Personal Website of R.Kannan
Students Corner - Project on Internet Banking
Report of RBI Working Group




Summary of Recommendations

Keeping in view the terms of reference, a number of recommendations have been made in preceding articles. A summary of these recommendations is given in this and the next article.

Technology and Security Standard

  1. The role of the network and database administrator is pivotal in securing the information system of any organization. Some of the important functions of the administrator vis-a-vis system security are to ensure that:

    • only the latest versions of the licensed software, with the latest patches, are installed in the system;

    • proper user groups with access privileges are created and users are assigned to appropriate groups as per their business roles;

    • a proper system of back up of data and software is in place and is strictly adhered to;

    • a business continuity plan is in place and is frequently tested; and

    • there is a robust system of keeping a log of all network activity and analysing the same.

  2. Organizations should make explicit security plan and document it. There should be a separate Security Officer / Group dealing exclusively with information systems security. The Information Technology Division will actually implement the computer systems while the Computer Security Officer will deal with its security. The Information Systems Auditor will audit the information systems.

  3. Access Control: Logical access controls should be implemented on data, systems, application software, utilities, telecommunication lines, libraries, system software, etc. Logical access control techniques may include user-ids, passwords, smart cards or other biometric technologies.

  4. Firewalls: At the minimum, banks should use the proxy server type of firewall so that there is no direct connection between the Internet and the bank’s system. It facilitates a high level of control and in-depth monitoring using logging and auditing tools. For sensitive systems, a stateful inspection firewall is recommended, which thoroughly inspects all packets of information and compares past and present transactions. These generally include a real-time security alert.
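The difference between a packet filter that judges each packet on its own and the stateful inspection firewall recommended above for sensitive systems can be made concrete with a small simulation. The following is an added example written for this page, not code from the RBI report or from any firewall product; the internal address range, the single published service and the three packets are constructed, and the proxy-server case is not modelled.

```python
"""Added example, not from the RBI report: why recommendation 4 prefers a
stateful inspection firewall for sensitive systems.  A stateless packet
filter judges each packet alone, so its usual rule for replies, "allow
inbound TCP when the ACK flag is set", has to trust a flag the sender
controls.  A stateful filter remembers connections the protected network
opened and admits an inbound packet only if it belongs to one of them.
The address range, published service and packets below are constructed."""
from dataclasses import dataclass
from typing import List, Tuple

INTERNAL_PREFIX = "10.0.0."    # constructed: the bank's internal range
PUBLISHED_SERVICES = {443}     # constructed: only HTTPS is reachable from outside


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_allow(pkt: Packet) -> bool:
    """Stateless rules: anything outbound; inbound only to a published service
    or when the packet claims to belong to an established connection (ACK)."""
    if is_internal(pkt.src):
        return True
    if pkt.dport in PUBLISHED_SERVICES:
        return True
    return pkt.ack


class StatefulFilter:
    """Remembers connections opened from inside; an inbound packet that is not
    for a published service must be the reverse of a remembered connection."""

    def __init__(self) -> None:
        self.table = set()   # (internal_ip, internal_port, remote_ip, remote_port)
        self.log: List[Tuple[Packet, bool]] = []   # decisions, for the audit trail

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            if pkt.syn and not pkt.ack:   # new outbound connection: record it
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            decision = True
        elif pkt.dport in PUBLISHED_SERVICES:
            decision = True
        else:
            decision = (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table
        self.log.append((pkt, decision))
        return decision


def compare(packets: List[Packet]) -> Tuple[List[bool], List[bool]]:
    """Decisions of the stateless rules and of a fresh stateful filter."""
    stateful = StatefulFilter()
    return [stateless_allow(p) for p in packets], [stateful.allow(p) for p in packets]


# Constructed traffic: an outbound connection, its legitimate reply, and an
# unsolicited inbound packet that merely sets the ACK flag.
TRAFFIC = [
    Packet("10.0.0.5", 40000, "203.0.113.9", 443, syn=True),
    Packet("203.0.113.9", 443, "10.0.0.5", 40000, syn=True, ack=True),
    Packet("198.51.100.7", 12345, "10.0.0.5", 40001, ack=True),
]

if __name__ == "__main__":
    for pkt, a, b in zip(TRAFFIC, *compare(TRAFFIC)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  stateless={a}  stateful={b}")
```

The third packet is admitted by the stateless rules and refused by the stateful filter; the stateful filter's `log` list is the kind of per-decision record that the report's logging and auditing recommendations expect a firewall to keep.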

  5. Isolation of Dial Up Services: All the systems supporting dial up services through modem on the same LAN as the application server should be isolated to prevent intrusions into the network as this may bypass the proxy server.

  6. Security Infrastructure: PKI is the most favoured technology for secure Internet banking services. However, it is not yet commonly available. While PKI infrastructure is strongly recommended, during the transition period, until IDRBT or Government puts in place the PKI infrastructure, the following options are recommended:

    • Usage of SSL, which ensures server authentication and the use of client side certificates issued by the banks themselves using a Certificate Server.

    • The use of at least 128-bit SSL for securing browser to web server communications and, in addition,

    • encryption of sensitive data like passwords in transit within the enterprise itself.
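Recommendation 6 can be written down as a checkable server configuration. The block below is an added example for this page, not code from the RBI report or from any bank; it uses only Python's standard ssl module. The report's "at least 128-bit SSL" is read as a TLS 1.2 floor with cipher suites of at least 128-bit strength, and "client side certificates issued by the banks themselves" as requiring a client certificate that chains to the bank's own CA. The CA bundle path is a placeholder and nothing here opens a network socket.

```python
"""Added example, not part of the RBI report: recommendation 6 expressed as a
checkable server-side TLS configuration using Python's standard ssl module.
A 'weak' context is built beside a hardened one, and an audit function reports
what a reviewer would look at: suites below 128 bits, the protocol floor and
whether a client certificate is demanded.  The CA file path is a placeholder."""
import ssl
from typing import Optional


def weak_context() -> ssl.SSLContext:
    """The 'before' configuration: library defaults for ciphers and versions,
    and the client is never asked for a certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS 1.2 or newer, forward-secret AEAD suites only, client cert required.
    ca_file would be the bank's own CA bundle (placeholder); None keeps this offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def audit(ctx: ssl.SSLContext, min_bits: int = 128) -> dict:
    """What a reviewer checks: suites under min_bits, the version floor, mTLS."""
    weak = sorted(c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits)
    return {
        "weak_ciphers": weak,
        "tls12_or_newer_only": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
    }


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(label, audit(ctx))
```

The third bullet of the recommendation, encrypting passwords in transit inside the enterprise, is met by applying the same hardened context to the internal hops (web server to application server), not only to the browser-facing one.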

  7. Isolation of Application Servers: It is also recommended that all unnecessary services on the application server, such as ftp and telnet, should be disabled. The application server should be isolated from the e-mail server.

  8. Security Log (Audit Trail): All computer accesses, including messages received, should be logged. All computer access and security violations (suspected or attempted) should be reported and follow-up action taken as per the organization’s escalation policy.

  9. Penetration Testing: The information security officer and the information system auditor should undertake periodic penetration tests of the system, which should include:

    • Attempting to guess passwords using password-cracking tools

    • Search for back door traps in the programs.

    • Attempt to overload the system using DDoS (Distributed Denial of Service) and DoS (Denial of Service) attacks

    • Check whether commonly known holes in the software, especially the browser and the e-mail software, exist.

    • The penetration testing may also be carried out by engaging outside experts (often called ‘Ethical Hackers’).

  10. Physical Access Controls: Though generally overlooked, physical access controls should be strictly enforced. The physical security should cover all the information systems and sites where they are housed both against internal and external threats.

  11. Back up & Recovery: The bank should have a proper infrastructure and schedules for backing up data. The backed-up data should be periodically tested to ensure recovery without loss of transactions in a time frame as given out in the bank’s security policy. Business continuity should be ensured by having disaster recovery sites, where backed-up data is stored. These facilities should also be tested periodically.

  12. Monitoring against threats: The banks should acquire tools for monitoring systems and the networks against intrusions and attacks. These tools should be used regularly to avoid security breaches.
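Recommendations 8 (log all accesses and report violations as per the escalation policy) and 12 (tools that monitor systems against intrusions) meet in the analysis of the access log. The following is an added example for this page, not a tool the RBI report names and not code from any bank: it reads constructed login log lines, counts failed logins per source address and per account inside a sliding window, and raises escalation events with a severity that an escalation policy could route. The log format, the thresholds, the window and the addresses are all assumptions.

```python
"""Added example, not from the RBI report: a small analyser for the access
log asked for in recommendations 8 and 12.  Failed logins are counted per
source address and per account within a sliding window, and an escalation
event is produced when a threshold is crossed.  Format, thresholds, window
and addresses are constructed assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

WINDOW = timedelta(minutes=5)
PER_SOURCE_LIMIT = 5     # failures from one address within WINDOW -> HIGH
PER_USER_LIMIT = 3       # failures against one account within WINDOW -> MEDIUM

# Constructed sample log: "<timestamp> <event> user=<id> src=<ip>"
SAMPLE_LOG = """\
2004-11-30T09:00:01 LOGIN_FAIL user=cust1001 src=198.51.100.7
2004-11-30T09:00:03 LOGIN_FAIL user=cust1002 src=198.51.100.7
2004-11-30T09:00:04 LOGIN_OK   user=cust2000 src=203.0.113.5
2004-11-30T09:00:05 LOGIN_FAIL user=cust1003 src=198.51.100.7
2004-11-30T09:00:07 LOGIN_FAIL user=cust1004 src=198.51.100.7
2004-11-30T09:00:09 LOGIN_FAIL user=cust1005 src=198.51.100.7
2004-11-30T09:10:00 LOGIN_FAIL user=cust3000 src=192.0.2.44
2004-11-30T09:10:20 LOGIN_FAIL user=cust3000 src=192.0.2.44
2004-11-30T09:10:40 LOGIN_FAIL user=cust3000 src=192.0.2.45
2004-11-30T09:30:00 LOGIN_FAIL user=cust3000 src=192.0.2.46
"""


def parse(line: str) -> Tuple[datetime, str, str, str]:
    """Split one log line into (timestamp, event, user, source address)."""
    ts, event, user, src = line.split()
    return datetime.fromisoformat(ts), event, user.split("=", 1)[1], src.split("=", 1)[1]


def _prune(window: deque, now: datetime) -> None:
    """Drop timestamps that have fallen out of the sliding window."""
    while window and now - window[0] > WINDOW:
        window.popleft()


def analyse(text: str) -> List[Tuple[datetime, str, str, int]]:
    """Return escalation events as (time, severity, key, count_in_window)."""
    by_src = defaultdict(deque)
    by_user = defaultdict(deque)
    events = []
    for line in text.splitlines():
        ts, event, user, src = parse(line)
        if event != "LOGIN_FAIL":
            continue
        for key, store, limit, severity in (
            (src, by_src, PER_SOURCE_LIMIT, "HIGH"),     # one source, many accounts
            (user, by_user, PER_USER_LIMIT, "MEDIUM"),   # one account, repeated failures
        ):
            window = store[key]
            window.append(ts)
            _prune(window, ts)
            if len(window) == limit:      # fire once, when the threshold is crossed
                events.append((ts, severity, key, limit))
    return events


if __name__ == "__main__":
    for ts, severity, key, count in analyse(SAMPLE_LOG):
        print(f"{ts.isoformat()} {severity:6} {key} ({count} failures in {WINDOW})")
```

On the sample, the burst of failures against five different accounts from one address produces a HIGH event, the three failures against one account from rotating addresses a MEDIUM one, and the lone failure twenty minutes later nothing, because the earlier failures have left the window. The same sliding-window logic applies to any other event type the log records, such as privilege changes or administrative logins.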

  13. Education & Review: The banks should review their security infrastructure and security policies regularly and optimize them in the light of their own experiences and changing technologies. They should educate on a continuous basis their security personnel and also the end-users.

  14. Log of Messages: The banking applications run by the bank should have proper record keeping facilities for legal purposes. It may be necessary to keep all received and sent messages both in encrypted and decrypted form. (When stored in encrypted form, it should be possible to decrypt the information for legal purpose by obtaining keys with owners’ consent.)
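A record kept for legal purposes is only useful if it can be shown not to have been altered after the fact. The block below is an added example for this page, not code from the RBI report or from any bank: it retains sent and received messages in a log where each record is chained to the previous one and sealed with an HMAC under a record-keeping key, so that later editing, deletion or reordering is detectable when the records are produced. It covers the integrity of the retained record only; encrypting the stored messages, and escrowing the keys with the owners' consent as the recommendation describes, are separate controls. The key and the messages are constructed.

```python
"""Added example, not from the RBI report: a tamper-evident message log for
recommendation 14.  Every retained message is chained to the previous record
by its seal and sealed with an HMAC under a record-keeping key.  Integrity of
the retained record only; encryption at rest is a separate control.  Key and
messages are constructed for illustration."""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64   # "previous seal" of the very first record


def seal(key: bytes, body: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the record body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class MessageLog:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.records: List[dict] = []

    def append(self, direction: str, message: str, timestamp: str) -> dict:
        """Retain one message; direction is 'sent' or 'received'."""
        body = {
            "seq": len(self.records),
            "ts": timestamp,
            "dir": direction,
            "msg": message,
            "prev": self.records[-1]["seal"] if self.records else GENESIS,
        }
        rec = dict(body, seal=seal(self.key, body))
        self.records.append(rec)
        return rec


def verify(records: List[dict], key: bytes) -> Tuple[bool, Optional[int]]:
    """Walk the chain; return (True, None) or (False, index of first bad record)."""
    expected_prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "seal"}
        if rec.get("seq") != i or rec.get("prev") != expected_prev:
            return False, i            # gap, reordering or deletion
        if not hmac.compare_digest(seal(key, body), rec["seal"]):
            return False, i            # content altered after sealing
        expected_prev = rec["seal"]
    return True, None


def demo():
    key = b"constructed-record-keeping-key"   # constructed; in practice held in an HSM/KMS
    log = MessageLog(key)
    log.append("received", "TRANSFER 5000 INR from A to B", "2004-11-30T10:00:00")
    log.append("sent", "ACK txn 0001", "2004-11-30T10:00:02")
    log.append("received", "TRANSFER 750 INR from A to C", "2004-11-30T10:05:00")

    tampered = [dict(r) for r in log.records]
    tampered[0]["msg"] = "TRANSFER 50 INR from A to B"      # after-the-fact edit
    deleted = log.records[:1] + log.records[2:]             # middle record removed
    return verify(log.records, key), verify(tampered, key), verify(deleted, key)


if __name__ == "__main__":
    print(demo())
```

Because each seal covers the previous seal, a verifier who holds the key can detect a change anywhere in the archive, and an archive that was intact at the time it was written can still be checked years later, within the preservation periods the legal section of the report refers to.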

  15. Certified Products: The banks should use only those security solutions/products which are properly certified for security and for record keeping by independent agencies (such as IDRBT).

  16. Maintenance of Infrastructure: Security infrastructure should be properly tested before using the systems and applications for normal operations. The bank should upgrade the systems by installing patches released by developers to remove bugs and loopholes, and upgrade to newer versions which give better security and control.

  17. Approval for I-banking: All banks having operations in India and intending to offer Internet banking services to the public must obtain an approval for the same from RBI. The application for approval should clearly cover the systems and products that the bank plans to use as well as the security plans and infrastructure. It should include sufficient details for RBI to evaluate security, reliability, availability, auditability, recoverability, and other important aspects of the services. RBI may provide model documents for Security Policy, Security Architecture, and Operations Manual.

Legal Issues

  1. The banks providing Internet banking service, at present, are only accepting the request for opening of accounts. The accounts are opened only after proper physical introduction and verification. Considering the legal position prevalent, particularly of Section 131 of the Negotiable Instruments Act, 1881 and different case laws, the Group holds the view that there is an obligation on the banks not only to establish the identity but also to make enquiries about the integrity and reputation of the prospective customer. The Group, therefore, endorses the present practice but has suggested that after the coming into force of the Information Technology Act, 2000 and the digital certification machinery being in place, it may be possible for the banks to rely on the digital signature of the introducer.

  2. The present legal regime does not set out the parameters as to the extent to which a person can be bound in respect of an electronic instruction purported to have been issued by him. Generally authentication is achieved by security procedure, which involves methods and devices like user-id, password, personal identification number (PIN), code numbers and encryption etc., used to establish authenticity of an instruction. However, from a legal perspective a security procedure needs to be recognized by law as a substitute for signature. In India, the Information Technology Act, 2000, in Section 3(2) provides for a particular technology (viz., the asymmetric crypto system and hash function) as a means of authenticating electronic record. This has raised the doubt whether the law would recognize the existing methods used by banks as valid methods of authentication. The Group holds the view that as in case of other countries, the law should be technology neutral.

  3. In keeping with the view that law should be technology neutral, the Group has recommended that Section 3(2) of the Information Technology Act, 2000 needs to be amended to provide that, in addition to the procedure prescribed therein or that may be prescribed by the Central Government, a security procedure mutually agreed to by the concerned parties should be recognized as a valid method of authentication of an electronic document / transaction during the transition period.

  4. Banks may be allowed to apply for a license to issue digital signature certificates under Section 21 of the Information Technology Act, 2000 and function as certifying authority for facilitating Internet banking. Reserve Bank of India may recommend to the Central Government for notifying the business of certifying authority as an approved activity under clause (o) of Section 6(1) of the Banking Regulation Act, 1949.

  5. Section 40A(3) of the Income Tax Act, 1961 recognizes only payments through a crossed cheque or crossed bank draft, where such payment exceeds Rs. 20000/-, for the purpose of deductible expenses. Since the primary intention of the above provision, which is to prevent tax evasion by ensuring transfer of funds through identified accounts, is also satisfied in case of electronic transfer of funds between accounts, such transfers should also be recognized under the above provision. The Income Tax Act, 1961 should be amended suitably.

  6. Under the present regime there is an obligation on banks to maintain secrecy and confidentiality of customer’s account. In the Internet banking scenario, the risk of banks not meeting the above obligation is high on account of several factors like customers not being careful about their passwords, PIN and other personal identification details and divulging the same to others, banks’ sites being hacked despite all precautions and information accessed by inadvertent finders. Banks offering Internet banking are taking all reasonable security measures like SSL access, 128 bit encryption, firewalls and other net security devices, etc. The Group is of the view that despite all reasonable precautions, banks will be exposed to enhanced risk of liability to customers on account of breach of secrecy, denial of service etc., because of hacking/ other technological failures. The banks should, therefore, institute adequate risk control measures to manage such risk.

  7. In Internet banking scenario there is very little scope for the banks to act on stop-payment instructions from the customers. Hence, banks should clearly notify to the customers the timeframe and the circumstances in which any stop-payment instructions could be accepted.

  8. The banks providing Internet banking service and customers availing of the same are currently entering into agreements defining respective rights and liabilities in respect of Internet banking transactions. A standard format / minimum consent requirement to be adopted by banks may be designed by the Indian Banks’ Association, which should capture all essential conditions to be fulfilled by the banks and the customers and the relative rights and liabilities arising therefrom. This will help in standardizing documentation as also in developing standard practice among bankers offering Internet banking facility.

  9. The concern that Internet banking transactions may become a conduit for money laundering has been addressed by the Group. Such transactions are initiated and concluded between designated accounts. Further, the proposed Prevention of Money Laundering Bill, 1999 imposes an obligation on every banking company to maintain records of transactions for a certain prescribed period. The Banking Companies (Period of Preservation of Records) Rules, 1985 also require banks to preserve certain records for a period ranging between 5 and 8 years. The Group is of the view that these legal provisions, which are applicable to all banking transactions, whether Internet banking or traditional banking, will adequately take care of this concern and no specific measures for Internet banking are necessary.

  10. The Consumer Protection Act, 1986 defines the rights of consumers in India and is applicable to banking services as well. Currently, the rights and liabilities of customers availing of Internet banking services are being determined by bilateral agreements between the banks and customers. It is open to debate whether any bilateral agreement defining customers’ rights and liabilities, which are more adverse to consumers than what they enjoy in the traditional banking scenario, will be legally tenable. Considering the banking practice and rights enjoyed by customers in traditional banking, it appears the banks providing I-banking may not absolve themselves from liability to the customers on account of unauthorized transfer through hacking. A similar position may obtain in case of denial of service. Even though the Information Technology Act, 2000 has provided for penalty for denial of access to a computer system (Section 43) and hacking (Section 66), the liability of banks in such situations is not clear. The Group was of the view that the banks providing Internet banking may assess the risk and insure themselves against such risks.

  11. The Information Technology Act, 2000, in Section 72 has provided for penalty for breach of privacy and confidentiality. Further, Section 79 of the Act has also provided for exclusion of liability of a network service provider for data traveling through their network subject to certain conditions. Thus, the liability of banks for breach of privacy when data is traveling through network is not clear. This aspect needs detailed legal examination. The issue of ownership of transactional data stored in banks’ computer systems also needs further examination.




Page Last Updated on 30.11.2004