Personal Website of R.Kannan
Students Corner - Project on Internet Banking - Report of RBI Working Group


Project on Internet Banking - Report of RBI Working Group
Legal Issues involved in Internet Banking (Contd)

Secrecy of Customer's Account: The existing regime imposes a legal obligation on the bankers to maintain secrecy and confidentiality about the customer’s account. The law at present requires the banker to take scrupulous care not to disclose the state of his customer's account except on reasonable and proper occasions.

While availing the Internet banking services the customers are allotted proper User ID, passwords and/or personal identification numbers and/or the other agreed authentication procedure to access the Internet banking service and only users with such access methodology and in accordance with the agreed procedure are authorized to access the Internet banking services. In other words a third party would not be able to withdraw money from an account or access the account of the customer unless the customer had divulged his/her password in the first place.

However, if the password or the identification number is misplaced or lost or gets into the hands of the wrong person and such person procures details about the customer's account, then the banker may be faced with legal proceedings on the grounds of violation of the obligation to maintain secrecy of the customer's accounts. This concern of the bankers is very high, especially in the case of joint accounts where both the parties share one personal identification number or relationship number and operate the account jointly. Further, by the very nature of the Internet, the account of a customer availing Internet banking services would be exposed to the risk of being accessed by hackers and inadvertent finders.

The Internet banking services at present are being provided by most of the banks by systems which are only accessible through "secure zones" or SSL (Secure Sockets Layer) to secure and authenticate the user through a secure browser. Most of the banks have adopted 128 Bit strong encryption which is widely accepted worldwide as a standard for securing financial transactions. To reduce the risk of the customers’ account information being accessed by third parties, it is very important that the banks continue to be obliged to protect the customer account. However, it is equally important to note that the banks may still be exposed to the risk of liability to customers and hence they should adopt all reasonable safety controls and detection measures like establishment of firewalls, net security devices, etc. Further, banks should put in place adequate risk control measures in order to minimize possible risk arising out of breach of secrecy due to loss/misplacement/theft of customers’ ID/PIN, etc.

Revocation and Amendment of Instructions: The general revocation and amendment instructions to the banks are intended to correct errors, including the sending of an instruction more than once. Occasionally, a revocation or amendment may be intended to stop a fraud. Under the existing law, banks are responsible for making and stopping payment in good faith and without negligence. In an Internet banking scenario there is very limited or no stop-payment privileges since it becomes impossible for the banks to stop payment in spite of receipt of a stop payment instruction as the transactions are completed instantaneously and are incapable of being reversed. Hence the banks offering Internet banking services may clearly notify the customers of the time frame and the circumstances in which any stop payment instructions could be accepted.

Rights and Liabilities of the Parties: Typically, the banker-customer relationship is embodied in a contract entered into by them. The banks providing the Internet banking services currently enter into agreements with their customers stipulating their respective rights and responsibilities including the disclosure requirements in the case of Internet banking transactions, contractually. A Standard format/minimum consent requirement to be adopted by the banks offering Internet banking facility, could be designed by the Indian Banks’ Association capturing, inter alia, access requirements, duties and responsibilities of the banks as well as customers and any limitations on the liabilities of the banks in case of negligence and non-adherence to the terms of agreement by customers.

Internet Banking and Money Laundering

One of the major concerns associated with Internet Banking has been that the Internet banking transactions may become untraceable and are incredibly mobile and may easily be anonymous and may not leave a traditional audit trail by allowing instantaneous transfer of funds. It is pertinent to note that money-laundering transactions are cash transactions leaving no paper trail. Such an apprehension will be more in the case of use of electronic money or e-cash. In the case of Internet Banking the transactions are initiated and concluded between designated accounts. Further, Section 11 of the proposed Prevention of Money Laundering Bill, 1999 imposes an obligation on every Banking Company, Financial Institution and intermediary to maintain a record of all the transactions or series of transactions taking place within a month, the nature and value of which may be prescribed by the Central Government. These records are to be maintained for a period of five years from the date of cessation of the transaction between the client and the banking company or the financial institution or the intermediary. This would apply to banks offering physical or Internet banking services. This will adequately guard against any misuse of the Internet banking services for the purpose of money laundering. Further, the requirement of the banking companies to preserve specified ledgers, registers and other records for a period of 5 to 8 years, as per the Banking Companies (Period of Preservation of Records) Rules, 1985 promulgated by the Central Government, also adequately takes care of this concern.

Maintenance of Records: Section 4 of the Bankers’ Books Evidence Act, 1891, provides that a certified copy of any entry in a banker’s book shall in all legal proceedings be received as a prima facie evidence of the existence of such an entry. The Banking Companies (Period of Preservation of Records) Rules, 1985 promulgated by the Central Government requires banking companies to maintain ledgers, records, books and other documents for a period of 5 to 8 years. A fear has been expressed as to whether the above details of the transactions, if maintained in an electronic form, will also serve the above purpose. The Group is of the considered opinion that this has been adequately taken care of by Section 7 and Third Schedule of the Information Technology Act, 2000.

Inter-Bank Electronic Funds Transfer: The Electronic Funds Transfer via the Internet, in its present form, is provided only between accounts with the same bank. The transaction is effected by the originator who gives the electronic payment order to one branch of a bank offering the Internet banking facility ("the Sending Branch"). The electronic instruction is processed by the backend software of the branch to confirm the account number and the person’s identification, and an instruction is issued by the Sending Branch to the branch having the account of the beneficiary ("Beneficiary Branch") to credit the account of the beneficiary. The Sending Branch debits the account of the originator at its end. At present there is no clearing mechanism in place for settlement of inter-bank electronic funds transfer. The entire gamut of electronic funds transfer and the legal issues and risks involved in the same are currently being examined by a committee set up by the Reserve Bank of India. The 4th Schedule to the Information Technology Act, 2000 has amended the Reserve Bank of India Act, 1934, empowering the Reserve Bank of India to regulate electronic funds transfer between banks and banks and other financial institutions.

Miscellaneous: During the course of deliberations, the Group discussed certain issues where the legal position is not clear but which have a bearing on Internet banking. Certain issues have also not been addressed by the Information Technology Act, 2000. Such issues are briefly discussed below. The Consumer Protection Act 1986 defines the rights of consumers in India and is applicable to banking services as well. The issues of privacy, secrecy of consumers’ accounts and the rights and liabilities of customers and banks, etc. in the context of Internet banking have been discussed in earlier paragraphs. In cases where bilateral agreements defining customers' rights and liabilities are more adverse to consumers than what are enjoyed by them in the traditional banking scenario, it is debatable whether such agreements are legally tenable. For example, it is debatable whether a bank can claim immunity if money is transferred unauthorizedly by a hacker from a customer's account, on the pretext that it had taken all reasonable and agreed network security measures. In a traditional banking scenario, a bank has normally no protection against payment of a forged cheque. If the same logic is extended, the bank providing I-banking may not absolve itself from liability to the customers on account of unauthorized transfer through hacking. Similar position may obtain in case of denial of service. Even though the Information Technology Act, 2000 has provided for penalty for denial of access to a computer system (Section 43) and hacking (Section 66), the liability of banks in such situations is not clear. The Group was of the view that the banks providing Internet banking may assess the risk and insure themselves against such risks.

There was no specific enactment in India which protects privacy of customers. Bankers’ secrecy obligation mostly followed from different case laws. In UK, the Data Protection Act 1984 specifically prohibits personal data from being disclosed for purposes other than for which the data is held. This prohibits use of customer data relating to their spending habits, preferences etc., for any commercial purpose. The Office of the Comptroller of Currency has also issued directions to US banks enforcing customers’ privacy. The Information Technology Act, 2000, in Section 72 has provided for penalty for breach of privacy and confidentiality. Further, Section 79 of the Act has also provided for exclusion of liability of a network service provider for data travelling through their network subject to certain conditions. Thus, the liability of banks for breach of privacy when data is travelling through network is not clear. This aspect needs detailed legal examination. The issue of ownership of transactional data stored in banks’ computer systems also needs further examination.

The applicability of various existing laws and banking practices to e-banking is not tested and is still in the process of evolving, both in India and abroad. With rapid changes in technology and innovation in the field of e-banking, there is a need for constant review of different laws relating to banking and commerce. The Group, therefore, recommends that the Reserve Bank of India may constitute a multidisciplinary high level standing committee to review the legal and technological requirements of e-banking on a continual basis and recommend appropriate measures as and when necessary.



[Page Last Updated on 25.11.2004]