This article has been written by Devagni Vatsaraj, pursuing the Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.
Introduction
Net Banking is an electronic payment system, a service offered by banks/financial institutions. It allows an individual to undertake different kinds of transactions from the comfort of their home, through the internet. The development of the internet and technology has been enormous and has ventured into the field of banking. ICICI Bank was the first Indian bank to facilitate Internet Banking, which was also then referred to as “Convenience Banking.” Though India has been digitized for quite some time now, it has taken a significant leap in the last year during the COVID-19 pandemic. Digital presence has grown considerably in the form of payments, online meetings, video conferences, webinars, etc. During these times, we have seen a sharp rise in the number of frauds, white-collar crimes, phishing, scams, etc. While reducing the use of technology may not seem like a viable option, the only workable recourse is to follow precautionary measures and to be alert and vigilant, so that we are in a safe place. This article dwells upon the cyber risks associated with Net Banking and how the legislation is recognizing technology and making amendments to the existing laws, and suggests some solutions that may curb cyber-crimes.
Net banking in India
As mentioned earlier, ICICI Bank began facilitating online banking services in 1996, followed by some other banks. On the other hand, the public sector banks were reluctant to adopt internet banking practices. While net banking is not a separate business but an ancillary service provided by the banks/financial institutions, the depository financial institution of India took the lead in adapting to technology and taking banking to the doorsteps of its customers. Some banks blame the shortage of laws and regulations for not going online, while others are comfortable and not willing to switch from the traditional banking methodology. It has always been a concern for the banks how they are going to be regulated if they provide a net banking facility: in the absence of proper laws, will they have autonomy in their affairs, or will they be under the radar of the Reserve Bank of India (RBI)? The RBI had welcomed suggestions from the industry and adopted recommendations of the “Working Group on Internet Banking,” which examined three driving forces: technology and its allied security issues, legal issues, and regulatory and supervisory issues. The RBI then gave some independence to the banks, while ensuring that for some issues, the banks strictly follow the provisions of the RBI.
The Indian government has been promoting “Digital India” to quite a far-reaching extent. This campaign has been initiated to provide the citizens with services through the mode of internet and thereby increasing the scope of connectivity throughout the country. To promote the use of internet banking technology, the Ministry of Finance implemented Public Financial Management Systems (earlier known as Central Plan Scheme Monitoring System), which is an element of the digital India campaign. The primary objective of Public Financial Management Systems is to establish an efficient fund flow system and establish a proper accounting network. Further, it has widened the scope of online payments amongst users.
Drawbacks of net banking in India
There are many forms of cyber fraud in the banking industry; almost every day we read headlines about people falling prey to the internet’s wrong-doers, losing their money while making payments or availing other transactional services over the internet. The privacy and security of customers is one of the biggest drawbacks of net banking. It cannot be denied that despite having specific statutes in place for curbing cybercrimes, like the Information Technology Act, 2000 (IT Act) and the Indian Penal Code, 1860 (IPC), wrong-doing by fraudsters concerning net banking is increasing rapidly. There is a lacuna in the legal system and the administration for tackling these crimes and adjudicating the wrong-doer. It has been over a decade and yet we as a nation are not able to curb or even reduce the frequency of these crimes. The reason is a gap in the training methodology provided: the corporate houses are easily able to hire good analysts to protect data and secure their channels, whereas the government and other small banks lack these resources.
Security of net banking transfers becomes a major concern. The transactions made over the internet are flexible, effective but at the same time, can be untraceable, made anonymously, and due to lack of effective audit, facilitate immediate movement of money. Identifying and avoiding unauthorized and illegal activities becomes a major apprehension for the banking sector. Application of money laundering laws could also be inadequate for other types of electronic payment such that banks are exposed to the vulnerability of money laundering. Even after undertaking preventive measures like Know Your Customer (KYC) and Biometric Verification, the security and privacy concerns are major roadblocks for effective net banking in India.
Legal outlook on shortening the evils associated with net banking
Internet banking fraud can be defined as a mala fide act by any individual to illegally obtain sensitive data or finances from banks/financial institutions via the internet. The IT Act primarily governs the process of net banking. Cyber frauds include phishing, malware attacks, identity theft, debit/credit card frauds, embezzlement, frauds relating to loans, fraud by forgery, etc. The substantive and procedural laws and rules governing the areas of banking, the internet, and information technology are effective mechanisms to prevent such internet banking frauds. To counter such crimes, the IT Act has incorporated certain legal provisions creating legal rights and corresponding duties for the bankers and the customer. Failure to adhere to such provisions would attract the penal provisions under the Act. Apart from the relevant provisions of the IPC, the IT Act also provides punitive provisions for identity theft and cheating through technology under Sections 66C and 66D, along with a remedial right by way of compensation and penalty for breach of data under Sections 43A and 72 of the same Act.
The Act imposes a legal duty on bankers to protect the sensitive personal data in the systems which the banks/financial institutions own, hold, and operate. Any negligence would result in the payment of compensation to the victims. Through Sections 43A and 72 of the IT Act, the legislation has laid down penalizing measures against the bank in the event of failure to maintain the confidentiality of its customers.
The Act comes down heavily on online fraudsters by virtue of Sections 66C and 66D of the IT Act. Both provisions punish acts like online frauds, computer attacks, and other digital frauds. The provisions of the IT Act that deal with net banking are:
1. Hacking and Data Theft:
Sections 43 and 66 of the IT Act penalize activities such as data theft, hacking into a computer network, introducing and spreading viruses through computer networks, damaging computers or computer networks or computer programs, disrupting any computer or network, damaging or destroying information in a computer, etc. The maximum punishment for these offenses is imprisonment of up to 3 (three) years or a fine of Rs. 5,00,000/- (Rupees Five Lakh only) or both.
- Umashankar Sivasubramanian v. ICICI Bank (Civil Petition No. 2462/2008, Adjudicating Officer of Judicature of Chennai): The complainant, Mr. Umashankar, alleged that his bank account was wrongfully debited on account of negligence on the part of the bank. The Bank contended that the case was one of phishing, blamed negligence on the part of the complainant, and was of the opinion that the matter could not be brought under the purview of the IT Act and that the complainant must lodge an FIR. The Adjudicating Authority, vide its order, held that ICICI Bank had failed to establish that due diligence was exercised to prevent the breach, found that the Bank was guilty of the offenses made out in Section 85 read with relevant clauses of Section 43 of the IT Act, and directed ICICI Bank to pay to the complainant a total sum of Rs. 12,85,000/- (Rupees Twelve Lakh Eighty-Five Thousand only). The bank had obtained a stay and an appeal was filed before the Cyber Appellate Authority.
- Mphasis BPO Fraud (2005): In December 2004, four employees of Mphasis, working at an outsourcing facility in India, obtained PINs from four customers of the company’s clients based in the U.S. They were not authorized to do so, but they posed as having the authority and, with the details obtained, opened new bank accounts using false identities. Within a couple of months, they used the credentials and transferred all the money from the bank accounts of the clients (in the U.S.) to their new accounts at Indian banks. By April 2005, the Indian police had been informed of the scam by the U.S. bank, and post-investigation, the individuals involved in the scam were arrested. It was informed that an amount of $426,000 was stolen, out of which $230,000 was recovered. The arrests were made when these fraudsters tried withdrawing the cash from the Indian bank accounts. The Court held that the nature of the crime was that of unauthorized access to commit fraudulent transactions and hence, Section 43(a) was applicable.
2. Identity theft and cheating by personation:
Section 66C of the IT Act prescribes punishment for identity theft and provides that anyone who fraudulently or dishonestly makes use of the electronic signature, password, or any other unique identification feature of any other person shall be punished with imprisonment of either description for a term which may extend to 3 (three) years and shall also be liable to fine which may extend to Rs. 1,00,000/- (Rupees One Lakh only.)
3. Section 66D of the IT Act prescribes punishment for cheating by personation by using computer resources and provides that any person who by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to 3 (three) years and shall also be liable to fine which may extend to Rs. 1,00,000/- (Rupees One Lakh only)
4. Section 43(h) of the IT Act:
Section 43(h) read with section 66 of the IT Act penalizes an individual who charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network.
5. Section 65 of the IT Act:
Section 65 of the IT Act prescribes punishment for tampering with computer source documents and provides that any person who knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy, or alter any computer source code used for a computer, program or network, computer system, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment for up to 3 (three) years or with a fine which may extend to Rs. 2,00,000/- (Rupees Two Lakh only) or with both.
6. Section 67C of the IT Act:
Section 67C of the IT Act requires an intermediary to preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe. The section further provides that any intermediary who intentionally or knowingly contravenes this requirement shall be punished with imprisonment for a term which may extend to 3 (three) years and also be liable to a fine. An intermediary concerning any particular electronic record has been defined in the IT Act to mean any person who on behalf of another person receives or stores or transmits that record or provides any service concerning that record.
7. Section 73 of IT Act:
Read along with Section 3 that defines and explains electronic signature (the word electronic signature was earlier defined as digital signature, and was amended vide Information Technology Amendment Act, 2008), this Section states that no person shall publish an Electronic Signature Certificate or otherwise make it available with the knowledge that the certifying authority has not authorized it and/or the license has been revoked/suspended. In these circumstances, the person may be imprisoned for a term that may extend to 2 (two) years and shall also be liable to a fine which may extend to Rs. 1,00,000/- (Rupees One Lakh only) or both.
8. Section 75 of the IT Act:
This section grants universal jurisdiction for offenses committed by a person not authorized to do so, who attacks the computer systems operated by banks in India by hacking, whether operating within India or outside India. The Internet has no boundaries, and as seen in Mphasis, banking frauds are committed not only within India but also from outside India. It therefore becomes difficult for the prosecuting agencies to initiate action because of jurisdictional issues. By this Section, the IT Act has eased this difficulty and allows the adjudicating agencies to prosecute criminals who are not within their jurisdiction (subject to one of these factors being present: the criminal is a citizen or the victim is a citizen, the computer source tampered with is in India, or the funds transferred were in Indian currency, etc.).
With the introduction of provisions focusing on data privacy, information security, making electronic signatures neutral, redefining the role of intermediaries, and recognizing the role of the Computer Emergency Response Team; the Information Technology Amendment Act, 2008 has widened the scope for the security of net banking transactions. Yet there is still scope to streamline the act to define provisions and their consequent penalty (in cases of breach of the provision) concerning internet banking.
Way forward
It is pertinent to mention here that the government of India, to further insulate the mechanism for the protection of personal data, has tabled a bill called the “Personal Data Protection Bill 2019”, which is under a consultative process. The bill aims at protecting the privacy of individuals relating to personal data under the guidance of a regulatory body, the Data Protection Authority of India. Privacy was recognized as a fundamental right by the Hon’ble Supreme Court in Puttaswamy’s case, by extending the scope of Article 21. Post this case, privacy was considered an element of the right to life, and the banks/financial institutions found it difficult to identify their online customers, as cards issued by the institution and the storing of sensitive personal data could not be made mandatory. The internet banking service accepts requests for the opening of accounts and has made the procedure very simple, faster, and easier.
Some of the measures that banks/financial institutions as well as customers should keep in check to be safe against these crimes are:
- Install good antivirus software on the computer, tab, and laptop, and to protect the servers. This protects the devices and data from internet threats, viruses, and malware. One must always scan any external drive for viruses before inserting it into the device. Another precaution is to download any software, application, anti-virus, etc. only from a genuine and identifiable source.
- One must also ensure that net banking transactions are entered into through one's own device or the device of someone known to the individual. Using a third party’s electronic device for banking should be avoided. If one is used, it is to be checked that the credentials do not get saved on the server, and it is important to clear the history and caches. One should use credentials that are hard for people to guess. Also, it is always best to use a different password for banking than one would usually use for social media, shopping, etc. It is also advisable to use different passwords for different banks.
- The prosecuting agencies have set up dedicated cybercrime cells across all the districts in India for effective redressal of grievances. However, each bank should also set up its own redressal cell that can identify internet banking frauds happening at the bank and, at regular intervals, forward such reports and complaints to the cyber cell.
- One must avoid opening links sent from unknown sources. Choosing the correct website is important: many fake websites on the internet look like internet banking sites, and if one falls for a fake one, the individual’s credentials are jeopardized and they can become a victim of a phishing attack.
Conclusion
With the advancement of technology, customers can undertake banking transactions without much trouble, in their comfort, anytime and anywhere. While this has meant the slowing down, if not the disappearance, of the traditional banking system, it cannot be denied that crimes and frauds associated with net banking transactions have witnessed a rise. Therefore, it has become necessary for the government to evolve a mechanism to control and eliminate online frauds by inculcating security measures in e-banking transactions. For this reason, the RBI has formulated mechanisms and protocols for all the banks/financial institutions under its control. The legislative measures, by virtue of the relevant provisions of law discussed hereinabove, clearly lead towards a balanced mechanism together with stringent punitive measures to discourage online crimes, and impose a heavy restraint on committing online fraudulent activities and other related criminal acts, either within the jurisdiction of India or in any part of the world. These measures themselves pose a hurdle to a person who enters into banking transactions with a mala fide intent to enrich themselves unjustly. The punitive provisions available under the Act are in addition to the penal provisions under the Indian Penal Code. To conclude, though the working and security mechanism that has evolved for net banking transactions has come a long way, it needs to be updated promptly so that the risks and frauds are kept in check and the Indian economy can rise and strengthen.