Empowered by the Reserve Bank of India (“RBI”) Act, 1934 and the Payment and Settlement Systems Act, 2007, RBI has taken several initiatives in the recent past to ensure the development of the technical and institutional infrastructure needed to meet the electronic payment system and banking needs of the country. With the increasing usage of mobile phones, mobile banking has become the latest banking method. In addition, a gradual shift to cashless and online payments for e-commerce transactions is happening in India. The banking and financial environment in India is changing and moving towards internet banking, online payments and e-banking, thereby compelling the regulatory bodies to react, to provide a secure environment for such transactions, and to issue regulations to handle the legal issues arising out of such electronic or mobile transactions.
The electronic payment system in India is growing rapidly to match international banking standards and to cope with the ever-growing challenges posed by electronic systems. In this bulletin we will examine the most recent steps taken by regulators like RBI to simplify the vast banking regulatory system and increase its efficiency, and how well prepared the existing banking regulations are to respond to the change in banking patterns.
1. Legal basis for secure e-banking
The e-banking system is essentially an extension of traditional banking and, therefore, the existing banking laws and regulations that apply to traditional banking also extend to e-banking activities. The RBI, empowered under section 58(2)(pp) of the RBI Act,[1] has taken several steps[2] to secure electronic modes of transaction. Further, the Information Technology Act, 2000 (“IT Act”) granted legal recognition to transactions carried out by means of electronic data interchange. Though there are several risks[3] involved in electronic transactions, the existing framework of law instils sufficient confidence in people to participate in electronic commerce in larger numbers.
The amendment to the IT Act in 2008 introduced the concept of data protection through section 43A and imposed the obligation to follow reasonable security practices and procedures on all businesses handling sensitive personal data or information. This applies to banks and all such forums that deal in e-transactions. Further, the explanation to section 43A defines “reasonable security practices and procedures.” The parties involved in e-business are at liberty to identify the best security practices and incorporate them in an agreement between them. Banks and financial institutions have the liberty to adopt the best security practices to safeguard their transactions. Finally, section 72A of the IT Act addresses issues emerging from data sabotage, and imposes heavy punishment[4] on offenders.
Generally, banking transactions are conducted with 128-bit encryption over Secure Sockets Layer (SSL), which is specially secured for banking purposes. Section 3(2) of the IT Act provides for the use of an asymmetric crypto system together with a hash function as a secure form of technology for electronic transactions in banks. Banks are expected to have logical access controls over data, systems, application software, utilities, telecommunication lines, libraries and system software. Logical access control techniques include the creation of user IDs, passwords, smart cards or other biometric technologies for operating in the system. Most banks in India are well equipped with these electronic safeguards.
2. Regulation for mobile banking
Generally, RBI issues directions to banks for effective commercial transactions. However, with the growing usage of technology in the banking system, and especially the penetration of mobile phones and the ever-increasing usage of mobile phones for banking, the government decided to have a regulation governing the mobile operators to safeguard the commercial transactions conducted through mobile phones. Following the recommendation of the Inter-Ministerial Group on delivery of financial services through mobile phones, which asked the Telecom Regulatory Authority of India (“TRAI”) to draw up guidelines to ensure high availability of the associated communication services, the Mobile Banking (Quality of Service) Regulations 2012 (“Regulation”) were issued. Under the Regulation, every access provider, acting as bearer, has to facilitate the banks' use of SMS and interactive voice response to provide banking services to their customers, and must deliver a message generated by the bank or the customer within 10 seconds. A message has to be delivered within two seconds for unstructured supplementary service data, which is generally used by operators to inform pre-paid card users about their balance on a real-time basis. All operators are already using these facilities and hence do not have to make additional investments.
In order to obtain banking services such as cash deposit, cash withdrawal, money transfer and balance enquiry, the Regulation provides that the customer should be able to complete the transaction in not more than two stages. Access providers have been mandated to maintain records of mobile banking messages for six months for audit purposes, and TRAI shall monitor the quality of services offered by the mobile operators on a regular basis. The network service quality parameters for cellular mobile telephone services specified in the Standards of Quality of Service of Basic Telephone Service (Wireline) and Cellular Mobile Telephone Service Regulations, 2009 (7 of 2009) have been made applicable to all mobile banking messages.
Further, every access provider is obliged to protect the privacy and security of mobile banking communication and to ensure the confidentiality through end-to-end encryption, integrity, authentication and non-repudiation of such communication, in accordance with the standards certified by the International Telecommunication Union, the European Telecommunications Standards Institute, the Telecommunication Engineering Centre, international standardization bodies such as the Third Generation Partnership Project or Third Generation Partnership Project 2, the Internet Engineering Task Force, the American National Standards Institute, the Telecommunications Industry Association, Interim Standard, or any other international standard as may be approved by the central government.
The Regulation addresses three customer-centric parameters: the time taken to deliver error and success confirmation messages, transaction updates on the system on a real-time basis, and the success of delivery of financial transaction messages. As far as the security of the transaction is concerned, the crucial components are authenticity and authorization, integrity, non-repudiation, and confidentiality. The GSM/CDMA system architecture takes care of end-to-end encryption, authentication, authorization, integrity and non-repudiation, which are governed by international standards bodies.
3. Catching up, yet lagging behind!
The RBI had issued a notification[5] directing all banks to create the position of chief information officer as well as steering committees on information security at the board level. The notification examined various issues arising out of the use of information technology in banks and made recommendations in nine broad areas: IT governance, information security, IS audit, IT operations, IT services outsourcing, cyber fraud, business continuity planning, customer awareness programmes and legal aspects. The notification provided guidelines that are fundamentally expected to enhance safety, security and efficiency in banking processes, leading to benefits for banks and their customers. However, several banks are yet to implement these recommendations. These banks have also failed to train their staff in the use of internet security protection mechanisms.
Further, the RBI has asked banks to provide a unique customer identification code to all their customers, which will help a bank to identify a customer, track the facilities availed, monitor financial transactions across various accounts, improve risk profiling, take a holistic view of the customer’s profile and smoothen banking operations for the customer. This will also help check e-fraud. Banks have so far failed to provide for higher encryption standards that could provide a more secure environment.
Mobile banking has opened a new channel for delivering services to banking customers, even in rural areas, and helps remove cumbersome and expensive paper processes. It is significantly cheaper and much more flexible. The RBI and TRAI have undertaken several steps to ensure the flexibility, reliability, security and stability of any electronic or mobile banking system. Moving ahead, the proposed Banking Laws (Amendment) Bill, 2011 addresses several of the pertinent issues, but they are still far from being in sync with the ever-advancing electronic systems. More changes have been suggested to the aforesaid bill, yet it remains to be seen how far it will address the relevant issues that still concern any electronic or mobile transaction.
Authored by: Neeraj Dubey
[1] Section 58(2) “(pp) the regulation of fund transfer through electronic means between the banks or between the banks and other financial institutions referred to in clause (c) of section 45-I, including the laying down of the conditions subject to which banks and other financial institutions shall participate in such fund transfers, the manner of such fund transfers and the rights and obligations of the participants in such fund transfers”
[2] For details please refer to the IPR & Technology Bulletin of September 2008 titled “Technology and electronic payment system in India” authored by Neeraj Dubey, available at http://www.psalegal.com/upload/publication/assocFile/IPR&TECHNOLOGYBULLETIN-ISSUEIX.pdf
[3] For details please refer to the Banking Laws Bulletin of August 2009 titled “Risk management in e-banking” authored by Neeraj Dubey, available at http://www.psalegal.com/upload/publication/assocFile/BANKING-LAWS- BULLETIN-ISSUE-II_1288782887.pdf
[4] Up to three years' imprisonment or a fine of up to INR 500,000 (approx. US$ 9,000) and, in some cases, both
[5] RBI/2010-11/494; DBS.CO.ITC.BC.No. 6 /31.02.008/2010-11: “Guidelines on Information security, Electronic Banking Technology risk management and cyber frauds”