INTERNET BANKING AND ITS CHALLENGES IN INDIA
The aim of this article is to evaluate the existence of Internet Banking in India and the law governing the same.
A sound and effective banking system is the backbone of an economy. The economy of a country can function smoothly and without many hassles if the banking system backing it is not only flexible but also capable of meeting the new challenges posed by technology and other external as well as internal factors. The importance and role of information technology in achieving this benign objective cannot be undermined. There is an urgent need not only for technology upgradation but also for its integration with the general way of functioning of banks, to give them an edge in respect of services provided to customers, better housekeeping, optimising the use of funds and building up a management information system for decision making. Technology has the potential to change the methods of marketing, advertising, designing, pricing and distributing financial products and services, and to bring cost savings in the form of an electronic, self-service product-delivery channel. Technology holds the key to the future success of Indian banks. Thus, "Internet Banking" (1) is the need of the hour, which cannot be lost sight of except at the cost of elimination from the competition. The existence of Internet banking also becomes inevitable due to the standards required to be matched at the international level. Thus, domestic as well as international standards mandate the adoption of Internet banking at the earliest possible moment.
II. IMPORTANCE OF INFORMATION TECHNOLOGY
The benefits and advantages of information technology for the smooth and efficient functioning of the banking business cannot be disregarded and sidelined. Its proper and methodical use can bring the following advantages (2):
(1) Sound Payment System: The first advantage originating from the use of technological advances relates to payment systems, which form the lifeline of any banking system. Payments in India are largely cash based, although there are non-cash based payments as well. The usage of electronic means of funds movement and settlement is still in its formative years. The various forms of electronic payment, such as credit cards, Automated Teller Machines (ATMs), Stored Value cards, Shared Payment Network Service (SPNS) etc., are emerging at an incredible speed. Many banks have taken initiatives aimed at electronic modes of funds movement. While this is a positive development, it needs to be ensured that such funds transfers are made with a high level of security so that no unauthorised usage occurs in the newer modes being implemented by banks. It is this area which has been the focus of attention by the Reserve Bank, and the efforts have now resulted in the Structured Financial Messaging Solution (SFMS). The SFMS incorporates adequate security measures, including Public Key Infrastructure (PKI), with encryption software equivalent to some of the best security measures in the world. The use of the SFMS over the INFINET would automatically provide safe, secure and efficient funds transfers, with the added benefit of the settlement of inter-bank funds transfers taking place in the books of account of banks maintained with the Reserve Bank, thereby providing for finality of the settlement. Further, the message formats used in SFMS are very similar to those used by SWIFT, resulting in ease of usage by the banking community in the country. This secure messaging backbone can be used for a number of intra-bank applications also.
(2) Sound Financial System: The information technology revolution has significantly benefited the financial system. In particular, there are four key areas in which the financial system has experienced the benefits of the technology revolution: product development, market infrastructure, risk control and market reach. In the process, technology has changed the contours of three major functions of financial intermediaries: access to liquidity, transformation of assets and monitoring of risks. The Indian financial system is adapting itself to these developments and is acquiring a customer-centric focus. The proliferation of Automated Teller Machines (ATMs), networking of these ATMs and Shared Payment Network based ATMs have been features which have been welcomed by the banking public. Other innovations already within the domain of banks and financial systems in India include Internet Banking, Electronic Funds Transfer and 'Anywhere/ Anytime Banking', all of which have a high level of technology embedded in the systems offering these services. In recent years, the Reserve Bank has assigned priority to upgrading the technological infrastructure of the Indian financial system. Efforts have been made to modernise clearing and payment through Magnetic Ink Character Recognition (MICR) based cheque clearing, Electronic Clearing Services and Electronic Funds Transfer (ECS and EFT) and the Centralised Funds Management System (CFMS).
(3) Effective Regulation and Supervision: Information technology has great potential for the effective regulation and supervision of various financial institutions and banks. With fast growth in technology and the increasing complexities of technology-driven developments in the financial markets, the regulated are more pro-active than the regulators on modernisation of products and services, especially in countries like ours where there are multiple regulators, and central banks face a growing task in keeping abreast and equipping themselves with a range of tools to deal with the regulatory implications of a technology-induced, fast-changing financial world. These developments necessitate a qualitative change and fine tuning in the relationship between the regulator and the regulated. Technology has brought alterations to decades-old attitudes and practices, in a more effective, economical and competitive manner.
(4) Effective Currency Management: The impact of technology on the issuance of bank notes and currency management by the central bank is apparent. Technology offers immense opportunities to significantly improve the performance of this core function. Given the high value and volume of currency in circulation, the vast geographic spread of currency operations, the largest distribution channel for the supply of currency, the prevalent marked preference for cash and currency handling practices, currency management in India is a challenging and strenuous task. In 1999, the Reserve Bank of India announced a "Clean Note Policy" to bring about improvements in the quality of notes in circulation, and technology has played an indispensable role in enabling the Bank to provide better quality notes to the general public. Information technology makes the task of currency management easy, effective, economical and speedier.
(5) Monetary and Financial Stability: One of the critical activities undertaken by a central bank to ensure monetary and financial stability is to provide the banking sector with finality of settlement. The payment and settlement systems are the conduits through which monetary policy measures are transmitted to the financial and then the real economy. The information technology revolution has given rise to an extraordinary increase in financial activity across the globe. The progress of technology and the development of worldwide networks have significantly reduced the cost of global funds transfer. Technology has, in fact, placed at the disposal of the central bank a desirable selection of instruments to manage and eliminate risks in payment and settlement systems. Electronic trading platforms have reduced the gap between trade finalisation and trade reporting and settlement, and in the process have significantly reduced risks arising from the trading and settlement process. Real Time Gross Settlement Systems (RTGS Systems) have been the preferred mode of settlement for large value funds transfers by central banks globally to minimise settlement and systemic risk. The RTGS systems would not have been possible without the network and information system capabilities to transmit payment messages to the settlement agency and process funds transfer instructions in real time. Delivery versus payment systems to reduce credit risks in securities settlement systems also owe their origin to the technological capability to harmonise positions in settlement banks and depositories in real time. The triumph of information technology has perhaps been the introduction of Continuous Linked Settlement, which ensures payment versus payment settlement of very large value foreign exchange transactions, thus completely eliminating the risks in cross-border transactions.
III. CHALLENGES BEFORE INTERNET BANKING
The information technology in itself is not a panacea and it has to be effectively utilized. The concept of Internet banking cannot work unless and until we have a centralised body or institution, which can formulate guidelines, regulate, and monitor effectively the functioning of Internet banking. The most important requirement for the successful working of Internet banking is the adoption of the best security methods. This presupposes the existence of a uniform and the best available technological devices and methods to protect electronic banking transactions. In order for computerisation to take care of the emerging needs, the recommendations of the Committee on Technology Upgradation in the Banking Sector (1999) may be considered. These are:
(1) Need for standardisation of hardware, operating systems, system software, application software to facilitate interconnectivity of systems across branches
(2) Need for high levels of security
(3) Communication and networking - use of networks which would facilitate centralised databases and distributed processing
(4) Need for a technology plan with periodical upgradation
(5) Need for business process re-engineering
(6) Need to address the issue of human relations in a computerised environment
(7) Need for sharing of technology experiences
(8) Need of Payment systems which use information technology tools. The Reserve Bank of India has played a lead role in this sphere of activity - with the introduction of cheque clearing using the MICR (Magnetic Ink Character Recognition) technology in the late eighties.
The Reserve Bank of India constituted a "Working Group on Internet Banking" which focused on three major areas of I-banking, i.e., (i) technology and security issues, (ii) legal issues and (iii) regulatory and supervisory issues. These areas were selected so that the problems faced by banks and their customers can be minimised as far as possible. The Group recommended certain guidelines for the smooth and proper working of Internet banking. These centralised guidelines would bring uniformity in the selection and adoption of security measures, with special emphasis on a uniform procedure. The security of Internet banking transactions would not be jeopardised if these security mechanisms are adopted. This is because the success of Internet banking ultimately depends upon a uniform, secure and safe technological base, with the most advanced features.
The RBI has accepted the recommendations of the Group, to be implemented in a phased manner. The RBI has issued (3) the following guidelines through a Circular for implementation by banks in this regard:
(1) Technology and Security Standards: The technology and security standards are of prime importance as the entire base of Internet banking rests on it. If the technology and security standards are inadequate, then Internet banking will not provide the desired results and will collapse ultimately. The RBI realizing this crucial requirement issued the following guidelines in this regard:
a. Banks should designate a network and database administrator with clearly defined roles as indicated in the Group's report. (Para 6.2.4 of the Report)
b. Banks should have a security policy duly approved by the Board of Directors. There should be a segregation of duty of Security Officer / Group dealing exclusively with information systems security and Information Technology Division, which actually implements the computer systems. Further, Information Systems Auditor will audit the information systems. (Para 6.3.10, 6.4.1)
c. Banks should introduce logical access controls to data, systems, application software, utilities, telecommunication lines, libraries, system software, etc. Logical access control techniques may include user-ids, passwords, smart cards or other biometric technologies. (Para 6.4.2)
d. At the minimum, banks should use the proxy server type of firewall so that there is no direct connection between the Internet and the bank's system. It facilitates a high level of control and in-depth monitoring using logging and auditing tools. For sensitive systems, a stateful inspection firewall is recommended which thoroughly inspects all packets of information, and past and present transactions are compared. These generally include a real time security alert. (Para 6.4.3)
e. All the systems supporting dial up services through modem on the same LAN as the application server should be isolated to prevent intrusions into the network as this may bypass the proxy server. (Para 6.4.4)
f. PKI (Public Key Infrastructure) is the most favoured technology for secure Internet banking services. However, as it is not yet commonly available, banks should use the following alternative system during the transition, until the PKI is put in place:
1. Usage of SSL (Secure Sockets Layer), which ensures server authentication, and use of client-side certificates issued by the banks themselves using a Certificate Server.
2. The use of at least 128-bit SSL for securing browser to web server communications and, in addition, encryption of sensitive data like passwords in transit within the enterprise itself. (Para 6.4.5)
g. It is also recommended that all unnecessary services on the application server such as FTP (File Transfer Protocol), telnet should be disabled. The application server should be isolated from the e-mail server. (Para 6.4.6)
h. All computer accesses, including messages received, should be logged. Security violations (suspected or attempted) should be reported and follow up action taken should be kept in mind while framing future policy. Banks should acquire tools for monitoring systems and the networks against intrusions and attacks. These tools should be used regularly to avoid security breaches. The banks should review their security infrastructure and security policies regularly and optimize them in the light of their own experiences and changing technologies. They should educate their security personnel and also the end-users on a continuous basis. (Para 6.4.7, 6.4.11, 6.4.12)
i. The information security officer and the information system auditor should undertake periodic penetration tests of the system, which should include:
1. Attempting to guess passwords using password-cracking tools.
2. Search for back door traps in the programs.
3. Attempt to overload the system using DDoS (Distributed Denial of Service) & DoS (Denial of Service) attacks.
4. Check if commonly known holes in the software, especially the browser and the e-mail software exist.
5. The penetration testing may also be carried out by engaging outside experts (often called 'Ethical Hackers'). (Para 6.4.8)
j. Physical access controls should be strictly enforced. Physical security should cover all the information systems and sites where they are housed, both against internal and external threats. (Para 6.4.9)
k. Banks should have proper infrastructure and schedules for backing up data. The backed-up data should be periodically tested to ensure recovery without loss of transactions in a time frame as given out in the bank's security policy. Business continuity should be ensured by setting up disaster recovery sites. These facilities should also be tested periodically. (Para 6.4.10)
l. All applications of banks should have proper record keeping facilities for legal purposes. It may be necessary to keep all received and sent messages both in encrypted and decrypted form. (Para 6.4.13)
m. Security infrastructure should be properly tested before using the systems and applications for normal operations. Banks should upgrade the systems by installing patches released by developers to remove bugs and loopholes, and upgrade to newer versions, which give better security and control. (Para 6.4.15)
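Guideline h above requires that all computer accesses be logged and that suspected or attempted security violations be reported, and guideline i lists password guessing among the things a penetration test should probe. The following Go program is an added illustration of the monitoring side of that requirement; it is not code from the article or from the RBI's guidelines. It reads a constructed login-audit log in an assumed format (RFC 3339 timestamp, the word LOGIN, OK or FAIL, then user= and src= fields), counts failed logins per source address inside a sliding time window, and raises an alert for any source that reaches a threshold, which is the kind of security violation a bank's security officer would expect to have reported.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed line of the constructed login-audit log.
type Event struct {
	At      time.Time
	Outcome string // "OK" or "FAIL"
	User    string
	Src     string
}

// Alert is a reportable security violation: too many failed logins
// from one source address inside the configured window.
type Alert struct {
	Src      string
	Failures int
	First    time.Time
	Last     time.Time
}

// parseLine reads the assumed log format:
//
//	<RFC3339 time> LOGIN <OK|FAIL> user=<name> src=<address>
func parseLine(line string) (Event, bool) {
	f := strings.Fields(line)
	if len(f) != 5 || f[1] != "LOGIN" {
		return Event{}, false
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, false
	}
	ev := Event{At: at, Outcome: f[2]}
	for _, kv := range f[3:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return Event{}, false
		}
		switch k {
		case "user":
			ev.User = v
		case "src":
			ev.Src = v
		}
	}
	if ev.User == "" || ev.Src == "" {
		return Event{}, false
	}
	return ev, true
}

// DetectPasswordGuessing returns one Alert per source address that
// produced at least threshold failed logins within any span of the
// given window. Malformed lines are skipped rather than treated as fatal,
// so one bad line cannot silence the whole report.
func DetectPasswordGuessing(lines []string, threshold int, window time.Duration) []Alert {
	fails := map[string][]time.Time{}
	for _, l := range lines {
		ev, ok := parseLine(l)
		if !ok || ev.Outcome != "FAIL" {
			continue
		}
		fails[ev.Src] = append(fails[ev.Src], ev.At)
	}
	var alerts []Alert
	for src, ts := range fails {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		// Sliding window over the sorted failure timestamps: advance the
		// start index until the span fits inside the window.
		start := 0
		best := Alert{Src: src}
		for end := range ts {
			for ts[end].Sub(ts[start]) > window {
				start++
			}
			if n := end - start + 1; n > best.Failures {
				best.Failures, best.First, best.Last = n, ts[start], ts[end]
			}
		}
		if best.Failures >= threshold {
			alerts = append(alerts, best)
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Src < alerts[j].Src })
	return alerts
}

// SampleLog is constructed for this example; it is not a real bank log.
var SampleLog = []string{
	"2001-06-14T10:00:01Z LOGIN FAIL user=alice src=203.0.113.7",
	"2001-06-14T10:00:09Z LOGIN FAIL user=alice src=203.0.113.7",
	"2001-06-14T10:00:15Z LOGIN FAIL user=bob src=203.0.113.7",
	"2001-06-14T10:00:21Z LOGIN FAIL user=carol src=203.0.113.7",
	"2001-06-14T10:00:30Z LOGIN OK user=dave src=203.0.113.7",
	"2001-06-14T10:05:00Z LOGIN FAIL user=erin src=198.51.100.2",
	"2001-06-14T10:20:00Z LOGIN FAIL user=erin src=198.51.100.2",
	"2001-06-14T10:40:00Z LOGIN FAIL user=erin src=198.51.100.2",
	"2001-06-14T11:00:00Z LOGIN FAIL user=erin src=198.51.100.2",
	"this line is malformed and must be skipped",
}

func main() {
	for _, a := range DetectPasswordGuessing(SampleLog, 4, 5*time.Minute) {
		fmt.Printf("ALERT src=%s failures=%d between %s and %s\n",
			a.Src, a.Failures, a.First.Format(time.RFC3339), a.Last.Format(time.RFC3339))
	}
}
```

Run as written, the program reports one alert for 203.0.113.7 (four failures in twenty seconds across three different user names). The slow trickle from 198.51.100.2 stays below the threshold with a five-minute window but is caught if the window is widened to two hours; the length of the window and the threshold are exactly the parameters a bank's security policy has to settle against its own false-positive tolerance.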
(2) Legal Issues: The adoption and switch over to Internet banking will also raise certain legal issues and disputes in the future which have to be anticipated and remedial measures for the same need to be adopted. Further, these issues should also be compatible with the existing laws, particularly the Information Technology Act, 2000. The RBI, keeping in mind these factors, has issued the following guidelines in this regard:
a. Considering the legal position prevalent, there is an obligation on the part of banks not only to establish the identity but also to make enquiries about integrity and reputation of the prospective customer. Therefore, even though request for opening account can be accepted over Internet, accounts should be opened only after proper introduction and physical verification of the identity of the customer. (Para 7.2.1)
b. From a legal perspective, security procedure adopted by banks for authenticating users needs to be recognized by law as a substitute for signature. In India, the Information Technology Act, 2000, in Section 3(2) provides for a particular technology (viz., the asymmetric crypto system and hash function) as a means of authenticating electronic record. Any other method used by banks for authentication should be recognized as a source of legal risk. (Para 7.3.1)
c. Under the present regime there is an obligation on banks to maintain secrecy and confidentiality of customers' accounts. In the Internet banking scenario, the risk of banks not meeting the above obligation is high on account of several factors. Despite all reasonable precautions, banks may be exposed to enhanced risk of liability to customers on account of breach of secrecy, denial of service etc., because of hacking/ other technological failures. The banks should, therefore, institute adequate risk control measures to manage such risks. (Para 7.5.1-7.5.4)
d. In Internet banking scenario there is very little scope for the banks to act on stop-payment instructions from the customers. Hence, banks should clearly notify to the customers the timeframe and the circumstances in which any stop-payment instructions could be accepted. (Para 7.6.1)
e. The Consumer Protection Act, 1986 defines the rights of consumers in India and is applicable to banking services as well. Currently, the rights and liabilities of customers availing of Internet banking services are being determined by bilateral agreements between the banks and customers. Considering the banking practice and rights enjoyed by customers in traditional banking, banks' liability to the customers on account of unauthorized transfer through hacking, denial of service on account of technological failure etc. needs to be assessed and banks providing Internet banking should insure themselves against such risks. (Para 7.11.1)
(3) Regulatory and Supervisory Issues: The banks operating in real space are regulated and supervised by the RBI on regular basis. This regulation and supervision is required to be extended to Internet banking as well. Thus, the RBI has issued the following guidelines in this regard:
1. Only such banks which are licensed and supervised in India and have a physical presence in India will be permitted to offer Internet banking products to residents of India. Thus, both banks and virtual banks incorporated outside the country and having no physical presence in India will not, for the present, be permitted to offer Internet banking services to Indian residents.
2. The products should be restricted to account holders only and should not be offered in other jurisdictions.
3. The services should only include local currency products.
4. The 'in-out' scenario where customers in cross border jurisdictions are offered banking services by Indian banks (or branches of foreign banks in India) and the 'out-in' scenario where Indian residents are offered banking services by banks operating in cross-border jurisdictions are generally not permitted and this approach will apply to Internet banking also. The existing exceptions for limited purposes under FEMA i.e. where resident Indians have been permitted to continue to maintain their accounts with overseas banks etc., will, however, be permitted.
5. Overseas branches of Indian banks will be permitted to offer Internet banking services to their overseas customers subject to their satisfying, in addition to the host supervisor, the home supervisor.
Given the regulatory approach as above, banks are advised to follow the following instructions:
a. All banks which propose to offer transactional services on the Internet should obtain prior approval from RBI. A bank's application for such permission should indicate its business plan, analysis of cost and benefit, operational arrangements like technology adopted, business partners, third party service providers, and the systems and control procedures the bank proposes to adopt for managing risks. The bank should also submit a security policy covering the recommendations made in this circular and a certificate from an independent auditor that the minimum requirements prescribed have been met. After the initial approval, the banks will be obliged to inform RBI of any material changes in the services / products offered by them. (Para 8.4.1, 8.4.2)
b. Banks will report to RBI every breach or failure of security systems and procedure and the latter, at its discretion, may decide to commission special audit / inspection of such banks. (Para 8.4.3)
c. The guidelines issued by RBI on 'Risks and Controls in Computers and Telecommunications' vide circular DBS.CO.ITC.BC. 10/ 31.09.001/ 97-98 dated 4th February 1998 will equally apply to Internet banking. The RBI as supervisor will cover the entire risks associated with electronic banking as a part of its regular inspections of banks. (Para 8.4.4, 8.4.5)
d. Banks should develop outsourcing guidelines to manage risks arising out of third party service providers, such as, disruption in service, defective services and personnel of service providers gaining intimate knowledge of banks' systems and misutilizing the same, etc., effectively. (Para 8.4.7)
e. With the increasing popularity of e-commerce, it has become necessary to set up 'Inter-bank Payment Gateways' for settlement of such transactions. The protocol for transactions between the customer, the bank and the portal and the framework for setting up of payment gateways as recommended by the Group should be adopted. (Para 8.4.7, 188.8.131.52 - 184.108.40.206)
f. Only institutions who are members of the cheque clearing system in the country will be permitted to participate in Inter-bank payment gateways for Internet payment. Each gateway must nominate a bank as the clearing bank to settle all transactions. Payments effected using credit cards, payments arising out of cross border e-commerce transactions and all intra-bank payments (i.e., transactions involving only one bank) should be excluded for settlement through an inter-bank payment gateway. (Para 8.4.7)
g. Inter-bank payment gateways must have capabilities for both net and gross settlement. All settlement should be intra-day and as far as possible, in real time. (Para 8.4.7)
h. Connectivity between the gateway and the computer system of the member bank should be achieved using a leased line network (not through the Internet) with an appropriate data encryption standard. All transactions must be authenticated. Once the regulatory framework is in place, the transactions should be digitally certified by any licensed certifying agency. SSL / 128-bit encryption must be used as the minimum level of security. The Reserve Bank may get the security of the entire infrastructure, both at the payment gateway's end and the participating institutions' end, certified prior to making the facility available for customers' use. (Para 8.4.7)
i. Bilateral contracts between the payee and payee's bank, the participating banks and service provider and the banks themselves will form the legal basis for such transactions. The rights and obligations of each party must be clearly defined and should be valid in a court of law. (Para 8.4.7)
j. Banks must make mandatory disclosures of risks, responsibilities and liabilities of the customers in doing business through Internet through a disclosure template. The banks should also provide their latest published financial results over the net. (Para 8.4.8)
k. Hyperlinks from banks' websites often raise the issue of reputational risk. Such links should not mislead the customers into believing that banks sponsor any particular product or any business unrelated to banking. Hyperlinks from a bank's website should be confined to only those portals with which it has a payment arrangement or the sites of its subsidiaries or principals. Hyperlinks to banks' websites from other portals are normally meant for passing on information relating to purchases made by banks' customers in the portal. Banks must follow the minimum recommended security precautions while dealing with requests received from other websites relating to customers' purchases. (Para 8.4.9)
Thus, the guidelines issued by the RBI have taken care of the challenges to be faced by Internet banking. The Reserve Bank of India has directed that all banks offering Internet banking services, with immediate effect, should adopt the Group's recommendations. Even though the recommendations have been made in the context of Internet banking, they are applicable, in general, to all forms of electronic banking, and banks offering any form of electronic banking should adopt them to the extent relevant. Further, all banks offering Internet banking are advised to review their systems in the light of these guidelines and report to the Reserve Bank the types of services offered, the extent of their compliance with the recommendations, deviations, and their proposal indicating a time frame for compliance. The first such report must reach the RBI within one month from 14-06-2001 (4). Banks not offering any kind of I-banking may submit a 'nil' report. Banks already offering any kind of transactional service are advised to report, in addition to the items mentioned above, their business models with projections of cost / benefits etc. and seek RBI's post-facto approval.
IV. INTERNET BANKING AND IT ACT, 2000
Internet banking cannot operate properly unless it is in conformity with the Information Technology Act, 2000 (hereinafter referred to as the Act). A holistic approach should be adopted, the purpose of which should be to bring uniformity and harmony between the provisions of the Act on the one hand and the guidelines issued by the RBI on the other. It must be appreciated that in case of conflict between the provisions of the Act and the guidelines, the former would prevail. The following provisions of the Act have a direct bearing on the functioning of Internet banking in India:
(1) The authentication of electronic records for the purposes of Internet banking should be in accordance with the provisions of the Act (5),
(2) The electronic records duly maintained for the purposes of Internet banking would be recognized as legally valid and admissible (6),
(3) The digital signature affixed in a proper manner would satisfy the requirement of signing of a document for the purposes of Internet banking (7),
(4) Any kind of paper work, which is required to be filed in the government offices or its agencies, would be deemed to be duly filed if it is filed in the prescribed electronic form (8). Thus the paper formalities can be effectively substituted with electronic filings for Internet banking purposes,
(5) The banking business requires certain documents or records to be retained for a fixed period. In Internet banking such documents or records can be retained in an electronic form (9),
(6) The rules, regulations, order, bye-law, notification or any other matter pertaining to Internet banking can be published in the Official Gazette or Electronic Gazette, as the case may be (10),
(7) Internet banking presupposes the existence of attribution and certainty. If any electronic record is sent by the originator himself, by his agent, or by an information system programmed by or on behalf of the originator to operate automatically, then the electronic record shall be attributed to the originator (11),
(8) The requirement of acknowledgement of documents sent for the purposes of Internet banking is adequately safeguarded by the Act (12),
(9) Internet banking may require the time and place of dispatch and receipt of electronic records to be determined. This problem can be easily solved by applying the provisions of the Act (13),
(10) The Internet banking would require the secured electronic records for its proper working. Where any security procedure has been applied to an electronic record at a specific point of time, then such record shall be deemed to be a secure electronic record from such point of time to the time of verification (14),
(11) A digital signature meeting the specified requirements would be deemed to be a secured digital signature for carrying out Internet banking transactions (15),
(12) The Central Government has the power to prescribe the security procedures to give effect to the provisions of the Act, having regard to the commercial circumstances prevailing at the time when the procedure was used (16). Thus, the Central Government can specify safety measures and security procedures for Internet banking under the provisions of the Act.
(13) The Controller of Certifying Authorities (CCA) can issue licences to Certifying Authorities under the IT Act, 2000 (17). The Certifying Authority is assisted by the Registration Authority, which is created at the level of the organisations subscribing to the services of the Certifying Authority. The Reserve Bank would function as a Registration Authority (RA) for the proper functioning of Internet banking.
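The authentication mechanism referred to in item (1) above, and described in guideline b under Legal Issues as an asymmetric crypto system combined with a hash function, works as follows in code. The Go program below is an added example, not code from the article, the Act or the RBI; the choice of ECDSA over the P-256 curve with SHA-256 is an assumption for illustration, since the page names no particular algorithm, and the transfer instruction is a constructed sample rather than a real banking message format. The record is first reduced to a fixed-length digest by the hash function, the digest is signed with the subscriber's private key, and the recipient re-computes the digest and checks the signature against the public key that a Certifying Authority would have certified. A record altered after signing, or a signature produced with a different key, fails verification, which is what allows the record to be treated as secure from the point of signing up to the time of verification (items (10) and (11)).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedRecord pairs an electronic record with the digital signature
// that authenticates it (the hash-then-sign construction).
type SignedRecord struct {
	Record    []byte
	Signature []byte
}

// digest is the hash-function step: the variable-length record is
// transformed into a fixed-length message digest that the asymmetric
// operation then works on. SHA-256 is an assumed choice for this example.
func digest(record []byte) []byte {
	h := sha256.Sum256(record)
	return h[:]
}

// GenerateKeyPair creates the subscriber's private key; the matching public
// key is what a Certifying Authority would list in the subscriber's
// certificate. ECDSA P-256 is an assumed choice for this example.
func GenerateKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign affixes a digital signature by signing the record's digest with the
// private key. The record is copied so later edits to the caller's buffer
// cannot silently change what was signed.
func Sign(priv *ecdsa.PrivateKey, record []byte) (SignedRecord, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(record))
	if err != nil {
		return SignedRecord{}, err
	}
	return SignedRecord{Record: append([]byte(nil), record...), Signature: sig}, nil
}

// Verify re-computes the digest of the record as received and checks the
// signature with the public key. It returns false both for a record that was
// altered after signing and for a signature made with another key.
func Verify(pub *ecdsa.PublicKey, sr SignedRecord) bool {
	return ecdsa.VerifyASN1(pub, digest(sr.Record), sr.Signature)
}

// Tampered returns a copy of sr whose record was changed after signing,
// simulating an alteration in transit while the original signature is kept.
func Tampered(sr SignedRecord, altered []byte) SignedRecord {
	return SignedRecord{Record: altered, Signature: sr.Signature}
}

func main() {
	priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample instruction; not a real banking message format.
	instr := []byte("TRANSFER from=ACCT-0001 to=ACCT-0002 amount=INR 1000.00 ref=42")
	sr, err := Sign(priv, instr)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine record verifies:", Verify(&priv.PublicKey, sr))

	// The amount is changed after signing: the digest no longer matches.
	forged := Tampered(sr, []byte("TRANSFER from=ACCT-0001 to=ACCT-0002 amount=INR 100000.00 ref=42"))
	fmt.Println("altered record verifies:", Verify(&priv.PublicKey, forged))
}
```

Note that verification only establishes that the record is unchanged since it was signed by the holder of that private key; binding the public key to a particular subscriber is the Certifying Authority's job under the Act, and is outside what this program checks.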
Thus, the Information Technology Act, 2000 has laid down the basic legal framework conducive to Internet banking in India. In case of any doubt or legal problem, the provisions of the Act can be safely relied upon. It must be noted that the object of the Act is to facilitate e-commerce and e-governance (18), which are essential for the functioning of Internet banking in India. There may be challenges of Internet banking which cannot be tackled appropriately with the existing legal framework. To meet such challenges, appropriate amendments can be made either to the Act itself, or a separate new law dealing specifically with Internet banking can be enacted.
The adoption of Internet banking in India will have its own advantages for both the banks and the ultimate customers. The use of information technology will not only reduce the costs of operation but will also be effective, easy to maintain, speedier and highly competitive. Banks cannot remain standoffish from the concept of Internet banking, and they should bring about apposite changes to meet the necessities and challenges of Internet banking. The challenges posed by Internet banking are mostly of a procedural nature, which can be easily counterbalanced by adopting suitable technological and security measures. The domestic standards of banking have to be in conformity with the well-known international standards, and in the near future international dealings from India, which are presently not liberal enough, would be a reality. No system or institution can hope to benchmark itself against international standards without making optimal use of technology. There can be no doubt about the enormous potential and emancipated opportunities offered by advances in technology. However, there are pre-requisites and preparations which have to be made before the full benefits of the technology can be harvested.
© Praveen Dalal. All rights reserved with the author.
* Consultant and Advocate, Delhi High Court, India.
(1) Internet Banking should not be confused with e- banking, which merely uses computers for selective purposes only (like e-fund transfer). Internet banking is a wider term, which includes e banking.
(2) Source: www.rbi.org.in, and address delivered by Shri Vepa Kamesam, Deputy Governor, Reserve Bank of India at Central Bank of Sri Lanka, Colombo on August 20, 2003.
(3) Internet Banking in India – Guidelines, DBOD.COMP.BC.No.130/ 07.03.23/ 2000-01(June 14, 2001)
(4) Date of issuance of Circular by the RBI.
(5) Section 3
(6) Section 4
(7) Section 5
(8) Section 6
(9) Section 7
(10) Section 8
(11) Section 11
(12) Section 12
(13) Section 13
(14) Section 14
(15) Section 15
(16) Section 16
(17) Section 21
(18) Refer Statement of Objects and Reasons