The cyber space is increasingly used by organized criminal groups to target credit cards, bank account and other financial instruments for fraudulent transactions. Online fraud is considered to be third amongst economic crimes prevalent in India according to Global Economic Crime Survey 2011, conducted by Price House Water House Cooper, which reveals the propensity of such crimes in India.[1] The major forms of cyber fraud includes online auctions, internet access services, work at home plans, payment methods using debit/credit card, phishing etc.

Banking frauds methods

Most of the online banking frauds are conducted either through phishing, stealing of banking information or through cloning of credit/debit cards. In phishing, a fraudster will send an email pretending to be sent from the bank to the victim asking for their personal details including banking information like PIN code or banking user name and password on some pretext or the other. Once the person reveals such crucial information, the fraudster may withdraw or transfer the money from the account of the victim. In most cases, due to lack of awareness, people fall for the traps of such fraudster and looses huge sums of amount.

A selected study of banking frauds revealed that the fraudsters mostly apply the following tactics to defraud innocent people:

• Stealing of the original credit/debit cards and using the cards at shopping merchants (POS purchases)
• Cloning/duplication of credit/debit card
• Phishing scams where the information has been revealed by the customer himself
• Leakage of PIN/credit card/debit card numbers by the handlers of such information/payment gateways/banks (voluntary or involuntary like hacking, physical intrusion, data breach)
• Usage of stolen/duplicate/cloned mobile SIM card to receive one time password (OTP) of mobile/net banking and transaction made using such information

Responsibilities and liabilities of banks

Nabbing a cyber fraudster who might have committed the offence sitting at a distant location possibly on a foreign shore will be difficult for a common person. What are the legal recourses that can be taken to recover the lost amount? But what happens when the bank or other intermediaries like telecom companies fails to provide adequate security measures to protect the customer from illegal and fraudulent transfers? What happens when there is a lapse on the part of the banks and other intermediaries during such fraudulent transaction?

Generally intermediaries are not liable for the offence committed by the users or third parties using their network or system. However, they might be liable for non-compliance of due diligence requirements under the law.  A body corporate handling sensitive personal data (which includes financial information such as bank account, credit card or debit card or other payment instruments, password)  and stores such information in a computer, is required to  maintain reasonable security practices and procedures to protect such data. If due to negligence of the body corporate in handling such sensitive personal data causes wrongful loss to such person, the body corporate is liable to pay adequate damages as compensation to such person.

Now days, most banking functions have moved to core banking system and a large number of transactions are made using internet banking, mobile banking or use of debit/credit cards. A significant number of urban and semi-urban customers of the banks use debit/credit cards for their every day purchases through e-commerce sites or withdrawal of money through ATMs. The banks are in possession of sensitive personal information of their customers including account numbers, PIN, credit/debit card numbers and other financial information of the customer in an electronic form. The banks are responsible for protection of such information from unauthorized usage through maintaining reasonable security procedures laid down in different rules and regulations issued by RBI and other bodies. Some of the important rules and guidelines which govern maintenance of reasonable security standards for banks include, Master Circular –   Know your Customer (KYC) norms, Anti-Money Laundering standards, Combating of financial terrorism, Obligations of banks under Protection of Money Laundering Act, 2002 and  by RBI and other international standards for information technology security (ISO standards).

Breaches in data security by the banks and telecom operators

Some of the common breaches in security procedures by banks and telecom operators include:

• Non-compliance of KYC norms of customers by banks. Most of the proceeds of the fraudulent transactions are transferred either in “mule accounts” (accounts of innocent persons are used to transfer money in promise of payment of a certain percentage) or in accounts where the identity of the customers cannot be verified. Such accounts are generally created by using either apparently fraudulent documents or no proper documents as such.
• Non-compliance of KYC norms by the telecom operators while issuance of duplicate SIM card. In a large number of cases, the fraudster has obtained a duplicate SIM card of the victim’s mobile, which was later used to receive one time password or make mobile banking transaction. Due to issuance of duplicate SIM card, the victim’s original SIM will get disabled and he will not be able to receive transaction messages.
• Non installation of CCTVs or non-working of CCTVs in banks, ATMs which is a necessary security procedure for banks
• No mechanism to identify and flag suspicious transaction patterns
• Failure to notify the customer of suspicious transactions (either through SMS or email) on a live basis

How to recover lost money through fraudulent bank transfers under Information Technology Act?

One can file an application before the Adjudicating Officer appointed under Section 46 of Information Technology Act, 2000 claiming breach of reasonable security procedures by the bank. An analysis of selected cases ordered by the Adjudicating Officer in the state of Maharashtra revealed that the banks and telecom operators in most cases have failed to maintain reasonable security procedures, including non-compliance of KYC norms, Anti-money laundering guidelines, and automatic suspicious transaction monitoring facilities. As per Section 43A of Information Technology Act, 2000 the banks and other intermediaries who have failed to maintain reasonable security procedure must pay adequate damages as compensation to such person to cover the loss. The Adjudicating Officer has the power to adjudicate in the matters where the claim does not exceed Rs 5 crores. The bank must prove that they have maintained reasonable security procedures to prevent such fraudulent acts. In case the bank fails to prove that they have maintained reasonable security procedure, the Adjudicating Officer who has the powers of a Civil Court, may order the bank to pay damages as compensation to the victim.

How to file a complaint in the state of Maharashtra:

• Application must be made in a specified format (Download form)
• Application must be accompanied by an application fee of Rs 50 along with appropriate fees as per the amount of compensation claimed (rates provided below) by a Demand draft drawn in the name of “Adjudicating Officer Information Technology Act” payable at Mumbai.

• The application must be made to Adjudicating Officer, c/o Directorate of Information Technology, 7th Floor, Mantralaya, Madam Cama Road, Hutatma Rajguru Chowk, Nariman Point, Mumbai – 400021

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join:  

https://t.me/joinchat/J_0YrBa4IBSHdpuTfQO_sA