Bank in the pocket: hazards of m-commerce
The use of technology has transformed the banking sector from branch banking to core banking and has now ushered in an era of “branch in my pocket”. Though the banking fundamentals have remained the same, banks have enhanced product delivery and multi-channel transaction processing, cut transaction costs to a minimum and substantially increased operational efficiency, which has greatly improved profitability and output across the sector. Along with these benefits have come several threats against banks and users of electronic transactions, challenging the security of this mode of payment. The banking industry has taken several initiatives in the areas of cyber security and data protection, yet none seems sufficient to secure e-transactions completely. This bulletin discusses the initiatives taken by banks to secure e-transactions and the measures adopted to protect the data and the privacy of users in the era of mobile banking.
1.0 The regulatory framework: tracing history
In 1995, the electronic fund transfer (“EFT”) system, a retail funds transfer system enabling customers to transfer funds from one account to another and from one region to another without any physical movement of instruments, was introduced. Banks were permitted to offer internet banking facilities on the basis of a Board-approved internet banking policy, without prior approval of the Reserve Bank of India (“RBI”). As a step towards risk mitigation in large value payment systems, the Real Time Gross Settlement (“RTGS”) system was operationalised by the RBI in March 2004, enabling settlement of transactions in real time, on a gross basis. RTGS is a fully secured electronic funds transfer system in which banks and customers receive payments on a real-time basis; the RTGS system is operated by the RBI. In 2005, the National Electronic Funds Transfer (“NEFT”) system was introduced, a more secure, nation-wide retail electronic payment system facilitating funds transfer by bank customers between networked bank branches in the country. NEFT carries electronic retail transfers between bank branches using the Structured Financial Messaging Solution (SFMS) and is secured by Public Key Infrastructure (PKI) technology.1
In 2006, the RBI, along with several banks of the Indian Banks Association, established a body called the Banking Codes and Standards Board of India2 to evolve a set of voluntary norms. Accordingly, the “Code of Bank’s Commitment to Customers” was prepared for banks in India to adhere to. The enactment of the Payment and Settlement Systems Act, 2007 empowered the RBI to regulate and supervise the payment and settlement systems in the country, to authorise the setting up or continuance of such systems, and to call for information and data from, and issue directions to, payment system providers. The Information Technology Act provided legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly known as “electronic commerce”, which involve the use of alternatives to paper-based methods of communication and storage of information.3 Some of the initiatives taken so far towards securing e-transactions include the IT (Amendment) Act 2008 (“IT Act”), the RBI’s guidelines on Mobile Banking and pre-paid Value Cards, the Guidelines on Internet Banking and the Mobile Banking guidelines. Essentially, the IT Act has laid the foundation for strengthening cyber security and data protection in India with the introduction of section 43A, which mandates that body corporates implement ‘reasonable security practices’ for protecting ‘sensitive personal information’.4 The IT Act formally introduces the concept of data protection into Indian law, ushers in the concept of “sensitive personal information” and fixes liability on a body corporate to preserve and protect such sensitive personal information.5 It also provides for civil and criminal liability for failure to protect personal data and information.6
Further, other legislation also supports the security concern in different ways. The Public Financial Institutions Act imposes on a public financial institution an obligation of fidelity and secrecy. The Credit Information Companies (Regulations) Act places obligations on companies regarding the accuracy and security of credit information. The Consumer Protection Act provides that disclosing confidential data and not performing a contractual obligation amount to a deficiency of service.7 The Indian Telegraph Act regulates telegraphs for the transmission of information and signals, and gives the government the exclusive power to intercept messages.
2.0 Mobile banking
With the rapid growth in the number of mobile phone subscribers in India (about 261 million at the end of March 2008 and growing at about 8 million a month), banks have been exploring the feasibility of using mobile phones as an alternative channel for the delivery of banking services.8 In addition, successful mobile banking systems around the world demonstrated that mobile banking can be effective. Vodafone’s M-PESA service in Kenya had grown to 6.5 million customers by 2009, two years after its launch, and was invaluable in expanding microfinance in a country where law and order problems hindered and endangered loan officers in the field. In the Philippines, a service called GCASH had been thriving since 2004. In light of the above, the RBI introduced “Mobile Payment in India – Operative Guidelines for Banks”.
The crucial aspects of the RBI Guidelines on M-Banking are, among others, the following:
- Only such banks which are licensed and supervised in India and have a physical presence in India will be permitted to offer mobile payment services to residents of India.
- The services should be restricted only to bank accounts/credit card accounts in India which are KYC/AML compliant.
- Only Indian Rupee based services should be provided.
- Banks may use the services of Business Correspondents for extending this facility to their customers. The guidelines with regard to the use of Business Correspondents would be as per the RBI circular on Business Correspondents issued from time to time.
- The RBI guidelines on “Know Your Customer (KYC)” and “Anti Money Laundering (AML)”, as prescribed by the RBI from time to time, would be applicable to customers opting for mobile based banking service.
- Banks should offer mobile based banking service only to their own customers and should have a system of registration before commencing mobile based payment service to a customer.
- Banks should use secure technology and should ensure confidentiality, integrity, authenticity and non-repudiability.
- The Information Security Policy of the banks may be suitably updated and enforced to take care of the security controls required specifically for the mobile phone based delivery channel.
- To facilitate mobile payments, a 4-digit customer mPIN may be issued and authenticated by the bank or by a mobile payment application service provider appointed by the bank. Banks and the various service providers involved in m-banking should protect the mPIN using end-to-end encryption, should not allow the mPIN to be in clear text anywhere in the network or the system, and should authenticate the mPIN in tamper-resistant hardware such as HSMs (hardware security modules) while storing it in a secure environment.
- A proper level of encryption should be implemented for communication from the mobile handset to the bank’s server or the server of the mobile payments service provider, if any. Proper security levels should be maintained for the transmission of information between the bank and the mobile payments service provider.
3.0 Threat perception, initiatives and suggestions
The increasing usage of online and mobile channels, along with dependency on third parties, is driving banks in India to invest in e-security. There has been a conscious effort by the RBI to emphasise the need for information security by providing frameworks and guidelines. The customer centric security initiatives include the implementation of a login password policy, a mandatory password change at first login, account locking after a number of unsuccessful attempts, session timeout after a stipulated time, use of a strong SSL certificate, a strong logout process (e.g. closing the browser window to delete the cache), system generated IDs for account access, password expiry after a stipulated time, etc. For customer education and awareness, banks are publishing dos and don’ts for secure transactions. Banks also provide special instructions for avoiding phishing, publish a consumer centric security policy on the bank’s website and carry security messages on different communication channels. Banks are conducting dedicated customer awareness programs and providing demos of the secure usage of banking services.
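The mPIN requirements in section 2.0 (the mPIN must never be in clear text anywhere in the system, and must be verified only inside a protected boundary) and the customer centric controls just listed (mandatory change at first login, account locking after unsuccessful attempts, session timeout, password expiry) are easier to reason about when written down as one policy. The following is an added example, not code from the bulletin, the RBI or any bank: a small mPIN verifier and login-policy engine in Python using only the standard library. The class and function names (Bank, Account, authenticate, change_pin, touch), the policy constants and the sample customer data are all assumptions made for this illustration, and the tamper-resistant hardware is only simulated by keeping the clear mPIN confined to a single derivation function and storing a salted, iterated hash in its place.

```python
"""Added example (not from the bulletin): mPIN verification and login policy.

Assumptions: names, constants and sample data below are illustrative; the HSM
boundary is simulated, not real.  The clear mPIN is used only inside
derive_pin_hash() and is never stored or logged.
"""
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 3               # lock the account after this many bad mPINs
LOCKOUT_SECONDS = 15 * 60             # how long the lock lasts
SESSION_TIMEOUT_SECONDS = 5 * 60      # idle session timeout
PIN_MAX_AGE_SECONDS = 90 * 24 * 3600  # mPIN expiry ("password expiry after stipulated time")
PBKDF2_ROUNDS = 100_000


def derive_pin_hash(mpin: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the mPIN; stands in for verification inside an HSM."""
    return hashlib.pbkdf2_hmac("sha256", mpin.encode(), salt, PBKDF2_ROUNDS)


def valid_pin_format(mpin: str) -> bool:
    """The guidelines speak of a 4-digit customer mPIN."""
    return len(mpin) == 4 and mpin.isdigit()


class Account:
    def __init__(self, mpin: str, now: float):
        self.salt = secrets.token_bytes(16)
        self.pin_hash = derive_pin_hash(mpin, self.salt)   # never the clear mPIN
        self.pin_set_at = now
        self.must_change = True        # issued mPIN must be changed at first login
        self.failed = 0
        self.locked_until = 0.0


class Bank:
    def __init__(self):
        self.accounts = {}
        self.sessions = {}             # token -> (customer_id, last_activity)

    def register(self, customer_id: str, mpin: str, now: float) -> None:
        if not valid_pin_format(mpin):
            raise ValueError("mPIN must be 4 digits")
        self.accounts[customer_id] = Account(mpin, now)

    def _check_pin(self, acct: Account, mpin: str) -> bool:
        # constant-time compare so timing does not leak how many bytes matched
        return hmac.compare_digest(acct.pin_hash, derive_pin_hash(mpin, acct.salt))

    def authenticate(self, customer_id: str, mpin: str, now: float):
        """Returns (status, session_token); token is set only on 'ok'."""
        acct = self.accounts.get(customer_id)
        if acct is None or not valid_pin_format(mpin):
            return ("denied", None)    # same answer as a wrong mPIN: no account enumeration
        if now < acct.locked_until:
            return ("locked", None)
        if acct.locked_until:          # an earlier lock has expired: start counting afresh
            acct.failed, acct.locked_until = 0, 0.0
        if not self._check_pin(acct, mpin):
            acct.failed += 1
            if acct.failed >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                return ("locked", None)
            return ("denied", None)
        acct.failed = 0
        if acct.must_change:
            return ("change_required", None)
        if now - acct.pin_set_at > PIN_MAX_AGE_SECONDS:
            return ("expired", None)
        token = secrets.token_urlsafe(32)   # system generated, unguessable session id
        self.sessions[token] = (customer_id, now)
        return ("ok", token)

    def change_pin(self, customer_id: str, old_mpin: str, new_mpin: str, now: float) -> bool:
        acct = self.accounts.get(customer_id)
        if acct is None or now < acct.locked_until:
            return False
        if not valid_pin_format(new_mpin) or new_mpin == old_mpin:
            return False
        if not self._check_pin(acct, old_mpin):
            return False
        acct.salt = secrets.token_bytes(16)          # fresh salt on every change
        acct.pin_hash = derive_pin_hash(new_mpin, acct.salt)
        acct.pin_set_at = now
        acct.must_change = False
        return True

    def touch(self, token: str, now: float) -> bool:
        """True if the session is still live; idle sessions are dropped."""
        entry = self.sessions.get(token)
        if entry is None:
            return False
        customer_id, last_activity = entry
        if now - last_activity > SESSION_TIMEOUT_SECONDS:
            del self.sessions[token]
            return False
        self.sessions[token] = (customer_id, now)
        return True


if __name__ == "__main__":
    bank = Bank()
    bank.register("CUST-001", "1234", now=0.0)       # constructed sample customer
    print(bank.authenticate("CUST-001", "0000", 1.0))  # ('denied', None)
    print(bank.authenticate("CUST-001", "1234", 2.0))  # ('change_required', None)
```

The `now` parameter is passed in explicitly rather than read from the clock so that lockout, expiry and timeout behaviour can be exercised deterministically; a production system would also record each failed attempt for monitoring, and would place the hash comparison behind a real HSM interface rather than in application memory.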
Banks need to align their security initiatives with global security standards in order to mitigate real threats efficiently and effectively, by ensuring that security is considered right from the design phase of any product or service. Though the security initiatives in banks are primarily driven by a centralised security function, the responsibility for security is fairly distributed among the different functions, realising the old adage that ‘security is everybody’s responsibility’. The focus is still on arranging in-house resources, except for a few specialised services such as application security testing. There is significant scope for banks to outsource these services further, leveraging the expertise of external service providers and consultants.9
Banks in India are strategically adopting newer technologies to deliver better customer services, cut costs and gain competitive advantage. The banks are responding to contemporary security challenges through a formal security function that draws on leading security standards to oversee security initiatives in the banks. Lack of customer awareness, insecure customer endpoints and their likely impact on the security of banking systems make end-users the “soft target”. With increased digitisation of customer information and increased customer awareness of privacy and the IT Act, privacy has emerged as an important focus area for banks in India. However, privacy is yet to be factored into the banking environment. In response to these developments, banks in India need to undertake an inclusive privacy program that ensures protection of their customers’ information throughout its lifecycle.
1 PKI is the combination of software, encryption technologies and services that enables enterprises to protect the security of their communications and business transactions on networks. PKI integrates digital certificates, public-key cryptography and certificate authorities into a total, enterprise-wide network security architecture. A typical enterprise’s PKI encompasses the issuance of digital certificates to individual users and servers; end-user enrolment software; integration with certificate directories; tools for managing, renewing and revoking certificates; and related services and support.
2 Please visit http://www.bcsbi.org.in/ for details (As visited on July 07, 2011)
3 For details regarding banking regulations and their evolution, please see our bulletin of September 2008 – http://www.psalegal.com/upload/publication/assocFile/IPR&TECHNOLOGYBULLETIN-ISSUEIX.pdf
4 For details regarding the risks involved in e-transactions and the steps taken by the RBI, please see our bulletin of August 2009 – http://www.psalegal.com/upload/publication/assocFile/BANKING-LAWS-BULLETIN-ISSUE-II_1288782887.pdf
5 Section 43A of the IT Act.
6 Refer to sections 43A and 72A, newly introduced. For details please see our bulletin of December 2010 – http://www.psalegal.com/upload/publication/assocFile/ENewslineDecember2010.pdf
7 Smt Ramala Roy vs. Rabindra Nath Sen, 1994 (I) CPR 66
8 For details refer to http://www.rbi.org.in/Scripts/bs_viewcontent.aspx?Id=1365 (As visited on July 07, 2011)