The GGWG (G Gopalakrishna Working Group) was an exercise in revising the 10-year-old report of the SR Mittal Group, which first addressed the requirements of the Internet Banking era. Compared to the task that lay ahead of the Mittal Group, the GGWG was in a far more advantageous position, since there was a decade of experience on both the technology and the legal aspects of technology banking.

Notwithstanding some good work reflected in the GGWG report, it appears that the GGWG could have done far better than it has. This is most glaring in the chapters on Cyber Fraud and Legal Issues.

While we will analyse the report in greater detail in subsequent articles, here we shall focus on one issue in the working of such critical RBI working groups which is a matter of grave concern at this point of time: the composition of the working group, and whether vested interests are kept out of it or at least adequately balanced by the presence of other, counter stakeholders.

In the SR Mittal Group (SRMG) there were 10 members. Of these, three were from RBI, one was from IDRBT, one was from IIT, one was from i-Flex Solutions Ltd, and five were from commercial banks. Of the bank representatives, one was from ABN Amro Bank, one was from SBI and two were from ICICI Bank.

In the GGWG there are 13 members and 4 more were invitees. Of these 17 persons associated with the working group, 6 were from RBI. There was one from IIT and another from IISc. There was one from KPMG and another from Deloitte. There was one from IDRBT, one from IBA and one from DSCI. There was one from IDBI Intech Ltd. There was one advocate, and the remaining two were from commercial banks: one from SBI and one from ICICI Bank.

In both committees it may be seen that there was no representation of the customers of banks, who are the focus of the banking business. While RBI is the regulator and has to be present in full strength, and academicians were required to add technical inputs, the presence of IT companies like i-Flex or IDBI Intech and of commercial banks such as SBI, ICICI Bank and ABN Amro Bank has, however, to be considered inappropriate in view of the conflicting interests they have in the outcome of the working group's recommendations.

In the SRMG, ICICI Bank had double representation. Banks such as Canara Bank, Bank of India or Bank of Baroda had no representation in either committee. If RBI wanted to broad-base the composition of the group, there was a need to accommodate a customer's representative, the customer being the focus of the recommendations on cyber frauds and legal issues.

It is well known that banks are using customers as guinea pigs in the introduction of technology, and that IT companies which have supplied faulty and insecure banking applications are forcing banks to adopt e-banking that is woefully short of information security from the customer's perspective. Banks such as ICICI Bank are particularly noteworthy for shortchanging the customer's interests for commercial gain. However, they seem to have a huge say in the working group.
In the SRMG, the ICICI representative even submitted a dissenting report, which was rightly overruled by the committee. In recent days, ICICI Bank has been at the forefront of phishing frauds. Also, in the recommendations of this working group, ICICI Bank had a direct conflict of interest, having lost the phishing case against S. Umashankar.

I will point out some instances in the report where it appears that there is an attempt to twist the recommendations in favour of banks and against the interest of customers.
Firstly, the working group has blindly incorporated certain statements about the case of S. Umashankar vs ICICI Bank which are factually incorrect. For example, at two places where the case is mentioned, it has been stated that ICICI Bank obtained a stay on the judgement with a deposit of only Rs 50,000/- as against the decreed amount of Rs 12.85 lakhs.
I want to bring to the notice of the Chairman of the Working Group and the Deputy Governor of RBI that the correct position is that ICICI Bank has been granted a stay, subject to the hearing of the appeal, against a deposit of Rs 5.50 lakhs. The net unrecovered loss of the customer is Rs 4.95 lakhs, so the deposit ordered was higher than the amount of the loss. The working group did not verify any documentation before incorporating the erroneous statement, which suggests that only a nominal deposit was made to obtain the stay.

The working group is also silent on another phishing fraud that followed the Umashankar judgement, in which ICICI Bank accepted its liability and agreed to pay one Mr Dwarak Ethiraj without contest. The report also does not speak of the Nikhil Futan vs HDFC Bank case in the Mumbai District Consumer Forum, where the bank was again held liable. Most of the consumer forum cases quoted in favour of ICICI Bank were cases dismissed for lack of jurisdiction, because the victims did not know that the correct forum was the Adjudicating Officer and not the consumer forum. Phishing is not a service deficiency issue but a cyber crime issue, and although the Mumbai District Consumer Forum assumed jurisdiction and went ahead with the trial in the Nikhil Futan case, rejection by other forums is not indicative of a lack of merit in those cases. Also, most of these cases failed against the banks due to inadequate representation of the victims.

The quoted cases also fail to mention an important German court case in which the court held the bank liable for phishing even though there was proof that the customer had a keylogger trojan on his computer.
The quoting of different cases in the report is therefore misleading, and the working group could have exercised better diligence before the details were incorporated in the report.
It would be appropriate for the working group to publish a correction, at least to revise the amount of the deposit made by ICICI Bank in Umashankar's case from Rs 50,000/- to Rs 5,50,000/-. If not, the report would be faulty and misleading.
I had recently filed an RTI application with RBI to learn the number of phishing cases reported to them through the mandatory fraud reports. Unfortunately, RBI refused to provide the information, stating in one case that frauds are not classified so as to indicate phishing frauds separately, and in another that the information is in an application-specific format and cannot be provided. This only indicates a reluctance on the part of RBI to reveal to the world at large how many bank customers are being taken for a ride with the introduction of faulty technology.
Though in most phishing cases banks try to blame the customer for answering the phishing mail, they fail to disclose that in many cases there is insider involvement, and that even when the customer has not answered the phishing e-mail, fraudulent withdrawals continue to take place.
As an experienced banker I have my own views on how the risks can be   mitigated but this is not the place to discuss that in detail.

However, having ICICI Bank as a prominent member of both committees was not appropriate for RBI. Perhaps HDFC Bank could have been included in the GGWG instead of ICICI Bank, and Canara Bank or Bank of India could have been invited instead of SBI. New participants might have brought in some new ideas.
Having accommodated important stakeholders like ICICI Bank and SBI, there was no reason why RBI could not have included a representative of bank customers, or even a phishing victim himself, in the working group.
I personally have enough information with me to say that Internet banking has been rendered extremely risky because banks are ignoring the ITA 2000/2008 provisions on digital signatures and are also openly flouting the recommendations of the SRMG in many respects. Instead of correcting these anomalies, the GGWG appears to have been wrongly guided to include certain recommendations which show an inadequate understanding of ITA 2008 and its implications when seen alongside the PMLA and the NI Act.

At one place, the report wants to treat two-factor (2F) authentication as an Electronic Signature without appreciating the difference between identity and data integrity. At another place the working group laments that there is no punishment for an "attempt" to commit phishing, when in fact it is actually incorporated in ITA 2008. As could be expected, the vested interests have managed to insert a remark that the Government may consider further legislation to absolve banks from liability for negligence.

All this shows that the GGWG has been misdirected, probably by some members who had vested interests in supporting a weak IS implementation for commercial considerations.

Unfortunately, the working group has not done enough research to find out what is happening in the phishing scenario, and whether it is the banks who are more negligent and reckless than the hapless customer.

I have already brought to the notice of both RBI and IBA the lack of proper follow-up from their end to tighten security in electronic banking. Unfortunately, neither RBI nor IBA has been responsive enough in this regard.

The GGWG has now suggested setting up a standing committee to take the recommendations forward. I would like to request RBI that, at least now, it should not allow vested interests to get into the standing committee.
If it is felt necessary to give representation to the commercial banks, that representation should not be limited to only a few banks. Also, the participation of the banks should be balanced with appropriate representation from the bank customer's side.

If RBI does not take proper note of this concern, it will find that the standing committee is infiltrated by organizations with vested interests, which would dilute the regulatory role of RBI.

Naavi