Legal Issues in E Banking

Transcription

1 Legal Issues in E 5 th Feburary

2 Concept of E Banking We understand that Internet Banking and Mobile Banking is part of E Banking. May be Core Banking and ATM Banking also are easily recognizable as parts of E Banking But What is the legal definition? Is there a legal definition? Should there be a legal definition? 2

3 What is E-Money? Is it different from the money we know? A Mechanism guaranteed by a sovereign authority, universally used exchange and a common denominator for valuing and acquiring goods Like Cryptocurrency :eg: Bitcoin

4 What is E-Money? Is it simply the Right to Money exercised through electronic documents? Money in the Bank Money in a Stored Value Card Money in a Prepaid Card linked to an earmarked repository of legacy money in the Bank? Money drawable with a Debit Card linked to an earmarked repository of legacy money in the Bank? Or a mobile app like an UPI or BHIM or USSD message etc Money drawable as a loan through a Credit Card?

5 What is E-Money Essence of Money is Recognition by the sovereign authority as a guaranteed debt Bitcoin does not fit the bill It is only the Rupee wherever it is sitting, that can be used to make payment for goods and services by providing an electronic instruction that can be classified as E-Money

6 What distinguishes E Banking? Traditional Banking used Paper as the means of Recording of transactions Exchange of material instructions between the Banker and Customer Account opening was a contract under Indian Contract Act using paper based offer and acceptance documents Interaction with the customer was face to face With the ledger clerk initiating a transaction branch manager who authenticates a transaction the cashier who dispenses cash E Banking uses an electronic document or an electronic device for either record keeping or for interaction 6

7 What distinguishes E Banking It encompasses Records in electronic form Account opening is still a paper based contract Internet Banking details are often only in electronic form Hardware both at the Bank and the Customer end Hardware in an intermediary place such as the ATM Network that connects the customer with the back end system All applications that run at the Bank, Customer end and at the Intermediary level in ATMs 7

8 Legal Definition? There is no separate definition. The derived definition E Banking means Banking with the use of electronic documents. Or accepting, for the purpose of lending or investment, of deposits of money from the public, repayable on demand or otherwise, and withdrawable by cheque, draft, order or otherwise using electronic documents in the process Use of electronic documents implies use of electronic devices 8

9 Is a Mobile Wallet an E-Bank RBI licenses Payment Banks which can accept deposits and run a wallet If there is a wallet without payment banking license Is it also E Banking? Wallets are not used for lending but only for bill payments. Hence Wallets are not Banks in the traditional sense even if they carry Payment bank license But they are part of the eco system of handling money in the economy which hitherto was a secondary Banking function such as Trade Bills collection Payment by Cheques etc

10 Advent of Internet banking Originated in 1997-ICICI bank Now extended as a service by most banks Viewing of Account transactions Funds transfer within the bank (NEFT) Fund transfer outside the banks (RTGS) Bill payments Virtual Banking scenario Anywhere, Anytime Banking 10

11 E Banking and Virtual Banking Physical Existence Virtual Banking Involves a Bank which may not have a physical existence E Banking is a mode of transaction with a physical Bank Currency Virtual Bank may use Virtual Currency and not use physical currency at all (eg: Linden Dollars, Game points, E bid coupons) E Banking Is a mirror of physical banking and hence represents physical currency whose records are kept in electronic form In India only Physical Society Banks can offer Internet Banking All other bank like transactions need to be classified as E Commerce and not E Banking. 11

12 Card Banking Credit Cards Identity for request for credit Debit Cards Identity for request for payment out of account Conforms to BR Act definition of or otherwise (used in withdrawal means) Prepaid/stored value cards Is a bank branch in itself with the functions of a ledger clerk and passing officer combined. Cashier is outside the domain Virtual Cards Short life customized self created ATM Cards Access control for identification 12

13 Card Banking Storage of Information Magnetic Stripe or Chip Elementary identity particulars or more It is a data storage device or Media as per ITA 2008 The card swiping device reads the data and transmits the data. It is a Computer as per ITA 2008 RFID tagged/near field communication contact less cards EMV standard with Microprocessor Chip 13

14 Social Media/E Mail Banking 14 Facebook/Twitter Send a message to the facebook page Send a message to a Twitter account Send payment to an address Receiving Bank issues a payment authorization with a Pin acceptable at an ATM Customer ID is linked to the social media account/e Mail account Transmission of instruction is through the Internet

15 App based banking Bank specific App Linked to a Bank Multi bank App (Wallet) Is a Bank in itself. Apps that enable peripheral interaction with the core banking system Apps that are capable of carrying out full fledged transactions of money transfers in and out. 15

16 UPI and BHIM Direct transfer from Bank to Bank through NPCI gateway No need to know the Bank accounts mapped by the NPCI Recognizes a Virtual Payment Address or the Mobile Number as the Bank ID Convenient but not fully assessed for the risks involved. 16

17 Hashtag banking-kotak (Jifi) Jifi customers can receive account updates on Twitter as a Direct Message (DM) by simply tweeting with predefined hashtags. The bank s dedicated Twitter will send out these messages Jifi is a zero interest current account with no minimum balance conditions, initial payment of just Rs. 5,000/-. All balances over Rs. 25,000/- automatically move into term deposits 17

18 New Forms of Banking On the Non Internet Mobile Network USSD Based Banking IVR Banking Aadhar Based Banking Biometric used as a trigger for starting a Banking transaction Blockchain based Banking? Yet to be fully assessed for Indian Banking use

19 Technological Overview Electronic Documents held in a data base server Transaction applications are hosted in an application server Access is through an authentication gateway or Firewall 19

20 E Banking architecture Database Authentication Domain Server/ Application server 20 Bank Employees

21 Legal Aspects of E Banking 21

22 What is the Applicable Law? All laws and regulations applicable to Banking RBI Act, Banker s Book Evidence Act, Banking Regulation Act, Negotiable Instrument Act, Consumer Protection Act, Indian Contract Act Superimposed with the law applicable for use of electronic documents..ita 2008 Payment and Settlement Act 2007 Under review now Regulations of RBI from time to time

23 What are the legal responsibilities Conduct Banking as per Banking law and regulations If not, be responsible for the liabilities that may arise. Conduct Banking which is Secure from the view point of the customer Besides protecting its own interests

24 Responsibilities under ITA 2000/8 Enter into a valid Banker Customer Contract Application form on paper? Terms on website? Enforceability of Click Wrap and Standard form contracts Enforceability of undigitally signed contracts and transaction instructions Responsibility for following insecure methods of storage, processing, transmission of sensitive personal data, critical banking transaction data, evidence handling Responsibility for omissions and commissions of outsource agents 24

25 When Fraud Occurs Root cause could be Criminal activity of an outsider Negligence of the customer Technology failure Negligence of the Bank Criminal activity of an employee 25

26 Principle of Proximate cause.. When multiple factors cause a problem, And between multiple innocent persons he who had an opportunity to prevent last and failed to do so is more responsible than the others The important point to note is that the proximate cause is the nearest cause and not a remote cause. 26

27 Vicarious Liability Principle Section 85 and Section 79 of ITA 2000/8 as well as IPC recognizes that Liabilities can be borane by persons who have not been beneficiaries or perpetrators of a fraud solely because they had a responsibility for security and were negligent. 27

28 Direct Liability.. Assistance and Abetment are considered equal to commission of a contravention under Section 43 and Section 84B Passive Assistance can be implied through negligence 28

29 Bank s Role.Cyber Security Reasonable Security Practice under Section 43A Due Diligence under Section 79 Ability to provide assistance to designated authorities under Sections 69.69A,69B, 70B etc Ability to preserve evidence under Section 65 and other laws such as IPC 29

30 Where Liabilities can arise.. 30

31 Bank s Role.Cyber Security ISO or PCI DSS etc are only means to an end and not the end in itself Banks Role is to maintain an infrastructure which takes into account all reasonable security measures to prevent losses occurring to its customers and to itself. Reasonable is subject to interpretation and can be stretched Principal guideline is the law of the land and includes what RBI mandates 31

32 Follow RBI Guidelines Cyber Security Framework of June 2, 2016 Continuation of GGWG guidelines of 2011 Continuation of the Internet Banking guidelines of

33 Follow RBI Guidelines.. Internet Banking Guidelines 2001 Wanted Banks to adopt Cyber Insurance Assume legal risk if digital signatures are not used GGWG guidelines of 2011 Wanted Banks to mandatorily conduct ITA 2008 compliance exercise Gave a comprehensive structure for information security management including Organizational structure, Outsource agents management, Customer education etc besides technical requirements How much of these guidelines we have complied with? 33

34 Follow RBI Guidelines Cyber Security Framework of June 2, 2016 Required a Gap analysis to be completed by July 31, 2016 Required compliance by September 30,

35 Cyber Security Framework 24 baseline controls indicated Cyber SOC mandated To include monitoring of zero day vulnerabilities Cyber Incidents to be Reported 35

36 Salient Features of the CSF-2016 Board s responsibility increased Board to be approved of the Gap report to be submitted to RBI (by July 31, 2016) Board to approve Cyber Security Policy (by Sept 30, 2016) Continuous Surveillance indicated Not Audit approach good for the day and time the auditor signs off. Requires setting up of an SOC either on its own or in consortium 36

37 Salient Features of the CSF-2016 Banks to assume responsibilities for data with its sub contractors suitable systems and processes across the data/information lifecycle need to be put in place by banks. 37

38 Salient Features of the CSF-2016 Cyber Crisis Management Plan to be developed Wider than the DRP/BCP Should incorporate CERT IN and IDRBT suggestions CCMP Should address the following four aspects: (i) Detection (ii) Response (iii) Recovery and (iv) Containment 38

39 Salient Features of the CSF-2016 Zero day vulnerabilities/attacks to be taken note of Mere patching of vulnerabilities insufficient Requires maintenance of Honeypots either on own or on consortium basis Ransomware/Cryptoware defense to be built Threats such as business frauds including spam, phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, etc. to be guarded against 39

40 Salient Features of the CSF-2016 Cyber Security Preparedness indicators to be developed and audits to be conducted against such measurable parameters Summary level information to be reported to RBI CISO Forum to be used for sharing information 40

41 Key Measures Phishing Identify and Bring down Phishing websites ASAP Use legally acceptable means of access and not commercially convenient methods Digital Signatures instead of passwords or biometrics Don t Rely on 2F authentication Neither legally sound nor technically secure 41

42 Website malware Watch every page of the Bank s website in real time for injection of malware either through modified content or advertisements 42

43 ATM Watch 43 ATMs are extended Bank premises Includes ATMs managed by other Banks or agents A Customer may consider his Bank as responsible for any loss arising out of his visit to the ATM. Malfunctioning CCTVs, guards or installation of card skimmers, lebanese loop, key blocking matchsticks, etc are the responsibilities of the Bank

44 Five Commandments R Gandhi, ED- RBI Thou shall know your customer Thou shall know your employee Thou shall keep your IT Systems up-todate and free of all risky components Thou shall provide for maximum IT Governance Thou shall ensure continued Cyber Security Awareness 44

45 Limited Liability for E Banking Frauds Draft RBI Circular dt August 11, 2016 RBI/ / DBR.No.Leg.BC./ / (Rajinder Kumar) Chief General Manager

46 Applicability Which Banks? All Scheduled Commercial banks (including RRBs) All Cooperative Banks What type of Frauds Applies to both Internet/Mobile and Card Transactions This is a Draft Circular and has been released for public comments to be sent to RBI before August 31, 2016

47 Highlights: In case of Loss arising out of a Fraud 1) Customer will not be liable: Where fraud/negligence is on the part of the bank; Third party breach where the customer notifies the bank within three working days of receiving communication from the bank regarding unauthorized transaction. Any transaction in which the customer has notified loss of card or loss of credentials to the Bank. 2) Where customer s negligence is established, customer will be liable. What is Negligence is however needs a debate 3) In cases where customers involvement is not clearly established (third party breaches ) if there is a delayed reporting and the customer reports within 4 to 7 working days, customer may be liable but the liability will be limited to a maximum of ) In case of third party breaches if there is a delayed reporting and the customer reports beyond 7 working days, Customer may be liable and the liability will be determined based on Bank s Board approved policy.

48 Background DBOD Circular of April Customer Service - Reversal of Erroneous Debits Arising on Fraudulent or Other Transactions Refers back to DBOD circular of May and DBOD Circular dated February 15, 1978 Advises banks to adhere to the guidelines and procedure for opening and operating deposit accounts to safeguard against unscrupulous persons opening accounts mainly to use them as conduit for fraudulently encashing payment instruments

49 Background Notes that banks have also not restored funds promptly to customers even in bona-fide cases but deferred action till completion of either departmental action or police interrogation With a view to redressing the grievances of the customers in this regard, we have reviewed the position and advise that (i) in cases where banks are at fault, the banks should compensate customers without demur, and (ii) in cases where neither the bank is at fault nor the customer at fault but the fault lies elsewhere in the system, then also the banks should compensate the customers ( upto a limit) as part of a Board approved customer relations policy.

50 Background Notes and Recognizes the increased thrust on financial inclusion and customer protection as the two crucial pillars of financial stability and considering the recent surge in customer grievances relating to unauthorised transactions resulting in erroneous debits to their accounts/cards, the criteria for determining the customer liability in these circumstances have been reviewed. The revised directions in this regard are set out in the circular

51 Requirements a) appropriate systems and procedures to ensure safety and security of electronic banking transactions carried out by customers; b) robust and dynamic fraud detection and prevention mechanism; c) mechanism to assess the risks (for example, gaps in the banks existing systems) resulting from unauthorised transactions and measure the liabilities arising out of such events; and d) appropriate measures to mitigate the risks and protect themselves against the liabilities arising therefrom.

52 Customer s Responsibility Banks must ask their customers to mandatorily register for alerts for electronic banking transactions. The alerts shall be sent to the customers through different channels ( or SMS) offered by the banks The customers must be advised to notify the bank concerned of any unauthorised electronic banking transaction at the earliest after the occurrence of such transaction.

53 24X7 reporting infrastructure To facilitate this, banks must provide customers with 24x7 access through multiple channels (at a minimum, via website, phone banking, SMS, IVR, a dedicated toll-free helpline, reporting to home branch, etc.) for reporting fraudulent transactions that have taken place and/or loss or theft of payment instrument such as card, etc. immediate response (including auto response) is sent to the customers acknowledging the complaint along with the registered complaint number. must record the time and date of delivery of the message and receipt of customer s response,

54 Liability of Customer A customer s entitlement to zero liability shall arise where the security architecture and systems of the bank for electronic banking transactions are not able to protect the customer in the following events (a) Fraud/ negligence on the part of the bank (irrespective of whether the loss/fraudulent transaction is reported by the customer or not) (b) Third party breach where the fault lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding an unauthorized transaction.

55 Limited Liability of a customer 7. A customer shall be liable for the loss occurring due to fraudulent transactions in the following cases: (a) In cases involving negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.

56 Limited Liability of a customer (b) In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer but lies elsewhere in the system and when there is a delay (of four to seven working days) on the part of the customer in notifying the bank of such a transaction, the customer liability shall be limited to the transaction value or 5000/-, whichever is lower. Further, if the delay in reporting is beyond seven working days, the customer liability shall be determined as per bank s Board approved policy.

57 Bank s Policy.. Banks shall provide the details of the bank s policy in regard to customers liability formulated in pursuance of these directions at the time of opening the accounts. Banks shall display their approved policy in public domain for wider dissemination. The existing customers must also be individually informed about the bank s policy.

58 Reversal Timeline for Zero Liability/ Limited Liability On being notified by the customer, the bank shall credit (shadow reversal) the amount involved in the unauthorised electronic transaction to the customer s account within 10 working days from the date of such notification by the customer. Banks may also at their discretion decide to waive off any customer liability in case of unauthorised electronic banking transactions even in cases of customer negligence.

59 Resolution of Complaint Further, banks shall ensure that: (i) a complaint is resolved within 90 days from the date of reporting; and (ii) in case of debit card/bank account the customer does not lose out on interest, and in case of credit card the customer does not bear any additional burden of interest.

60 Board approved Policy for Customer Protection Policy Banks need to clearly define the rights and obligations of customers in case of unauthorised transactions in specified scenarios. Banks shall formulate/ revise their customer relations policy, with approval of their Board, to cover aspects of customer protection, including the mechanism of creating customer awareness on the risks and responsibilities involved in electronic banking transactions and customer liability in such cases of unauthorised electronic banking transactions. The policy must be transparent, non-discriminatory and should stipulate the mechanism of compensating the customers for the unauthorised electronic banking transactions and also prescribe the timelines for effecting such compensation, based on the circumstances of each case. The policy shall be displayed on the bank s website along with the details of grievance handling/ escalation procedure. The instructions contained in this circular shall be incorporated in the policy.

61 Burden of Proof The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank. The bank s above policy shall also specify the maximum time period for establishing customer liability after which the bank shall compensate the customer.

62 Reporting and Monitoring Requirements The banks shall put in place a suitable mechanism and structure for reporting of the customer liability cases to the Board or its Committee. The reporting shall, inter-alia, include volume/number of cases and the aggregate value involved and distribution across various categories of cases viz., card present transactions, card not present transactions, internet banking, mobile banking, ATM trasanctions, etc. The Standing Committee on Customer Service in each bank shall review, on a monthly basis, the unauthorised electronic banking transactions reported by customers or otherwise, as also the action taken thereupon, the functioning of the grievance redress mechanism and take appropriate measures to improve the systems and procedures.

63 Requirements on the part of the Bank Ensure SMS/E Mail alerts Define the policy for delayed information of transaction disputes beyond 7 days Ensure mechanism to collect evidence of a fraud to prove customer s negligence

64 Requirements on the pat of the Customer Notify loss of card Notify any potential loss of credentials Check SMS alerts and raise a dispute within 3 days

65 Watal Committee Report- Submitted on 9 th December 2016 An Overview 65 naavi

66 Objective Committee formed vide order dated 23 rd August 2016 Objectives To recommend changes to different Acts such as PSS Act, RBI Act, Banking Regulation Act, ITA 2000, TRAI, PMLA, ITAct To leverage on UIDAI To introduce a single window system of Payment Gateway for all card systems Rules for creating payment history for digital payments Incentivize Digital transactions 66 naavi

67 Recommendations 13 recommendations Implementing Institutions and Timeline indicated 67 naavi

68 R1: New Regulations Recommends replacement of PSSA 2007 with PSSA-2017 to address the following drawbacks No regulatory mandate for Promotion of competition Competition and innovation objective of Payment regulation may be in conflict with the Central Banking responsibilities No Consumer protection 68 naavi

69 R1: New Regulations No obligation on authorized payment systems to provide open access to all PSPs Clear explicit framework to apply for regulatory sandbox permits not present No framework to deal with systemically important payment systems, whose disruption could lead to financial instability Present law is silent on Data Protection 69 naavi

70 R1: New law Recommendations 70 (a) Payment Regulation is independent of Central banking (b) Make Board of Payment Settlement System (BPSS) more independent by inducting members from outside RBI. To be called PRB (Payment Regulatory Board) Chaired by RBI Chairman, majority members from outside RBI RBI Will have overriding powers in case of conflicts naavi

71 R-2: Update PSSA 2007 Include promotion of competition and innovation as a priamry objective Every regulation made by PRB must be preceded by a competition impact assessment Cost Benefit analysis such that Lesser the risk, lesser the regulation Settlement risk, operational risk, business risk 71 naavi

72 R-2: Update PSSA Consumer Protection should be one of the primary objectives PRB must issue regulations and also create public awareness All PSPs must effectively disclose the terms of service and provide regular statements of accounts for free Consumers should not be liable for losses arising out of unauthorized transactions or system malfunction naavi

73 R-2: Update PSSA 2007 Consumer Protection should be one of the primary objectives Every PSP must have an internal dispute resolution mechanism to resolve consumer complaints. Any consumer not satisfied with the internal dispute resolution process or outcome will have right to approach the PRB. Decision of PRB is subject to appeal before SAT. (Securities Appellate Board) 73 naavi

74 R-2: Update PSSA 2007 Open Access A payment system must provide access to authorised PSPs in an objective, non-discriminatory and proportionate manner. A direct PSP must not discriminate between authorised indirect PSPs of the same category in providing access. Terms of accessing one payment system cannot restrict an authorised PSP from accessing another Payment system Access to payment systems including RTGS should be opened up to non-bank PSPs subject to proportionate restrictions. 74 naavi

75 R-2: Update PSSA 2007 Regulating Systemic Risk The Central Government must issue rules on the criteria for designating a payment system as systemically important. Central Government may designate any payment system as sstemically important through a reasoned order All systemically important payment systems will be regulated by the RBI 75 naavi

76 R-2: Update PSSA Regulatory Governance All regulations must be approved by the PRB. Regulations must be made in a transparent manner stating the objectives of the reglation, how the regulation achieves its intended purpose, a study of its costs and bnefits, competition impact assessment and public consultation The PRB must consider comments received from the public and publish the comments along with a general account of response. naavi

77 R-2: Update PSSA Regulatory Governance The law must create an accountable regulator with specific performance reporting obligations; The law must ensure regulatory responsiveness and ensure that innovative business models are permitted without jeopardizing consumer protection and financial stability Any person aggrieved with any regulatory action should have a right to appeal to an independent tribunal (SAT) naavi

78 R-2: Update PSSA 2007 Data Protection and Security The law shall provide for protection of personal payments data by the payments systems as well as the PSPs. PSPs may access personal data based only on explicit consent basis PSPs may process personal data for fraud detection purposes 78 naavi

79 Thank You For More Information: Query using the Android App: Cyber Law Guru Available for free download in Google