

The Five Commandments on Cyber Security For Banks… R.Gandhi, Executive Director

Posted on August 2, 2016 by Vijayashankar Na

 After Mr K C Chakrabarthy, the former Executive Director of RBI, it appears that the mantle of Cyber Security has passed on to Mr R. Gandhi, Deputy Governor, who appears to be pushing the Commercial Bankers for better Cyber Security.

Speaking recently in a Conference on “Protection of Critical Infrastructure” in Mumbai, Mr Gandhi has pointed out five important focus areas for bankers which he has termed as “Five Commandments” which should, if followed by Bankers bring about a lot of improvement to the state of “Secure Banking” in India particularly in the light of new licenses being issued in the industry.

In a hard-hitting speech (See the full speech here), Mr Gandhi has punched several wise observations and empathized with the customers by recognizing that

“…while the Banks may have better resilience in terms of risk mitigation structures, and ability to absorb the losses and expenses, the customers may not be so privileged. A relatively small value fraud of a fR_gandhi_ED_RBIew thousands of rupees may endanger the purchase of basic needs and most customers may be ill-equipped to effectively handle the security features provided with the service”

This is an excellent observation coming from a person who has risen to the present position from a small town in Tamil Nadu, namely Tirunelveli. (Incidentally, Tirunelveli is the town from which the fighter Mr S.Umashankar emerged to challenge ICICI Bank in a Phishing Fraud which became history when the TN adjudicator held the Bank liable for Phishing… though the continued apathy since 2011 of successive Central Governments and CJI s has kept the fight incomplete).

In highlighting the defense strategies, he has rightly recognized that the liabilities and responsibilities of the financial Intermediaries by stating that..

“…ecosystem for financial transaction not only includes banks and their customers, but also network service providers, IT infrastructure providers, providers of security solutions and providers of the end-point device which is used for accessing the financial service including the ATMs which may or may not be bank-owned/managed devices”.

Highlighting the need for Cyber Security Preparedness, he has also indicated his five commandments for safety in Banking namely

  1. Thou shall know your customer
  2. Thou shall know your employee
  3. Thou shall keep your IT Systems up-to-date and free of all risky components
  4. Thou shall provide for maximum IT Governance
  5. Thou shall ensure continued Cyber Security Awareness 

Mr Gandhi continued to also list some of the recent initiatives that RBI has introduced in this regard and referred to the June 2, 2016 guidelines for Cyber Security framework for Banks. Among other things he has pointed out the important of Cyber Incident Information sharing and expressed confidence that Banks will respond adequately to the initiatives suggested by RBI.

As a long time critic of the E-Banking safety in India,  I appreciate the tone and the content of this speech which indicates that RBI is really serious about Cyber Security this time.

However, knowing that in the past the IBA as an industry body has always put commercial interests before the security requirements and ignored the dictats of RBI and its initiatives have all fallen by the way side. So, we need to watch out further developments before celebrating the new Cyber Security thrust.

I would however urge Mr Gandhi to continue his push with the following additional initiatives.

  1. Make Cyber Insurance mandatory for all new Banking licensees as a part of the approval criteria.
  2. Enforce the existing mandate on Cyber Insurance contained in June 2001 Internet Banking guidelines on  present Internet Banking licensees.
  3. Direct Banks not to harass the cyber crime victims by prolonged legal battles across multiple Courts and enforce compulsory compromises at a maximum liability of 10% of the loss to the customer.
  4. Punish  Bank’s own negligence in KYC facilitating the frauds by fining them heavily and create a fund for providing “Cyber Security Fraud Guarantee” to the customers.
  5. Ensure that the aggregation of risks under the proposed UPI scheme and the user of Aadhaar based DigiLocker schemes is adequately dealt with to avoid adverse impact on Indian Banking systems.
  6. Ensure that Consumer Voice is heard in RBI policy making by providing representation to Cyber Security Activists in RBI’s policy recommending working groups.
  7. Improve the Banking Ombudsman scheme to ensure quick settlement of disputes involving Bank’s negligence even when frauds are the root cause.
  8. In the light of the proper functioning of the Adjudication System, RBI should explore setting up of an external multi member online Adjudication/Mediation/Arbitration body for quick, low-cost resolution of all Bank disputes as a replacement or in addition to the Ombudsman scheme.
  9. Ensure implementation of its guidelines under Cyber Security Framework and the earlier April 2011 E Banking security guidelines without fail and penalize the Bank Boards if they fail to do so.

Looking forward to a more secure E Banking era.

Naavi

 

Posted in Cyber Law | Leave a comment