
DAMODARAM SANJIVAYYA NATIONAL LAW UNIVERSITY

VISAKHAPATNAM

PROJECT TITLE: CONFIDENTIALITY AND DATA PROTECTION IN ELECTRONIC FUND TRANSFER

SUBJECT: BANKING LAW

NAME OF THE FACULTY: Ms. BUSHRA QUASMI

NAME OF THE CANDIDATE: C ANAND HITESH


ROLL NO. : 2016027
SEMESTER: VI

ACKNOWLEDGMENT

Firstly, I am highly grateful to Ms. Bushra Quasmi, Asst. Prof., Damodaram Sanjivayya
National Law University, for her support and guidance throughout this project. We
acknowledge with the deepest sense of gratitude her guidance and support throughout the
course of this project.

Secondly, I would also like to thank all information providers without whom this project
would have been incomplete.

TABLE OF CONTENTS

S.No. CONTENT Page No.


1. Acknowledgment 2
2. Abstract 4
3. Objective of the study 5
4. Significance of the study 5
5. Scope of the study 5
6. Review of literature 5
7. Research methodology 5
8. Introduction 6
9. Forms of Electronic banking and electronic payments in India 7
10. Electronic Payment System 10
11. Legal Regime of Electronic banking in India 13
12. Major issues: Security and Privacy 17
13. Suggestive Measures 23
14. Conclusion 24
15. Bibliography 25

ABSTRACT

This paper aims to make a detailed study of electronic fund transfers in India and their
importance in the banking sector of the country. As in every article or paper, the introductory
chapter will map the emergence of electronic fund transfer and briefly outline its historical
background. The second chapter will cover the modes of electronic banking and the types of
electronic payment systems in India. The third and fourth chapters, which form the core of this
paper, will dwell on the legal regime of EFTs in India and the issues concerned with EFTs
respectively. The fifth and last chapter, the concluding one, will throw light upon the future
road map for EFTs; in other words, it will analyse the effectiveness of the electronic payment
system and suggest the improvements which can be made to it, especially pertaining to the
security and privacy of EFT systems. Modern financial institutions have cashed in on the
electronic business opportunities of the Internet by developing numerous payment systems to
meet various payment service requirements. Advanced computer systems and telecommunications
technology are being used to offer fast, convenient and secure ways to conduct financial
transactions at service and security levels that are hardly or never achieved by traditional
payment systems. In this paper, we examine the function and operation flow of the electronic
funds transfer process as well as its security control mechanism. To evaluate telecommunication
and data security techniques, a standard-leading inter-bank payment system called the Society
for Worldwide Inter-bank Financial Telecommunications System is introduced. Some important
security features are investigated in detail. Security means the protection of the integrity of
electronic funds transfer (EFT) systems and their information from illegal or unauthorized
access and use. Although the loss per theft appears to be greater than for paper-based payment
systems, there is no real evidence that EFT systems to date have resulted in a higher than
average crime rate. Why, then, is the security of EFT systems an important public concern and
potentially a major policy issue? In comparison with other payment systems, EFT appears to have
some additional vulnerability. In particular, electronic banking and financial services have
immense growth potential via the Internet. Some of the most important security issues involve
electronic money and digital cash. As more and more companies jump onto the information
superhighway with interactive web sites, information security becomes an important issue in the
digital economy. A security mechanism is used to enforce a security policy. Security mechanisms
for web servers and clients address vulnerabilities of the software, operating system, and
communication channel.

OBJECTIVES OF THE PROJECT

The main objective of the project is to know whether data protection in electronic fund
transfer is efficient enough in this present system.
SIGNIFICANCE OF THE PROJECT

The significance of the project is to make the readers aware about the various measures to
protect data in electronic fund transfers between banks.

REVIEW OF LITERATURE

The researcher had taken the information from the articles, Websites and books, which
provided a lot of help for completion of the project. The information in the articles and
websites have been cited properly.

RESEARCH METHODOLOGY

The research methodology used was the doctrinal methodology. Doctrinal methodology includes
doing research from books, articles, journals, case studies and newspapers, and also taking the
help of web articles and PDFs.

INTRODUCTION

The adoption of technology has brought a sea change to the Indian banking sector, especially
in the post-reforms period.1 Technology has helped the banking companies reach the doorsteps
of the customers by scaling the geographical barriers of branch banking and easing the time,
resource and volume constraints. The growth and development of information technology in the
80s and the advancement in computer networking have helped the banks to automate
transactions.2 With the development of the internet and the subsequent introduction of
e-commerce, m-commerce and Automated Teller Machines (ATMs), the industry has witnessed
structural and functional changes. In addition to scaling borders, technology has enabled the
banks to change strategic behaviour, improve their efficiency and cut down on transaction
costs. Beginning its journey in Indian banking as an enabler, technology has over a period of
time transformed into a business driver, and is fast becoming an inseparable part of the banking
process. It has become essential that banks adopt innovative methods of computerization and
communication so as to afford a well-designed, strong and transparent financial infrastructure,
backed by efficient payment and settlement systems.

1 Economic Reforms which took place in 1991, i.e. Liberalization, Privatization and Globalisation
(LPG), also known as the New Economic Policy.

Electronic fund transfer (EFT) system owes its origin to the introduction of the first automated
teller machine (ATM) in the mid-1960s. The ATM was able to handle account transfers, accept
deposits, and dispense cash using a standard magnetic stripe card and personal identification
number (PIN). With the introduction and acceptance of ATMs, the American banks and financial
institutions entered the era of EFT systems. The term EFT refers to the application of computer and
telecommunication technology in making or processing payments. It is a descriptor that defines
payment vehicles which use electronic networks instead of cash or cheque to conduct a
transaction. EFT networks are divided into two main types: wholesale and consumer.
Wholesale networks are generally used by banks and financial institutions for large-dollar
electronic transfers. Consumer networks provide for a variety of electronic payment services
used by consumers and generally move small-dollar amounts.

In India, the push towards electronic banking was initiated by the Reserve Bank of India with
the help of various recommendations made by the Committees constituted from time to time for
the development of information technology infrastructure. In 1984, the banks started deploying
advanced technology in their internal systems to improve the working and communication between
the branch offices. In 1988, the exhaustive plan for computerization of the banking sector was
declared.3 The major recommendations included operationalization of Magnetic Ink Character
Recognition (MICR) technology in four metropolitan cities, the framing of uniform regulations
for clearing houses, and the introduction of credit cards and ATMs. In 1994, the main objective
was to furnish recommendations on technology issues regarding payment systems, made by the
Rangarajan Committee Reports on Computerization of Banks. Some of the recommendations made by
the Committee included the establishment of an EFT system, introduction of MICR clearing in
more than 100 banks and promotion of a card culture. In the same year, legislation on EFT and
other electronic payment modes was proposed. A set of EFT Regulations was recommended by the
Reserve Bank under the Reserve Bank of India Act, 1934, along with an amendment to the Bankers’
Books Evidence Act, 1891. Subsequently, EFT was launched by the Reserve Bank in 1995 with a
view to modernizing funds transfer in the country and speeding up the transfer of funds between
and among the banks.

2 R. K. Mittal and Sanjay Dhingra, “Technology in Banking Sector: Issues and Challenges”
Vinimaya, Vol. 27, 14 (2006-07).
EFT systems have many points of access where transactions can be affected in unauthorized
ways because of direct customer involvement with the dynamics of the systems, the use of
telecommunication lines, and the ways in which data are aggregated and transmitted among
and between sites and institutions. Funds can be removed in currency almost instantly without
review of individual transactions by officials. Because of the kinds of information recorded
and the way it is aggregated, EFT data have an economic value above and beyond the value of
the funds, and hence provide another source of temptation. It is possible, in theory, for large
banks of data to be destroyed by remote agents, creating the opportunity for maliciousness,
extortion, blackmail, or terrorism. EFT crime provides a sporting element, or intellectual
challenge, to some people that is perhaps as enticing as the opportunity for financial gain.
EFT crime is often difficult to detect because funds/data can be removed or manipulated by
instructions hidden in complex computer software; the dynamics of the criminal action may
be understood only by a few experts within the institution. EFT crime is poorly reported
because publicity may draw attention to ways of attacking the integrity of the EFT system,
may give organizations a poor public image, or may even raise insurance premiums. Existing
legislation may not be fully adequate or appropriate for prosecuting EFT crimes. A high
degree of security is especially important to the future development and use of EFT because
this is a relatively new technology that is challenging much older and well established
payment systems. Therefore, it is particularly dependent on the confidence of the public. The
failure to gain and maintain the confidence of individual and organizational users during this
period of rapid development could ultimately undermine the stability of financial institutions
that have already heavily committed themselves to EFT systems and practices. It is difficult at
present to assess the level of EFT security violations because there is underreporting of EFT
crime, a paucity of information about EFT security, and a lack of informed public discussion,
although considerable public concern is voiced. Such evidence as is available suggests that
EFT security violation is not a severe problem, although the magnitude of loss in individual
EFT thefts may be much higher than that in conventional thefts from financial institutions.
While there are some dangers that giving these problems higher visibility through public
discussion may at first make them worse, the public is entitled to know what risks they are
exposed to in using EFT services. Furthermore, both law enforcement agents and financial
institutions would benefit by sharing information about vulnerabilities, defence strategies, and
security-enhancing technologies.

3 Sonia Chawla and Ritu Singhal, “India and the World: The Changing Paradigms in the Banking
Sector due to Technological Advancements” Prajnan, Vol. 39, 130 (2010-11).

Some believe that both effective technology and sound management procedures exist for
adequately assuring EFT security, though even present technology and procedures are not all
widely used. There is as yet no clear and consistent set of industry-wide security standards for
the protection of computer systems. The use of security technology and procedures varies among
institutions. The cost of providing a reasonable degree of security, equal at least to that
provided for paper-based payment systems, is probably not excessively high, but information
on this point is scanty. Better information about EFT security would allow Congress and State
legislatures to assess more effectively the possible need for new or modified legislation and/or
regulations.

FORMS OF ELECTRONIC BANKING AND ELECTRONIC PAYMENT SYSTEMS IN INDIA

Banking is an art. But electronic banking (E-Banking) is more of a science than an art. E-Banking
is knowledge-based and most scientific in using the electronic devices of the computer revolution.
E-Banking is an umbrella term for the process by which a customer performs banking transactions
by electronic means without visiting the brick-and-mortar institution.4 E-Banking is defined as
the automated delivery of new and traditional banking products and services directly to
customers through electronic, interactive communication channels. The concept and scope of
E-Banking is still evolving. E-Banking is expected to result in high productivity and efficiency
gains for the bank. Several initiatives taken by the Government of India as well as the Reserve
Bank have facilitated the development of E-Banking in India. The Reserve Bank has made
considerable progress in consolidating the existing payment and settlement systems and in
upgrading technology with a view to establishing an efficient, integrated and secure system,
which has further helped in developing E-Banking in India.

4 Working Group on Internet Banking, 2001 under the Chairmanship of S. R. Mittal

Forms of Electronic Banking

Internet Banking: A banking transaction which takes place in a virtual ambience on the website
of a banking company or a financial institution is termed internet banking. The essence of
internet banking lies in online access to banking and financial services by customers. The basic
difference between internet banking and traditional banking is that in traditional banking the
customer is required to personally visit the branch for making transactions, be it a cash deposit
or withdrawal, a transfer of funds, or a statement of account, while in internet banking these
operations can be carried out through computers without physically visiting the bank branch. It
is a win-win situation for both the customer and the bank. The customer is relieved from the
inconvenience of travelling, and the time saved can be effectively utilized in other productive
ways. The greatest advantage of internet banking is that it enables a customer to perform basic
banking transactions through a PC or laptop in any part of the world. Through the internet,
customers access the bank’s website for checking and viewing their account details and
performing the basic banking transactions.

Mobile Banking: “The account that travels with you”. With mobile banking facilities, one can
bank from anywhere, at any time and in any condition. The biggest limitation of internet banking
is the requirement of a computer or laptop with an internet connection. This is not a big
obstacle in the US and European countries, but it is a big barrier in countries like China and
India. Mobile banking addresses this fundamental limitation of internet banking by reducing the
customer requirement to just a mobile phone. The kind of banking and financial service that gives
real-time mobile access to customers on the move is called ‘mobile banking’. Mobile banking
refers to banking activity carried out on a mobile phone. The mobile banking facility is an
extension of internet banking. Banking is enabled even when a person is on the move.

Telephone Banking: Telephone banking refers to dialing a telephone number using a telephone
to access the account, transfer funds, and request statements or a cheque book simply by
following the recorded message and pressing the corresponding keys on the phone. It allows
customers to check their account at a convenient time and get simple things done without
visiting the bank premises. The telephone banking service makes use of an automated voice
response system. It aims at providing a 24-hour service that is quick, convenient and secure
for all customers. Telephone banking, therefore, can be defined as a secure, fast and convenient
way to obtain a range of services by using a telephone without visiting the branch, e.g.
account information, conduct of transactions, reporting the loss of an ATM card, ordering a
cheque book, etc.

Automated Teller Machine (ATM): An ATM is an electronic machine operated by the customer
himself to make deposits, withdrawals and other financial transactions. It is a step towards
improvement in customer service. The ATM facility is available to customers 24 hours a day.
ATMs have given an edge to banks and financial institutions in efficiently carrying out their
operations.

ELECTRONIC PAYMENT SYSTEM

Electronic payment system is a convenient way of making a purchase or paying for a service
without holding cash or having to go through the process of completing a cheque. Electronic
payment system constitutes an important segment of the E-Banking service. The biggest
advantage claimed by the electronic payments is that they are the convenient ways of
completing cash-based transactions. Various payment methods adopted in electronic
payment environment are described as follows:

Digital Cheques: Electronic payment devices involving the use of networking services, whereby
the e-customer issues digital cheques to e-merchant malls to settle transactions carried out over
the internet, are known as digital cheques. Digital cheques are similar to the paper cheques
issued in a physical banking environment. The digital cheque system is carried over the internet
with adequate in-built security.

Electronic Cash: Electronic cash, also known as digital money, refers to a payment system used
in the online banking and financial services scenario. It is an internet payment system which
combines computerized convenience with security and privacy. Electronic cash is an attractive
mode of payment for online shopping; it combines the benefits of credit and debit cards and is
used exclusively by the owner. Electronic cash is accepted based on identification and
verification of the owner or user. The electronic cash-issuing bank is known as the e-mint,
which is authorized to sign the electronic cash. Security mechanisms such as digital signature
algorithms are used to ensure the security of e-cash.

Electronic Card: An electronic card with a PIN used in internet trade transactions is known as
an ‘electronic card’. There are four entities involved in the working of an electronic credit
card transaction: the consumer who e-shops, the e-merchant, the E-Banking institution of the
merchant and the card issuing bank. Credit card transactions are handled by the merchant server,
the merchant bank, and the card issuing bank.

Real Time Gross Settlement (RTGS)

The Real Time Gross Settlement (RTGS) system is a fund transfer system in which the transfer of
money or securities takes place from one bank to another in real time and on a gross basis.
Settlement in real time means that the payment transaction is not subjected to any waiting
period: transactions are settled as soon as they are processed. Gross settlement means the
transaction is settled on a one-to-one basis without bunching or netting with any other
transaction. Once processed, payments are final and irrevocable. RTGS caters to large value
funds transfers between banks.

The RTGS system was introduced in India in 2004 and now extends to more than 85,000 bank
branches. The minimum amount to be remitted through RTGS is 2 lakh rupees. There is no upper
ceiling for RTGS transactions under normal circumstances. The Reserve Bank began witnessing
daily transactions of Rs. 44,000 crores through the RTGS system in 2005.5 RTGS helps to enable
the transfer of funds in a cheque-less environment. Transactions are cleared electronically,
based on instructions provided by banks to the clearing cell of the RBI. These instructions take
the form of messages which communicate debit or credit instructions from individual banks
through the RTGS platform. Under the RTGS system, a payer is required to inform his bank to
debit his account and credit the account of the payee’s bank with an equal amount.

RTGS does not require core banking to be implemented across participating banks, as
transactions are direct, without any central processing or clearing operations. Any RTGS system
employs two sets of queues: one for testing outgoing funds availability and the other for
processing debit or credit requests received from the Central Bank’s Integrated Accounting
System.

5 Narinder Kumar Bhasin, “Innovations in E-Banking- Real Time Gross Settlement” 9th AIMS
International Conference on Management (January, 2012) at 13.

National Electronic Funds Transfer (NEFT)

National Electronic Funds Transfer (NEFT) is a nation-wide payment system facilitating one-to-one
funds transfer. Under this scheme, individuals, firms and corporates can electronically transfer
funds from any bank branch to any individual, firm or corporate having an account with any other
bank branch in the country participating in the scheme. To be part of the NEFT funds transfer
network, a bank branch has to be NEFT-enabled, similar to RTGS. Individuals, firms or corporates
maintaining accounts with a bank branch can transfer funds using NEFT. Even individuals who do
not have a bank account, i.e. walk-in customers, can deposit cash at NEFT-enabled branches with
instructions to transfer funds using NEFT. However, such cash remittances are restricted to a
maximum of Rs. 50,000/- per transaction, and such customers have to furnish full details
including complete address, telephone number, etc. NEFT therefore enables originators or
remitters to initiate funds transfer transactions even without having a bank account.

The maximum amount which can be remitted through NEFT is 2 lakh rupees. The NEFT system is a
vital part of core banking in India. An individual, firm or corporate intending to originate a
transfer of funds through NEFT is required to fill in an application form providing details of
the beneficiary, as in RTGS, and the amount to be remitted. The remitter authorizes his bank
branch to debit his account and remit the specified amount to the beneficiary. Some banks offer
the NEFT facility even through ATMs. Walk-in customers, however, have to give their contact
details to the branch, which would help the branch refund the money to the customer in case the
credit could not be afforded to the beneficiary’s bank account or the transaction is rejected or
returned for any reason.

If it is not possible to afford credit to the account of the beneficiary for whatever reason,
destination banks are required to return the transaction to the originating branch within two
hours of completion of the batch in which the transaction was processed. Besides personal funds
transfer, the NEFT system can also be used for a variety of transactions, including payment of
credit card dues to the card issuing banks. It is necessary to quote the IFSC of the beneficiary
card issuing bank to initiate bill payment transactions using NEFT.

In case of successful credit to the beneficiary's account, the bank which originated the
transaction is expected to send a confirmation to the originating customer through SMS or e-mail
advising of the credit and mentioning the date and time of credit. For this purpose, remitters
need to provide their mobile number or e-mail id to the branch at the time of originating the
transaction. The remitter can track the NEFT transaction through the originating bank branch or
its CFC using the unique transaction reference number provided at the time of initiating the
funds transfer.
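As an added illustration (not part of this project, nor RBI or any bank's software), the following Python model contrasts the RTGS mechanics described earlier (real-time, gross, final settlement, a queue for outgoing funds availability, and the Rs. 2 lakh floor) with the NEFT procedure described above (batch processing, the Rs. 50,000 walk-in cash cap, and return of credits that cannot be afforded within two hours of batch completion). Bank names, account identifiers, the settlement balances and the queue retry policy are assumptions made for the example.

```python
"""Model of the two settlement styles described above: RTGS settles each
instruction alone and finally, NEFT processes a batch and returns credits it
cannot afford. Example written for this page, not RBI or any bank's software;
bank names, accounts and the queue policy are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

RTGS_MINIMUM = 200_000          # Rs. 2 lakh RTGS floor, as stated on the page
NEFT_WALKIN_CASH_CAP = 50_000   # walk-in cash cap, as stated on the page
NEFT_RETURN_WINDOW = timedelta(hours=2)   # return deadline after batch completion


@dataclass
class Instruction:
    ref: str                 # unique reference quoted to the remitter for tracking
    payer_bank: str
    payee_bank: str
    beneficiary: str         # beneficiary account at the payee bank
    amount: int
    walk_in: bool = False    # cash remitter with no account at the originating branch
    status: str = "pending"
    return_deadline: Optional[datetime] = None


class RTGS:
    """Gross settlement: one instruction at a time, final once settled; a queue
    holds instructions waiting on outgoing funds availability."""
    def __init__(self, balances: Dict[str, int]):
        self.balances = dict(balances)       # settlement account per bank (assumed)
        self.queue: List[Instruction] = []

    def submit(self, ins: Instruction) -> str:
        if ins.amount < RTGS_MINIMUM:
            ins.status = "rejected: below RTGS minimum"
            return ins.status
        self.queue.append(ins)
        self._settle_queue()
        return ins.status

    def _settle_queue(self) -> None:
        # Re-scan until a pass settles nothing: an incoming credit can free funds queued earlier.
        progressed = True
        while progressed:
            progressed = False
            for ins in list(self.queue):
                if self.balances[ins.payer_bank] >= ins.amount:
                    self.balances[ins.payer_bank] -= ins.amount   # debit payer's bank
                    self.balances[ins.payee_bank] += ins.amount   # credit payee's bank
                    ins.status = "settled (final)"
                    self.queue.remove(ins)
                    progressed = True
                else:
                    ins.status = "queued: insufficient funds"


class NEFT:
    """Batched transfer: the batch is processed together and failed credits are
    returned to the originating branch within two hours of batch completion."""
    def __init__(self, valid_accounts: Set[str]):
        self.valid_accounts = valid_accounts
        self.batch: List[Instruction] = []

    def originate(self, ins: Instruction) -> str:
        if ins.walk_in and ins.amount > NEFT_WALKIN_CASH_CAP:
            ins.status = "rejected: walk-in cash above cap"
        else:
            ins.status = "accepted into batch"
            self.batch.append(ins)
        return ins.status

    def process_batch(self, completed_at: datetime) -> None:
        for ins in self.batch:
            if ins.beneficiary in self.valid_accounts:
                # the originating bank would now advise the remitter of the date and time
                ins.status = f"credited {completed_at:%Y-%m-%d %H:%M}"
            else:
                # destination bank must return within the window; walk-in remitters
                # are refunded using the contact details taken at origination
                ins.status = "returned: credit could not be afforded"
                ins.return_deadline = completed_at + NEFT_RETURN_WINDOW
        self.batch = []


def demo() -> Dict[str, object]:
    """Runs constructed sample instructions through both systems and reports outcomes."""
    rtgs = RTGS({"BANK_A": 500_000, "BANK_B": 100_000})
    big = Instruction("R1", "BANK_B", "BANK_A", "ACC-OK", 300_000)     # B short: queued
    top_up = Instruction("R2", "BANK_A", "BANK_B", "ACC-OK", 250_000)  # credit to B frees R1
    small = Instruction("R3", "BANK_A", "BANK_B", "ACC-OK", 50_000)    # below the RTGS floor
    for ins in (big, top_up, small):
        rtgs.submit(ins)
    neft = NEFT({"ACC-OK"})
    n1 = Instruction("N1", "BANK_A", "BANK_B", "ACC-OK", 20_000, walk_in=True)
    n2 = Instruction("N2", "BANK_A", "BANK_B", "ACC-BAD", 20_000)      # no such account
    n3 = Instruction("N3", "BANK_A", "BANK_B", "ACC-OK", 80_000, walk_in=True)  # over cap
    for ins in (n1, n2, n3):
        neft.originate(ins)
    neft.process_batch(datetime(2024, 1, 15, 10, 30))
    return {"R1": big.status, "R2": top_up.status, "R3": small.status,
            "balances": rtgs.balances, "N1": n1.status, "N2": n2.status,
            "N3": n3.status, "N2_deadline": n2.return_deadline.isoformat()}
```

Note that R1 is queued when first submitted and settles only after R2 credits BANK_B, which is the behaviour of the outgoing-funds queue the text describes.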

LEGAL REGIME OF ELECTRONIC BANKING IN INDIA

Legal issues relating to electronic transaction processing at banks are very many and the need to
address them by amending some of the existing Acts and by promoting legislation in a few
hitherto unexpected areas has assumed critical urgency. Necessary legislative support is
essential to protect the interests as much of the customers as of the banks and their branches in
several areas relating to electronic banking and payment systems. This is specially required to
establish the credibility of ECS and EFT schemes based on the electronic message transfer.
It was noticed by the Working Group on Internet Banking that the banks providing internet
banking service, and customers availing the same, were entering into agreements defining
respective rights and liabilities in respect of internet banking transactions. While discussing
the legal risks, it is also essential to address risks arising out of non-compliance with the
statutory requirements which also involve reputational risks. Legal risks arise out of ambiguities
in the statutes also. In order to understand these risks, it is important to first study the legal
framework of electronic banking in India.

1. Experiences drawn from Judicial Pronouncements

In Umashankar Sivasubramaniam v. ICICI Bank, before the Adjudicating Authority under the
Information Technology Act in Chennai, the complainant alleged that his account was
wrongfully debited due to negligence on the part of the bank. ICICI contended that the case
related to phishing and that the blame for negligence lay with the customer, who would need to
file an FIR. The bank also raised the objection that the matter could not be brought under the
purview of the IT Act, 2000. The Adjudicating Authority found ICICI Bank guilty of the offences
under Section 85 read with relevant clauses of Section 43A of the IT Act, 2000 and
directed the bank to pay a sum of Rs. 12,85,000. ICICI Bank has obtained a stay on the
judgment in an appeal filed by it before the Cyber Appellate Authority.

Avnish Bajaj v. State,6 decided by the Delhi High Court, discussed the criminal liability of a
network service provider, Baazee.com, for third party data or information made available on its
site. The court held that on a conjoint reading of Sections 67 and 85 of the IT Act, 2000, it
may be concluded that, on the basis of the principle of deemed criminal liability, a case may be
made out against any director of a company even though the company may not be arrayed as an
accused, provided the ingredients laid down in the section are satisfied.

In ICICI Bank v. Ashish Agarwal,7 before the State Consumer Forum, Raipur, an appeal was
filed against the order of the District Forum, Raigarh, directing the appellant bank to pay Rs.
49,912.36/-, which was allegedly not withdrawn by the respondent from his account, and also Rs.
5,000/- as compensation for mental agony and Rs. 3,000 as litigation cost on account of
deficiency in service. The State Commission observed that the respondent was negligent in
giving information regarding the password to a third person and hence the bank was not liable
for deficiency of service.

The Reserve Bank will consider factors like the need for the proposed payment system, the
technical standards and design of proposed system, the security procedures and terms and
conditions of operation of the proposed system, the procedure for netting of payment
instructions, risk management processes, financial status of the applicant, experience of
management and integrity of applicant, consumer interests, monetary and credit policies and
other relevant factors while deciding on an application for authorization for commencing or
operating a payment system. The Reserve Bank will endeavor to dispose of all applications
received for authorization within six months from the date of their receipt. The Reserve Bank
can refuse to grant authorization under the PSS Act, 2007. However, the Reserve Bank has
to give a written notice to such an applicant giving the reasons for refusal and also a
reasonable opportunity of being heard.

The Reserve Bank is empowered to revoke the authorization granted by it if the system
provider contravenes any provisions of the Act or Regulations, fails to comply with its
orders/directions or violates the terms and conditions under which the authorization was
granted to it.

6 150 (2008) DLT 769
7 CC No. 514 of 2010.

The aggrieved applicant or aggrieved system provider can appeal to the Central
Government within 30 days from the date on which the order of refusal or revocation is
conveyed to him. The Reserve Bank is empowered to prescribe the format of payment
instructions, size and shape of instructions, timings to be maintained by payment systems,
manner of funds transfer criteria for membership including continuation, termination and
rejection of membership, terms and conditions for participation in the payment system, etc.
The Reserve Bank is empowered to call for from the system provider returns, documents
and other information relating to the operation of the payment system. The system provider
and all system participants are required to provide Reserve Bank access to any information
relating to the operation of the payment system. The Reserve Bank, in order to ensure
compliance of the provisions of the PSS Act and the Regulations made thereunder, can
depute an officer authorized by it to enter any premises where a payment system is being
operated, inspect any equipment, including any computer system or document, and call upon
any employee of the system provider or participant to provide any document or information as
required by it.

This Act also legally recognizes the loss allocation among system participants and
payment system, where the rules provide for this mechanism. It lays down the duties of the
system provider. The system provider is required to operate the payment system in accordance
with the provisions of the Act and the Regulations, the terms and conditions of authorization
and the directions given by the Reserve Bank from time to time. The system provider is also
required to act in accordance with the contract governing the relationship among the
system participants and the rules and regulations which deal with the operation of the
payment system.

The Act requires the system provider to disclose the terms and conditions including the
charges, limitations of liability etc., under the payment system to the system participants. The
Act also requires the system provider to provide copies of all the rules and regulations
governing the operation of the payment system and other relevant documents to the system
participants. The system provider is required to keep the documents and its contents,
provided to it by the system participants, as confidential and is prohibited from disclosing
the same, except in accordance with the provisions of law.
MAJOR ISSUES: SECURITY AND PRIVACY

There are a plethora of risks and issues which are associated with EFT which in other
words has proved to be disadvantages of electronic banking. Few of those issues have already
been mentioned in the second chapter which lacunae in the provisions of IT Act, 2000 and NI
Act. However, for the purpose of this paper, the major issues which I intend to cover in detail
are the issues of security and privacy.

Security

Security refers to the protection of the integrity of EFT systems and their information from
illegal or unauthorized access and use. Security risk arises on account of unauthorized
access to a bank's critical information stores like the accounting system, risk management
system, portfolio management system, etc.[8] For instance, hackers operating through the
internet can access, retrieve and use confidential customer information and can also implant
viruses. As the use of EFT systems becomes widespread and common among banks, the growing
connectivity between information systems, the Internet and other infrastructure creates
opportunities for attacks on such systems. Funds can be removed in currency instantly
without review of individual transactions by officials. EFT crime is often difficult to detect
because funds or data can be removed or manipulated by instructions hidden in complex
computer software, and it often happens that the dynamics of the criminal action are understood
only by a few experts within the banking institution.

It is therefore important to ensure that any disruptions of critical information systems are
prevented and managed effectively and efficiently to minimize their impact. The security team
for important projects must be top notch and the security solutions must be effective ones.
Security is widely recognized as a quintessential factor which comes to the fore in times of
disaster. Security controls need special attention due to the open nature of the internet and the
pace of technological change. A high degree of security is especially important to the
future development and use of EFT as it is a relatively new technology which is
challenging much older and well-established traditional payment systems. It is difficult at
present to assess the level of EFT security violations because of underreporting of EFT crime,
paucity of information about EFT security, and a lack of informed public discussion,
although considerable public concern is voiced.

[8] "Selected Electronic Funds Transfer Issues: Privacy, Security, and Equity", Background Paper
(March 1982) at 45, available at: http://www.fas.org/ota/reports/8223.pdf (accessed on Nov. 23, 2012)

Payment systems and financial institutions must be able to guarantee, at least to some
reasonable degree, the safety of the assets entrusted to them. They must be able to protect both
funds and data against theft, loss, and misuse. Users must be assured that transactions will be
carried out according to their instructions. The adequacy of EFT security systems is important
not only because customers are entitled to protection of their accounts and to the
confidentiality of the information they provide, but also because an unacceptable number
of security failures is likely to undermine public confidence in banks and financial
institutions, thereby weakening the economy of the country and eventually national
security; the RBI has been taking note of this. In whatever form money may exist, it becomes
an object of greed and a target for criminal activity. The availability of ATMs and point-of-
sale (POS) terminals enables customers to carry less cash in their pockets. Automatic
deposit of payrolls and social security checks would reduce the volume of thefts from
mailboxes. Merchants will suffer fewer losses from bad checks and credit card fraud.

There are EFT procedures through which customer involvement with the system is
facilitated and funds are quickly removed, often without another human having overseen
the process. EFT systems involve many third parties in encoding, transmitting, or storing data,
thereby providing many vulnerable points where security could be breached. The data
needed for EFT systems are easily aggregated and accessed, therefore creating a value in
addition to the value of the existing funds. This also adds a dimension of security concern
in relation to EFT systems. EFT technologies can lose data through failure of hardware
components, communication links, or deterioration of storage media. Where there is no backup
documentation, such data loss can seriously compromise the EFT system.

Bank ATMs have been rigged to steal both the ATM card number and the PIN. The criminal team
sits nearby in a car, receiving the information transmitted wirelessly from equipment they
install on the front of the ATM. The equipment, called a skimmer, is mounted over the
normal ATM card slot; it reads the ATM card number and transmits it to the criminals
sitting in the car. At the same time, a wireless camera disguised to look like a leaflet
holder is mounted in a position to view ATM PIN entries. The thieves copy the cards
and use the PIN numbers to withdraw money from many accounts in a short time directly
from the bank's ATM. Unmanned ATMs without security guards are vulnerable to such
attacks.

In the banking sector, the most common form of phishing has been by email pretending to be
from a bank, in which the sender asks you to confirm your personal information for reasons like
upgrading of the server, etc. The email contains a link to a fake website which is a lookalike, or in
other words a 'HUMSHAKAL', of the genuine site. The customers, believing that the link sent
is from the bank, enter the information asked for and send it into the hands of
identity thieves. In India, there have been phishing attempts targeting ICICI Bank, UTI Bank,
HDFC Bank, SBI, etc. in which the modus operandi was similar. Apart from the general
banking scams, some of the recent phishing attacks which took place in India have been the RBI
phishing scam, the IT Department phishing scam, the World Cup 2011 scam and the Google scam.
Although the IT Act, 2000 does not define phishing, the provisions contained in Sections
66, 66A, 66B and 66D are applicable to phishing activities.
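
The lookalike-site check implied by the paragraph above, as an added Python example that is not part of the original paper: it takes the links found in an e-mail body and reports whether each points at the bank's genuine domain, at a lookalike of it, or at something unrelated. The brand name, the genuine domain 'examplebank.in', the sample e-mail and the two-label registered-domain rule are assumptions made for the example.

```python
"""Classify links in a bank-themed e-mail as genuine, lookalike or unrelated.

Added example for this paper, not code from any bank or regulator. The brand,
the domain 'examplebank.in' and the sample e-mail are constructed assumptions.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

BRAND = "examplebank"                  # constructed brand name
GENUINE_REGISTERED = "examplebank.in"  # constructed genuine registered domain

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming table)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Keep the last two labels: 'secure.examplebank.in' -> 'examplebank.in'.

    Assumption: two labels suffice for the .in/.com hosts in this example; a
    production check would consult the public suffix list instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Return 'genuine', 'lookalike' or 'unrelated' for one link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # 'http://www.examplebank.in@203.0.113.5/': the bank name sits in the
    # userinfo part, and the browser actually connects to the host after '@'.
    if parts.username is not None:
        return "lookalike" if BRAND in parts.netloc.lower() else "unrelated"
    reg = registered_domain(host)
    if reg == GENUINE_REGISTERED:
        return "genuine"
    # Brand used as a subdomain or label under some other registered domain.
    if BRAND in host:
        return "lookalike"
    # Near-miss spellings of the brand ('examp1ebank', 'exarnplebank').
    if levenshtein(reg.split(".")[0], BRAND) <= 2:
        return "lookalike"
    return "unrelated"


def scan_email(body: str) -> List[Tuple[str, str]]:
    """Extract every http(s) link in an e-mail body and classify it."""
    return [(url, classify_link(url)) for url in URL_RE.findall(body)]


# Constructed phishing e-mail of the kind described above.
SAMPLE_EMAIL = """Dear customer, our server is being upgraded.
Please confirm your details at http://examplebank.in.verify-account.com/login
or visit https://www.examplebank.in/help if you have questions."""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}")
```

The ordering of the checks matters: the genuine test runs on the registered domain, not the full host, so a real subdomain of the bank is not flagged, while the brand appearing anywhere under a different registered domain is.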

Availability is another important component in maintaining a high level of public
confidence in a network environment. Users of a network expect systems to be available 24 hours
a day, 7 days a week. Moreover, to ensure security in EFT, the establishment of trust among parties
is essential. This can be established through a trusted third party designated as a Certification
Authority. Digital certificates may play an important role in authenticating parties and,
therefore, in establishing trust in EFT systems. A major area of concern in electronic
banking is the timely detection of security breaches and the incident response mechanism needed to
perform the necessary damage control exercise. Follow-up and exception reporting of logs like the
audit log, system log, user log, etc. thus become important tasks.
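
The ATM skimming pattern described earlier (many accounts cashed out at one machine within minutes) and the exception reporting of logs mentioned in the paragraph above, illustrated by an added Python example that is not from the paper or from any bank: it parses constructed ATM audit-log lines and raises one alert per ATM at which at least five distinct accounts make successful withdrawals within a ten-minute window. The log format, the machine ids, the masked account numbers and the thresholds are all assumptions made for the example.

```python
"""Exception report over ATM audit-log lines: flag an ATM at which many
different accounts withdraw cash within a short window.

Added example for this paper, not a bank's own monitoring code. The log
format, machine ids, masked account numbers and thresholds are constructed
assumptions; real ATM switches log in their own formats.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) atm=(?P<atm>\S+) acct=(?P<acct>\S+) op=(?P<op>\S+) "
    r"amount=(?P<amount>\d+) result=(?P<result>\S+)$"
)

# Constructed sample log: five different accounts cash out at VZ-017 within
# about five minutes at 1 a.m.; VZ-002 shows ordinary daytime use.
SAMPLE_LOG = """\
2012-11-23T01:02:10 atm=VZ-017 acct=****1111 op=WITHDRAW amount=10000 result=OK
2012-11-23T01:03:40 atm=VZ-017 acct=****2222 op=WITHDRAW amount=10000 result=OK
2012-11-23T01:04:55 atm=VZ-017 acct=****3333 op=WITHDRAW amount=9500 result=OK
2012-11-23T01:05:30 atm=VZ-017 acct=****3333 op=WITHDRAW amount=500 result=DECLINED
2012-11-23T01:06:12 atm=VZ-017 acct=****4444 op=WITHDRAW amount=10000 result=OK
2012-11-23T01:07:30 atm=VZ-017 acct=****5555 op=WITHDRAW amount=10000 result=OK
2012-11-23T09:15:00 atm=VZ-002 acct=****6666 op=WITHDRAW amount=2000 result=OK
2012-11-23T09:16:20 atm=VZ-002 acct=****6666 op=BALANCE amount=0 result=OK
2012-11-23T09:40:00 atm=VZ-002 acct=****7777 op=WITHDRAW amount=500 result=OK
this line is garbage and must not crash the report
"""

Event = dict
Alert = Tuple[str, datetime, datetime, List[str]]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format into dicts, oldest event first."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed lines are skipped rather than aborting the run
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["amount"] = int(e["amount"])
        events.append(e)
    return sorted(events, key=lambda ev: ev["ts"])


def withdrawal_bursts(events: List[Event], window_minutes: int = 10,
                      min_accounts: int = 5) -> List[Alert]:
    """Sliding window per ATM over successful withdrawals.

    An alert (atm, first_ts, last_ts, accounts) is raised when at least
    min_accounts distinct accounts withdraw at one machine within the window;
    the window is then reset so that one burst yields one alert.
    """
    window = timedelta(minutes=window_minutes)
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Alert] = []
    for e in events:
        if e["op"] != "WITHDRAW" or e["result"] != "OK":
            continue
        q = recent[e["atm"]]
        q.append((e["ts"], e["acct"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        accounts = sorted({acct for _, acct in q})
        if len(accounts) >= min_accounts:
            alerts.append((e["atm"], q[0][0], e["ts"], accounts))
            q.clear()
    return alerts


def exception_report(text: str) -> List[str]:
    """One human-readable line per alert, for the follow-up queue."""
    return [
        f"{atm}: {len(accts)} accounts withdrew between "
        f"{first.isoformat()} and {last.isoformat()}: {', '.join(accts)}"
        for atm, first, last, accts in withdrawal_bursts(parse_log(text))
    ]


if __name__ == "__main__":
    for line in exception_report(SAMPLE_LOG):
        print(line)
```

The thresholds are deliberately parameters: a busy branch ATM at midday will legitimately see five accounts in ten minutes, so a real deployment tunes the window and count per machine and per time of day, and treats the alert as a lead for follow-up rather than proof of skimming.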

While it is, indeed, the responsibility of the Board of Directors to ensure that appropriate
security control processes are in place for EFT, it also needs to be understood that the
substance of these processes needs special management attention because of the enhanced
security challenges posed by E-Banking. In a nutshell, controlling access to banks' systems
has become more complex in the online environment, in which attempts at unauthorized access
can emanate from anywhere in the world; it is therefore necessary that banks
critically assess all inter-related systems and devise access control measures to counter such
unauthorized access.

Privacy

The protection of data finds its roots in the individual's right to privacy doctrine. The right to
privacy is explicitly contained in, or has been inferentially found to exist in, the
constitutions of most developed nations, and the jurisprudential parameters of privacy rights
have been explored in various forums. However, the specific privacy issue related to the protection of
personal data became an issue of growing concern with the advent of computerized
systems which could store and disseminate large amounts of information with relative ease via
automated processes. Although the Indian Constitution does not define privacy, a plethora
of Supreme Court decisions have affirmed that the right to privacy is a right concomitant to the
right to life and liberty enumerated in Article 21 of the Constitution.

In terms of information and record keeping, privacy appears to mean the ability to keep certain
personal information guarded from other people or to restrict its use, except when a person
freely chooses to permit its disclosure or use. In modern society, it is difficult to keep all
personal information absolutely confidential. In practice, individuals generally seek to restrict
some kinds of personal information to those who have a legally defined or socially sanctioned
need to know, or to those who can provide some benefit or service in return. Information may
expose one to censure or punishment; it may threaten one's reputation, social status, or self-
esteem; it may give others some advantage or power over oneself, or lessen one's advantage
over others in competitive situations. Information concerning income, debts, or financial
transactions may in some situations do all of these things. This is one of the reasons why
people are particularly sensitive to privacy when it comes to payment systems.

Generally, people accept limitations on their privacy not because they have no choice, but
because they recognize that they would derive substantial benefits by providing the
information required of them. For example, the increased acceptability of one's checks and the
ability to obtain credit are benefits that depend on willingness to provide personal and
financial information. The aggregation of data about many individuals provides other
indirect benefits. Such data are useful for the efficient distribution of goods and services and
the management of inventories. Usually, anonymity for individuals can be assured when
data are aggregated. However, when data are collected under the expectation that they
will be aggregated and are then used on a disaggregated basis, this may be considered a
violation of privacy. In payment systems, privacy is violated when data are, without the
individual's consent, made available to and used by those not a party to the transaction,
for purposes other than those necessary to accomplish the transaction. Those other purposes
could range from organized marketing campaigns to Government surveillance to blackmail. If a
person has not consented to the disclosure and use of information for a given purpose, personal
privacy is considered to have been violated even if the same information was willingly
provided by that person, either to another party or to the same party for a different
purpose.

Just as the use of financial data for authorizing the acceptance of payments and the
extension of credit is advantageous to the customer, the denial of such services because of
erroneous or incomplete data represents a significant disadvantage. Thus, customers
need to know what information is recorded about them and how they can correct
inaccuracies. In many ways EFT can enhance the privacy of financial transactions: an ATM
transaction is clearly more impersonal and anonymous than one conducted through a
human teller.

The privacy concern is greater with EFT than with traditional banking systems due to the
following reasons:

a) EFT makes it easy to collect, organize, store and access larger amounts of data.
More data are machine-readable and machine-processable, making them easier to
manipulate and aggregate.

b) EFT requires less time to record and to extract data; thereby making it possible to
know the physical location of an individual as soon as he or she uses an ATM, or
to know details of a transaction as soon as it is completed.

c) EFT systems use keys such as account numbers, driver’s license numbers, or
social security numbers that might make it possible to find and integrate various
sources of information about the individual.

d) The inner workings of EFT systems are invisible to customers who have no way of
knowing what information they contain, who is using it, and for what purposes.

e) Individual data can be organized and analyzed from multiple perspectives to
obtain the maximum amount of intelligence.

India at present does not have a specific data protection law. The Personal Data Protection Bill,
2006 was introduced in the Rajya Sabha to provide for the protection of personal data and information
of individuals collected for a particular purpose. The Bill has not been passed. Data
protection and privacy provisions are scattered and sparse in coverage in the existing
legislation. The existing data protection provisions are strewn across laws pertaining to information
technology, intellectual property, crimes, and contractual relations. Under increasing pressure
from BPO operations and call centres in India that handle large volumes of data from the
United States and Europe, the Indian government contemplated the passage of a
comprehensive law protecting data. However, despite the urgency of the matter and pressure from
internal and external fronts, the enactment of data protection legislation kept getting
delayed.

Safeguards for protecting the security of systems are aimed at preventing the misuse,
destruction, modification, or disclosure of data, and the theft of funds, as a result of attacks on the
integrity of a system, i.e. violations of customer privacy which are not initiated by the
system's designers, owners, managers, or operators.

Among these, the most prominent has been the IT Act, 2000, which specifically pertains to the
use of electronic data. Section 43A deals with compensation for failure to
protect data. Section 43(b) of the Act affords cursory safeguards against breaches of data
protection. Its scope is limited to the unauthorized downloading, copying or extraction of
data from a computer system and unauthorized access to and theft of data from computer
systems. Section 43(b) fails to meet the breadth and depth of protection that the EU Directive
mandates. It makes little effort to ensure that internet service providers or network service
providers, as well as entities handling data, are responsible for its safe distribution or
processing. Furthermore, the liability of entities is diluted in Section 79 of the Act, which
inserts "knowledge" and "best efforts" qualifiers prior to assessing penalties: a network
service provider or intermediary is not liable for the breach of any third-party data made
available by him if he proves that the offence or contravention was committed without his
knowledge, or that he had exercised all due diligence to prevent the commission of such
offence or contravention. Similarly, while Section 85 of the Act does invoke entity liability,
such liability is limited to the specified illegal acts under the IT Act, 2000, which does not
offer broad protection of data.

The Indian system of data protection, therefore, can at best be described as a
spider's web: many protections are offered through various sources and the web traps some
violations, but gaps and holes remain through which others slide. Even though the
Amendment Act of 2008 has strengthened the IT law in India by inserting more penal
provisions, it is not adequate to lend enough protection and confidentiality to data.
The banking sector is one of the sectors most affected by this lack of privacy in EFT
systems.

SUGGESTIVE MEASURES

1. All banks which are using EFT systems, and those which are moving towards a high level
of computerization, must formulate a security policy stating the objectives and system
controls which could be devised and implemented to protect the integrity of important
information and data. These controls have to be backed by regular monitoring, surveillance
and auditing in order to maintain a high level of security.

2. Security infrastructure should be properly tested prior to using the systems and
applications for regular operations. The banks should keep upgrading the systems to the
latest versions, which would ensure better security and control.

3. Risk Management Cells should be established in the banks, particularly those which are
resorting to EFT systems for making and receiving payments. There are various types of
risks associated with E-Banking. Keeping in mind this plethora of risks, it is essential
that the risk management system established in the banks is strong and efficient and that
the personnel employed in the risk management cells are educated and trained in handling
computer systems.

4. Internationally, bank supervisors should strive towards developing a comprehensive
approach towards managing risk associated with both internal and external security
exposures.

5. Security control procedures in banks should be modified and simplified, which is quite
essential for keeping pace with rapid technological change.

6. Authentication tools of biometric technology such as fingerprint recognition, face
recognition, iris recognition, voice recognition and finger or hand scan should be put to
use more frequently. This kind of technology is highly beneficial as it is ideal for the
rural masses which form the major part of the Indian population; it is accurate and
provides strong authentication, offers mobility and a high level of security.

7. The operating systems on banks' computers should be updated in a timely manner to prevent
viruses and other types of malware, as well as hacking and fraud. Moreover, the latest
versions of licensed software should be installed on the computerized systems so that
internal as well as external security threats are kept in check.

8. From the customer's point of view, it is important that the banks resort to a cheque
truncation system, as it would minimize the arrears and delays caused by the couriering of
cheques. This would also cut down the time span of cheque realization and the cost incurred
in the physical transportation of cheques.

9. Banks should develop outsourcing guidelines to manage effectively the risks arising out
of third-party service providers, such as the risks of disruption in service, defective
service, and service personnel gaining intimate knowledge of banks' systems and misusing
the same.

10. With the growing popularity of e-commerce, it has become essential to set up
inter-bank payment gateways for the settlement of EFT transactions. Inter-bank payment
gateways should have capabilities for both gross and net settlement, so that they fit
into the scheme of things of both the RTGS and NEFT systems.
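
Gross versus net settlement, as mentioned in measure 10, shown in an added Python example that is not from the paper, the RBI or any payment gateway: it settles a constructed batch of inter-bank transfers both ways and shows how multilateral netting reduces the liquidity that must actually move while leaving each bank's net obligation unchanged. The bank names and amounts are constructed for the example.

```python
"""Gross versus net settlement of a batch of inter-bank transfers.

Added example for this paper, not code from the RBI or any payment gateway.
The three banks and the amounts are constructed. Under gross settlement (the
RTGS model) every transfer moves funds on its own; under net settlement (the
NEFT model) obligations are first offset and only the net positions move.
"""
from collections import defaultdict
from decimal import Decimal
from typing import Dict, List, Tuple

Transfer = Tuple[str, str, Decimal]  # (paying bank, receiving bank, amount in rupees)

# Constructed batch of transfers accumulated during one settlement cycle.
SAMPLE_BATCH: List[Transfer] = [
    ("BANK-A", "BANK-B", Decimal("100")),
    ("BANK-B", "BANK-A", Decimal("40")),
    ("BANK-A", "BANK-C", Decimal("50")),
    ("BANK-C", "BANK-B", Decimal("30")),
    ("BANK-B", "BANK-C", Decimal("20")),
]


def gross_settlement_value(batch: List[Transfer]) -> Decimal:
    """Gross settlement: each transfer is settled individually, so the
    liquidity that must actually change hands is the sum of all transfers."""
    return sum((amt for _, _, amt in batch), Decimal(0))


def multilateral_net_positions(batch: List[Transfer]) -> Dict[str, Decimal]:
    """Each bank's position against the system as a whole.

    Negative means net payer, positive means net receiver. Because every
    rupee paid by one bank is received by another, the positions sum to zero.
    """
    pos: Dict[str, Decimal] = defaultdict(lambda: Decimal(0))
    for payer, payee, amt in batch:
        pos[payer] -= amt
        pos[payee] += amt
    return dict(pos)


def net_settlement_value(batch: List[Transfer]) -> Decimal:
    """Liquidity that moves under multilateral netting: the sum of net debits."""
    positions = multilateral_net_positions(batch)
    return sum((-p for p in positions.values() if p < 0), Decimal(0))


def bilateral_net(batch: List[Transfer]) -> Dict[Tuple[str, str], Decimal]:
    """Net each pair of banks against each other only, leaving one obligation
    per pair keyed (debtor, creditor)."""
    pair: Dict[Tuple[str, str], Decimal] = defaultdict(lambda: Decimal(0))
    for payer, payee, amt in batch:
        key = (payer, payee) if payer < payee else (payee, payer)
        pair[key] += amt if key[0] == payer else -amt
    result: Dict[Tuple[str, str], Decimal] = {}
    for (x, y), v in pair.items():
        if v > 0:
            result[(x, y)] = v
        elif v < 0:
            result[(y, x)] = -v
    return result


if __name__ == "__main__":
    print("gross value settled:", gross_settlement_value(SAMPLE_BATCH))
    print("multilateral positions:", multilateral_net_positions(SAMPLE_BATCH))
    print("net value settled:", net_settlement_value(SAMPLE_BATCH))
    print("bilateral obligations:", bilateral_net(SAMPLE_BATCH))
```

For this batch the gross figure (240) is what an RTGS-style system needs to move during the cycle, the bilateral figure (120) lies in between, and the multilateral figure (110) is all that a deferred-net system moves. The trade-off is settlement risk: under netting the net debtors must fund their positions at one moment, so a single debtor failing puts the whole batch at risk, which is why net systems are backed by collateral or guarantee arrangements while gross systems pay for their safety with liquidity.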

CONCLUSION

Needless to say, the banks must keep pace with appropriate technology if they are to ensure
better customer service. The role of EFT systems, as introduced by the RBI, has been remarkable
in the banking industry. The two prominent payment systems, i.e. RTGS and NEFT, are
part and parcel of the Indian banking system and to an extent have been successful in reducing the
risks associated with E-Banking, particularly in connection with payment and data protection.
However, the issues of security and privacy are still looming large, and EFT systems still have a
long way to go before they become foolproof modes of E-Banking. It must also be kept in mind
that an increase in E-Banking transactions does not mean that physical banking should be completely
eliminated. Physical banking is still vital to the growth of the banking sector in India and cannot
be done away with, particularly from the point of view of the banker-customer relationship. Not
only are there a number of legal aspects connected with this relationship, but it is of vital importance
that the relationship remains a healthy one, for which some part of traditional banking has to be
retained.

BIBLIOGRAPHY

1) Dr. S. Gurusamy, Banking Theory: Law and Practice (Tata McGraw Hill Education
Private Limited, New Delhi, 2nd edition, 2010)
2) R. K. Uppal and N. K. Jha, Online Banking in India (Anmol Publications Pvt. Ltd.,
New Delhi, 1st edition, 2008)

ARTICLES & REPORTS

1) "Full Throttle RTGS by July 1, daily deals now at Rs. 44k cr.", Economic Times (May
21, 2005)
2) Leena Kakkar, "Economics of ATM", in E-banking in India: Challenges
and Opportunities (New Century Publications, New Delhi, 1st edition, 2007)
3) R. K. Mittal and Sanjay Dhingra, "Technology in Banking Sector: Issues and
Challenges", Vinimaya, Vol. 27, 14 (2006-07)
4) Vinita Bali, "Data Privacy, Data Piracy: Can India Provide Adequate Protection for
Electronically Transferred Data?", 21 Temp. Int'l & Comp. L.J. 103 (2007)
