Published by Enhelion, 2019-11-23 04:24:11

Module_11


MODULE 11: THE LEGAL CHALLENGES TO INTERNET BANKING

The potential benefits for banks of concluding their business online are immense: decreased transaction costs and access to new customers offer seemingly irresistible advantages. However, the uptake of Internet banking within India has been slow, with only a handful of players providing a true ‘Internet banking’ service. The purpose of this chapter is to set out some of the regulatory challenges to Internet banking within India and to provide a brief explanation of the technology involved.

The Internet revolution is a worldwide phenomenon and, projecting forward from present trends, India is looking towards an increase in Internet penetration in the near future, chiefly in the area of electronic commerce.[1] Internet (online) banking and payments are expected to progress more or less together with e-commerce. Research indicates that Internet banking has a significant impact on the business models of banks, securities trading firms, brokerage houses, insurance companies and the like. Internet banking has also attracted the attention of regulators and lawmakers in developing nations since the late 1990s.[2] The beginning of the Internet era and developments in information technology and telecommunications are undisputedly having a major impact on financial markets and institutions. Everyone seems confident that, in the long run, online banking will result in more effective financial intermediation. Banks have customarily raced to use technology to make their products, services and efficiency better.[3] They have, over a long time, been using electronic and telecommunication networks to deliver a wide range of value-added products and services. The delivery channels include direct dial-up connections, private networks and public networks, and the devices include telephones and personal computers as well as Automated Teller Machines. The term “Electronic Banking”[4] or “e-banking” is defined as remote banking services provided by authorized banks, or their representatives, through devices operated either under the bank's direct control and management or under an outsourcing agreement.[5] In other words, e-banking is an umbrella term for the process by which a customer may perform banking transactions electronically without visiting a branch; it includes the systems that enable customers of banks, whether individuals or businesses, to access accounts, transact business, or obtain information on financial products and services through a public or private network, including the Internet.[6] Though such technologies have affected a very substantial and wide array of business activities, the legal challenges raised by the introduction and use of new technological means in both banking and financial services may be one of the most demanding tasks confronting the international business and legal communities; it has already required substantial discussion and debate, and promises to demand more. Banks have been experimenting with various forms of online banking for many years.[7] The Internet, as an enabling technology, has made banking and financial products and services available to more customers and eliminated geographic and proprietary-system barriers. With an expanded market, banks and financial organizations also have opportunities to expand or change their product and service offerings.[8]

[1] Murshed, S. Mansoob (2000), “Globalization, Marginalization and Development”, UNU Working Paper No. 175.

[2] Stiglitz, Joseph (2002), Globalization and Its Discontents, W. W. Norton, New York.

[3] Walsham, G. (2001), Making a World of Difference: IT in a Global Context, John Wiley and Sons, New York.

[4] The FSS in Korea defines Internet banking as computer-network-based banking, which includes automated transfer of money, settlement of bills, and realization of a general financial service network. On the other hand, Cave and Mason (2001) define the Internet as a global network of networks; their paper elaborates the mechanism of the Internet.

[5] DeYoung, R. (2005), “The performance of internet-based business models: evidence from the banking industry”, Journal of Business, vol. 78, no. 3, pp. 893-947.

[6] DeYoung, R. (2006), “The limits of information technology: how much will the banking industry change?”, in Heikkinen, P. and Korhonen, K. (eds), Technology Driven Efficiencies in Financial Markets, pp. 35-46.

Broadly, the levels of banking services offered through the Internet can be categorized into three types:[9]

(i) The Basic Level Service, whereby the banks’ websites disseminate information on the different products and services offered to customers and members of the public in general. Such a site may receive and reply to customers’ queries through e-mail.

(ii) At the next level are Simple Transactional Websites, which allow customers to submit their instructions, applications for different services, queries on their account balances, etc., but do not permit any fund-based transactions on their accounts.

(iii) The third level of Internet banking services is offered by Fully Transactional Websites, which allow customers to operate their accounts for transfer of funds, payment of different bills, subscribing to other products of the bank, and purchase and sale of securities, etc.

These forms of Internet banking service are offered either by traditional banks, as an additional method of serving the customer, or by new banks that deliver banking services primarily through the Internet or other electronic delivery channels, with value-added services. Some of these banks are known as ‘virtual’ banks or ‘Internet-only’ banks and may not have any physical presence in a country despite offering different banking services.[10] Certainly, as banks and financial organizations have in their great majority introduced new technologies for service delivery, an assembly of concerns has been raised, and dealing with them shall be one of the most interesting and complicated legal challenges of the coming few years. Among these issues, worries over security, authentication, privacy and liability are undoubtedly going to trouble all suppliers of banking and financial services and their users, in addition to lawmakers and practitioners.[11]

[7] Furst, K., Lang, W. W. and Nolle, D. E. (2000), “Special studies on technology and banking: who offers internet banking?”, Quarterly Journal, vol. 19, no. 2, pp. 29-48.

[8] Sullivan, R. J. (2000), “How has the adoption of internet banking affected performance and risk at banks? A look at internet banking in the tenth Federal Reserve district”, Federal Reserve Bank of Kansas City Financial Industry Perspectives, December, pp. 1-16.

[9] Internet Banking in India - Guidelines, www.banknetindia.com/banking/ibguide2.htm

[10] Birch, D. and Young, M. (1997), “Financial services and the internet: what does the cyberspace mean for the financial services industry?”, Internet Research: Electronic Networking Applications and Policy, vol. 7, no. 2, pp. 120-128.

[11] Jayawardhena, C. and Foley, P. (2000), “Changes in the banking sector: the case of internet banking in the UK”, Internet Research: Electronic Networking Applications and Policy, vol. 10, no. 1, pp. 19-30.

In fact, a suitable legal framework for e-banking and financial services shall possibly constitute one of the most critical and important elements of a country's infrastructure. Notwithstanding the fact that most banks and financial institutions are already providing a considerable share of their services through new technologies, the number of users of e-banking and financial services shall depend largely on the domestic and international legal support provided by existing laws and regulations. Such users shall only feel comfortable using new electronic services if they are aware of a defined legal framework that allows them to identify their rights and obligations with the least possible uncertainty.[12] The same applies to the banks and financial institutions presently using such new technologies: they may be thinking of the commercial facets of presenting new services to their customers, but have important concerns over the existence of a properly defined legal framework, in the absence of which institutions shall refrain from expanding the scale of their services and may even abandon such use, a concern that would harmfully affect their business and the quality of services provided to clients.

For these reasons, the requirement for a revision of the domestic and international legal framework has been acknowledged as being of the highest significance to the development of e-banking activities and transactions, and would constitute one of the major constituents of strong growth in these sectors.

Electronic banking was first introduced in the United States of America (USA) in the early 1990s and has since gradually extended globally.[13] The phenomenon of online banking with which we are familiar today started in the early 1980s, when it was first planned and experimented with. In the beginning, computers and the Internet were less developed; the idea of home banking came into being, which basically used fax machines and telephones for banks to interact with their customers.[14] With time, the extensive use of computers and Internet facilities produced further opportunities for the evolution of home banking, which is popularly known as Internet banking in today’s world. It was only in 1995 that Presidential Savings Bank first announced the facility for regular client use. Other banks like Wells Fargo, Chase Manhattan and Security First Network Bank quickly snapped up the idea.[15] Today, quite a few banks operate solely via the Internet and have no 'four walls' entity at all. The first online banking service in the United States was introduced in October 1994;[16] it was developed by Stanford Federal Credit Union, a financial institution. Online banking services are becoming more and more prevalent due to well-developed systems. Though there are pros and cons of electronic cash, it has become a revolution that is enhancing the banking sector.

[12] Cronin, M. J. (1997), Banking and Finance on the Internet, VNR.

[13] Davies, S. (1979), The Diffusion of Process Innovations, Cambridge University Press.

[14] Gourlay, A. and Pentecost, E. (2002), “The Determinants of Technology Diffusion: Evidence from the UK Financial Sector”, The Manchester School, vol. 70, no. 2, pp. 185-203.

[15] Hoppe, H. C. (2002), “The Timing of New Technology Adoption: Theoretical Models and Empirical Evidence”, The Manchester School, vol. 70, no. 1, pp. 56-76.

[16] Mansfield, E. (1968), The Economics of Technical Change, Norton, New York.

At the commencement of the online banking system, its inventors and experts forecast that the new system would soon take over and completely replace traditional banks. Evidence has proved that this was an overestimate on the part of the investors; lots of customers still depend on the traditional system of banking because of an intrinsic distrust of the new system. Some customers are reluctant to use all the offered facilities because they have had bad experiences with cyber fraud. Still, the number of online banking customers has been increasing at an exponential rate.

There is no denying that information technology has been the most rapidly changing industry in India, and the marriage of technology and banking has to occur for India to keep pace with changes in the global scenario.[17] Looking back, the Narasimham Committee deserves mention in that it was instrumental in forcing Indian banks to become competitive. Fleet-footed private sector banks forced the public sector banks to embrace technology and improve their level of customer service. Next, the Khan Committee was highly important in that it recommended the setting up of universal banks.[18] Preference was given to financial institutions which could provide a whole range of corporate financial solutions under one roof. But most importantly, the Verma Committee recommended the need for greater use of IT even in the weak public sector banks. In fact, the nationalization of banks back in the 80s is proving to be a major obstacle to bringing about the required technological changes.[19] Nationalization of the banking sector has led to pseudo-developmental activities for nurturing vote banks, loss of emphasis on performance and profitability, and the creation of unions, to name a few.

Primarily, the main attraction of the new system of Internet banking is the exclusion of the wearisome bureaucratic red tape involved in registering for an account, and of the unending paperwork involved in regular banking. The speed with which this process happens online, as well as the other services achievable by this process, has translated into literal growth in the banking industry. The development of Internet banking has helped banks and their customers a great deal. It has benefited the banks in many ways, such as expanding outreach, reducing transaction costs, improving efficiency, and providing virtual banking services. Customers have also gained from effective banking services at comparatively lower cost and from holding the choice to select from alternate delivery channels.[20] Internet banking has also enabled fast transfer of funds domestically and across borders.

[17] Bose, Jayshree (2006), E-Banking in India: The Paradigm Shift, pp. 22-23, The ICFAI University Press.

[18] Gurusamy, S. (2005), Merchant Banking and Financial Services, pp. 406-410, Nicole Imprints Pvt. Ltd.

[19] Uppal, R. K., “Customer Perception of E-Banking Services of Indian Banks: Some Survey Evidence”, The ICFAI Journal of Bank Management, vol. VII, no. 10.

[20] Mason, R. and Weeds, H. (2001), “Networks, Options and Pre-emption”, mimeo, University of Southampton.

The Financial Services and Markets Bill will replace current powers under the Banking Act 1987, giving the FSA statutory authority for consumer protection and promotion of consumer awareness. Consumer compliance is to be ensured via desk-based and on-site supervision. The FSA has an Authorization and Enforcement Division, which checks whether websites referred to it are in violation of U.K. laws.

The FSA has issued guidelines on advertising in U.K. by banks for deposits, investments and
other securities, which apply to Internet banking also. The guidelines include an Appendix
on Internet banking. The FSA’s supervisory policy and powers in relation to breaches in the
advertising code (viz. invitation by any authorized person to take a deposit within U.K.,
fraudulent inducements to make a deposit, illegal use of banking names and descriptions,
etc.) are the same for Internet banking as they are for conventional banking. The FSA does
not regard a bank authorized overseas, which is targeting potential depositors in its home
market or in third countries as falling within U.K. regulatory requirements solely by reason
of its web site being accessible to Internet users within the U.K., as the advertisements are
not aimed at potential U.K. depositors.

AUSTRALIA:

Internet Banking in Australia is offered in two forms: web-based and through the provision
of proprietary software. Initial web-based products have focused on personal banking
whereas the provision of proprietary software has been targeted at the business/corporate
sector. Most Australian-owned banks and some foreign subsidiaries of banks have
transactional or interactive web-sites. Online banking services range from FIs’ websites
providing information on financial products to enabling account management and financial
transactions. Customer services offered online include account monitoring (electronic
statements, real-time account balances), account management (bill payments, funds
transfers, applying for products on-line) and financial transactions (securities trading,
foreign currency transactions). Electronic Bill Presentment and Payment (EBPP) is at an early stage. Features offered in proprietary software products (which enable business and corporate customers to connect to the financial institution via dial-up, leased line or extranet) include account reporting, improved reconciliation, direct payments, payroll functionality and funds transfer between accounts held at their own or other banks. Apart from closed payment systems (involving a single payment provider), Internet banking and e-commerce transactions in Australia are conducted using long-standing payment instruments and are cleared and settled through the existing clearing and settlement systems. Banks rely on third-party vendors or are involved with outside providers for a range of products and services, including e-banking. Generally, there are no ‘virtual’ banks licensed to operate in Australia.

The Electronic Transactions Act, 1999 provides certainty about the legal status of electronic transactions and allows Australians to use the Internet to provide Commonwealth departments and agencies with documents which have the same legal status as traditional paperwork. The Australian Securities and Investments Commission (ASIC) is the Australian regulator with responsibility for consumer aspects of banking, insurance and superannuation and, as such, is responsible for developing policy on consumer protection issues relating to the Internet and e-commerce. ASIC currently has a draft proposal to
expand the existing Electronic Funds Transfer Code of Conduct (a voluntary code that deals
with transactions initiated using a card and a PIN) to cover all forms of consumer
technologies, including stored value cards and other new electronic payment products.
Australia’s anti-money laundering regulator is the Australian Transaction Reports and
Analysis Centre (AUSTRAC).

Responsibility for prudential supervisory matters lies with the Australian Prudential
Regulation Authority (APRA). APRA does not have any Internet specific legislation,
regulations or policy, and banks are expected to comply with the established legislation and
prudential standards. APRA’s approach to the supervision of e-commerce activities, like the
products and services themselves, is at an early stage and is still evolving. APRA’s approach
is to visit institutions to discuss their Internet banking initiatives. However, APRA is
undertaking a survey of e-commerce activities of all regulated financial institutions. The
growing reliance on third party or outside providers of e-banking is an area on which APRA
is increasingly focusing.

NEW ZEALAND:

Major banks offer Internet banking services to customers, operating as a division of the bank rather than as a separate legal entity.

The Reserve Bank of New Zealand applies the same approach to the regulation of both Internet banking activities and traditional banking activities. There are, however, banking supervision regulations that apply only to Internet banking. Supervision is based on public disclosure of information rather than application of detailed prudential rules. These disclosure rules apply to Internet banking activity also.

SINGAPORE:

The Monetary Authority of Singapore (MAS) has reviewed its current framework for licensing, and for prudential regulation and supervision of banks, to ensure its relevance in the light of developments in Internet banking, whether offered as an additional channel, in the form of a specialized division, or as stand-alone entities (Internet Only Banks, IOBs) owned either by existing banks or by new players entering the banking industry. The existing policy of MAS already allows all banks licensed in Singapore to use the Internet to provide banking services. MAS is subjecting Internet banking, including IOBs, to the same prudential standards as traditional banking. It will be granting new licenses to banking groups incorporated in Singapore to set up bank subsidiaries if they wish to pursue new business models, giving them flexibility to decide whether to engage in Internet banking through a subsidiary or within the bank (where no additional license is required). MAS will also be admitting branches of foreign-incorporated IOBs within the existing framework for admission of foreign banks.

As certain types of risk are accentuated in Internet banking, a risk-based supervisory approach, tailored to individual banks’ circumstances and strategies, is considered more appropriate by MAS than 'one-size-fits-all' regulation. MAS requires public disclosure of such undertakings as part of its requirement that all banks enhance disclosure of their risk management systems. It is issuing a consultative document on Internet banking security and technology risk management. In their risk management initiatives for Internet banking relating to security and technology risks, banks should:

(a) Implement appropriate workflow, authentication processes and control procedures surrounding physical and system access;

(b) Develop, test, implement and maintain disaster recovery and business contingency plans;

(c) Appoint an independent third-party specialist to assess their security and operations;

(d) Clearly communicate to customers their policies regarding the rights and responsibilities of the bank and the customer, particularly for issues arising from errors in security systems and related procedures.

For liquidity risk, banks, especially IOBs, should establish robust liquidity contingency plans and appropriate Asset-Liability Management systems. As regards operational risk, banks should carefully manage outsourcing of operations and maintain comprehensive audit trails of all such operations. As far as business risk is concerned, IOBs should maintain and continually update a detailed system of performance measurement.

MAS encourages financial institutions and industry associations such as the Association of Banks in Singapore (ABS) to play a proactive role in educating consumers on the benefits and risks of new financial products and services offered by banks, including Internet banking services.

HONG KONG:

There has been a spate of activity in Internet banking in Hong Kong. Two virtual banks are being planned. It is estimated that almost 15% of transactions are processed on the Internet. During the first quarter of 2000, seven banks began Internet services. Banks are participating in strategic alliances for e-commerce ventures and are forming alliances for Internet banking services delivered through Jetco (a bank consortium operating an ATM network in Hong Kong). A few banks had launched transactional mobile phone banking earlier for retail customers.

The Hong Kong Monetary Authority (HKMA) requires that banks discuss their business plans and risk management measures with it before launching a transactional website. HKMA has the right to carry out inspections of security controls and to obtain reports from the home supervisor, external auditors or experts commissioned to produce reports. HKMA is developing specific guidance on information security with the guiding principle that security should be 'fit for purpose'. HKMA requires that risks in Internet banking systems be properly controlled. The onus of maintaining adequate systems of control, including those in respect of Internet banking, ultimately lies with the institution itself. Under the Seventh Schedule to the Banking Ordinance, one of the authorization criteria is the requirement to maintain adequate accounting systems and adequate systems of control. Banks should continue to acquire state-of-the-art technologies and to keep pace with developments in security measures. The HKMA’s supervisory approach is to hold discussions with individual institutions who wish to embark on Internet banking, to allow them to demonstrate how they have properly addressed security before starting to provide such services, particularly in respect of the following:

• Encryption by industry-proven techniques of data accessible by outsiders;
• Preventive measures against unauthorized access to the bank’s internal computer systems;
• A set of comprehensive security policies and procedures;
• Reporting to the HKMA all security incidents and the adequacy of security measures on a timely basis.

At present, it has not been considered necessary to codify security objectives and requirements into a guideline. The general security objectives for institutions intending to offer Internet banking services should have been considered and addressed by such institutions.

HKMA has issued guidelines on ‘Authorization of Virtual Banks’ under Section 16(10) of the Banking Ordinance, under which:

• The HKMA will not object to the establishment of virtual banks in Hong Kong provided they can satisfy the same prudential criteria that apply to conventional banks;
• A virtual bank which wishes to carry on banking business in Hong Kong must maintain a physical presence in Hong Kong;
• A virtual bank must maintain a level of security which is appropriate to the type of business which it intends to carry out. A copy of a report on the security of computer hardware, systems, procedures, controls etc. from a qualified independent expert should be provided to the HKMA at the time of application;
• A virtual bank must put in place appropriate policies, procedures and controls to meet the risks involved in the business;
• The virtual bank must set out clearly in the terms and conditions for its service the rights and obligations of its customers;
• Outsourcing by virtual banks to a third-party service provider is allowed, provided HKMA’s guidelines on outsourcing are complied with.

There are principles applicable to locally incorporated virtual banks and those applicable to overseas-incorporated virtual banks. Consumer protection laws in Hong Kong do not apply specifically to e-banking, but banks are expected to ensure that their e-services comply with the relevant laws. The Code of Banking Practice is being reviewed to incorporate safeguards for customers of e-banking.

11.5.1 THE UNCITRAL MODEL AND ELECTRONIC COMMERCE

The United Nations Commission on International Trade Law (UNCITRAL) adopted, in June 1996, a Model Law on Electronic Commerce, intended to give states a legislative framework to remove legal barriers to electronic commerce. The Model Law provides, among other things, that where the law requires a signature, that requirement can be met electronically if the electronic signature provides a link between the signer and the record (called the ‘data message’ in the Model Law) and evidence of intent to be associated with the record, both being sufficiently reliable for the purposes of the record in the circumstances.

The model law is not binding, but individual states may adopt the model law by
incorporating it into their domestic law (as, for example, Australia did, in the International
Arbitration Act 1974, as amended).

The model law was published in English and in French. Translations in all six United Nations
languages now exist.

There is a distinct difference between the UNCITRAL Model Law on International
Commercial Arbitration (1985) and the UNCITRAL Arbitration Rules. On its website,
UNCITRAL explains the difference as follows: "The UNCITRAL Model Law provides a pattern
that law-makers in national governments can adopt as part of their domestic legislation on
arbitration. The UNCITRAL Arbitration Rules, on the other hand, are selected by parties
either as part of their contract, or after a dispute arises; to govern the conduct of arbitration
intended to resolve a dispute or disputes between themselves. The Model Law is directed at
States, while the Arbitration Rules are directed at potential (or actual) parties to a dispute."

The UNCITRAL Model Law on International Commercial Arbitration (with amendments as adopted in 2006) is designed to assist States in reforming and modernizing their laws on arbitral procedure so as to take into account the particular features and needs of international commercial arbitration. It covers all stages of the arbitral process, from the arbitration agreement, the composition and jurisdiction of the arbitral tribunal and the extent of court intervention through to the recognition and enforcement of the arbitral award. It reflects worldwide consensus on key aspects of international arbitration practice, having been accepted by States of all regions and of the different legal and economic systems of the world.

Amendments to articles 1 (2), 7, and 35 (2), a new chapter IV A to replace article 17 and a
new article 2 A were adopted by UNCITRAL on 7 July 2006. The revised version of article 7 is
intended to modernize the form requirement of an arbitration agreement to better conform
with international contract practices. The newly introduced chapter IV A establishes a more
comprehensive legal regime dealing with interim measures in support of arbitration. As of
2006, the standard version of the Model Law is the amended version. The original 1985 text
is also reproduced in view of the many national enactments based on this original version.

UNCITRAL is the core legal body of the United Nations system in the field of international trade law: a legal body with universal membership specializing in commercial law reform worldwide for over 40 years. UNCITRAL's business is the modernization and harmonization of rules on international business.

Trade means faster growth, higher living standards, and new opportunities through
commerce. In order to increase these opportunities worldwide, UNCITRAL is formulating
modern, fair, and harmonized rules on commercial transactions.

These include:

• Conventions, model laws and rules which are acceptable worldwide
• Legal and legislative guides and recommendations of great practical value
• Updated information on case law and enactments of uniform commercial law
• Technical assistance in law reform projects
• Regional and national seminars on uniform commercial law

It is widely accepted that trade creates wealth and is essential to the economic health of the
world.

When world trade began to expand dramatically in the 1960s, national governments began
to realize the need for a global set of standards and rules to harmonize and modernize the
assortment of national and regional regulations, which until then largely governed
international trade. They turned to the United Nations, which in 1966 recognized the need
for it to play a more active role in removing legal obstacles to the flow of international trade
and established the United Nations Commission on International Trade Law (UNCITRAL).
UNCITRAL has since become the core legal body of the United Nations system in the field of
international trade law.

Much of the complex network of international legal rules and agreements that affects
today's commercial arrangements has been reached through long and detailed
consultations and negotiations organized by UNCITRAL. Its aim is to remove or reduce legal
obstacles to the flow of international trade and progressively modernize and harmonize
trade laws. It also seeks to coordinate the work of organizations active in this type of work
and promote wider acceptance and use of the rules and legal texts it develops.

Since the adoption of the Model Law, the Commission has given the Working Group a mandate
to explore the development of a legal regime applicable to digital signatures and certification
authorities. The scope of the work tentatively includes: the legal basis supporting certification
processes, including emerging digital authentication and certification technology; the
applicability of the certification process; the allocation of risk and liabilities of users, providers
and third parties in the context of the use of certification techniques; the specific issues of
certification through the use of registries; and incorporation by reference.

The UNCITRAL Model Law is preferred for its universality and harmonious approach. Article 3 of the
Draft UNCITRAL Model Law says that, in the interpretation of the Law, regard is to be had to its
international origin and to the need to promote uniformity in its application and the observance of
good faith, and that questions concerning matters governed by the Law which are not expressly
settled in it are to be settled in conformity with the general principles on which the Law is based.

11.6 Security and Privacy Issues

Security:

Security in Internet banking comprises both computer security and communication security. The
aim of computer security is to preserve computing resources against abuse and
unauthorized use, and to protect data from accidental and deliberate damage, disclosure
and modification. Communication security aims to protect data during transmission in
computer networks and distributed systems.

Authentication:

Authentication is the process of verifying the claimed identity of an individual user, machine,
software component or any other entity. For example, an IP address identifies a computer system on
the Internet, much like a phone number identifies a telephone. Authentication may be used to ensure
that unauthorized users do not enter, or to verify the sources from which data are
received. It is important because it underpins authorization and accountability. Authorization
means control over the activity of a user, whereas accountability allows us to trace an action
uniquely to a specific user. Authentication can be based on a password, on a network address,
or on cryptographic techniques.

Access Control:

Access control is a mechanism that limits the access of a given user to the system and its
facilities to the extent necessary to perform his job function. It provides for the protection of
system resources against unauthorized access. An access control mechanism uses the
authenticated identities of principals, and the information held about those principals, to
determine and enforce access rights. It goes hand in hand with authentication. In
establishing a link between a bank’s internal network and the Internet, we may create a
number of additional access points into the internal operational system. In this situation,
unauthorized access attempts might be initiated from anywhere. Unauthorized access
can cause destruction, alteration or theft of data or funds, compromise of data confidentiality,
denial of service, etc. Access control may be of the discretionary or the mandatory type.

Data Confidentiality:

Data confidentiality is the protection of data from unauthorized disclosure. Because of the
open nature of the Internet, unless otherwise protected, all data transfers can be monitored
or read by others. Although it is difficult to monitor a transmission at random, because of the
numerous paths available, special programs such as 'sniffers', set up at an opportune
location such as a web server, can collect vital information. This may include credit card
numbers, deposits, loans, passwords, etc. Confidentiality extends beyond data transfer and
includes any connected data storage system, including network storage systems. Passwords
and other access control methods help in ensuring data confidentiality.

Data Integrity:

Data integrity ensures that information cannot be modified in an unexpected way. Loss of data
integrity could result from human error, intentional tampering, or even catastrophic events. Failure
to protect the correctness of data may render the data useless, or worse, dangerous. Efforts
must be made to ensure the accuracy and soundness of data at all times. Access control,
encryption and digital signatures are the methods used to ensure data integrity.

Non-Repudiation:

Non-Repudiation involves creating proof of the origin or delivery of data to protect the
sender against false denial by the recipient that data has been received or to protect the
recipient against false denial by the sender that the data has been sent. To ensure that a
transaction is enforceable, steps must be taken to prohibit parties from disputing the
validity of, or refusing to acknowledge, legitimate communication or transaction.

Security Audit Trail:

A security audit refers to an independent review and examination of system's records and
activities, in order to test for adequacy of system controls. It ensures compliance with
established policy and operational procedures, to detect breaches in security, and to
recommend any indicated changes in the control, policy and procedures. Audit Trail refers
to data generated by the system, which facilitates a security audit at a future date.

Attacks and Compromises:

When a bank’s system is connected to the Internet, an attack could originate at any time
from anywhere. Some acceptable level of security must be established before business on
the Internet can be reliably conducted.

An attack could take any of the following forms:

• The intruder gains unauthorized access and nothing more
• The intruder gains access and destroys, corrupts or otherwise alters data
• The intruder gains access and seizes control partly or wholly, perhaps denying access to privileged users
• The intruder does not gain access, but instead forges messages from your system
• The intruder does not gain access, but instead implements malicious procedures that cause the network to fail, reboot or hang

Modern security techniques have made cracking very difficult, but not impossible.
Furthermore, if the system is not configured properly, or the latest patches are not
installed, hackers may crack the system through a security hole. A wide range of information
regarding security holes and their fixes is freely available on the Internet.

System administrators should keep themselves updated with this information.

Common cracking attacks include:

E-mail bomb:

This is a harassment tool. A traditional e-mail bomb is simply a series of messages (perhaps
thousands) sent to your mailbox. The attacker’s object is to fill the mailbox with junk.

Denial-of-Service (DoS) attacks:

DoS attacks can temporarily incapacitate an entire network (or at least those hosts that rely
on TCP/IP). DoS attacks strike at the heart of IP implementations; hence they can crop up on
any platform, and a single DoS attack may well work on several target operating systems. Many
DoS attacks are well known and well documented. Available fixes must be applied.

Sniffer Attack:

Sniffers are devices that capture network packets. They are a combination of hardware and
software. Sniffers work by placing the network interface into promiscuous mode. Under
normal circumstances, all machines on the network can 'hear' the traffic passing through,
but each will only respond to data addressed specifically to it. If a machine is in
promiscuous mode, however, it can capture all packets and frames on the network. Sniffers can
capture passwords and other confidential information. Sniffers are extremely difficult to
detect because they are passive programs. An encrypted session provides a good solution to
this: if an attacker sniffs encrypted data, it will be useless to him. However, not all
applications have integrated encryption support.

Holes:

A hole is any defect in hardware, software or policy that allows attackers to gain
unauthorized access to your system. The network components that can have holes include routers,
client and server software, operating systems and firewalls.

Authentication Technique:

Authentication is the process of verifying a claimed identity. Various techniques are
available for authentication. Passwords are the most extensively used method. Most
financial institutions use passwords along with a PIN (Personal Identification Number) for
authentication. Technologies such as tokens, smart cards and biometrics can be used to
strengthen the security structure by requiring the user to possess something physical.
Token technology relies on a separate physical device, retained by an individual, to
verify the user’s identity. The token resembles a small hand-held card or calculator and is
used to generate passwords. The device is usually synchronized with security software in the
host computer, for example through an internal clock or an identical time-based mathematical algorithm.

Tokens are well suited for one-time password generation and access control. A separate PIN
is typically required to activate the token.
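As an added illustration (not code from this module or from any bank's product), the following Python model shows how a clock-synchronized token and the host agree on a one-time password from a shared secret without ever communicating, how the PIN gates the token, and how the host tolerates a little clock drift while refusing a replayed password. The secret, PIN, 30-second window and drift tolerance are constructed or assumed values.

```python
"""Clock-synchronised token, modelled in software (added illustration)."""
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30        # seconds per password window (assumed value)
OTP_DIGITS = 6        # length of the displayed password (assumed value)
DRIFT_WINDOWS = 1     # clock drift the host tolerates, in windows either way


def otp_for_window(secret: bytes, window: int, digits: int = OTP_DIGITS) -> str:
    """Derive the password for one time window from the shared secret.

    Token and host run the same keyed algorithm (HMAC-SHA1 over the window
    counter, truncated as in RFC 4226) so they agree on the password without
    any message passing between them.
    """
    counter = struct.pack(">Q", window)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def current_window(now: Optional[float] = None) -> int:
    """Which password window a given clock reading falls in."""
    return int((time.time() if now is None else now) // TIME_STEP)


class Token:
    """The hand-held device: holds the secret and shows nothing until the PIN is entered."""

    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret = secret
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def display(self, pin: str, now: Optional[float] = None) -> Optional[str]:
        entered = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(entered, self._pin_hash):
            return None                       # wrong PIN: the token stays dark
        return otp_for_window(self._secret, current_window(now))


class HostVerifier:
    """Bank-side check: same secret and clock, plus a one-use rule per password."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._last_accepted_window = -1       # newest window already consumed

    def verify(self, candidate: str, now: Optional[float] = None) -> bool:
        centre = current_window(now)
        for window in range(centre - DRIFT_WINDOWS, centre + DRIFT_WINDOWS + 1):
            if window <= self._last_accepted_window:
                continue                      # already used: a sniffed password cannot be replayed
            if hmac.compare_digest(otp_for_window(self._secret, window), candidate):
                self._last_accepted_window = window
                return True
        return False


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret-0001"   # provisioned into token and host alike
    token, host = Token(SECRET, "4321"), HostVerifier(SECRET)
    code = token.display("4321")
    print("first use accepted:", host.verify(code))   # True
    print("replay accepted:   ", host.verify(code))   # False
```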

Smart cards resemble credit cards or other traditional magnetic stripe cards, but contain an
embedded computer chip. The chip includes a processor, operating system, and both Read
Only Memory (ROM) and Random Access Memory (RAM). They can be used to generate
one-time passwords when prompted by a host computer, or to carry cryptographic keys. A
smart card reader is required for their use.

Biometrics involves identification and verification of an individual based on some physical
characteristic, such as fingerprint analysis, hand geometry, or retina scanning. This
technology is advancing rapidly, and offers an alternative means to authenticate a user.

Firewalls:

The connection between internal networks and the outside world must be watched and
monitored carefully by a gatekeeper of sorts. Firewalls do this job. Otherwise, there is a risk
of exposing the internal network and systems, often leaving them vulnerable and
compromising the integrity and privacy of data. Firewalls are a component or set of
components that restrict access between a protected network and the outside world (i.e.,
the Internet). They control traffic between outside and inside a network, providing a single
entry point where access control and auditing can be imposed. All firewalls examine the
pieces or packets of data flowing into and out of a network and determine whether a
particular person should be given access inside the network. As a result, unauthorized
computers outside the firewall are prevented from directly accessing the computers inside
the internal network. Broadly, there are three types of firewalls: packet filtering firewalls,
proxy servers and stateful inspection firewalls.

Packet filtering routers:

Packet filtering routers are the simplest form of firewall. They are connected between the
host computer of an internal network and the Internet gateway, as shown in Fig. 6.2. The
bastion host directs messages accepted by the router to the appropriate application servers
in the protected network. Their function is to route the data of a network and to allow only
certain types of data into the network, by checking the type of data and its source and
destination addresses. If the router determines that the data is sourced from an Internet
address which is not on its list of acceptable or trusted sources, the connection is
simply refused. The advantage of this type of firewall is that it is simple and cheaper to
implement, and it is also fast and transparent to users. The disadvantage is that if the
security of the router were compromised, computers on the internal network would be
open to attack from the external network. Also, the filtering rules can be difficult to configure,
and a poorly configured firewall could result in security loopholes by unintentionally
allowing access to the internal network.
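An added illustration, not code from this module or from any firewall product: a minimal packet-filtering rule set in Python that refuses anything not on the trusted-source list, beside a check that flags the misconfiguration the paragraph warns about, a deny rule that can never fire because a broader allow rule sits ahead of it. Addresses, ports and rule sets are constructed documentation ranges.

```python
"""Packet-filtering rule set with a shadowed-rule check (added illustration)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port, the "type of data" the router inspects


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # IPv4 network in CIDR form, or "any"
    dst: str               # IPv4 network in CIDR form, or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches every port


def _net(spec: str) -> ipaddress.IPv4Network:
    """Turn a rule's address spec into a network; "any" is the whole IPv4 space."""
    return ipaddress.IPv4Network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.IPv4Address(pkt.src) in _net(rule.src)
            and ipaddress.IPv4Address(pkt.dst) in _net(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins. A packet no rule mentions is refused (default deny),
    which is what keeps an untrusted source off the bastion host."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every packet `narrow` would match is already matched by `broad`."""
    return (_net(narrow.src).subnet_of(_net(broad.src))
            and _net(narrow.dst).subnet_of(_net(broad.dst))
            and broad.proto in ("any", narrow.proto)
            and (broad.dport is None or broad.dport == narrow.dport))


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire: an earlier rule with the opposite
    action already covers them. A deny rule in this list is a loophole."""
    return [j for j, later in enumerate(rules)
            if any(covers(earlier, later) and earlier.action != later.action
                   for earlier in rules[:j])]


# Constructed rule sets. Addresses are documentation ranges, not real hosts.
BASTION = "192.0.2.10/32"
RULES_OK = [
    Rule("allow", "203.0.113.0/24", BASTION, "tcp", 443),   # trusted partner range only
    Rule("deny", "any", "any", "any", None),                 # everything else refused
]
RULES_LOOPHOLE = [
    Rule("allow", "any", BASTION, "tcp", 443),               # too broad, and placed first
    Rule("deny", "198.51.100.0/24", BASTION, "tcp", 443),    # meant to block this range; never reached
]

if __name__ == "__main__":
    probe = Packet("198.51.100.4", "192.0.2.10", "tcp", 443)
    print("good rule set:", decide(RULES_OK, probe))               # deny
    print("loophole rule set:", decide(RULES_LOOPHOLE, probe))     # allow
    print("shadowed rules:", shadowed_rules(RULES_LOOPHOLE))       # [1]
```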

Security Policy:

The information security policy is the systemization of approaches and policies related to
the formulation of information security measures to be employed within the organization to
assure security of information and information systems owned by it. The security policy
should address the following items:

• Basic approach to information security measures.
• The information and information systems that must be protected, and the reasons for such protection.
• Priorities of information and information systems that must be protected.
• Involvement and responsibility of management, and establishment of an information security coordination division.
• Checks by the legal department and compliance with laws / regulations.
• The use of outside consultants.
• Identification of information security risks and their management.
• Impact of security policies on quality of service to the customers (for example, disabling an account after three unsuccessful logins may result in denial of service when it is done by somebody else mischievously, or when restoration takes an unduly long time).
• Decision-making process for carrying out information security measures.
• Procedures for revising information security measures.
• Responsibilities of each officer and employee, and the rules (disciplinary action etc.) to be applied in each case.
• Auditing of compliance with the security policy.
• User awareness and training regarding information security.
• Business continuity plans.
• Procedures for periodic review of the policy and security measures.
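An added illustration, not this module's own code or any bank's system, serving both the Security Audit Trail section above and the policy item on disabling an account after three unsuccessful logins: a login service that keeps an audit trail, locks the account after three failures, and shows the trade-off the policy names (a third party's failed attempts lock out the genuine user) together with one mitigation, a lock that expires on its own. The 15-minute lock duration, user names and source addresses are constructed.

```python
"""Login lockout with an audit trail (added illustration)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_FAILURES = 3             # the "three unsuccessful logins" of the policy item
LOCKOUT_SECONDS = 15 * 60    # assumed: lock expires on its own instead of needing manual restoration


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


@dataclass(frozen=True)
class AuditEvent:
    ts: float
    user: str
    source: str     # where the attempt came from
    outcome: str    # success | bad_password | unknown_user | locked | lockout_set | lockout_expired


class LoginService:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        self.audit_trail: List[AuditEvent] = []   # data kept for a later security audit

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[user] = Account(salt, self._hash(salt, password))

    def _log(self, ts: float, user: str, source: str, outcome: str) -> None:
        self.audit_trail.append(AuditEvent(ts, user, source, outcome))

    def login(self, user: str, password: str, source: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        acct = self._accounts.get(user)
        if acct is None:
            self._log(now, user, source, "unknown_user")
            return False                                   # same answer as a bad password
        if acct.locked_until > now:
            self._log(now, user, source, "locked")
            return False                                   # refused even with the right password
        if acct.locked_until:                              # lock has run out: restore automatically
            acct.locked_until, acct.failures = 0.0, 0
            self._log(now, user, source, "lockout_expired")
        if hmac.compare_digest(self._hash(acct.salt, password), acct.pw_hash):
            acct.failures = 0
            self._log(now, user, source, "success")
            return True
        acct.failures += 1
        self._log(now, user, source, "bad_password")
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            self._log(now, user, source, "lockout_set")
        return False


def failed_attempts_by_source(trail: List[AuditEvent]) -> Dict[str, int]:
    """Audit helper: who is generating the failures. Many failures from one source
    against accounts it does not own is the mischievous lockout the policy warns about."""
    counts: Dict[str, int] = {}
    for ev in trail:
        if ev.outcome in ("bad_password", "unknown_user"):
            counts[ev.source] = counts.get(ev.source, 0) + 1
    return counts


def accounts_locked_out(trail: List[AuditEvent]) -> List[str]:
    """Audit helper: accounts that were locked, in the order it happened."""
    return [ev.user for ev in trail if ev.outcome == "lockout_set"]


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery")          # constructed account
    for _ in range(MAX_FAILURES):
        svc.login("alice", "guess", "198.51.100.9")          # somebody else's failed attempts
    print("genuine user accepted:", svc.login("alice", "correct horse battery", "10.0.0.5"))  # False
    print("locked accounts:", accounts_locked_out(svc.audit_trail))
    print("failures by source:", failed_attempts_by_source(svc.audit_trail))
```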

The top management of the bank must express a commitment to security by manifestly
approving and supporting formal security awareness and training. This may require special
management level training. Security awareness will teach people not to disclose sensitive
information such as password file names. Security guidelines, policies and procedures affect
the entire organization and as such, should have the support and suggestions of end users,
executive management, security administration, IS personnel and legal counsel.

11.6.1 SECURITY PRODUCTS AVAILABLE

Banks in India are at different stages of the web-enabled banking cycle. Initially, a bank
which does not have a web site allows its customers to communicate with it through an e-mail
address; communication is limited to the small number of branches and offices which have
access to this e-mail account. As yet, many scheduled commercial banks in India are still in
this first stage of Internet banking operations.42

42 Sakkthivel, A.M. (Dec. 2006) “Impact Of Demographics On The Consumption Of Different Services Online
In India”, Journal of Internet Banking and Commerce, vol. 11(3), at www.arraydev.com

Some of the banks permit customers to interact with them and transact electronically with
them. Such services include request for opening of accounts, requisition for cheque books,
stop payment of cheques, viewing and printing statements of accounts, movement of funds
between accounts within the same bank, querying on status of requests, instructions for
opening of Letters of Credit and Bank Guarantees, etc.43 Certain banks, like ICICI Bank Ltd.,
have gone a step further within the transactional stage of Internet banking by allowing
transfer of funds by an account holder to any other account holder of the bank.44

Some of the more aggressive players in this area, such as ICICI Bank Ltd., HDFC Bank Ltd., UTI
Bank Ltd., Citibank, Global Trust Bank Ltd. and Bank of Punjab Ltd., offer the facility of
receipt, review and payment of bills on-line. These banks have tied up with a number of
utility companies. The ‘Infinity’ service of ICICI Bank Ltd. also allows online real-time
shopping mall payments to be made by customers. HDFC Bank Ltd. has made e-shopping
online and real-time with the launch of its payment gateway. It has tied up with a number of
portals to offer business-to-consumer (B2C) e-commerce transactions.45 The first online real-
time e-commerce credit card transaction in the country was carried out on the
Easy3shoppe.com shopping mall, enabled by HDFC Bank Ltd. on a VISA card.46

Banks providing Internet banking services have been entering into agreements with their
customers setting out the terms and conditions of the services. The terms and conditions
include information on the access through user-id and secret password, minimum balance
and charges, authority to the bank for carrying out transactions performed through the
service, liability of the user and the bank, disclosure of personal information for statistical
analysis and also for credit scoring, non-transferability of the facility, notices and termination,
etc.47

The race for market supremacy is compelling banks in India to adopt the latest technology
on the Internet in a bid to capture new markets and customers. HDFC Bank Ltd. with its
‘Freedom- the e-Age Saving Account’ Service, Citibank with ‘Suvidha’ and ICICI Bank Ltd.
with its ‘Mobile Commerce’ service have tied up with cell-phone operators to offer Mobile
Banking to their customers.48 Global Ltd. has also announced that it has tied up with cellular
operators to launch mobile banking services. Under Mobile Banking services, customers can
scan their accounts to seek balance and payments status or instruct banks to issue cheques,
pay bills or deliver statements of accounts. It is estimated that by 2003, cellular phones will
have become the premier Internet access device, outselling personal computers. Mobile
banking will further minimize the need to visit a bank branch.49

43 Awamleh, R. & Fernandes, C. (2005) “Internet Banking: An Empirical Investigation into the Extent of Adoption
by Banks and the Determinants of Customer Satisfaction in the United Arab Emirates”, Journal of Internet
Banking and Commerce, vol. 10(1), at www.arraydevcom/commerce/jibc/2005-02/raedcedwnl.htm
44 P.K. Gupta, Jamia Millia Islamia (2008) “Internet Banking In India – Consumer Concerns And Bank
Strategies”, Global Journal Of Business Research, Volume 2, Number 1, 2008
45 Sharma, B.R. (2001), Bank Frauds: Prevention & Detection, Universal Law Publishing, pp. 167-182.
46 Commercial Banking: A Module of NSE’s Certification on Financial Module
47 Ajimon George and G. S. Aneesh Kumar (2011) Internet Banking and Customer Resistance, Sci. & Soc. 9(1)
79-88, 2011
48 Supra note 50.
49 IAMAI 2006. IAMAI’s Report Online Banking ‘2006’, http://www.iamai.in/

Compared to banks abroad, Indian banks offering online services still have a long way to go.
For online banking to reach a critical mass, there has to be a sufficient number of users and
sufficient infrastructure in place. Though various security options like line encryption,
branch connection encryption, firewalls, digital certificates, automatic sign-offs, random
pop-ups and disaster recovery sites are in place or are being looked at, there is as yet no
Certification Authority in India offering a Public Key Infrastructure, which is absolutely
necessary for online banking. The customer can only be assured of a secure conduit for its
online activities if an authority certifying digital signatures is in place.50 The communication
bandwidth available today in India is also not enough to meet the needs of high-priority
services like online banking and trading. Banks offering online facilities need to have an
effective disaster recovery plan along with comprehensive risk management measures.
Banks offering online facilities also need to calculate their downtime losses, because even a
few minutes of downtime in a week could mean substantial losses. Some banks even today
do not have an uninterrupted power supply unit or systems to take care of prolonged power
breakdowns. Proper encryption of data and effective use of passwords are also matters that
leave a lot to be desired. Systems and processes have to be put in place to ensure that
errors do not take place.

Users of Internet banking services are required to fill up the application forms online and
send a copy of the same by mail or fax to the bank. A contractual agreement is entered into
by the customer with the bank for using the Internet banking services. In this way, personal
data in the application forms is held by the bank providing the service. The contract
terms are often one-sided, with the bank having the absolute discretion to amend or
supplement any of the terms at any time. For these reasons, domestic customers, for whom
other access points such as ATMs, tele-banking, personal contact, etc. are available, are often
hesitant to use the Internet banking services offered by Indian banks. Internet banking, as an
additional delivery channel, is therefore attractive to domestic customers only as a value-added
service. Non-resident Indians, for whom it is expensive and time-consuming to access
their bank accounts maintained in India, find net banking very convenient and useful.

The Internet is in the public domain, whereby geographical boundaries are eliminated. Cyber
crimes are therefore difficult to identify and control. In order to promote Internet
banking services, it is necessary that the proper legal infrastructure is in place. The Government
introduced the Information Technology Bill, and the resulting Act was notified in October
2000. Section 72 of the Information Technology Act, 2000 casts an obligation of
confidentiality against disclosure of any electronic record, register, correspondence and
information, except for certain purposes, and violation of this provision is a criminal
offence.51

50 Gurusamy, S. (2005), Merchant Banking and Financial Services, pp. 406-410, Nicole Imprints Pvt. Ltd.

51 Ram, S. and Sheth, J.N. (1989) Consumer resistance to innovations: The marketing problem and its solutions,
The Journal of Consumer Marketing, Vol. 6 No. 2, pp. 5-4.

Comprehensive enactments like the Electronic Funds Transfer Act in the U.K. and data
protection rules and regulations in the developed countries are in place abroad to
prevent unauthorized access to data, mala fide or otherwise, and to protect the individual’s
right to privacy.52 The legal issues are, however, still being debated in our country and it is
expected that some headway will be made in this respect in the near future.

The ability of banks to rely on encryption products is crucial to processing customers’
transactions safely. There are various products available, some offering a greater level of security
than others. For example, the Secure Electronic Transaction (SET) protocol offers a form of
guarantee against credit card fraud. The protocol consists of a cardholder interface resident on
the customer’s PC, an electronic till at the retail level, and a payment mechanism located on the
bank’s server, which processes the encrypted transaction messages.

In contrast to SET, Secure Sockets Layer (SSL) technology does not offer a guarantee against
credit card fraud. However, the cost-benefits of this technology appear to outweigh the security
risks, and many banks are currently trialling it. Against this background, the uncertainty
surrounding mandatory key escrow, and the consequent perceived lack of security, provides yet
another challenge for banks to consider.

11.7 REGULATORY COMPLIANCE ISSUES

Internet banking, both as a medium of delivery of banking services and as a strategic tool for
business development, has gained wide acceptance internationally and is fast catching up in
India with more and more banks entering the fray.

The growth potential of Internet users in the country is immense. Further, incentives provided
by banks dissuade customers from visiting physical branches, and customers thus get ‘hooked’ on the
convenience of arm-chair banking.53 The facility of accessing their accounts from anywhere
in the world, using a home computer with an Internet connection, is particularly attractive
to Non-Resident Indians and High Net-worth Individuals having multiple bank accounts.

Costs of banking service through the Internet form a fraction of costs through conventional
methods. Rough estimates assume teller cost at Re.1 per transaction, ATM transaction cost
at 45 paise, phone banking at 35 paise, debit cards at 20 paise and Internet banking at 10
paise per transaction.54 The cost-conscious banks in the country have therefore actively
migrated to the use of the Internet as a channel for providing services. Fully computerized

52 Elements of Mercantile Law by N.D. Kapoor, Sultan Chand & Sons, New Delhi, 2006, p. 353.

53 Rajgopalan, S.P. (2001) Banking in the New Millennium, Kanishka Publishers, Distributors, pp. 1-6
54 Rao, Rohit (2001) “Internet Banking: Challenges for Banks and Regulators”, Banking in the New Millennium,
Institute of Chartered Financial Analysts of India, p. 31

banks, with better management of their customer base are in a stronger position to cross-
sell their products through this channel.55

Banking on the Internet provides benefits to the consumer in terms of convenience, and to
the provider in terms of cost reduction and greater reach. The Internet itself however is not
a secure medium, and thus poses a number of risks of concern to regulators and supervisors
of banks and financial institutions. World over, regulators and supervisors are still evolving
their approach towards the regulation and supervision of Internet banking. Regulations and
guidelines issued by some countries include the following.

• Requirement to notify about web site content
• Prior authorization based on risk assessment made by external auditors
• On-site examination of third party service providers
• Off-site policing the perimeters to look for infringement.
• Prohibition on hyperlinks to non-bank business sites
• Specification of the architecture

In some countries supervisors have followed a ‘hands-off’ approach to regulation of such
activities, while others have adopted a wait and watch attitude. This chapter suggests
approaches to supervision of Internet banking activities, drawing upon the best
international practices in this area as relevant to the Indian context.

Major supervisory concerns can be clubbed into the following:

1. Operational risk issues

The open architecture of the Internet exposes the banks’ systems to outside access through
the easy availability of technology. The dependence of banks on third-party providers places
knowledge of banks’ systems in the public domain and leaves the banks dependent upon
relatively small firms which have a high turnover of personnel. Further, there is an absence of
conventional audit trails, as well as relative anonymity of transactions due to remote access. It
is imperative that the security and integrity of transactions are protected, so that the
potential for loss arising out of criminal activities such as fraud, money laundering and tax
evasion, and for disruption of delivery systems either by accident or by design, is
mitigated. The supervisory responses to manage operational risk include the issue of
appropriate guidance on risk control (including outsourcing risk) and record
maintenance, the issue of minimum standards of technology and security appropriate to the
conduct of transactional business, extension of ‘know your customer’ rules to transactions
on the Internet, and insistence on appropriate and visible disclosure to inform customers of
the risks that they face in doing business on the Internet.

2. Cross border issues

55 “Will the Banks Control Online Banking” (August 2001), Treasury Management, ICFAI Press, Delhi

The Internet knows no frontiers, and banks can source deposits from jurisdictions where they
are not licensed or supervised or do not have access to payment systems. Customers can
potentially park their funds in jurisdictions where their national authorities have no access
to records. The issues of jurisdiction, territoriality and recourse become even more blurred
in the case of virtual banks. Cross-border issues would also come into play where banks
choose to locate their processing centres, records or back-up centres in different
jurisdictions. While country-specific approaches are being adopted at the national level,
the ‘Group on e-banking’ set up by the Basle Committee on Banking Supervision (BCBS) is
engaged in bringing about harmonization of approaches at the international level.

3. Customer protection and confidentiality issues:

The loss of customer confidentiality may pose a reputation risk to banks and the banking
system as a whole. Transacting business on the Internet exposes data being sent across the
Internet to interception by unauthorized agents, who may then use the data without the
approval of the customers. There have also been incidents where glitches that developed in
web sites permitted customers to access each other’s accounts. To address these risks,
customers need to be educated through adequate disclosures of such risks.

4. Competitiveness and profitability issues:

While Internet banking is expected to substantially reduce the cost of doing transactions in
the long run, the limited business being done on the Internet has yet to pay for the
infrastructure in which banks have invested. This includes the tie up with technology
companies in setting up payment gateways, portals and Internet solutions and the alliance
with other businesses for cross-selling products. The coming years may however see a
scenario where the margins of conventional banks come under pressure because of
competition from Internet banking, including virtual banks, which need no infrastructure
expenses. These issues have to be kept in mind by supervisors while deciding their approach
to e-banking.

Broad regulatory framework

It would be necessary to extend the existing regulatory framework over banks to Internet
banking also. Such an approach would need to take into account the provisions of both the
Banking Regulation Act 1949 and the Foreign Exchange Management Act, 1999.

• Only such banks which are licensed and supervised in India and have a physical presence here should be permitted to offer Internet banking products to residents of India.
• These products should be restricted to account holders only and should not be offered in other jurisdictions.
• The services should only offer local currency products, and that too only by entities that are part of the local currency payment systems.
• The ‘in-out’ scenario, where customers in cross-border jurisdictions are offered banking services by Indian banks (or branches of foreign banks in India), and the ‘out-in’ scenario, where Indian residents are offered banking services by banks operating in cross-border jurisdictions, are generally not permitted, and this approach should be carried over to Internet banking also.
• The existing exceptions for limited purposes under FEMA, i.e. where resident Indians have been permitted to continue to maintain their accounts with overseas banks etc., would however remain permitted transactions.
• Overseas branches of Indian banks would be permitted to offer Internet banking services to their overseas customers, subject to their satisfying, in addition to the host supervisor, the home supervisor in keeping with the supervisory approach outlined in the next section.
• This extension of approach would apply to virtual banks as well. Thus, both banks and virtual banks incorporated outside the country and having no physical presence here would not, for the present, be permitted to offer Internet services to Indian depositors.

In addition to the security and the jurisdictional regime issues facing banks, they also must
comply with extremely detailed regulatory procedures. The Proposal for a Directive concerning
the distance marketing of consumer financial services is currently being debated.

The aim of India’s IT legislation is to harmonise consumer protection, especially in the use of new
technologies. The Commission proposed a directive concerning the distance marketing of
consumer financial services. This will complement the previous distance-selling directive
concerning general goods. The main principle of the proposed directive is that consumers must
be able to examine and compare contract terms before entering into an agreement, and must
have a corresponding right of withdrawal if they are not given the chance of examination or
have been unfairly induced to enter a contract.

Financial services differ in nature from general services in that usually their only tangible feature
is the contract, and the prices for such services may fluctuate with market forces.

There are also provisions regarding unsolicited approaches and the setting up of complaint
procedures. The proposal is being finalised by the Ministry of Communications and Information
Technology for adoption. It can be seen that these proposals, and in particular the right for a
customer to withdraw from the contract, restrict the ability of banks to rely on transactions
carried out on-line, although this is to a certain extent offset by the proposed indemnity given by a
consumer to the supplier if he withdraws after the provision of the services has commenced. It
is also possible that the practical ability of banks to enforce such indemnities may be restricted.

Compliance for the Banking Industry under “The Information Technology Act, 2000”: A
checklist

1. Retention of electronic records [Section 7]
2. Regular audit of electronic records [Section 7A]
3. Reasonable measures to ensure that its employees don’t inflict damage upon any
computer, computer system, etc. Without the permission of the owner, they also
must not do the following acts [Section 43]:
• Securing access to a computer or computer system
• Downloading, copying or extracting data
• Introducing a computer virus or contaminant
• Damaging or disrupting the computer
• Denying access to any person authorized to access it
• Assisting someone in gaining access to the computer
• Tampering with or manipulating any computer
• Stealing, destroying, deleting or altering any information, or assisting
someone in doing so
4. Compensation for failure to protect data [Section 43A]
5. Furnishing information, records, documents or reports, including books of accounts,
to the concerned authorities [Section 44]
6. Reasonable steps to ensure that its employees don’t tamper with computer source
documents [Section 65]
7. Computer related offences [Section 66 (A-F)]:
• Offensive messaging
• Receiving stolen computer resource or data
• Identity theft
• Cheating by personation using a computer resource
• Violation of privacy
• Cyber terrorism
8. Publishing obscene material [Section 67]
9. Preservation and retention of information by intermediaries [Section 67C]
10. Complying with directions to monitor and collect traffic data or information
through any computer resource for cyber security [Section 69B]
11. Complying with directions of the Indian Computer Emergency Response Team
(CERT-In) in the area of cyber security [Section 70B]
12. Organizations must also take serious note of the following offences:
• Misrepresentation [Section 71]
• Breach of confidentiality [Section 72]
• Disclosure of information in breach of contract [Section 72A]
• Publishing false particulars in an Electronic Signature Certificate [Section 73]
• Using an Electronic Signature Certificate for fraudulent purposes [Section 74]
13. Intermediary liability [Section 79]
Intermediary, with respect to any particular electronic record, means any person who
on behalf of another person receives, stores or transmits that record or provides any
service with respect to that record, and includes telecom service providers, network
service providers, internet service providers, web hosting service providers, search
engines, online payment sites, online auction sites, online market places and cyber
cafes. Banks also come under the purview of an intermediary. As per Section 79 of the IT
Act, an intermediary shall not be liable for any third party information, data or
communication link hosted by him if the intermediary does not:
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission,
and the intermediary observes due diligence while discharging his duties under this
Act and also observes such other guidelines as the Central Government may prescribe in
this behalf. [Refer to Intermediary Guidelines on page 5 of this note]
14. Offences committed by companies [Section 85]
Every person who, at the time an offence was committed, was in charge of, and was
responsible to, the company for the conduct of the business of the company, as well as
the company, shall be guilty of the contravention and shall be liable to be proceeded
against and punished accordingly. He/she will not be punished provided he/she proves
that the contravention took place without his/her knowledge or that he/she exercised all
due diligence to prevent such contravention. If it is proved that the contravention has
taken place with the consent or connivance of, or is attributable to any neglect on the
part of, any director, manager, secretary or other officer of the company, such director,
manager, secretary or other officer shall also be deemed to be guilty of the
contravention and shall be liable to be proceeded against and punished accordingly.

Penalties for Non-Compliance with the IT Act

Legal provision [Information Technology Act, 2000, amended in 2008] and the penalty in
case of non-compliance:

Section 43A - Compensation for failure to protect data
Penalty: Body corporate liable to pay damages by way of compensation to the person so
affected.

Section 44 - Penalty for failure to furnish information, return, etc.
• Failure to furnish information: not exceeding rupees one lakh fifty thousand for each
failure.
• Failure to maintain books of accounts or records: not exceeding ten thousand rupees for
every day during which the failure continues.

Section 45 - Residuary penalty
Penalty: Whoever contravenes any rules or regulations made under this Act, for the
contravention of which no penalty has been separately provided, shall be liable to pay
compensation not exceeding twenty-five thousand rupees to the person affected by such
contravention or a penalty not exceeding twenty-five thousand rupees.

Section 67C - Preservation and retention of information by intermediaries
Penalty: Imprisonment for a term which may extend to 3 years, and shall also be liable to
fine.

Section 69 - “Powers to issue directions for interception or monitoring or decryption of
any information through any computer resource”, read with the Information Technology
(Procedure and Safeguards for Interception, Monitoring and Decryption of Information)
Rules, 2009
Penalty: 7 years imprisonment and fine.

Section 69A - “Power to issue directions for blocking for public access of any information
through any computer resource”, read with the Information Technology (Procedure and
Safeguards for Blocking for Access of Information by Public) Rules, 2009
Penalty: 7 years imprisonment and fine.

Section 69B - “Power to authorize to monitor and collect traffic data or information
through any computer resource for Cyber Security”, read with the Information Technology
(Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules,
2009
Penalty: 3 years imprisonment and fine.

Section 70B - Indian Computer Emergency Response Team to serve as national agency for
incident response
Penalty: 1 year imprisonment and/or fine up to Rs 1 lakh.

Section 72A - Punishment for disclosure of information in breach of lawful contract
Penalty: Imprisonment for a term which may extend to 3 years, or fine which may extend to
five lakh rupees, or both.

Section 85 - Offences by companies
No express provision vis-à-vis penalties and compensation. However, the onus is on the
company and its directors, secretary and officers to prove their innocence.

11.8 REGULATION OF DEPOSIT TAKING BUSINESS

The regulation of organisations conducting banking activities in India is carried out by the
Reserve Bank of India [under the Banking Regulation Act and allied rules and guidelines]. The
Banking Act provides that only ‘an authorized institution’ may accept a deposit in India in
the course of carrying on a deposit-taking business. An overseas institution will be in breach
of this provision should it accept a deposit in India in the course of a deposit-taking business
conducted overseas. In relation to offshore banks, the interpretation of where the deposit is
actually made will be crucial in quantifying the level of compliance required.

11.8.1 THE LEGAL FRAMEWORK FOR INTERNET BANKING IN INDIA

• The Banking Regulations Act, 1949
• The Reserve Bank of India Act, 1934
• The Foreign Exchange Management Act, 1999
• Information Technology Act, 2000
• Personal Data Protection Bill, 2006

The legal framework for banking in India is provided by a set of enactments

• The Banking Regulations Act, 1949,
• The Reserve Bank of India Act, 1934, and
• The Foreign Exchange Management Act, 1999.

Broadly, no entity can function as a bank in India without obtaining a license from the
Reserve Bank of India under the Banking Regulations Act, 1949. The different types of
activities which a bank may undertake and the prudential requirements are provided under
this Act. Accepting deposits from the public by a non-bank attracts regulatory provisions
under the Reserve Bank of India Act, 1934. Under the Foreign Exchange Management Act,
1999, no Indian resident can lend, open a foreign currency account or borrow from a
non-resident, including non-resident banks, except under certain circumstances provided in law.

Internet banking is an extension of traditional banking, which uses the internet both as a
medium for receiving instructions from the customers and for delivering banking services.
Hence, conceptually, the various provisions of law which are applicable to traditional banking
activities are also applicable to Internet banking. In the digital age, the issues which have
arisen concern the legality, under the existing laws, of certain types of electronic
commerce/banking transactions on the Internet. These transactions include but are not
limited to the validity of an electronic message/document, authentication, validity of a
contract entered into electronically, and non-repudiation.

It has also raised the issue of the ability of banks to comply with legal requirements and
practices like secrecy of customers’ accounts, privacy, consumer protection, etc., given the
vulnerability of information/data passing through the Internet. There is also the question of
the adequacy of the law to deal with situations which are technology driven, like denial of
service/data corruption because of technological failure, infrastructure failure, hacking, etc.
Cross-border transactions carried out through the Internet pose the issue of jurisdiction and
conflict of laws of different nations.

Banking over the Internet has attracted increasing attention from bankers and other financial
services industry participants, the business press, regulators, and lawmakers. Among the
reasons for Internet banking’s audience are the notions that electronic banking and
payments will grow rapidly, more or less in tandem with proliferating electronic commerce;
industry projections that Internet banking will cut banks’ costs, increase banks’ revenue
growth, and make banking more convenient for customers; and some vexing public policy
issues. Despite this attention, there is a dearth of systematic information on the nature and
scope of Internet banking. Bankers and public policymakers alike have had to plan using
largely anecdotal evidence and conjecture.

Banks offer Internet banking in two main ways. An existing bank with physical offices can
establish a Web site and offer Internet banking to its customers as an addition to its
traditional delivery channels. A second alternative is to establish a “virtual,” “branchless,” or
“Internet only” bank. The computer server that lies at the heart of a virtual bank may be
housed in an office that serves as the legal address of such a bank, or some other location.
Virtual banks may offer their customers the ability to make deposits and withdraw funds via
ATMs or other remote delivery channels owned by other institutions.

The practice of using the internet and electronic media for carrying out business, mainly financial
transactions, encouraged the Government of India to bring into existence the Information
Technology Act, 2000. The Act offers recognition of electronic signatures, e-documents and
e-transactions, and tries to curb cyber crime.56 After 2001, the Reserve Bank of India issued
guidelines to regulate online banking, privacy, anti-money laundering and know-your-
customer norms, which consequently encouraged customers to shift towards e-commerce
banking, with some interest with respect to the confidentiality of transactions and safe
banking.57

With the emergence and rise of the internet banking and e-commerce environment, the
Government of India made an effort to bring in a separate bill called the ''Personal Data
Protection Bill 2006'' to protect the privacy of individuals, but the bill was not ratified by
both the houses. In the meantime, the Act was amended in 2008 to include Section 43A and
Section 72A to protect personal data (''PI'') and sensitive personal data and information
(''SPDI'').58

Basically, to work as a bank in India a company is bound to obtain a license from the Reserve
Bank of India under the Banking Regulations Act, 1949. The functions and activities which a
bank can enter into or undertake and the prudential requirements are mentioned in The
Banking Regulations Act, 1949. Taking deposits from the public by a non-bank invites governing
provisions under the Reserve Bank of India Act, 1934.59 Under the Foreign Exchange
Management Act 1999 (FEMA), no Indian citizen can give a loan, start a foreign currency
account or borrow from a non-resident, including non-resident banks, excluding some of the
situations given in the law.60

56 Journal of Internet Banking and Commerce, www.Arraydev.com/commerce/jibc
57 Enabling E-Commerce in India, www.giic.org
58 Avinandan Mukherjee (2003), A model of trust in online relationship banking, The International Journal of
Bank Marketing, 21(1), ProQuest Central, p. 5

Online banking is an extension of conventional banking, which uses the internet to connect
with customers and provide them banking services. Therefore, theoretically, many provisions
of law that apply to conventional banking activities also apply to online banking in the same
way. In the information era, the concerns which have arisen relate to the legality, under the
prevailing laws, of certain kinds of e-banking transactions on the Internet. These transactions
comprise but are not restricted to the legality of an electronic message/document,
authentication, validity of a contract entered into electronically, and non-repudiation. It has
also elevated the concern about the capability of banks and financial institutions to fulfil all
the legal requirements/practices like privacy of customer information, confidentiality and
protection of consumers, etc., given the vulnerability of private information passing through
the Internet as a medium.61 Additionally, there is the issue of the competency of the law to
deal with conditions that are technology driven, like denial of service/data corruption
because of failure of technology, infrastructure breakdown, hacking, etc. Cross-border
transactions raise the problem of jurisdiction, and there is a conflict of laws among different
nations.

Internet banking has attracted increasing interest from bankers and other financial services
industry participants, the business press, regulators, and lawmakers. Among the reasons for
Internet banking’s audience are the conceptions that online banking and transactions will
grow swiftly; industry forecasts that Internet banking will reduce the costs of the banks,
increase their revenue growth, and make banking more convenient for customers; and some
worrisome public policy concerns. Notwithstanding this attention, there is a shortage of
organized information on the nature and extent of Internet banking.

Banks offer Internet banking in two ways. A traditional bank with physical offices can
launch a Web site or a portal and promote Internet banking to its customers as a
supplement to its conventional delivery channels. A second option is to create a “virtual,”
“branchless,” or “Internet only” bank. The computer server that lies at the heart of a virtual
bank may be kept in a registered office of the bank, or some other place. Virtual banks may
offer their customers the facility to make deposits and withdraw funds via ATMs or other
channels.

The Government of India has enacted The Information Technology Act, 2000, to give legal
recognition to financial transactions carried out by banks by way of electronic data. The Act,
which has also drawn upon the Model Law, came into force with effect from October 17,
2000. The Act has also amended certain provisions of The Indian Penal Code, The Indian
Evidence Act, 1872, The Bankers’ Books Evidence Act, 1891 and The Reserve Bank of India Act,
1934 in order to facilitate e-commerce in India.

59 Mishra A.K. (2002) “Internet banking in India”. BanknetIndia.com
60 Foreign Exchange and Management Act, 1999
61 Singh Talwar, Cyber law and Information Technology.

However, this Act does not apply to:62

1. Negotiable instruments as defined in section 13 of the Negotiable Instruments Act,
1881;
2. Powers-of-attorney as defined in section 1-A of the Powers-of-Attorney Act, 1882;
3. Trusts as defined in section 3 of the Indian Trusts Act, 1882;
4. Wills as defined in clause (h) of section 2 of the Indian Succession Act, 1925;
5. Contracts for the sale or conveyance of immovable property or any interest in such
property;
6. Such classes of documents or transactions as may be notified by the Central
Government in the Official Gazette.

The banks offering Internet banking services at present merely accept applications for the
opening of accounts. The accounts are opened only after appropriate introduction and
proper verification of all the necessary documents. This is mainly for the purpose of proper
identification of the customer and, furthermore, to avoid benami accounts and so prevent
money laundering activities by the customer. Under Section 131 of the Negotiable
Instruments Act, 1881, a banker who has in good faith and without negligence received
payment for a customer of a cheque crossed generally or specially to himself shall not, in
case the title to the cheque proves defective, incur any liability to the true owner of the
cheque by reason of having received such payment. The banker’s action in good faith and
without negligence has been discussed in case law, and one of the relevant passages from a
Supreme Court judgment reads: “Primarily, enquiry as to negligence must be directed in
order to find out whether there is negligence in collecting the cheque and not in opening the
account, but if there is antecedent or present circumstance which aroused the suspicion of
the banker then it would be his duty before he collects the cheque to make the necessary
enquiry and undoubtedly one of the antecedent circumstances would be the opening of the
account. In certain cases failure to make enquiries as to the integrity of the proposed
customer would constitute negligence”.63

Further, the Supreme Court of India has stated that as a general rule, before accepting a
customer, the bank must take reasonable care to satisfy itself that the person in question is
of good reputation and, if it fails to do so, it will run the risk of forfeiting the protection
given under Section 131 of the Negotiable Instruments Act, 1881; but reasonable care depends
upon the facts and circumstances of the case.64 Similarly, the Delhi High Court was also of
the view that modern banking practice requires that a constituent should either be known to
the bank or should be properly introduced. The underlying object of the bank insisting on
reliable references is only to find out, if possible, whether the new constituent is a genuine
party or an impostor or a fraudulent rogue.65

62 http://rbidocs.rbi.org.in/rdocs/PublicationReport
63 BapulalPremchand Vs. Nath Bank Ltd. ( AIR 1946 Bom.482 )
64 Indian Overseas Bank Ltd. Vs. Industrial Chain Concern [JT1989 (4) SC 334]
65 Union of India Vs. National Overseas Grind lays Bank Ltd. (1978) 48 Com.cases 277 (DEL)

One of the key challenges encountered by the financial institutions engaged in Internet
banking is the question of authentication and the difficulties unique to electronic
authentication, such as concerns of data integrity, non-repudiation, evidentiary standards,
privacy, confidentiality issues and consumer protection. The current legal system does not
set out the limits as to the degree to which a person can be obliged in respect of an
electronic instruction claimed to have been issued by him. Usually, authentication is
achieved by a security procedure. Methods and devices like personal identification numbers
(PIN), code numbers, telephone PIN numbers, relationship numbers, passwords, account
numbers and encryption have evolved to establish the authenticity of an instruction.66 From
a legal viewpoint, the security procedure needs to be acknowledged by law as an alternative
to a signature.

Different countries have tackled these matters through specific laws dealing with digital
signatures. In India, the Information Technology Act 2000, in Section 3(2), provides that any
subscriber can authenticate an electronic record by affixing his digital signature.67 However,
the Act only recognises one specific technology as a way of authenticating electronic records.
This may lead to uncertainty as to whether the law would recognise the existing techniques
used by the banks as a lawful method of authenticating transactions. In this respect, the
approach in other countries has been to keep the legislation technology neutral. The law
should be technology neutral so that it can keep pace with technological developments
without requiring frequent amendments, as there exists a lot of uncertainty about future
technological and market developments in Internet banking.68 This, however, does not
suggest that the security risks related to Internet banking should go unregulated.
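The two passages above describe the properties an electronic authentication procedure must give a bank (data integrity, non-repudiation, binding of an instruction to the subscriber who issued it) and the digital signature that Section 3(2) recognises for that purpose. The following Go program is an added example, not code from the module or from any bank's system: a constructed funds-transfer instruction is signed with an Ed25519 key, and verification fails as soon as any field of the record is altered or a different subscriber's key is used. The record layout, field names, account numbers and function names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Instruction is a constructed electronic funds-transfer instruction. The
// field names are assumptions for this illustration, not any bank's format.
type Instruction struct {
	FromAccount string `json:"from"`
	ToAccount   string `json:"to"`
	AmountPaise int64  `json:"amount_paise"`
	Sequence    uint64 `json:"sequence"` // per-customer counter: an identical signed record cannot be replayed
}

// canonical gives the record one deterministic byte form so that the signer
// and the verifier always hash exactly the same bytes.
func canonical(in Instruction) []byte {
	b, err := json.Marshal(in) // struct fields are emitted in declaration order
	if err != nil {
		panic(err) // cannot happen for this plain struct
	}
	return b
}

// Sign attaches the subscriber's digital signature to the record.
func Sign(priv ed25519.PrivateKey, in Instruction) []byte {
	return ed25519.Sign(priv, canonical(in))
}

// Verify checks integrity and origin in one step: it returns true only when
// the record is byte-for-byte unchanged and the signature was produced with
// the private key matching pub.
func Verify(pub ed25519.PublicKey, in Instruction, sig []byte) bool {
	return ed25519.Verify(pub, canonical(in), sig)
}

// TamperCheck signs a constructed instruction, verifies it, then alters the
// amount (simulating an in-transit modification) and verifies again.
// It returns (genuineOK, alteredOK).
func TamperCheck() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	in := Instruction{FromAccount: "ACC-0001", ToAccount: "ACC-0002", AmountPaise: 250000, Sequence: 7}
	sig := Sign(priv, in)
	genuine := Verify(pub, in, sig)
	altered := in
	altered.AmountPaise *= 10
	return genuine, Verify(pub, altered, sig), nil
}

// WrongKeyCheck signs with one subscriber's key and verifies with another's.
// It returns (ownKeyOK, otherKeyOK): only the signer's own public key fits,
// which is what lets the bank attribute the instruction to that subscriber.
func WrongKeyCheck() (bool, bool, error) {
	pub1, priv1, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	pub2, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	in := Instruction{FromAccount: "ACC-0001", ToAccount: "ACC-0002", AmountPaise: 100, Sequence: 8}
	sig := Sign(priv1, in)
	return Verify(pub1, in, sig), Verify(pub2, in, sig), nil
}

func main() {
	g, a, err := TamperCheck()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine record verifies: %v, altered record verifies: %v\n", g, a)
	own, other, err := WrongKeyCheck()
	if err != nil {
		panic(err)
	}
	fmt.Printf("own key verifies: %v, other key verifies: %v\n", own, other)
}
```

The canonical encoding step matters in practice: a record that is signed in one serialisation and verified after being re-serialised differently will fail verification even when nothing was tampered with, so the bytes that are signed must be the bytes that are stored and later checked.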

Section 40A(3) of the Income Tax Act, 1961, dealing with deductible expenses, provides that
in cases where the amount exceeds Rs. 20,000/-, the benefit of the said section will be
available only if the payment is made by a crossed cheque or a crossed bank draft. One of
the services provided by the banks offering Internet banking services is the online transfer
of funds between accounts where cheques are not used, in which case the above benefit
will not be available to the customers.69

The principal purpose behind the passing of Section 40A of the Income Tax Act, 1961 is to
keep a check on tax evasion by requiring payment through designated accounts. In the
event of a funds transfer, the transfer of funds takes place only between identified
accounts, which serves the same purpose as a crossed cheque or a crossed bank draft.
Hence, the committee recommends that Section 40A of the Income Tax Act, 1961 may be
amended to recognize even electronic funds transfer.70

66 Vijayan V.P., Perumal V. and Bala shanmugam 2004. Waves of Multimedia Banking Development, Journal
of Internet Banking and Commerce, Vol. 9, No. 3
67 Information Technology Act 2000
68 Report on Trend and Progress of Banking in India, Reserve Bank of India, various issues.
69 Ibid.
70 Reserve Bank of India, www.rbi.org.in/home.aspx

The general revocation and amendment instructions to the banks are intended to correct
errors, including the sending of an instruction more than once. Occasionally, a revocation or
amendment may be intended to stop a fraud. Under the existing law, banks are responsible
for making and stopping payment in good faith and without negligence. In an Internet
banking scenario there are very limited or no stop-payment privileges, since it becomes
impossible for the banks to stop payment in spite of receipt of a stop-payment instruction,
as the transactions are completed instantaneously and are incapable of being reversed.
Hence the banks offering Internet banking services may clearly notify the customers of the
time frame and the circumstances in which any stop-payment instructions could be accepted.

Typically, the banker-customer relationship is embodied in a contract entered into by them.
The banks providing Internet banking services currently enter into agreements with their
customers stipulating their respective rights and responsibilities, including the disclosure
requirements in the case of Internet banking transactions, contractually. A standard
format/minimum consent requirement to be adopted by banks offering Internet banking
facilities could be designed by the Indian Banks’ Association capturing, inter alia, access
requirements, duties and responsibilities of the banks as well as customers, and any
limitations on the liabilities of the banks in negligence and non-adherence to the terms of
agreement by customers.

One of the major concerns associated with Internet banking has been that Internet banking
transactions may become untraceable, are incredibly mobile, may easily be anonymous and
may not leave a traditional audit trail, by allowing instantaneous transfer of funds. It is
pertinent to note that money-laundering transactions are cash transactions leaving no paper
trail. Such an apprehension will be greater in the case of use of electronic money or e-cash.
In the case of Internet banking the transactions are initiated and concluded between
designated accounts. Further, Section 11 of the proposed Prevention of Money Laundering
Bill, 1999 imposes an obligation on every banking company, financial institution or
intermediary to maintain a record of transactions or a series of transactions taking place
within a month, the nature and value of which may be prescribed by the Central
Government.71 These records are to be maintained for a period of five years from the date
of cessation of the transaction between the client and the banking company, financial
institution or intermediary. This would apply to banks offering physical or Internet banking
services. This will adequately guard against any misuse of Internet banking services for the
purpose of money laundering.

Section 4 of the Bankers’ Books Evidence Act, 1891, provides that a certified copy of any entry
in a bankers’ book shall in all legal proceedings be received as prima facie evidence of the
existence of such an entry. The Banking Companies (Period of Preservation of Records)
Rules, 1985, promulgated by the Central Government, require banking companies to
maintain ledgers, records, books and other documents for a period of 5 to 8 years.72 A fear
has been expressed as to whether the above details of the transactions, if maintained in an
electronic form, will also serve the above purpose. The Group is of the considered opinion
that this has been adequately taken care of by Section 7 and the Third Schedule of the
Information Technology Act, 2000.73

71 Supra note 71.
72 Vijayan V.P., Perumal V. and Bala shanmugam 2004. Waves of Multimedia Banking Development, Journal
of Internet Banking and Commerce, Vol. 9, No. 3.
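The two preceding points, that Internet banking transfers between designated accounts do leave an audit trail, and that transaction records kept in electronic form must be preserved for a fixed period and remain usable as evidence, can be illustrated together. The following Go program is an added example, not code from the module or from any bank's system: it keeps a hash-chained trail of constructed transfer records, so that a later alteration to any stored entry is detected by recomputing the chain, and it computes the date until which a record must be retained from a cessation date and a retention period in years. The account numbers, dates, record layout and function names are assumptions made for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Entry is one constructed record of a transfer between designated accounts.
// The fields are assumptions for this illustration, not a bank's real schema.
type Entry struct {
	Seq         int
	When        time.Time
	FromAccount string
	ToAccount   string
	AmountPaise int64
	PrevHash    string // hash of the preceding entry: the link in the trail
	Hash        string // hash over this entry's fields, PrevHash included
}

// Ledger is an append-only trail of entries.
type Ledger struct {
	Entries []Entry
}

// entryHash covers every field a later reader relies on. Because PrevHash is
// part of the input, changing any earlier entry changes every hash after it.
func entryHash(e Entry) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d|%s|%s|%s|%d|%s",
		e.Seq, e.When.UTC().Format(time.RFC3339), e.FromAccount, e.ToAccount, e.AmountPaise, e.PrevHash)
	return hex.EncodeToString(h.Sum(nil))
}

// Append records a transfer and links it to the previous entry.
func (l *Ledger) Append(when time.Time, from, to string, amountPaise int64) Entry {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := Entry{Seq: len(l.Entries), When: when, FromAccount: from, ToAccount: to,
		AmountPaise: amountPaise, PrevHash: prev}
	e.Hash = entryHash(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify recomputes every hash and link. It returns the index of the first
// entry that does not match, or -1 when the whole trail is intact.
func (l *Ledger) Verify() int {
	prev := ""
	for i, e := range l.Entries {
		if e.PrevHash != prev || entryHash(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// RetainUntil gives the earliest date on which a record may be disposed of:
// the cessation date of the customer relationship plus the retention period
// in years (five years in the passage's description of Section 11).
func RetainUntil(cessation time.Time, years int) time.Time {
	return cessation.AddDate(years, 0, 0)
}

// SampleLedger builds a three-entry trail from constructed data.
func SampleLedger() *Ledger {
	l := &Ledger{}
	t0 := time.Date(2020, 3, 31, 10, 0, 0, 0, time.UTC)
	l.Append(t0, "ACC-0001", "ACC-0002", 150000)
	l.Append(t0.Add(time.Hour), "ACC-0002", "ACC-0003", 40000)
	l.Append(t0.Add(2*time.Hour), "ACC-0003", "ACC-0001", 5000)
	return l
}

func main() {
	l := SampleLedger()
	fmt.Println("intact trail, first bad index:", l.Verify())
	l.Entries[1].AmountPaise = 400000 // a later edit to a stored record
	fmt.Println("after edit, first bad index:", l.Verify())
	cessation := time.Date(2020, 3, 31, 0, 0, 0, 0, time.UTC)
	fmt.Println("retain until:", RetainUntil(cessation, 5).Format("2006-01-02"))
}
```

A chain like this only proves that the stored records are the ones that were written; it does not by itself prove who wrote them, so in a real system the head of the chain (or each entry) would also be signed or anchored in a separately controlled store, and the disposal date would be checked against every applicable retention rule rather than a single period.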

11.9 CONCLUSION

As with everything else connected with the Internet, banking and electronic commerce on
the Internet is changing rapidly. To properly advise their clients, lawyers must be able to
understand the technology involved (particularly the structure of the networks) and must
also be prepared to review and, if possible, adapt traditional legal principles in their
application to this new technology.

According to the International Survey of Privacy Laws and Practice, there is no general
privacy law in India. The RBI ombudsman’s office has been flooded with such complaints. In
these circumstances, online banking in India is risky. We have no e-banking laws in India and
this also makes mobile banking in India risky. Even RBI has acknowledged the risks of
e-banking in India.

E-banking in India cannot succeed till a strong legal framework in this regard is enacted. We
have no specific e-banking law in India. Even though RBI has issued many guidelines in this
regard, and even our Information Technology Act, 2000 contains some indirect and implied
provisions for Internet or e-banking, we still need a separate and dedicated law in this
regard. Although RBI has mandated cyber due diligence for banks in India, especially the due
diligence for banks under the IT Act 2000, banks have still to keep their functions in order.
Indian banks are poor at cyber security. It is high time for banks operating in India to keep
their e-banking infrastructure technologically and legally sound. Resistance to internet
banking retards its adoption and requires the banks to continue to provide the existing
options in customer service. It decreases the ability of the banks to realize the full potential
of technological innovations. Therefore an understanding of these factors is essential for
bank administrators to devise policy measures that can remove these barriers.

Online banking in India or e-banking in India is increasingly being used by both banks and
customers alike. This brings mobility and convenience to both banks and customers.
However, with the benefits there are negative aspects of e-banking as well.

73 Sheth J.N. 1981. Psychology of innovation resistance: the less developed concept (LDC) in diffusion
research, Research in Marketing, Vol. 4 No.3, pp. 273-282

