MODULE 6: THE LEGAL CHALLENGES TO INTERNET BANKING
The potential benefits for banks to conclude their businesses on-line are immense, with
decreased transaction costs and access to new customers providing seemingly irresistible
advantages to conducting business on-line. However, the uptake of Internet banking within
India has been slow with only a handful of players providing a true ‘Internet banking service. The
purpose of this chapter is to set out some of the regulatory challenges to Internet banking
within India and to provide a brief explanation of the technology involved.
The Internet revolution is a worldwide phenomenon and moving forward by the present
progression data, India is looking towards an increase in the Internet penetration in near
future chiefly in the area of electronic commerce.1 It is an apparent conception that Internet
(Online) banking and payments are expected to progress more or less together with e-
commerce. Researches indicate that Internet banking has a significant impact on the
business models of banks, securities trading firms, brokerage houses, insurance companies
etc. Internet banking has also attracted the attention of regulators and lawmakers in the
developing nations since the late 1990s.2 The beginning of the Internet era and
developments in information technology and telecommunications undisputedly are
inflicting major impact on financial markets and institutions. Everyone seems to be
confident that, in the long run, online banking will result in more helpful financial
intermediation. Banks have customarily been in the race of utilizing technology to make
their products, services and efficiency better.3 They have, over a long time, been using
electronic and telecommunication networks for delivering a wide range of value added
products and services. The delivery channels include direct dial – up connections, private
networks, public networks etc and the devices include telephone, Personal Computers
including the Automated Teller Machines, etc. The term “Electronic Banking” 4or “e-
banking” is defined as remote banking services provided by authorized banks, or their
representatives through devices operated either under the bank's direct control and
management or under the outsourcing agreement.5 In other words, e-banking is an
umbrella term for the process by which a customer may perform banking transactions
electronically without visiting a branch and includes the systems that enable customers of
banks, individuals or businesses, to access accounts, transact business, or obtain
information on financial products and services through a public or private network,
including the Internet.6Though such technologies have affected a very substantial and wide
1Murshed, S. Mansood. (2000). "Globalization, Marginalization and Development. A UNU Working Paper. No.
175.
2Stiglitz, Joseph. (2002). Globalization and Its Discontents. W. W. Norton, New York.
3Walsham, G. (2001). Making a World of Difference: IT in a Global Context. John Wiley and Sons, New York.
4 The FSS in Korea defines the Internet banking as computer network based banking, which includes automated
transfer of money, settlement of bills, and realization of general financial service network. On the other hand,
Cave and Mason (2001) define Internet as a global network of networks. Their paper elaborates the mechanism
of Internet.
5DeYoung R. (2005) “The performance of internet-based business models: evidence from the banking industry”,
Journal of Business, vol.78, n.3, pp. 893-947.
6DeYoung R. (2006) “The limits of information technology: how much will the banking industry change?”, in
“Technology driven efficiencies in financial markets”, Heikkinen P., Korhonen K. (eds), pp. 35-46.
Page 1
array of business activities, the legal challenges displayed by the introduction and use of
new technological means to both, banking and financial services might be one of the most
defying tasks confronting the international business and legal communities which has
already required substantial amounts of discussions, debates and lots of ink, and which is
promising to ask for more. Banks have been experimenting with various forms of online
banking for many years.7 The Internet, as an enabling technology, has made banking and
financial products and services available to more customers and eliminated geographic and
proprietary systems barriers. With an expanded market, banks and financial organizations
can also have opportunities to expand or change their product and service offerings.8
Broadly, the levels of banking services offered through Internet can be categorized into
three types:9 (i) The Basic Level Service, whereby the banks’ websites, which disseminate
information on different products and services offered to customers and members of public
in general. It may receive and reply to customers’ queries through e-mail, (ii) In the next
level are Simple Transactional Websites which allow customers to submit their instructions,
applications for different services, queries on their account balances, etc, but do not permit
any fund-based transactions on their accounts, (iii) The third level of Internet banking
services are offered by Fully Transactional Websites which allow the customers to operate
on their accounts for transfer of funds, payment of different bills, subscribing to other
products of the bank and to transact purchase and sale of securities, etc. Traditional banks,
offer the forms of Internet banking services as an additional method of serving the customer
or by new banks, who deliver banking services primarily through Internet or other electronic
delivery channels as the value added services. Some of these banks are known as ‘virtual’
banks or ‘Internet-only’ banks and may not have any physical presence in a country despite
offering different banking services.10Certainly, as banks and financial organizations have in
their huge majority presented new technologies service delivery, an assembly of concerns
have been raised, the dealing with which shall be one of the most interesting and
complicated legal challenges in the coming few years. Among these issues, worries over
security, authentication, privacy, liabilities are undoubtedly to trouble all of suppliers of
banking and financial services, the users thereof in addition to lawmakers and
practitioners.11
Actually, the suitable legal structure associated to e-banking and financial services shall
possibly institute one of the extremely analytical and important sections in a infrastructure
7Furst K., Lang W.W., Nolle D. E. (2000) “Special studies on technology and banking. Who offers internet
banking”, Quarterly Journal, vol.19, n.2, pp. 29-48.
8Sullivan R.J. (2000) “How has the adoption of internet banking affected performance and risk at banks? A look
at internet banking in the tenth Federal Reserve district”, Federal Reserve Bank of Kansas City Financial
Industry Perspectives, December, pp. 1-16.
9Internet Banking in India - Guidelines, www.banknetindia.com/banking/ibguide2.htm
10Birch D., Young M. (1997) “Financial services and the internet-what does the cyberspace mean for the
financial services industry?”, Internet Research: Electronic Networking Applications and Policy, vol.7, n.2, pp.
120-128.
11Jayawardhena C., Foley P. (2000) “Changes in the banking sector-the case of internet banking in the UK”,
Internet Research: Electronic Networking Applications and Policy, vol.10, n.1, pp. 19-30.
Page 2
of a country and notwithstanding the fact that most of the banks and financial institutions
are already providing a considerable amount of their services through the use of new
technologies, the amount of users of e-banking or financial services shall largely depend on
existing domestic and international legal support provided by the laws and regulations. Such
users shall only feel comfortable in using new electronic services if they are aware of
defined legal framework that would allow them to identify their rights and obligations with
the least possible uncertainties.12Uniformly it should be extended to banks and financial
institutions which are presently using such new technologies possibly thinking of the
commercial facets of presenting new services to their customers but with important
concerns over the existence of an appropriately explained legal framework which by result
in the absence thereof, shall abstain the institutions from expanding the scale of their
services and may also result in disregarding such use, a concern that would harmfully affect
their business and the quality of services provided to the clients.
For these reasons, the requirement of a revision of domestic and international legal
framework has been acknowledged as being of highest significance in the development of e-
banking activities and transactions, which would establish one of the major constituents for
a strong growth of these sectors.
Electronic banking was firstly introduced in the United States of America (USA) in the early
of 1990s and it has since extended globally gradually.13 The phenomenon of online banking
with which we are familiar today, started in the early 1980s, when it was first planned and
tried out with. In the beginning computers and Internet stood less developed; the idea of
home banking came into being, which basically used fax machines and telephones to
interact with their customers.14 With time extensive use of computer and Internet facilities
produced further opportunities for evolution of home banking which is popularly known as
Internet Banking in today’s world. It was only in 1995 that Presidential Savings Bank first
announced the facility for regular client use. Other banks like Wells Fargo, Chase Manhattan
and Security First Network Bank quickly snapped up the idea.15 Today, quite a few banks
operate solely via the Internet and have no 'four walls' entity at all. The first online banking
service in the United States was introduced, in October 1994.16Stanford Federal Credit
Union developed this service, which is a financial institution. The online banking services are
becoming more and more prevalent due to the well- developed systems. Though there are
pros and cons of electronic cash, it has become a revolution that is enhancing the banking
sector.
12 Cronin, M.J. (1997), Banking and Finance on the Internet, VNR
13Davies, S. (1979), The Diffusion of Process Innovations, Cambridge University Press
14Gourlay, A. and E. Pentecost (2002), “The Determinants of Technology Diffusion: Evidence from the UK
Financial Sector”, The Manchester School. Vol.70, No.2, pp.185-203
15Hoppe, H.C. (2002), “The Timing of New Technology Adoption: Theoretical Models and Empirical
evidence”, The Manchester School Vol.70, No.1, pp.56-76
16Mansfield, E. (1968), The Economics of Technical Change, New York, Norton.
Page 3
In the commencement of the Online banking system, its inventors and experts had
forecasted that soon the new system would take over and replace completely the
traditional banks. Evidences have proved that it was an overestimated calculation done by
the investors; Lots of customers still depend on the traditional system of banking because of
an intrinsic distrust in the new system. Some of the customers are reluctant to use all the
offered facilities because they had bad experience with cyber frauds. Still the number of
online banking customers has been increasing at an exponential rate.
There is no denying the fact that information technology has been the most rapidly
changing industry in India, and the marriage of technology and banking has to occur for
India to keep pace with changes in the global scenario.17 Looking back, the Narasimham
Committee deserves mention in that it was instrumental in forcing Indian banks to become
competitive. Fleet footed private sector banks, forced the public sector banks to embrace
technology and improve their level of customer service. Next, the Khan Committee was
highly important in that it recommended the setting up of universal banks.18 Preference was
given to financial institutions, which could provide a whole range of corporate financial
solutions under one roof. But most importantly, the Verma Committee recommended the
need for greater use of IT even in the weak Public sector banks. Actually, the nationalization
of banks back in the 80s is proving to be a major obstacle in bringing about the required
technological changes.19 Nationalization of the banking sector has led to occurrences of
pseudo developmental activities for nurturing vote banks, loss of accent on performance
and profitability, creation of unions etc to name a few.
Primarily, the main desirability of the new system of Internet Banking is the exclusion of
wearisome bureaucratic red tape in registering for an account, and the unending paperwork
involved in regular banking. The speed with which this process happens online, as well as
the other services achievable by this process, has converted into a literal growth in the
banking industry. The development of Internet banking has helped a lot to banks and their
customers. It has benefited the banks in many ways such as expand outreach, reduce
transaction costs, improve efficiency, and provide virtual banking services. Customers also
have gained from effective banking services at comparatively lower costs and holding then
choice to select from alternate delivery channels.20 The Internet banking has also enabled
fast transfer of funds domestically and across borders.
A main influence over the fast spread of Online banking across the globe is its approval as an
exceptionally low cost delivery means of banking services as rivalled to the other traditional
means. However, Internet is also mixed with certain disadvantages. Along with decrease in
17Bose Jayshree (2006),ǁE-Banking in India, The paradigm Shiftǁ, PP. 22-23, The ICFAI Unversity Press.
18Gurusamy S.(2005), ―Merchant Banking and Financial Servicesǁ. PP. 406-410, Nicole Imprints Pvt. Ltd
19Uppal R.K., ―Customer Perception of E – Banking Services of Indian Banks: Some Survey Evidenceǁ, The
ICFAI Journal of Bank Management, Vol. VII No.10
20Mason, R. and H. Weeds (2001), “Networks, Options and Pre-emption”, mimeo, Universityof Southampton.
Page 4
cost of transactions, it has also become open to risks and even new forms of risks to which
banks conducting internet-banking expose themselves. Regulators and supervisors all over
the world are concerned that while banks should remain efficient and cost effective, they
must be conscious of different types of risks this form of banking entails and have systems in
place to manage the same. An important and distinctive feature is that technology plays a
significant part both as source and tool for control of risks. Because of rapid changes in
information technology, there is no finality either in the types of risks or their control
measures. Both evolve continuously.
In the Internet banking system, information is considered as an asset and so worthy of
protection. However, the present system of authentication does not address the security
aspect in full. This calls for an urgent need to acclimatize the whole system.
According to Online banking Association, member institutions rated security as the most
important issue of online Banking. There is a dual requirement to protect customers’ privacy
and protection against fraud.
Another major issue is that of Data Protection and the need for a legal and regulatory
framework. Information security in e-banking present’s two main areas of risk: preventing
unauthorized transactions and maintaining integrity of customers’ transactions. Data
protection falls in the latter. Data protection laws primarily aim to safeguard the interest of
the individual whose data is handled and processed by others. ‘Interests’ are usually
expressed in terms of privacy, autonomy and or integrity.
The Internet and its underlying technologies will change and transform not just banking, but
also all aspects of finance and commerce. It represents much more than a new distribution
opportunity. It will enable nimble players to leverage their brick and mortar presence to
improve customer satisfaction and gain share. It will force lethargic players who are struck
with legacy cost basis, out of business since they are unable to bring to play in the new
context.
The Reserve Bank of India constituted a Working Group to examine different issues relating
to e-banking21 and recommend technology, security, legal standards and operational
standards keeping in view the international best practices. The Group is headed by the Chief
General Manager-in-Charge of the Department of Information Technology and comprised
experts from the fields of banking regulation and supervision, commercial banking, law and
technology. The Bank also constituted an Operational Group under its Executive Director
comprising officers from different disciplines in the bank, who would guide implementation
of the recommendations.
The Working Group, as its terms of reference, was to examine different aspects of Internet
banking from regulatory and supervisory perspective and recommend appropriate
standards for adoption in India,22particularly with reference to the following:
21P. Dasgupta, Future of E-banking in India, www.projectshub.com/projects/30008/30008.htm
22Rodney D. Ryder, The Legal Challenges, www.india-today.com/ctoday/20000501/mit.html.
Page 5
1. Risks to the organization and banking system, associated with Internet banking and
methods of adopting International best practices for managing such risks.
2. Identifying gaps in supervisory and legal framework with reference to the existing
banking and financial regulations, IT regulations, tax laws, depositor protection,
consumer protection,23 criminal laws, money laundering and other cross border issues
and suggesting improvements in them.
3. Identifying international best practices on operational and internal control issues, and
suggesting suitable ways for adopting the same in India.
4. Recommending minimum technology and security standards, in conformity with
international standards and addressing issues like system vulnerability, digital
signature, information system audit etc.
5. Clearing and settlement arrangement for electronic banking and electronic money
transfer; linkages between i-banking and e-commerce
6. Any other matter, which the Working Group may think as of relevance to Internet
banking in India.
Legal Issues
1. Considering the legal position prevalent, there is an obligation on the part of banks
not only to establish the identity but also to make enquiries about integrity and
reputation of the prospective customer. Therefore, even though request for opening
account can be accepted over Internet, accounts should be opened only after proper
introduction and physical verification of the identity of the customer.24
2. From a legal perspective, security procedure adopted by banks for authenticating
users needs to be recognized by law as a substitute for signature. In India, the
Information Technology Act, 2000, in Section 3(2) provides for a particular technology
(viz., the asymmetric crypto system and hash function) as a means of authenticating
electronic record. Any other method used by banks for authentication should be
recognized as a source of legal risk.25
3. Under the present regime there is an obligation on banks to maintain secrecy and
confidentiality of customers' accounts. In the Internet banking scenario, the risk of
banks not meeting the above obligation is high on account of several factors. Despite
all reasonable precautions, banks may be exposed to enhanced risk of liability to
customers on account of breach of secrecy, denial of service etc., because of hacking/
other technological failures. The banks should, therefore, institute adequate risk
control measures to manage such risks.26
4. In Internet banking scenario there is very little scope for the banks to act on stop-
payment instructions from the customers. Hence, banks should clearly notify to the
customers the timeframe and the circumstances in which any stop-payment
instructions could be accepted. The Consumer Protection Act, 1986 defines the rights
of consumers in India and is applicable to banking services as well. Currently, the
23Nishith Desai Associates, Legal Policy Framework for E-commerce in India,
www.giic.org/pubs/indiawhitepape
24Internet Banking in India - Guidelines, www.banknetindia.com/banking/ibguide2.htm, See Para 7.2.1 of the
Report
25See Para 7.3.1 of the Report.
26See Paras 7.5.1-7.5.4 of the Report.
Page 6
rights and liabilities of customers availing of Internet banking services are being
determined by bilateral agreements between the banks and customers. Considering
the banking practice and rights enjoyed by customers in traditional banking, banks'
liability to the customers on account of unauthorized transfer through hacking, denial
of service on account of technological failure etc. needs to be assessed and banks
providing Internet banking should insure themselves against such risks.27
As recommended by the Group, the existing regulatory framework over banks will be
extended to Internet banking also. In this regard, it is advised that:
1. Only such banks which are licensed and supervised in India and have a physical
presence in India will be permitted to offer Internet banking products to residents of
India. Thus, both banks and virtual banks incorporated outside the country and having
no physical presence in India will not, for the present, be permitted to offer Internet
banking services to Indian residents.
2. The products should be restricted to account holders only and should not be offered
in other jurisdictions.
3. The services should only include local currency products.
4. The 'in-out' scenario where customers in cross border jurisdictions are offered banking
services by Indian banks (or branches of foreign banks in India) and the 'out-in'
scenario where Indian residents are offered banking services by banks operating in
cross-border jurisdictions are generally not permitted and this approach will apply to
Internet banking also. The existing exceptions for limited purposes under FEMA i.e.
where resident Indians have been permitted to continue to maintain their accounts
with overseas banks etc., will, however, be permitted.
5. Overseas branches of Indian banks will be permitted to offer Internet banking services
to their overseas customers subject to their satisfying, in addition to the host
supervisor, the home supervisor.
Given the regulatory approach as above, banks are advised to follow the following
instructions:
1. Banks, who propose to offer transactional services on the Internet should obtain
prior approval from RBI. Bank's application for such permission should indicate its
business plan, analysis of cost and benefit, operational arrangements like technology
adopted, business partners, third party service providers and systems and control
procedures the bank proposes to adopt for managing risks. The bank should also
submit a security policy covering recommendations made in this circular and a
certificate from an independent auditor that the minimum requirements prescribed
have been met. After the initial approval the banks will be obliged to inform RBI any
material changes in the services / products offered by them.28
2. Banks will report to RBI every breach or failure of security systems and procedure
and the latter, at its discretion, may decide to commission special audit / inspection
of such banks. The guidelines issued by RBI on 'Risks and Controls in Computers and
Telecommunications' vide circular DBS.CO.ITC.BC. 10/ 31.09.001/ 97-98 dated 4th
27See Paras 7.6.1 and 7.11.1 of the Report.
28See Paras 8.4.1, 8.4.2 of the Report
Page 7
February 1998 will equally apply to Internet banking. The RBI as supervisor will cover
the entire risks associated with electronic banking as a part of its regular inspections
of banks.29
3. Banks should develop outsourcing guidelines to manage risks arising out of third
party service providers, such as, disruption in service, defective services and
personnel of service providers gaining intimate knowledge of banks' systems and
mis-utilizing the same, etc., effectively. With the increasing popularity of e-
commerce, it has become necessary to set up 'Inter-bank Payment Gateways' for
settlement of such transactions. The protocol for transactions between the
customer, the bank and the portal and the framework for setting up of payment
gateways as recommended by the Group should be adopted.30
4. Only institutions who are members of the cheque clearing system in the country will
be permitted to participate in Inter-bank payment gateways for Internet payment.
Each gateway must nominate a bank as the clearing bank to settle all transactions.
Payments affected using credit cards, payments arising out of cross border e-
commerce transactions and all intra-bank payments (i.e., transactions involving only
one bank) should be excluded for settlement through an inter-bank payment
gateway.31
5. Inter-bank payment gateways must have capabilities for both net and gross
settlement. All settlement should be intra-day and as far as possible, in real time.
Connectivity between the gateway and the computer system of the member bank
should be achieved using a leased line network (not through Internet) with
appropriate data encryption standard. All transactions must be authenticated. Once,
the regulatory framework is in place, the transactions should be digitally certified by
any licensed certifying agency. SSL / 128 bit encryption must be used as minimum
level of security. Reserve Bank may get the security of the entire infrastructure both
at the payment gateway's end and the participating institutions' end certified prior
to making the facility available for customers use. Bilateral contracts between the
payee and payee's bank, the participating banks and service provider and the banks
themselves will form the legal basis for such transactions. The rights and obligations
of each party must be clearly defined and should be valid in a court of law.32
6. Banks must make mandatory disclosures of risks, responsibilities and liabilities of the
customers in doing business through Internet through a disclosure template. The
banks should also provide their latest published financial results over the net.
Hyperlinks from banks' websites often raise the issue of reputational risk. Such links
should not mislead the customers into believing that banks sponsor any particular
product or any business unrelated to banking. Hyperlinks from a banks' websites
should be confined to only those portals with which they have a payment
arrangement or sites of their subsidiaries or principals. Hyperlinks to banks' websites
from other portals are normally meant for passing on information relating to
purchases made by banks' customers in the portal. Banks must follow the minimum
29See Paras 8.4.3, 8.4.4, 8.4.5 of the Report.
30See Paras 8.4.7, 8.4.9.1 - 8.4.9.5 of the Report.
31See Para 8.4.7 of the Report.
32See Para 8.4.6 of the Report.
Page 8
recommended security precautions while dealing with request received from other
websites, relating to customers' purchases.33
11.1 INFORMATION SECURITY
There are two main areas of risk that are inherent in conducting banking transactions over
the Internet:-
Preventing unauthorized transactions; and
Maintaining integrity of customers’ transactions;
11.1.1 TECHNOLOGY AND SECURITY STANDARDS
1. Banks should designate a network and database administrator with clearly defined
roles as indicated in the Group's report. Banks should have a security policy duly
approved by the Board of Directors. There should be a segregation of duty of
Security Officer / Group dealing exclusively with information systems security and
Information Technology Division which actually implements the computer systems.
Further, Information Systems Auditor will audit the information systems.34
2. Banks should introduce logical access controls to data, systems, application software,
utilities, telecommunication lines, libraries, system software, etc. Logical access
control techniques may include user-ids, passwords, smart cards or other biometric
technologies.35
3. At the minimum, banks should use the proxy server type of firewall so that there is
no direct connection between the Internet and the bank's system. It facilitates a high
level of control and in-depth monitoring using logging and auditing tools. For
sensitive systems, a state of the art inspection firewall is recommended which
thoroughly inspects all packets of information, and past and present transactions are
compared. These generally include a real time security alert.36
4. All the systems supporting dial up services through modem on the same LAN as the
application server should be isolated to prevent intrusions into the network as this
may bypass the proxy server. PKI (Public Key Infrastructure) is the most favoured
technology for secure Internet banking services. However, as it is not yet commonly
available, banks should use the following alternative system during the transition,
until the PKI is put in place:
a) Usage of SSL (Secured Socket Layer), which ensures server authentication and
use of client side certificates issued by the banks themselves using a
Certificate Server.
b) The use of at least 128-bit SSL for securing browser to web server
communications and, in addition, encryption of sensitive data like passwords
in transit within the enterprise itself.37
33See Para 8.4.8 and Para 8.4.9.
34See Paras 6.2.4, 6.4.1 of the Report.
35See Para 6.4.2 of the Report.
36See Para 6.4.3 of the Report.
37See Paras 6.4.4 and 6.4.5 of the Report.
Page 9
c) It is also recommended that all unnecessary services on the application
server such as FTP (File Transfer Protocol), telnet should be disabled. The
application server should be isolated from the e-mail server. All computer
accesses, including messages received, should be logged. Security violations
(suspected or attempted) should be reported and follow up action taken
should be kept in mind while framing future policy. Banks should acquire
tools for monitoring systems and the networks against intrusions and attacks.
These tools should be used regularly to avoid security breaches. The banks
should review their security infrastructure and security policies regularly and
optimize them in the light of their own experiences and changing
technologies. They should educate their security personnel and also the end-
users on a continuous basis.38
5. The information security officer and the information system auditor should
undertake periodic penetration tests of the system, which should include:
a) Attempting to guess passwords using password-cracking tools.
b) Search for back door traps in the programs.
c) Attempt to overload the system using DDoS (Distributed Denial of Service) &
DoS (Denial of Service) attacks.
d) Check if commonly known holes in the software, especially the browser and
the e-mail software exist.
e) The penetration testing may also be carried out by engaging outside experts
(often called 'Ethical Hackers').39
6. Physical access controls should be strictly enforced. Physical security should cover all
the information systems and sites where they are housed, both against internal and
external threats. Banks should have proper infrastructure and schedules for backing
up data. The backed-up data should be periodically tested to ensure recovery
without loss of transactions in a time frame as given out in the bank's security policy.
Business continuity should be ensured by setting up disaster recovery sites. These
facilities should also be tested periodically.40
7. All applications of banks should have proper record keeping facilities for legal
purposes. It may be necessary to keep all received and sent messages both in
encrypted and decrypted form. Security infrastructure should be properly tested
before using the systems and applications for normal operations. Banks should
upgrade the systems by installing patches released by developers to remove bugs
and loopholes, and upgrade to newer versions, which give better security and
control.41
38See Paras 6.4.6, 6.4.7, 6.4.11, 6.4.12 of the Report.
39See Para 6.4.8 of the Report.
40See Paras 6.4.9 and 6.4.10 of the Report.
41See Paras 6.4.13 and 6.4.15 of the Report.
Page 10
11.2 PREVENTING UNAUTHORISED TRANSACTIONS
It will generally be implied into the contract between a bank and its customer that, in the
absence of any negligence on behalf of the customer, the bank will be liable for any
transactions occurring on the account that have been perpetrated by fraud. Bhashyam and
Adiga’s Negotiable Instrument Act state that “the relationship of a banker and a customer is that
of a creditor and a debtor with the superadded obligation of honouring customers orders on the
funds in his hands. The extent to which banks in the India can exclude their liability for any
losses incurred is governed ( in relation to transactions involving retail customers) by the
application of the law of contract: -
i. The Indian Contract Act, 1872, prevents contractual terms being enforced against a
consumer that are inherently unfair. Similar to the English Unfair Contract Terms Act,
1977, the Indian ‘Act’ provides that a party dealing with a consumer can not exclude or
restrict its liability in respect of a breach of contract and can not claim to be entitled to
render a contractual performance subsequently different from that which was
reasonable expected or render no performance at all, except insofar as the contract
terms satisfy the requirements of ‘reasonableness’.
Ii A short reference here to the norms under UK and EU laws. A word on the Banking Code
of the British Bankers Association; this Code limited the losses for which customers can
be liable relating to fraudulent transactions by third parties affecting their accounts. The
recommendation of the EU relating to “transactions by electronic payment instruments
and in particular the relationship between the insurer and holder’. This
recommendation suggests that a limit of ECU 150 be placed on a customer’s liability for
fraudulent transactions in the absence of extreme negligence on behalf of the customer.
11.3 MAINTAINING INTEGRITY OF CUSTOMERS’ TRANSACTIONS
The risk here that a customer’s transaction history or account details are accessed by a third
party. The ability of hackers to crack encryption products has been widely published and a bank
is likely to be liable under one of the heads:
11.3.1 CONTRACTUAL LIABILITY
In relation to the confidentiality of the customer’s transactions, the banks have an implied
contractual obligation to keep their customer’s affairs secret. The bank will be also liable to its
customers and other third parties who are contractually authorized to access its network, and to
read information held on it, for loss or damage to those customers and other third parties that
arise from inaccurate or faulty information held on the network.
11.3.2 NEGLIGENT MISSTATEMENTS
There is little case law on the point of the liability on an information service provider for
information, which is inaccurate or incomplete, and there is no legislation regarding liability
arising from information services (electric or conventional). Much will depend on the
contractual relationship between the bank and its customer. However, similar considerations
Page 11
in relation to the ability of banks to limit their liability to cover the risk of unauthorized
transactions apply equally in context.
It is important to note that data controllers must take account both the harm that might result
from unauthorized processing and the nature of the data to be protected.
11.4 JURISDICTIONAL ISSUES [JURISDICTION AND GOVERNING LAW]
In terms of legal risk management, banks may want the law of their choice [laws they are
familiar and therefore comfortable with] to govern their contractual relationships when
conducting banking on the Internet. The Contracts (Applicable Law) Act 1990 [UK Act] will
almost always uphold an express choice of law clause in a contract. This means a bank can
specify which law governs the contract (provided the terms have been adequately
incorporated). However, it is crucial to remember that, English banks may still have to take into
account the consumer protection laws in the country in which the consumer is based. This
confronts banks with potentially open-ended obligations and greatly adds to the uncertainty of
their risk management policies.
One possible pollution is to design the web-site on which the banking services are accessible so
that it is seen as making an ‘invitation to treat’ as compared to an offer. This will mean that
when the customer contacts the bank, the bank is free to accept or reject the offer made by the
customer depending on the bank’s evaluation of whether it is prepared to accept risk of
contracting with a consumer based in the relevant country. As customer relations exercise,
banks would be wise to state clearly on their web –sites that they are not prepared to accept
dealings with consumers in certain jurisdictions. The ability of consumers to rely on their own
country’s mandatory consumer protection laws may prove to be an irrevocable barrier to
Internet banking and e-commerce in general.
11.5 INTERNATIONAL LEGISLATIONS
Online banking laws have reached the forefront of consumers' minds of late mostly because
the use of online banking has skyrocketed. For the safety and protection of both consumers
and the banking institutions, there are online banking laws.
Internet banking has presented regulators and supervisors worldwide with new challenges.
The Internet, by its very nature, reaches across borders and is, for this reason, engaging the
attention of regulatory and supervisory authorities all over the world.
UNITED STATES OF AMERICA
In the USA, the number of thrift institutions and commercial banks with transactional web-
sites is 1275 or 12% of all banks and thrifts. Of the 1275-thrifts/commercial banks offering
transactional Internet banking, 7 could be considered ‘virtual banks’. Several new business
process and technological advances such as Electronic Bill Presentment and Payment
(EBPP), handheld access devices such as Personal Digital Assistants (PDAs), Internet
Telephone and Wireless Communication channels and phones are emerging in the US
market.
Page 12
There is a matrix of legislation and regulations within the US that specifically codifies the use
of and rights associated with the Internet and e-commerce in general, and electronic
banking and Internet banking activities in particular. Federal and state laws, regulations, and
court decisions, and self-regulation among industries groups provide the legal and
operational framework for Internet commerce and banking in the USA. The international
model laws promulgated by the United Nations Commission on International Trade Law
(UNCITRAL) provide the guidance to the member nations on the necessity for revising
existing legal structures to accommodate electronic transactions. Some important laws of
general application to commercial activity over the Internet within the US are the Uniform
Commercial Code (UCC), the Uniform Electronic Transaction Act (UETA) (which provides that
electronic documents and contracts should not be disqualified as legal documents
particularly because of their electronic form), various state laws and regulations on digital
signatures and national encryption standards and export regulations. Many states already
have digital signature and other legislation to enable e-commerce. State laws in this area
differ but the trend is towards creating legislation, which is technology neutral.
The E-sign Act, a new US law that took effect on October 1, 2000, validates contracts
concluded by electronic signatures and equates them to those signed with ink on paper.
Under the Act, electronic signatures using touch-tones (on a telephone), retinal scans and
voice recognition are also acceptable ways of entering into agreements. The E-sign Act takes
a technological neutral approach and does not favor the use of any particular technology to
validate an electronic document.
The Gramm - Leach – Bliley (GLB) Act has substantially eased restrictions on the ability of
banks to provide other financial services. It has established new rules for the protection of
consumer financial information. The Inter-agency Statement on Electronic Financial Services
and Consumer Compliance (July 1998) addresses consumer protection laws and describe
how they can be met in the context of electronic delivery. In addition, the Federal Reserve
Board has issued a request for comment on revised proposals that would permit electronic
delivery of federally mandated disclosures under the five consumer protection regulations
of the FRB (Regulations B, DD, E, M & Z).
The Interpretive Ruling of the Office of the Comptroller of Currency (OCC) authorizes a
national bank to ‘perform, provide or deliver through electronic means and facilities any
activity, functions, product or service that it is otherwise authorized to perform, provide or
deliver’. The concerns of the Federal Reserve are limited to ensuring that Internet banking
and other electronic banking services are implemented with proper attention to security,
the safety and soundness of the bank, and the protection of the banks’ customers.
Currently, all banks, whether they are ‘Internet only’ or traditional banks must apply for a
charter according to existing guidelines. The five federal agencies - Federal Deposit
Insurance Corporation (FDIC), Federal Reserve System (FRS), Office of the Comptroller of
Currency (OCC), Office of Thrift Supervision (OTS) and the National Credit Union Association
(NCUA) supervise more than 20,000 institutions. In addition, each state has a supervisory
agency for the banks that it charters. Most financial institutions in the US face no
prerequisite conditions or notification requirements for an existing banking institution to
begin electronic banking activities. For these banks, supervisors gather information on
electronic banking during routine annual examination. Newly chartered Internet banks are
Page 13
subject to the standard chartering procedures. For thrift institutions, however, OTS has
instituted a 30-day advance notification requirement for thrift institutions that plan to
establish a transactional web site. A few State banking departments have instituted a similar
notification requirement for transactional Internet banking web sites.
Supervisory policy, licensing, legal requirements and consumer protection are generally
similar for electronic banking and traditional banking activities. Internet banks are also
subject to the same rules, regulations and policy statement as traditional banks. However, in
response to the risks posed by electronic banking, federal banking agencies have begun to
issue supervisory guidelines and examination procedures for examiners who review and
inspect electronic banking applications. Although specialized banking procedures are used in
some areas of Internet banking activities, the existing information technology examination
framework that addresses access controls, information security, business recovery and
other risk areas generally continues to be applicable. To assist supervisors in monitoring the
expansion of Internet banking, state chartered and national banks have been required since
June 1999 to report their websites’ ‘Uniform Resource Locators’ (URL) in the Quarterly
Reports of Financial Condition that are submitted to supervisors. In addition, examiners
review the potential for reputational risk associated with web-site information or activities,
the potential impact of various Internet strategies on an institution’s financial condition, and
the need to monitor and manage outsourcing relationships. To address these risks, the OCC
is developing specific guidance for establishing ‘Internet only’ banks within the US. The
Banking Industry Technology Secretariat recently announced the formation of a security lab
to test and validate the security of software and hardware used by banking organizations. If
a bank is relying on a third party provider, it is accepted that it should be able to understand
the provided information security programme to effectively evaluate the security system’s
ability to protect bank and customer data. Examination of service providers’ operations,
where necessary, is conducted by one or more Federal banking agencies pursuant to the
Bank Services Company Act, solely to support supervision of banking organizations.
The Federal Financial Institutions Examination Council (FFIEC) introduced the Information
Systems (IS) rating system to be used by federal and state regulators to assess uniformly
financial and service provider risks introduced by information technology and to identify
those institutions and service providers requiring special supervisor attention. The FFIEC has
recently renamed the system as Uniform Rating System for IT (URSIT), which has enhanced
the audit function. The importance of risk management procedure has been reinforced
under the revised system.
Some characteristics of e-money products such as their relative lack of physical bulk, their
potential anonymity and the possibility of effecting fast and remote transfers make them
more susceptible than traditional systems to money laundering activities. The OCC
guidelines lay down an effective ‘know your customer’ policy. Federal financial institutions,
regulators, Society for Worldwide Interbank Financial Telecommunications (SWIFT) and
Clearing House Interbank Payment System (CHIPS) have issued statements encouraging
participants to include information on originators and beneficiaries.
Page 14
UNITED KINGDOM
Most banks in U.K. are offering transactional services through a wider range of channels
including Wireless Application Protocol (WAP), mobile phone and T.V. A number of non-
banks have approached the Financial Services Authority (FSA) about charters for virtual
banks or ‘clicks and mortar’ operations. There is a move towards banks establishing portals.
The Financial Services Authority (FSA) is neutral on regulations of electronic banks. The
current legislation, viz. the Banking Act 1987 and the Building Societies Act, provides it with
the necessary powers and the current range of supervisory tools. A new legislation, the
Financial Services and Market Bill, offers a significant addition in the form of an objective
requiring the FSA to promote public understanding of the financial system. There is,
therefore, no special regime for electronic banks. A draft Electronic Banking Guidance for
supervisors has, however, been developed. A guide to Bank Policy has also been published
by the FSA which is technology neutral, but specifically covers outsourcing and fraud. The
FSA also maintains bilateral discussions with other national supervisors and monitors
developments in the European Union (EU) including discussions by the Banking Advisory
Committee and Group de Contract. New legislation on money laundering has been
proposed and both the British Bankers Association and the FSA have issued guidance papers
in this regard.
The FSA is actively involved in the Basle Committee e-banking group which has identified
authorization, prudential standards, transparency, privacy, money laundering and cross
border provision as issues where there is need for further work. The FSA has also been
supporting the efforts of the G7 Financial Stability Forum, which is exploring common
standards for financial market, which is particularly relevant to the Internet, which reaches
across all borders.
The Financial Services and Markets Bill will replace current powers under the 1987 Banking
Act giving the FSA statutory authority for consumer protection and promotion of consumer
awareness. Consumer compliance is required to be ensured via desk based and on site
supervision. The FSA has an Authorization and Enforcement Division, which sees if web sites
referred to them are in violation of U.K. laws.
The FSA has issued guidelines on advertising in U.K. by banks for deposits, investments and
other securities, which apply to Internet banking also. The guidelines include an Appendix
on Internet banking. The FSA’s supervisory policy and powers in relation to breaches in the
advertising code (viz. invitation by any authorized person to take a deposit within U.K.,
fraudulent inducements to make a deposit, illegal use of banking names and descriptions,
etc.) are the same for Internet banking as they are for conventional banking. The FSA does
not regard a bank authorized overseas, which is targeting potential depositors in its home
market or in third countries as falling within U.K. regulatory requirements solely by reason
of its web site being accessible to Internet users within the U.K., as the advertisements are
not aimed at potential U.K. depositors.
Page 15
AUSTRALIA:
Internet Banking in Australia is offered in two forms: web-based and through the provision
of proprietary software. Initial web-based products have focused on personal banking
whereas the provision of proprietary software has been targeted at the business/corporate
sector. Most Australian-owned banks and some foreign subsidiaries of banks have
transactional or interactive web-sites. Online banking services range from FIs’ websites
providing information on financial products to enabling account management and financial
transactions. Customer services offered online include account monitoring (electronic
statements, real-time account balances), account management (bill payments, funds
transfers, applying for products on-line) and financial transactions (securities trading,
foreign currency transactions). Electronic Bill Presentment and Payment (EBPP) is at an early
stage. Features offered in proprietary software products (enabling business and corporation
customers to connect to the financial institutions (via dial-up/leased line/extranet) include
account reporting, improved reconciliation, direct payments, payroll functionality and funds
transfer between accounts held at their own or other banks. Apart from closed payment
systems (involving a single payment-provider), Internet banking and e-commerce
transactions in Australia are conducted using long-standing payment instruments and are
cleared and settled through existing clearing and settlement system. Banks rely on third
party vendors or are involved with outside providers for a range of products and services
including e-banking. Generally, there are no ‘virtual’ banks licensed to operate in Australia.
The Electronic Transactions Act, 1999 provides certainty about the legal status of electronic
transactions and allows for Australians to use the Internet to provide Commonwealth
Departments and agencies with documents which have the same legal status as traditional
paperwork. The Australian Securities and Investments Commission (ASIC) is the Australian
regulator with responsibility for consumer aspects of banking, insurance and
superannuation and as such, it is responsible for developing policy on consumer protection
issues relating to the Internet and e-commerce. ASIC currently has a draft proposal to
expand the existing Electronic Funds Transfer Code of Conduct (a voluntary code that deals
with transactions initiated using a card and a PIN) to cover all forms of consumer
technologies, including stored value cards and other new electronic payment products.
Australia’s anti-money laundering regulator is the Australian Transaction Reports and
Analysis Centre (AUSTRAC).
Responsibility for prudential supervisory matters lies with the Australian Prudential
Regulation Authority (APRA). APRA does not have any Internet specific legislation,
regulations or policy, and banks are expected to comply with the established legislation and
prudential standards. APRA’s approach to the supervision of e-commerce activities, like the
products and services themselves, is at an early stage and is still evolving. APRA’s approach
is to visit institutions to discuss their Internet banking initiatives. However, APRA is
undertaking a survey of e-commerce activities of all regulated financial institutions. The
growing reliance on third party or outside providers of e-banking is an area on which APRA
is increasingly focusing.
Page 16
NEW ZEALAND:
Major Banks offer Internet banking service to customers; operate as a division of the bank
rather than as a separate legal entity.
Reserve Bank of New Zealand applies the same approach to the regulation of both Internet
banking activities and traditional banking activities. There are however, banking supervision
regulations that apply only to Internet banking. Supervision is based on public disclosure of
information rather than application of detailed prudential rules. These disclosure rules apply
to Internet banking activity also.
SINGAPORE:
The Monetary Authority of Singapore (MAS) has reviewed its current framework for
licensing, and for prudential regulation and supervision of banks, to ensure its relevance in
the light of developments in Internet banking, either as an additional channel or in the form
of a specialized division, or as stand-alone entities (Internet Only Banks), owned either by
existing banks or by new players entering the banking industry. The existing policy of MAS
already allows all banks licensed in Singapore to use the Internet to provide banking
services. MAS are subjecting Internet banking, including IOBs, to the same prudential
standards as traditional banking. It will be granting new licenses to banking groups
incorporated in Singapore to set up bank subsidiaries if they wish to pursue new business
models and give them flexibility to decide whether to engage in Internet banking through a
subsidiary or within the bank (where no additional license is required). MAS also will be
admitting branches of foreign incorporated IOBs within the existing framework of admission
of foreign banks.
As certain types of risk are accentuated in Internet banking, a risk – based supervisory
approach, tailored to individual banks’ circumstances and strategies, is considered more
appropriate by MAS than 'one-size-fits-all' regulation. MAS require public disclosures of such
undertakings, as part of its requirement for all banks and enhance disclosure of their risk
management systems. It is issuing a consultative document on Internet banking security and
technology risk management. In their risk management initiatives for Internet banking
relating to security and technology related risks, banks should
(a) Implement appropriate workflow, authenticated process and control procedures
surrounding physical and system access
(b) Develop, test, implement and maintain disaster recovery and business contingency
plans
(c) Appoint an independent third party specialist to assess its security and operations
(d) Clearly communicate to customers their policies with reference to rights and
responsibilities of the bank and customer, particularly issues arising from errors in
security systems and related procedures. For liquidity risk, banks, especially IOBs,
should establish robust liquidity contingency plans and appropriate Asset-Liability
Management systems. As regards operational risk, banks should carefully manage
outsourcing of operations, and maintain comprehensive audit trails of all such
Page 17
operations. As far as business risk is concerned, IOBs should maintain and continually
update a detailed system of performance measurement.
MAS encourages financial institutions and industry associations such as the Associations of
Banks in Singapore (ABS) to play a proactive role in educating consumers on benefits and
risks on new financial products and services offered by banks, including Internet banking
services.
HONG KONG:
There has been a spate of activity in Internet banking in Hong Kong. Two virtual banks are
being planned. It is estimated that almost 15% of transactions are processed on the
Internet. During the first quarter of 2000, seven banks have begun Internet services. Banks
are participating in strategic alliances for e-commerce ventures and are forming alliances for
Internet banking services delivered through Jetco (a bank consortium operating an ATM
network in Hong Kong). A few banks have launched transactional mobile phone banking
earlier for retail customers.
The Hong Kong Monetary Authority (HKMA) requires that banks must discuss their business
plans and risk management measures before launching a transactional website. HKMA has
the right to carry out inspections of security controls and obtain reports from the home
supervisor, external auditors or experts commissioned to produce reports. HKMA is
developing specific guidance on information security with the guiding principle that security
should be 'fit for purpose'. HKMA requires that risks in Internet banking system should be
properly controlled. The onus of maintaining adequate systems of control including those in
respect of Internet banking ultimately lies with the institution itself. Under the Seventh
Schedule to the Banking ordinance, one of the authorization criteria is the requirement to
maintain adequate accounting system and adequate systems control. Banks should continue
to acquire state-of-the art technologies and to keep pace with developments in security
measures. The HKMA’s supervisory approach is to hold discussions with individual
institutions who wish to embark on Internet banking to allow them to demonstrate how
they have properly addressed the security systems before starting to provide such services,
particularly in respect of the following:
Encryption by industry proven techniques of data accessible by outsiders,
Preventive measures for unauthorized access to the bank’s internal computer
systems,
set of comprehensive security policies and procedures,
Reporting to HKMA all security incidents and adequacy of security measures on a
timely basis. At present, it has not been considered necessary to codify security
objectives and requirements into a guideline. The general security objectives for
institutions intending to offer Internet banking services should have been considered
and addressed by such institutions.
HKMA has issued guidelines on ‘Authorization of Virtual Banks’ under Section 16(10) of the
Banking Ordinance under which
Page 18
The HKMA will not object to the establishment of virtual banks in Hong Kong provided
they can satisfy the same prudential criteria that apply to conventional banks,
A virtual bank which wishes to carry on banking business in Hong Kong must maintain
a physical presence in Hong Kong;
A virtual bank must maintain a level of security which is appropriate to the type of
business which it intends to carry out. A copy of report on security of computer
hardware, systems, procedures, controls etc. from a qualified independent expert
should be provided to the HKMA at the time of application,
A virtual bank must put in place appropriate policies, procedures and controls to meet
the risks involved in the business;
The virtual bank must set out clearly in the terms and conditions for its service what
are the rights and obligations of its customers.
Outsourcing by virtual banks to a third party service provider is allowed, provided
HKMA’s guidelines on outsourcing are complied with. There are principles applicable
to locally incorporated virtual banks and those applicable to overseas-incorporated
virtual banks. Consumer protection laws in Hong Kong do not apply specifically to e-
banking but banks are expected to ensure that their e-services comply with the
relevant laws. The Code of Banking Practice is being reviewed to incorporate
safeguards for customers of e-banking.
11.5.1 THE UNCITRAL MODEL AND ELECTRONIC COMMERCE
The United Nations Commission on International Trade Law (UNCITRAL) adopted, in June, 1996,
a Model Law on Electronic Commerce, intended to give states a legislative framework to
remove legal barriers to electronic commerce. The Model Law provides, among other things,
that where the law required a signature, that requirement could be met electronically if the
electronic signature provided a link between the singer and the record (called the ‘data
message’ in the Model Law) and evidence of intent to be associated with the record, both to be
sufficiently reliable for the purposes of the record in the circumstances.
The model law is not binding, but individual states may adopt the model law by
incorporating it into their domestic law (as, for example, Australia did, in the International
Arbitration Act 1974, as amended).
The model law was published in English and in French. Translations in all six United Nations
languages now exist.
There is a distinct difference between the UNCITRAL Model Law on International
Commercial Arbitration (1985) and the UNCITRAL Arbitration Rules. On its website,
UNCITRAL explains the difference as follows: "The UNCITRAL Model Law provides a pattern
that law-makers in national governments can adopt as part of their domestic legislation on
arbitration. The UNCITRAL Arbitration Rules, on the other hand, are selected by parties
either as part of their contract, or after a dispute arises; to govern the conduct of arbitration
intended to resolve a dispute or disputes between themselves. The Model Law is directed at
States, while the Arbitration Rules are directed at potential (or actual) parties to a dispute."
Page 19
UNCITRAL Model Law on International Commercial Arbitration, with amendments as
adopted in 2006. The Model Law is designed to assist States in reforming and modernizing
their laws on arbitral procedure so as to take into account the particular features and needs
of international commercial arbitration. It covers all stages of the arbitral process from the
arbitration agreement, the composition and jurisdiction of the arbitral tribunal and the
extent of court intervention through to the recognition and enforcement of the arbitral
award. It reflects worldwide consensus on key aspects of international arbitration practice
having been accepted by States of all regions and the different legal or economic systems of
the world.
Amendments to articles 1 (2), 7, and 35 (2), a new chapter IV A to replace article 17 and a
new article 2 A were adopted by UNCITRAL on 7 July 2006. The revised version of article 7 is
intended to modernize the form requirement of an arbitration agreement to better conform
with international contract practices. The newly introduced chapter IV A establishes a more
comprehensive legal regime dealing with interim measures in support of arbitration. As of
2006, the standard version of the Model Law is the amended version. The original 1985 text
is also reproduced in view of the many national enactments based on this original version.
The core legal body of the United Nations system in the field of international trade law. A
legal body with universal membership specializing in commercial law reform worldwide for
over 40 years. UNCITRAL's business is the modernization and harmonization of rules on
international business.
Trade means faster growth, higher living standards, and new opportunities through
commerce. In order to increase these opportunities worldwide, UNCITRAL is formulating
modern, fair, and harmonized rules on commercial transactions.
These include:
Conventions, model laws and rules which are acceptable worldwide
Legal and legislative guides and recommendations of great practical value
Updated information on case law and enactments of uniform commercial law
Technical assistance in law reform projects
Regional and national seminars on uniform commercial law
It is widely accepted that trade creates wealth and is essential to the economic health of the
world.
When world trade began to expand dramatically in the 1960s, national governments began
to realize the need for a global set of standards and rules to harmonize and modernize the
assortment of national and regional regulations, which until then largely governed
international trade. They turned to the United Nations, which in 1966 recognized the need
for it to play a more active role in removing legal obstacles to the flow of international trade
and established the United Nations Commission on International Trade Law (UNCITRAL).
UNCITRAL has since become the core legal body of the United Nations system in the field of
international trade law.
Page 20
Much of the complex network of international legal rules and agreements that affects
today's commercial arrangements has been reached through long and detailed
consultations and negotiations organized by UNCITRAL. Its aim is to remove or reduce legal
obstacles to the flow of international trade and progressively modernize and harmonize
trade laws. It also seeks to coordinate the work of organizations active in this type of work
and promote wider acceptance and use of the rules and legal texts it develops.
Since the adoption of the Model Law, the Commission has given the Working Group a mandate
to explore the development of a legal regime applicable to digital signatures and certification
authorities. The scope of the work tentatively includes: the legal basis supporting certification
processes, including emerging digital authentication and certification technology; the
applicability of the certification process; the allocation of risk and liabilities of users, providers
and third parties in the context of the use of certification techniques; the specific issues of
certification through the use of registries; and incorporation by reference.
The UNCITRAL Model is preferred for its universality and harmonious approach. Article 3 of the
Draft UNCITRAL, Model says that, in the interpretation of this Law, regard is to be had to its
international origin and the need to promote uniformity in its application and observance of
good faith and questions concerning matters governed by this law which are not expressly
settled in it are to be settled in conformity with the general principles on which this law is based.
11.6 Security and Privacy Issues
Security:
Security in Internet banking comprises both the computer and communication security. The
aim of computer security is to preserve computing resources against abuse and
unauthorized use, and to protect data from accidental and deliberate damage, disclosure
and modification. The communication security aims to protect data during the transmission
in computer network and distributed system.
Authentication:
It is a process of verifying claimed identity of an individual user, machine, software
component or any other entity. For example, an IP Address identifies a computer system on
the Internet, much like a phone number identifies a telephone. It may be to ensure that
unauthorized users do not enter, or for verifying the sources from where the data are
received. It is important because it ensures authorization and accountability. Authorization
means control over the activity of user, whereas accountability allows us to trace uniquely
the action to a specific user. Authentication can be based on password or network address
or on cryptographic techniques.
Access Control:
It is a mechanism to control the access to the system and its facilities by a given user up to
the extent necessary to perform his job function. It provides for the protection of the
system resources against unauthorized access. An access control mechanism uses the
Page 21
authenticated identities of principals and the information about these principals to
determine and enforce access rights. It goes hand in hand with authentication. In
establishing a link between a bank’s internal network and the Internet, we may create a
number of additional access points into the internal operational system. In this situation,
unauthorized access attempts might be initiated from anywhere. Unauthorized access
causes destruction, alterations, theft of data or funds, compromising data confidentiality,
denial of service etc. Access control may be of discretionary and mandatory types.
Data Confidentiality:
The concept of providing for protection of data from unauthorized disclosure is called data
confidentiality. Due to the open nature of Internet, unless otherwise protected, all data
transfer can be monitored or read by others. Although it is difficult to monitor a
transmission at random, because of numerous paths available, special programs such as
'Sniffers', set up at an opportune location like Web server, can collect vital information. This
may include credit card number, deposits, loans or password etc. Confidentiality extends
beyond data transfer and includes any connected data storage system including network
storage systems. Password and other access control methods help in ensuring data
confidentiality.
Data Integrity:
It ensures that information cannot be modified in unexpected way. Loss of data integrity
could result from human error, intentional tampering, or even catastrophic events. Failure
to protect the correctness of data may render data useless, or worse, dangerous. Efforts
must be made to ensure the accuracy and soundness of data at all times. Access control,
encryption and digital signatures are the methods to ensure data integrity.
Non-Repudiation:
Non-Repudiation involves creating proof of the origin or delivery of data to protect the
sender against false denial by the recipient that data has been received or to protect the
recipient against false denial by the sender that the data has been sent. To ensure that a
transaction is enforceable, steps must be taken to prohibit parties from disputing the
validity of, or refusing to acknowledge, legitimate communication or transaction.
Security Audit Trail:
A security audit refers to an independent review and examination of system's records and
activities, in order to test for adequacy of system controls. It ensures compliance with
established policy and operational procedures, to detect breaches in security, and to
recommend any indicated changes in the control, policy and procedures. Audit Trail refers
to data generated by the system, which facilitates a security audit at a future date.
Page 22
Attacks and Compromises:
When a bank’s system is connected to the Internet, an attack could originate at any time
from anywhere. Some acceptable level of security must be established before business on
the Internet can be reliably conducted.
An attack could be any form like:
The intruder may gain unauthorized access and nothing more
The intruder gains access and destroys, corrupt or otherwise alters data
The intruder gains access and seizes control partly or wholly, perhaps denying access
to privileged users
The intruder does not gain access, but instead forges messages from your system
The intruder does not gain access, but instead implements malicious procedures that
cause the network to fail, reboot, and hang.
Modern security techniques have made cracking very difficult but not impossible.
Furthermore, if the system is not configured properly or the updated patches are not
installed then hackers may crack the system using security hole. A wide range of information
regarding security hole and their fixes is freely available on the Internet.
System administrator should keep himself updated with this information.
Common cracking attacks include:
E-mail bomb:
This is a harassment tool. A traditional e-mail bomb is simply a series of message (perhaps
thousands) sent to your mailbox. The attacker’s object is to fill the mailbox with junk.
Denial-of-Service (DoS) attacks:
DoS attacks can temporarily incapacitate the entire network (or at least those hosts that rely
on TCP/IP). DoS attacks strike at the heart of IP implementations. Hence they can crop up at
any platform; a single DoS attack may well work on several target operating systems. Many
DoS attacks are well known and well documented. Available fixes must be applied.
Sniffer Attack:
Sniffers are devices that capture network packets. They are a combination of hardware and
software. Sniffers work by placing the network interface into promiscuous mode. Under
normal circumstances, all machines on the network can 'hear' the traffic passing through,
but will only respond to data addressed specifically to it. Nevertheless, if the machine is in
promiscuous mode then it can capture all packets and frames on the network. Sniffers can
capture passwords and other confidential information. Sniffers are extremely difficult to
detect because they are passive programs. Encrypted session provides a good solution for
Page 23
this. If an attacker sniffs encrypted data, it will be useless to him. However, not all
applications have integrated encryption support.
Holes:
A hole is any defect in hardware, software or policy that allows attackers to gain
unauthorized access to your system. The network tools that can have holes are Routers,
Client and Server software, Operating Systems and Firewalls.
Authentication Technique:
Authentication is a process to verify the claimed identity. There are various techniques
available for authentication. Password is the most extensively used method. Most of the
financial institutions use passwords along with PIN (Personal Identification Number) for
authentication. Technologies such as tokens, smart cards and biometrics can be used to
strengthen the security structure by requiring the user to possess something physical.
Token technology relies on a separate physical device, which is retained by an individual, to
verify the user’s identity. The token resembles a small hand-held card or calculator and is
used to generate passwords. The device is usually synchronized with security software in the
host computer such as an internal clock or an identical time based mathematical algorithm.
Tokens are well suited for one-time password generation and access control. A separate PIN
is typically required to activate the token.
Smart cards resemble credit cards or other traditional magnetic stripe cards, but contain an
embedded computer chip. The chip includes a processor, operating system, and both Read
Only Memory (ROM) and Random Access Memory (RAM). They can be used to generate
one-time passwords when prompted by a host computer, or to carry cryptographic keys. A
smart card reader is required for their use.
Biometrics involves identification and verification of an individual based on some physical
characteristic, such as fingerprint analysis, hand geometry, or retina scanning. This
technology is advancing rapidly, and offers an alternative means to authenticate a user.
Firewalls:
The connection between internal networks and the outside world must be watched and
monitored carefully by a gatekeeper of sorts. Firewalls do this job. Otherwise, there is a risk
of exposing the internal network and systems, often leaving them vulnerable and
compromising the integrity and privacy of data. Firewalls are a component or set of
components that restrict access between a protected network and the outside world (i.e.,
the Internet). They control traffic between outside and inside a network, providing a single
entry point where access control and auditing can be imposed. All firewalls examine the
pieces or packets of data flowing into and out of a network and determine whether a
particular person should be given access inside the network. As a result, unauthorized
computers outside the firewall are prevented from directly accessing the computers inside
the internal network. Broadly, there are three types of firewalls i.e. Packet filtering firewalls,
Proxy servers and state of the art inspection firewall.
Page 24
Packet filtering routers:
Packet filtering routers are the simplest form of firewalls. They are connected between the
host computer of an Internal network and the Internet gateway as shown in Fig.6. 2. The
bastion host directs message accepted by the router to the appropriate application servers
in the protected network. Their function is to route data of a network and to allow only
certain types of data into the network by checking the type of data and its source and
destination address. If the router determines that the data is sourced from an Internet
address which is not on its acceptable or trusted sources list, the connection would be
simply refused. The advantage of this type of firewall is that it is simple and cheaper to
implement and also fast and transparent to the users. The disadvantage is that if the
security of the router were compromised, computers on the internal network would be
open to external network for attacks. Also, the filtering rules can be difficult to configure,
and a poorly configured firewall could result in security loopholes by unintentionally
allowing access to an internal network.
Security Policy:
The information security policy is the systemization of approaches and policies related to
the formulation of information security measures to be employed within the organization to
assure security of information and information systems owned by it. The security policy
should address the following items:
Basic approach to information security measures.
The information and information systems that must be protected, and the reasons for
such protection.
Priorities of information and information systems that must be protected.
Involvement and responsibility of management and establishment of an information
security coordination division.
Checks by legal department and compliance with laws / regulations.
The use of outside consultants.
Identification of information security risks and their management.
Impact of security policies on quality of service to the customers (for example,
disabling an account after three unsuccessful logins may result in denial of service
when it is done by somebody else mischievously or when restoration takes unduly
long time).
Decision making process of carrying out information security measures.
Procedures for revising information security measures.
Responsibilities of each officer and employee and the rules (disciplinary action etc) to
be applied in each case.
Auditing of the compliance to the security policy.
User awareness and training regarding information security.
Business continuity Plans.
Procedures for periodic review of the policy and security measures.
Page 25
The top management of the bank must express a commitment to security by manifestly
approving and supporting formal security awareness and training. This may require special
management level training. Security awareness will teach people not to disclose sensitive
information such as password file names. Security guidelines, policies and procedures affect
the entire organization and as such, should have the support and suggestions of end users,
executive management, security administration, IS personnel and legal counsel.
11.6.1 SECURITY PRODUCTS AVAILABLE
Banks in India are at different stages of the web-enabled banking cycle. Initially, a bank,
which is not having a web site, allows its customer to communicate with it through an e-mail
address; communication is limited to a small number of branches and offices which have
access to this e-mail account. As yet, many scheduled commercial banks in India are still in
the first stage of Internet banking operations.42
Some of the banks permit customers to interact with them and transact electronically with
them. Such services include request for opening of accounts, requisition for cheque books,
stop payment of cheques, viewing and printing statements of accounts, movement of funds
between accounts within the same bank, querying on status of requests, instructions for
opening of Letters of Credit and Bank Guarantees etc.43 Certain banks like ICICI Bank Ltd.,
have gone a step further within the transactional stage of Internet banking by allowing
transfer of funds by an account holder to any other account holder of the bank.44
Some of the more aggressive players in this area such as ICICI Bank Ltd., HDFC Bank Ltd., UTI
Bank Ltd., Citibank, Global Trust Bank Ltd. and Bank of Punjab Ltd. offer the facility of
receipt, review and payment of bills on-line. These banks have tied up with a number of
utility companies. The ‘Infinity’ service of ICICI Bank Ltd. Also allows online real time
shopping mall payments to be made by customers. HDFC Bank Ltd. has made e-shopping
online and real time with the launch of its payment gateway. It has tied up with a number of
portals to offer business to-consumer (B2C) e-commerce transactions.45 The first online real
time e-commerce credit card transaction in the country was carried out on the
Easy3shoppe.com shopping mall, enabled by HDFC Bank Ltd. on a VISA card.46
Banks providing Internet banking services have been entering into agreements with their
customers setting out the terms and conditions of the services. The terms and conditions
include information on the access through user-id and secret password, minimum balance
and charges, authority to the bank for carrying out transactions performed through the
service, liability of the user and the bank, disclosure of personal information for statistical
42Sakkthivel, A.M. (Dec. 2006) “Impact Of Demographics On The Consumption Of Different Services Online
In India”, Journal of Internet Banking and Commerce, vol. 11(3) at www.arraydev.com
43Awamleh, R &Fernandes C. (2005) “Internet Banking: An Empirical investigation into the Extent of Adoption
by Banks and the Determinants of Customer Satisfaction in the United Arab Emirates”, Journal of Internet
Banking and Commerce, vol. 10(1) at www.arraydevcom/commerce/jibc/2005-02/raedcedwnl.htm
44P.K. Gupta, JamiaMilliaIslamia. (2008) “Internet Banking In India – Consumer Concerns And Bank
Strategies”Global Journal Of Business Research ♦ Volume 2 ♦ Number 1 ♦ 2008
45Sharma, B.R. (2001), Bank Frauds-Prevention & Detection, Universal law Publishing, p.167-182.
46Commercial Banking : A Module of NSE’s Certification on Financial Module
Page 26
analysis and credit scoring also, non-transferability of the facility, notices and termination,
etc.47
The race for market supremacy is compelling banks in India to adopt the latest technology
on the Internet in a bid to capture new markets and customers. HDFC Bank Ltd. with its
‘Freedom- the e-Age Saving Account’ Service, Citibank with ‘Suvidha’ and ICICI Bank Ltd.
with its ‘Mobile Commerce’ service have tied up with cell-phone operators to offer Mobile
Banking to their customers.48 Global Ltd. has also announced that it has tied up with cellular
operators to launch mobile banking services. Under Mobile Banking services, customers can
scan their accounts to seek balance and payments status or instruct banks to issue cheques,
pay bills or deliver statements of accounts. It is estimated that by 2003, cellular phones will
have become the premier Internet access device, outselling personal computers. Mobile
banking will further minimize the need to visit a bank branch.49
Compared to banks abroad, Indian banks offering online services still have a long way to go.
For online banking to reach a critical mass, there has to be sufficient number of users and
the sufficient infrastructure in place. Though various security options like line encryption,
branch connection encryption, firewalls, digital certificates, automatic sign-offs, random
pop-ups and disaster recovery sites are in place or are being looked at, there is as yet no
Certification Authority in India offering Public Key Infrastructure, which is absolutely
necessary for online banking. The customer can only be assured of a secured conduit for its
online activities if an authority certifying digital signatures is in place.50 The communication
bandwidth available today in India is also not enough to meet the needs of high priority
services like online banking and trading. Banks offering online facilities need to have an
effective disaster recovery plan along with comprehensive risk management measures.
Banks offering online facilities also need to calculate their downtime losses, because even a
few minutes of downtime in a week could mean substantial losses. Some banks even today
do not have uninterrupted power supply unit or systems to take care of prolonged power
breakdown. Proper encryption of data and effective use of passwords are also matters that
leave a lot to be desired. Systems and processes have to be put in place to ensure that
errors do not take place.
Users of Internet Banking Services are required to fill up the application forms online and
send a copy of the same by mail or fax to the bank. A contractual agreement is entered into
by the customer with the bank for using the Internet banking services. In this way, personal
data in the applications forms is being held by the bank providing the service. The contract
details are often one-sided, with the bank having the absolute discretion to amend or
supplement any of the terms at any time. For these reasons domestic customers for whom
other access points such as ATMs,
47Ajimon George and G. S. Aneesh Kumar, (2011) Internet Banking and Customer Resistance, Sci. & Soc. 9(1)
79-88, 2011
48 Supra note 50.
49IAMAI 2006. IAMAI’s Report Online Banking ‘2006’, http://www.iamai.in/
50Gurusamy S.(2005), ―Merchant Banking and Financial Services.PP. 406-410, Nicole Imprints Pvt. Ltd.
Page 27
Tele-banking, personal contact, etc. are available. Users are often hesitant to use the
Internet banking services offered by Indian banks. Internet Banking, as an additional delivery
channel, is, therefore, being attractive / appealing as a value added service to domestic
customers. Non-resident Indians for whom it is expensive and time consuming to access
their bank accounts maintained in India find net banking very convenient and useful.
The Internet is in the public domain whereby geographical boundaries are eliminated. Cyber
crimes are therefore difficult to be identified and controlled. In order to promote Internet
banking services, it is necessary that the proper legal infrastructure is in place. Government
has introduced the Information Technology Bill, which has already been notified in October
2000. Section 72 of the Information Technology Act, 2000 casts an obligation of
confidentiality against disclosure of any electronic record, register, correspondence and
information, except for certain purposes and violation of this provision is a criminal
offence.51
Comprehensive enactments like the Electronic Funds Transfer Act in U.K. and data
protection rules and regulations in the developed countries are in place abroad to
prevention authorized access to data, mala-fide or otherwise, and to protect the individual’s
rights of privacy. 52The legal issues are, however, being debated in our country and it is
expected that some headway will be made in this respect in the near future.
The ability of banks to rely on encryption products is crucial to processing customer’s
transaction safely. There are various products available, some offering a greater level of security
than others. For example, the secure electronic transactions (SET) protocol offers a form of
guarantee against credit card fraud. The protocol consists of a cardholder interface resident on
the customers PC, an electronic till at the retail level, and a payment mechanism located on the
bank’s server. The protocol consists of a cardholder interface resident on the customers PC, an
electronic till at the retail level, and a payment mechanism located on the bank’ server, which
possesses the encrypted transaction messages.
In contrast to SET, secure sockets layer (GSL) technology does not offer a guarantee against
credit card fraud. However, the cost-benefits of this technology appear to outweigh the security
risks and many banks are currently trailing this technology background, the uncertainty
surrounding mandatory key escrow and the consequent perceived lack of security provides yet
another challenge for banks to consider.
11.7 REGULATORY COMPLIANCE ISSUES
Internet banking, both as a medium of delivery of banking services and as a strategic tool for
business development, has gained wide acceptance internationally and is fast catching up in
India with more and more banks entering the fray.
51Ram S. and Sheth J.N. 1989. Consumer resistance to innovations: The marketing problem and its solutions,
The journal ofConsumer Marketing, Vol. 6 No.2, pp. 5-4.
52Elements of Mercantile Law by N D Kapoor – Sultan Chand & Sons, New Delhi, 2006, P – 353.
Page 28
The growth potential of internet users in the country immense. Further incentives provided
by banks dissuade customers from visiting physical branches, and thus get ‘hooked’ to the
convenience of arm-chair banking.53 The facility of accessing their accounts from anywhere
in the world by using a home computer with Internet connection, is particularly fascinating
to Non-Resident Indians and High Net-worth Individuals having multiple bank accounts.
Costs of banking service through the Internet form a fraction of costs through conventional
methods. Rough estimates assume teller cost at Re.1 per transaction, ATM transaction cost
at 45 paise, phone banking at 35 paise, debit cards at 20 paise and Internet banking at 10
paise per transaction.54 The cost-conscious banks in the country have therefore actively
migrated to the use of the Internet as a channel for providing services. Fully computerized
banks, with better management of their customer base are in a stronger position to cross-
sell their products through this channel.55
Banking on the Internet provides benefits to the consumer in terms of convenience, and to
the provider in terms of cost reduction and greater reach. The Internet itself however is not
a secure medium, and thus poses a number of risks of concern to regulators and supervisors
of banks and financial institutions. World over, regulators and supervisors are still evolving
their approach towards the regulation and supervision of Internet banking. Regulations and
guidelines issued by some countries include the following.
Requirement to notify about web site content
Prior authorization based on risk assessment made by external auditors
On-site examination of third party service providers
Off-site policing the perimeters to look for infringement.
Prohibition on hyperlinks to non-bank business sites
Specification of the architecture
In some countries supervisors have followed a ‘hands-off’ approach to regulation of such
activities, while others have adopted a wait and watch attitude. This chapter suggests
approaches to supervision of Internet banking activities, drawing upon the best
international practices in this area as relevant to the Indian context.
Major supervisory concerns can be clubbed into the following:
1. Operational risk issues
The open architecture of the Internet exposes the banks’ systems to decide access through
the easy availability of technology. The dependence of banks on third party providers places
knowledge of banks’ systems in a public domain and leaves the banks dependent upon
relatively small firms which have high turnover of personnel. Further, there is absence of
conventional audit trails as also relative anonymity of transactions due to remote access. It
is imperative that security and integrity of the transactions are protected so that the
53Rajgopalan, S.P. (2001) Banking in the New Millennium, Kanishka Publishers, Distributors, pp.1-6
54Rao, Rohit (2001) “Internet Banking: Challenges for banks and Regulators” Banking in the New Millennium,
Institute of Chartered Financial Analysts of India, p. 31
55“Will the Banks Control Online Banking”(August 2001), Treasury Management, ICFAI Press, Delhi
Page 29
potentiality for loss arising out of criminal activities, such as fraud, money laundering, tax
evasion etc. and a disruption in delivery systems either by accident or by design are
mitigated. The supervisory responses to manage operational risk matters include issue of
appropriate guidance on the risk (including outsourcing risk) control and record
maintenance, issue of minimum standards of technology and security appropriate to the
conduct of transactional business, extension of ‘know your customer’ rules for transactions
on the Internet, and insistence on appropriate and visible disclosure to inform customers of
the risks that they face on doing business on the Internet.
2. Cross border issues
The Internet knows no frontiers, and banks can source deposits from jurisdiction where they
are not licensed or supervised or have access to payment systems. Customers can
Potentiality Park their funds in jurisdictions where their national authorities have no access
to records. The issues of jurisdiction, territoriality and recourse become even more blurred
in the case of virtual banks. Cross border issues would also come into play where banks
choose to locate their processing centers, records or back up centers in different
jurisdictions. While country - specific approaches are being adopted at the national level,
the ‘Group on e-banking’ set up by the Basle Committee on Banking Supervision (BCBS) is
engaged in bringing about harmonization in approaches at an international level.
3. Customer protection and confidentiality issues:
The loss of customer confidentiality may pose a reputation risk to banks and the banking
system as a whole. Transacting business on the Internet exposes data being sent across the
Internet to interception by unauthorized agents, who may then use the data without the
approval of the customers. There has also been incidence where glitches have developed in
web sites permitting customers to access each other’s accounts. To address these risks,
customers need to be educated through adequate disclosures of such risks.
4. Competitiveness and profitability issues:
While Internet banking is expected to substantially reduce the cost of doing transactions in
the long run, the limited business being done on the Internet has yet to pay for the
infrastructure in which banks have invested. This includes the tie up with technology
companies in setting up payment gateways, portals and Internet solutions and the alliance
with other businesses for cross-selling products. The coming years may however see a
scenario where the margins of conventional banks come under pressure because of
competition from Internet banking, including virtual banks, which need no infrastructure
expenses. These issues have to be kept in mind by supervisors while deciding their approach
to e-banking.
Broad regulatory framework
It would be necessary to extend the existing regulatory framework over banks to Internet
banking also. Such an approach would need to take into account the provisions of both the
Banking Regulation Act 1949 and the Foreign Exchange Management Act, 1999.
Page 30
Only such banks which are licensed and supervised in India and have a physical
presence here should be permitted to offer Internet banking products to residents of
India.
These products should be restricted to account holders only and should not be offered
in other jurisdictions.
The services should only offer local currency products and that too by entities that are
part of the local currency payment systems.
The ‘in-out’ scenario where customers in cross border jurisdictions are offered
banking services by Indian banks (or branches of foreign banks in India) and the ‘out-
in’ scenario where Indian residents are offered banking services by banks operating in
cross-border jurisdictions are generally not permitted and this approach should be
carried over to Internet banking also.
The existing exceptions for limited purposes under FEMA i.e. where resident Indians
have been permitted to continue to maintain their accounts with overseas banks etc.,
would however be permitted transactions.
Overseas branches of Indian banks would be permitted to offer Internet banking
services to their overseas customers subject to their satisfying, in addition to the host
supervisor, the home supervisor in keeping with the supervisory approach outlined in
the next section.
This extension of approach would apply to virtual banks as well. Thus, both banks and
virtual banks incorporated outside the country and having no physical presence here
would not, for the present, be permitted to offer Internet services to Indian
depositors.
In addition to the security and the jurisdictional regime issues facing banks, they also must
comply with extremely detailed regulatory procedures. The Proposal for a Directive concerning
the distance marketing of consumer financial services is currently being debated.
The aim of India’s IT legislation is to harmonise consumer protection especially in the use of new
technologies. The Commission proposed a directive concerning the distance marketing of
consumer financial services. This will complement the previous distance-selling directive
concerning general goods. The main principle of the proposal directive is that consumers must
be able to examine and compare contract terms before entering into an agreement, and must
have a corresponding right of withdrawal if they are not given the chance of examination or
have been unfairly induced to enter a contract.
Financial services differ in nature form general services in that usually their only tangible feature
is the contract and the prices for such services may fluctuate with market forces.
There are also provisions regarding unsolicited approaches and the setting up of complaint
procedures. The proposal is being finalised by the Ministry of Communications and Information
Technology for adoption. It can be seen that these proposals, and in particular the right for a
customer to withdraw from the contract, restrict the ability of banks to rely on transactions
carried out on-line although this is to a certain extent off-set by proposed indemnity given by a
consumer to the supplier if he withdraws after the provision of the services has commenced. It
is also possible that the practical ability of banks to enforce such indemnities may be restricted.
Page 31
Compliance for the Banking Industry under “The Information Technology Act, 2000”: A
checklist
1. Retention of electronic records [Section 7]
2. Regular Audit of electronic records [Section 7A]
3. Reasonable measures to ensure that its employees don’t inflict damage upon any
computer, computer system, etc. Without the permission of the owner, they also
must not do the following acts [Section 43]
Securing access to computer or computer system
Downloading, copying and extracting data
Introducing computer virus or contaminant
Damaging or disrupting the computer
Denying access to any person authorized to do so
Assisting someone in gaining access to the computer
Tampering and manipulating any computer
Stealing, destroying, deleting or altering any information and assisting
someone in doing so
4. Compensation for failure to protect data [Section 43A]
5. Furnish information, record, document or report including books of accounts to the
concerned authorities [Section 44]
6. Reasonable steps to ensure that its employees don’t tamper with computer source
documents [Section 65]
7. Computer related offences [Section 66 (A-F)]
Offensive messaging
Receiving stolen computer source and Data
Identity Theft
Cheating by personating using computer source
Violation of privacy
Cyber Terrorism
8. Publishing obscene material [Section 67]
9. Preservation and retention of information by intermediaries [Section 67 C]
10. To comply with the directions to monitor and collect traffic data or information
through any computer resource for cyber security [Section 69B]
11. To comply with the direction of the Indian Computer Emergency Response Team
(CERT-IN) in the area of cyber security [Section 70B]
12. Organizations must also take serious note of the following offences:
Misrepresentation [Section 71]
Breach of Confidentiality [Section 72]
Disclosure of information in breach of contract [Section 72A]
Publishing false particulars in Electronic Signature Certificate [Section 73]
Using Electronic Signature Certificate for fraudulent purposes [Section 74]
13. Intermediary Liability [Section 79]
Page 32
Intermediary with respect to any particular electronic records, means any person who
on behalf of another person receives, stores or transmits that record or provides any
service with respect to that record and includes telecom service providers, network
service providers, internet service providers, web hosting service providers, search
engines, online payment sites, online-auction sites, online market places and cyber
cafes. Banks also come under the purview of an Intermediary. As per section 79 of the IT
Act, an intermediary shall not be liable for any third party information, data, or
communication link hosted by him if the intermediary does not-
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission
And that the intermediary observes due diligence while discharging his duties under this
Act and also observes such other guidelines as the Central Government may prescribe in
this behalf. [Refer to Intermediary Guidelines on page 5 of this note]
14. Offences committed by Companies [Section 85]
Every person who, at the time an offence was committed, was in charge of, and was
responsible to, the company for the conduct of businesses of the company as well as
the company, shall be guilty of the contravention and shall be liable to be proceeded
against and punished accordingly.
He/she will not be punished provided he/she proves that the contravention took
place without his knowledge or that he exercised all due diligence to prevent such
contravention.
If it is proved that the contravention has taken place with the consent or connivance
of, or is attributable to any neglect on the part of, any director, manager, secretary
or other officer of the company, such director, manager, secretary or other officer
shall also be deemed to be guilty of the contravention and shall be liable to be
proceeded against and punished accordingly
Page 33
Penalties for Non Compliance of IT Act - See Table
Legal Provisions [Information Technology Penalties in case of non-compliance
Act – 2000 [Amended in 2008]
Section 43A - Compensation for failure to Body corporate liable to pay damages by
protect data way of compensation to the person so
affected
Section 44 - Penalty for failure to furnish
information, return, etc Failure to furnish information – not
exceeding rupees one lakh fifty
thousand for each failure
Failure to maintain book of
accounts or records – not
exceeding ten thousand rupees for
everyday during which the failure
continues
Section 45 – Residuary Penalty
Whoever contravenes any rules or
regulations made under this Act, for the
contravention of which no penalty has
been separately provided, shall be liable to
pay a compensation not exceeding twenty-
five thousand rupees to the person
affected by such contravention or a
penalty not exceeding twenty-five
thousand rupees.
Section 67 C - Preservation and retention
of information by intermediaries
Imprisonment for a term, which may
extend to 3 years and shall also be liable to
fine
Section 69 – “Powers to issue directions
for interception or monitoring or
decryption of any information through 7 years imprisonment and fine
any computer resource” - read with
Information Technology (Procedure and
Safeguards for Interception, Monitoring
Page 34
and Decryption of Information) Rules,
2009.
Section 69A – “Power to issue directions
for blocking for public access of any
information through any computer 7 years imprisonment and fine
resource” - read with Information
Technology (Procedure and Safeguards for
Blocking for Access of Information by
Public) Rules, 2009.
Section 69B – “Power to authorize to
monitor and collect traffic data or
information through any computer
resource for Cyber Security” - read with 3 years imprisonment and fine
Information Technology (Procedure and
Safeguard for Monitoring and Collecting
Traffic Data or Information) Rules, 2009.
Section 70B - Indian Computer Emergency 1 year imprisonment and / or fine upto Rs
Response Team to serve as national 1 lakh
agency for incident response.
Section 72A - Punishment for Disclosure Imprisonment for a term, which may
of information in breach of lawful extend to 3 years or with fine, which may
contract extend to five lakh rupees, or with both
No express provision vis-à-vis penalties
and compensation. However, the onus is
Section 85 - Offences by Companies on the company and its Directors,
Secretary and Officers to prove their
innocence
Page 35
11.8 REGULATION OF DEPOSIT TAKING BUSINESS
The regulation of organisations conducting banking activities in the India is carried out by the
Reserve Bank of India [under the Banking Regulation Act and allied rules and guidelines]. The
Banking Act provides that only ‘an authorized institution’ may accept a deposit in the India in
the course of carrying on a deposit-taking business. An overseas institution will be in breach of
this provision should it accept a deposit in the India in the course of a deposit taking business
conducted overseas. In relation to offshore banks, the interpretation of where the deposit is
actually made will be crucial in quantifying the level of compliance required.
11.8.1 THE LEGAL FRAMEWORK FOR INTERNET BANKING IN INDIA
The Banking Regulations Act, 1949,
The Reserve Bank of India Act, 1934,
The Foreign Exchange Management Act, 1999.
Information technology Act, 2000
Personal Data Protection Bill, 2006
The legal framework for banking in India is provided by a set of enactments
The Banking Regulations Act, 1949,
The Reserve Bank of India Act, 1934, and
The Foreign Exchange Management Act, 1999.
Broadly, no entity can function as a bank in India without obtaining a license from the
Reserve Bank of India under Banking Regulations Act, 1949. Different types of activities
which a bank may undertake and prudential requirements are provided under this Act.
Accepting deposits from public by a non- bank attracts regulatory provisions under Reserve
Bank of India Act, 1934. Under the Foreign Exchange Management Act 1999, no Indian
resident can lend, open a foreign currency account or borrow from a non-resident, including
non-resident banks, except under certain circumstances provided in law.
Internet banking is an extension of the traditional banking, which uses internet both as a
medium for receiving instructions from the customers and also delivering banking services.
Hence, conceptually, various provisions of law which are applicable to traditional banking
activities are also applicable to Internet Banking. In the digital age, the issues which have
arisen are regarding the legality under the existing laws, of certain types of electronic
commerce/banking transactions on the Internet. These transactions include but are not
limited to validity of an electronic message/ document, authentication, validity of contract
entered into electronically, non-reputation.
Page 36
It has also raise the issue of ability of banks to comply with legal requirements/ practices like
secrecy of customers account, privacy, consumer protection, etc. given the vulnerability of
information/ data passing through Internet. There is also the question of adequacy of law to
deal with situations which are technology driven like denial of service/ data corruption
because of technological failure, infrastructure failure, hacking, etc. Cross border
transactions carried through Internet pose the issue of jurisdiction and conflict of laws of
different nations.
Banking over Internet has attracted increasing attention from bankers and other financial
services industry participants, the business press, regulators, and law makers. Among the
reasons for Internet Banking’s audience are the notions that the electronic banking and
payments will grow rapidly, more or less in tandem proliferating electronic commerce;
industry projections that the Internet banking will cut bank’s costs, increase bank’s revenue
growth, and make banking more convenient for customers; and some vexing public policy
issues. Despite this attention, there is a dearth of systematic information on nature and
scope of Internet banking. Bankers and public policymakers alike have had to plan using
largely anecdotal evidence and conjecture.
Banks offer Internet banking in two main ways. An existing bank with physical offices can
establish a Web site and offer Internet banking to its customers as an addition to its
traditional delivery channels. A second alternative is to establish a “virtual,” “branchless,” or
“Internet only” bank. The computer server that lies at the heart of a virtual bank may be
housed in an office that serves as the legal address of such a bank, or some other location.
Virtual banks may offer their customers the ability to make deposits and withdraw funds via
ATMs or other remote delivery channels owned by other institutions.
Practice of the internet and electronic media for carrying out business, mainly financial
transactions, encouraged the Government of India to bring in existence the Information
Technology Act, 2000. The Act offers recognition of electronic signatures, e-documents and
e–transactions, and tries to curb cyber crime.56 After 2001, the Reserve Bank of India issued
guidelines to regulate online banking, privacy, anti-money laundering and know-your-
customer norms, which consequently encouraged customers to shift towards the e-
commerce banking, with some interest with respect to the confidentiality of transactions
and safe banking.57
With the emergence and rise of internet banking and e-commerce environment,
Government of India made an effort to bring a separate bill called the ''Personal Data
Protection Bill 2006'' to protect the privacy of individuals, but the bill was not ratified by the
both the houses. In the meantime, the Act was amended in 2008 to include Section 43A and
Section 72A to protect personal data (''PI'') and sensitive personal data and information
(''SPDI'').58
56 Journal of Internet Banking and Commerce --www.Arraydev.com/commerce/jibc
57 Enabling E-Commerce in India – www.giic.org
58 Avinandan Mukherjee, (2003), A model of trust in online relationship banking, The International Journal of
Bank Marketing 2003; 21, 1; ProQuest Central pg. 5
Page 37
Basically, to work as a bank in India a company is bound to obtain a license from the Reserve
Bank of India under Banking Regulations Act, 1949. The functions and activities which a bank
can enter into or undertake and prudential requirement are mentioned in The Banking
Regulations Act, 1949.Taking deposits from public by a non- bank invites governing
provisions under Reserve Bank of India Act, 1934.59 Under the Foreign Exchange
Management Act 1999(FEMA), no Indian citizen can give a loan, start a foreign currency
account or borrow from a non-resident, including non-resident banks, excluding some of the
situations given in the law.60
Online banking is a leeway of the conventional banking, which uses internet to connect with
the customers and provide them banking services. Therefore, theoretically, many provisions
of law that applies to conventional banking activities also apply to Online Banking in the
same way. In the Information era, the concerns, which have arisen, are related to the
legality under the prevailing laws, of certain kinds of e/banking transactions on the Internet.
These transactions comprise but are not restricted to legality of an electronic message/
document, authentication, validity of contract entered into electronically, non-reputation.
It has also elevated the concern about the capability of banks and financial institutions to
fulfil all the legal requirements/ practices like privacy of customers information,
confidentiality, and protection of consumer, etc. given the vulnerability of private
information going by the way of Internet as a medium.61 Additionally the issue of
competency of law to deal with conditions that are technology motivated like rejection of
service/ data corruption because of failure of technology, infrastructure breakdown,
hacking, etc. Cross border transactions raise the problem of jurisdiction and there is a
conflict of laws among different nations.
Internet Banking has developed an increasing interest from bankers and other financial
services industry participants, the business press, regulators, and lawmakers. Amid the
reasons for Internet Banking’s spectators are the conceptions that the online banking and
transaction will nurture swiftly, industry forecasts that the Internet banking will reduce the
cost of the banks, increase their revenue growth, and make banking farther handy for
customers; and some worrisome public policy concerns. Notwithstanding this
thoughtfulness, there is a shortage of organized information on nature and extent of
Internet banking.
The Banks offers Internet banking in two ways. A traditional bank with tangible offices can
launch a Web site or a portal and promote Internet banking to its customers as a
supplement to its conventional delivery channels. A second option is to create a “virtual,”
“branchless,” or “Internet only” bank. The computer server that is the most important thing
of a virtual bank may be kept in a registered office of the bank, or some other place. Virtual
banks may propose their customers the facility to make deposits and withdraw funds via
ATMs or other channels.
The Government of India has sanctioned The Information Technology Act, 2000, to give legal
identification for financial transactions by the banks carried out by the way of electronic
59 Mishra A.K.(2002) “Internet banking in India”. BanknetIndia.com
60 Foreign Exchange and Management Act, 1999
61 Singh Talwar, Cyber law and Information Technology.
Page 38
data, which has also drawn upon the Model Law, came into force with effect from October
17, 2000. The Act has also amended certain provisions of The Indian Penal Code, The Indian
Evidence Act, 1872, The Bankers Book of Evidence Act, 1891, The Reserve Bank of India Act
1934 in order to facilitate e-commerce in India.
However, this act does not apply to:-62
1. Negotiable instrument as defined in section 13 of the Negotiable Instruments Act,
1881;
2. Power-of-attorney as defined in section 1-A of the Power-of-Attorney Act, 1882;
3. Trust as defined in section 3 of the India Trusts Act, 1882;
4. Will as defined in clause (h) of section 2 in Indian Succession Act, 1925;
5. Contract for the sale or conveyance of immovable property or any interest in such
property;
6. Such class of documents or transactions as maybe notified by Central Government in
the official gazette.
The banks offering Internet banking service, at currently are merely agreeable to admit the
application for opening of accounts. The accounts are opened only after appropriate
introduction and proper verification of all the necessary documents. This is mainly for the
reason of proper identification of the customer and furthermore to evade benami accounts
to prevent money laundering activities that can be done by the customer. Under Section
131 of the Negotiable Instruments Act, 1881, a banker who has in good faith and without
negligence received payment for a customer of a cheque crossed generally or specially to
himself shall not, in case the title to the cheque proves defective, incur any liability to the
true owner of the cheque by reason of having received such payment. The banker’s action in
good faith and without negligence have been discussed case laws and one of the relevant
passages from a supreme court judgment “Primarily, enquiry as to negligence must be
directed in order to find out whether there is negligence in collecting the cheque and not in
opening the account, but if there is antecedent or present circumstance which aroused the
suspicion of the banker then it would be his duty before he collects the cheque to make the
necessary enquiry and undoubtedly one of the antecedent circumstances would be the
opening of the account. In certain cases failure to make enquiries as to the integrity of the
proposed customer would constitute negligence”.63
Further the Supreme Court of India has stated that as a general rule, before accepting a
customer, the bank must take reasonable care to satisfy himself that the person in question
is in good reputation and if he fails to do so, he will run the risk of forfeiting the protection
given under Section 131 of Negotiable Instruments Act, 1881 but reasonable care depends
upon the facts and circumstances of the case.64 Similarly, the Delhi High Court was also of
the view that the modern banking practice requires that a constituent should either be
known to the bank or should be properly introduced. The underlying object of the bank
62 http://rbidocs.rbi.org.in/rdocs/PublicationReport
63 BapulalPremchand Vs. Nath Bank Ltd. ( AIR 1946 Bom.482 )
64 Indian Overseas Bank Ltd. Vs. Industrial Chain Concern [JT1989 (4) SC 334]
Page 39
insisting on producing reliable references is only to find out if possible whether the new
constituent is a genuine party or an imposter or a fraudulent rogue.65
One of the key challenges encountered by the financial institutions comprised in Internet
banking is the matter concerning to verification and the concerns appearing in deciphering
difficulties unique to electronic confirmation such as concerns of data integrity, non-
repudiation, evidentiary standards, privacy, confidentiality issues and the consumer
protection. The current legal system does not set out the limits as to the degree to which a
person can be obliged in respect of an electronic instruction claimed to have been issued by
him. Usually, authentication is set to be attained by security procedure. Methods and
devices like the personal identification numbers (PIN), code numbers, telephone-PIN
numbers, relationship numbers, passwords, account numbers and encryption are evolved to
establish authenticity of an instruction.66 From, a legal viewpoint, the security procedure
needs to be acknowledged by a law as an alternative for signature.
Different countries have tackled these matters through precise laws dealing with digital
signatures. In India, Information Technology Act 2000, in Section 3 (2) requires that any
subscriber can validate an electronic record by attaching his digital signature.67 However,
the act only identifies one precise technology as a way of validating the electronic records.
This may lead to the uncertainty of whether the law would understand the existing
techniques used by the banks as a rightful method of validating the transactions. In this
respect, the approach in other countries has been to keep the legislation technology
neutral. The law should be technology neutral so that it can keep pace with technological
developments without requiring frequent amendments to the law as there exists a lot of
uncertainty about future technological and market developments in Internet banking.68 This
however, would not suggest that the security risks related with Internet banking should go
unregulated.
Section 40A (3) of the Income Tax Act, 1961, dealing with deductible expenses, provides that
in cases where the amount exceeds Rs. 20,000/-, the benefit of the said section will be
available only if the payment is made by a crossed cheque or a crossed bank draft. One of
the services provided by the banks offering Internet banking services is the online transfer
of funds between accounts where cheques are not used, in which the above benefit will not
be available to the customers. 69
The principal purpose behind the passing of Section 40 A, of the Income Tax Act, 1961 is to
keep a check on the tax evasion by demanding payment of designated accounts. In the
event of a funds transfer, the transfer of funds takes place only between identified
accounts, which serves the same purpose as a crossed cheque or a crossed bank draft.
65 Union of India Vs. National Overseas Grind lays Bank Ltd. (1978) 48 Com.cases 277 (DEL)
66Vijayan V.P., Perumal V. and Bala shanmugam 2004. Waves of Multimedia Banking Development, Journal
of Internet Banking and Commerce, Vol. 9, No. 3
67 Information Technology Act 2000
68Report on Trend and Progress of Banking in India, Reserve Bank of India, various issues.
69Ibid.
Page 40
Hence, the committee recommends that Section 40 A, of Indian Tax Act, 1961, maybe
amended to recognize even electronic funds transfer.70
The general revocation and amendment instructions to the banks are intended to correct
errors, including the sending of an instruction more than once. Occasionally, a revocation or
amendment maybe intended to stop a fraud. Under the existing law, banks are responsible
for making and stopping payment in good faith and without negligence. In an Internet
banking scenario there is very limited or no-stop payment privileges since it becomes
impossible for the banks to stop payment in spite of receipt of a stop payment instruction as
the transactions are completed instantaneously and are incapable of being reversed. Hence
the banks offering Internet banking services may clearly notify the customers the time
frame and the circumstances in which any stop payment instructions could be accepted.
Typically, the banker-customer relationship is embodied in a contract entered into by them.
The banks providing Internet banking services currently enter into agreements with their
customers stipulating their respective rights and responsibilities including the disclosure
requirements in the case on Internet banking transactions, contractually. A Standard
format/ minimum consent requirement to be adopted by banks offering Internet banking
facility could be designed by the Indian Banks’ Association capturing, inter alia, access
requirements, duties and responsibilities of the banks as well as customers and any
limitations on the liabilities of the banks in negligence and non-adherence to the terms of
agreement by customers.
One of the major concerns associated with Internet banking has been that the Internet
banking transactions may become untraceable and are incredibly mobile and may easily be
anonymous and may not leave a traditional audit trial by allowing instantaneous transfer of
funds. It is pertinent to note that money- laundering transactions are cash transactions
leaving no paper trial. Such an apprehension will be more in the case of use of electronic
money or e-cash. In the case of Internet banking the transactions are initiated and
concluded between designated accounts. Further Section 11 of the proposed Prevention of
Money Laundering Bill, 1999 imposes an obligation on every Banking Company, Financial
Institution or Intermediary to maintain a record of transactions or a series of transactions
taking place within a month, the nature and value of which may be prescribed by the
Central Government.71 These records are to be maintained for a period of five years from
the date of cessation of the transaction between the client and the Banking Company,
Financial institution or intermediary. This would apply to banks offering physical or Internet
banking services. This will adequately guard against any misuse of the Internet banking
services for the purpose of money laundering.
Section 4 of the Banker’ Book Evidence act, 1891, provides that a certified copy of any entry
in a Bankers’ Book shall in all legal proceedings be received as a prima facie evidence of the
existence of such an entry. The Banking Companies (Period of Preservation of Records)
Rules, 1985 promulgated by the Central Government requires banking companies to
70 Reserve Bank of India, www.rbi.org.in/ home.aspx
71 Supra note 71.
Page 41
maintain ledgers, records, books and other documents for a period of 5 to 8 years.72 A fear
has been expressed as to whether the above details of the transactions if maintained in an
electronic form will also serve the above purpose. The Group is of the considered opinion
that that this has been adequately taken care of by Section 7 and Third Schedule of the
Information Technology Act, 2000.73
11.9 CONCLUSION
As with everything else connected with the Internet, banking and electronic commerce on
the Internet is changing rapidly. To properly advise their clients, lawyers must be able to
understand the technology involved (particularly the structure of the networks) and must
also be prepared to review and, if possible, adapt traditional legal principles in their
application to this new technology.
According to the International Survey of Privacy Laws and Practice, there is no general
privacy law in India. RBI ombudsmen office has been flooded with such complaints. In these
circumstances; online banking in India is risky. We have no e-banking laws in India and this
also makes the mobile banking in India risky. Even RBI has acknowledged risks of e-banking
in India.
E-banking in India cannot succeed till a strong legal framework in this is enacted. We have
no specific E-Banking Law in India. Even though, RBI has issued many guidelines in this
regard and even our Information Technology Act, 2000 contains some indirect and implied
provisions for Internet or E-Banking yet we need a separate and dedicated law in this
regard. Although RBI has mandated cyber due diligence for banks in India especially the due
diligence for banks under IT Act 2000 yet banks have still to keep their functions in order.
Indian banks are poor at cyber security. It is high time for banks operating in India to keep
their e-banking infrastructure technologically and legally sound. Resistance to internet
banking retards its adoption and requires the banks to continue to provide the existing
options in customer service. It decreases the ability of the banks to realize the full potential
of technological innovations. Therefore an understanding of these factors is essential for
bank administrators to devise policy measures that can remove these barriers.
Online banking in India or e-banking in India is increasingly being used by both banks and
customers alike. This brings mobility and convenience to both banks and customers.
However, with the benefits there are negative aspects of e-banking as well.
72 Vijayan V.P., Perumal V. and Bala shanmugam 2004. Waves of Multimedia Banking Development, Journal
of Internet Banking and Commerce, Vol. 9, No. 3.
73 Sheth J.N. 1981. Psychology of innovation resistance: the less developed concept (LDC) in diffusion
research, Research in Marketing, Vol. 4 No.3, pp. 273-282
Page 42
The words you are searching are inside this book. To get more targeted content, please make full-text search by clicking here.
Module 6
Discover the best professional documents and content resources in AnyFlip Document Base.
Search
Module 6
- 1 - 42
Pages: