Chapter IX of the GGWG deals with Legal Issues.The committee has deliberated in detail on the impact of ITA 2000/8 and come up with several observations and a few recommendations. Our earlier point by point comment already presents some cryptic views and the comments below contain more details.
In particular, observations have been made on the following aspects.
(i) “Intermediary” as defined in ITA 2008
(iii) Data Protection
(iv) Computer related offences
(v) Banks as Certifying Authority
(vi) Online Nomination Facility
There has been references to select relevant cases to highlight the impact of law on Bankers.
The GGWG has also commented on Industry Wide considerations regarding Digital and Electronic Signatures, Sec 65B of Indian Evidence Act, Use ofÂ Two Factor (2F) authentication. It also discusses data protection aspects in Banking and refers to Data Protection Act of UK(DPA), Gramm Leach Bliley Act (GLBA) and Electronic Fund Transfer Act (EFA) of USA.
We shall examine each of these aspects individually in a series of articles.
This article provides further comments from the body of the Chapter IXÂ on the issue of Intermediary Status of Banks.
It is not clear why GGWG is interested in making an issue ofÂ the definition of “Intermediary” because its relevance to the banks is low.
The GGWG has raised the issue of whether Bank should be considered as an “Intermediary” or not under ITA 2008 and concludes that there is some uncertainty with respect to the meaning. The concern appears to beÂ that if the Banks are considered an “Intermediary” then they would be exposed to the requirements under Section 79 to practice “Due Diligence”.
In respect of contraventions occurring under ITA 2008 attributable to the Bank, the requirement of “Due Diligence” arises out of Section 85 of ITA 2008 and hence, in most cases of Cyber Frauds in Banks, “Due Diligence” would any way be required to avoid liability.
Bank’s role as “Intermediary” is therefore not very critical to determine the liability in respect of Cyber Frauds.
Section 79 covers the requirements of an Intermediary to determine the liability arising out of hosting of any third party information, data, or communication link.
In this context, the definition of an “Intermediary” as given in section 2(p) of ITA 2008 which states
“Intermediary” with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engineers, online payment sites, online-auction sites, online market places and cyber cafes”
has no ambiguity. It refers to an organization that receives, stores and transmits information on behalf of another person.
Banks receive information about the Customer and keep the records as owners of the information. Third party information is not received in the normal course of Banking business involving deposit or withdrawal of funds by a customer.
If however, a Bank is providing any other service other than accepting deposits for the purpose of lending, then only the question of the role of the Bank as an intermediary may arise.
In Traditional Â Banking, Bankers often render different services and assume roles other than the “Debtor-Creditor” relationship. Such relationship can be the “Agent-Principal” or “Bailor Bailee” or “Trustee-Beneficiary” etc.
Likewise ifÂ Digital banking services are rendered for other than core banking where the “Debtor-Creditor” relationship persists, then only the question of “Whether Bank is an Intermediary?” may arise in respect of such services. Such relationship may co-exist with the “Debtor-Creditor” relationship and hence it has to be examined with reference to the specific facts of the case.
In Credit Card transactionsÂ the relationship between the card holder and the Issuing Bank is one of Debtor-Creditor. In case Bank receives information from a Merchant or from an Acquiring Bank about the Card holder, it may become “Third Party Information” as to the relationship between the Bank and the Merchant or Acquiring Bank is concerned. Similar instances may arise if Bank is supporting insurance services or stock broking services etc.
If Banks are providing its infrastructure to other agencies who provide Cross Functional services to the CustomersÂ inÂ digital space the role as an “Intermediary” may get invoked.There are a few Banks who are allowing advertisements from third parties to appear on their websites though the earlier guidelines suggested otherwise. Such Banks would be exposed to “Intermediary” risk.
If the concern is for data leakage pertaining to Customer information, it is a “Data Protection” issue covered under Section 43 A and not an “Intermediary Issue”.
(… To Be continued)
Naavi of Naavi.org