DAMODARAM SANJIVAYYA NATIONAL LAW UNIVERSITY

SABBAVARAM, VISAKHAPATNAM, A.P., INDIA

PROJECT TITLE:
IT FAILURES IN BANKING

SUBJECT: BANKING & NEGOTIABLE INSTRUMENTS

NAME OF THE FACULTY: Pr0f. P. Bayola Kiran

NAME OF THE CANDIDATE - POLAM KRISHNA CHAITHANYA

REDDY

ROLL NUMBER - 2017064

SEMESTER - VI
 ACKNOWLEDGEMENT

I w0uld like t0 express my special thanks 0f gratitude t0 my teacher Pr0fess0r P. Bayola

Kiran wh0 gave me the g0lden 0pp0rtunity t0 d0 pr0ject 0f “IT FAILURES IN BANKING”
which c0vers different aspects 0f which als0 helped me in d0ing a l0t 0f research and field
w0rk and I came t0 kn0w ab0ut s0 many new things I am really thankful t0 sir.
 IT FAILURES IN BANKING
ABSTRACT

Banking isn’t the only sector which encounters major IT outages observed so publicly
in the media. In recent years, we have seen the instances of Facebook privacy breach or even
Google Plus struggling with technology and/or security issues that are widely publicised.
Banks shouldn’t be singled out by any means, larger companies across the board encounter
issues when trying to modernize, but banks are the ones looking after everyone’s money,
meaning they must be held to higher standards on resiliency than others.
Looking at the route of the problem one will find a technical debt, this is where
inefficient systems and infrastructure issues buildup over a period of years. Systems are
created by features being added rather than replaced, and what you end up with is payment
systems that might be decades old. These long outdated and ill-equipped systems are unable
to work in the age of Open Banking, this instance is similar to the Government of India’s
technology base which is ancient, user interface is not user friendly and all other problems
with security being at the top of vulnerable to threat list as the security measures are often
outdated in many Government websites in India.
Since April 2018, the Financial Conduct Authority in U.K has required UK banks to
publicly disclose major operational or security problems and how they are responding to
them, designed to ensure that customers are better informed. Through analysing the latest
reports from 30 banks and building societies, it identified 302 incidents affecting customer
transactions in the last nine months of 2018, suggesting that problems with payment
processing are very common. According to The Guardian, six of the UK’s biggest banks had
at least one failure every two weeks, with the Treasury select committee recently launching
an inquiry into such banking failures.
This topic will be in relation to the
1.Information Technology Act 2000
2. Payments and Settlements Act 2007
3. Banker's book Evidence Act 1891
and other sources
The topic deals with security measures that banks undertake to protect the customers
and penalities for the IT offences done by the Banks and others.
 Another major problem is bank frauds where there are two types which are done by
incompetence of the banks to maintain security on their IT desk, and the others which are
done bypassing the adequate/up-to-date/required security opted by the bank.
In the first one there will be negligence of the bank and will be liable, whereas in the
second there is no fault of the bank and the perpetrator will be liable solely for his acts.
Reserve Bank of India has provided, through numerous circulars containing
guidelines for Bank Fraud Classifications and Reporting, to furnish uniform reporting and to
prevent duplicate reporting of the same cases by two or more involved branches.
 CHAPTERISATION

1. INTRODUCTION
2. BASIC STANDARDS PRESCRIBED BY COMPETENT AUTHORITY
3. PUNISHMENTS AND PENALTIES
4. BANK FRAUD CLASIFICATION
5. PREVENTION OF IT BREACH IN BANKS
(SAFEGUARDS)
6. E-BANKING OPERATIONAL ISSUES
7. INVESTIGATION PROCEDURE
8. CONCLUSION
9. BIBLIOGRAPHY
 INTRODUCTION

Corporate Governance constitutes the accountability framework of a bank. IT

Governance is an integral part of it. It involves leadership support, organizational structure
and processes to ensure that a bank’s IT sustains and extends business strategies and
objectives. Effective IT Governance is the responsibility of the Board of Directors and
Executive Management.
Access to reliable information has become an indispensable component of conducting
business, indeed, in a growing number of banks, information is business.
Today, almost every commercial bank branch is at some stage of technology
adoption: core banking solution (CBS), or alternate delivery channels such as internet
banking, mobile banking, phone banking and ATMs
Bank frauds occur in all departments of banking business. They can be classified
accordingly. The classification permits better understanding of the problem. In the
classification, the mode of commissions, detections, investigation and prevention are so
different that it is best to study and handle them separately. The three classes are:

1. Traditional or Classical Frauds. They mostly involve manipulations of documents

and materials, etc. It shall be logical to consider their huge variety individually. It has
been done in Pt I of the book.

2. E-Banking Frauds. They are also known as Online Banking Frauds, Internet
Banking Frauds, Computer-Related Banking Frauds, Mobile Banking Frauds,
etc.

3. Amount-involved-wise Classification. RBI has also introduced classification of

Bank frauds on the basis of the amount involved in the frauds. It is convenient for
reporting and record.

The various chapters in the project discuss most of the important aspects of Bank Frauds.
They provide the basic knowledge to all concerned, how they are perpetrated, how they can
be prevented, how they can be detected, who the fraudsters are and how they should be
handled by all those who are concerned with the increasing menace, namely the banker, the
investigator, the prosecutor (or the defence), the judge and above all the victim customer-
who is the real primary sufferer.
 Bank frauds, on the basis of technology, have two major classes - Classical Bank Frauds
and E-banking Frauds. Classical frauds are also known as Traditional Frauds. They mostly
involve manipulations of documents and material property. The huge variety of Traditional
frauds includes:
(a)Cheque frauds of a large variety, including fake formats, stolen cheques, drafts,
Banker’s cheque, altered amounts, substituted beneficiary, etc.
(b)Fake Signatures frauds. They may be by free hand forgery, electronic copy of
signatures or even traced signatures; most of the times it is free-hand forgery.
(c)Spurious Fingerprints frauds and etc.
E-Banking Frauds
E-banking frauds are also known as Online Banking Frauds, Internet Banking Frauds,
Computer–related Bank Frauds, Mobile Banking Frauds. The large variety (and that is
expanding) includes:
(a)Identity Theft frauds,
(b)Credit Cards frauds
(c)ATM frauds
(d)NEFT/EFT Frauds, etc.
(e)Internet E-banking Frauds
(f)Money Laundering
(g)Telemarketing
(h)Phishing
(i)Social Engineering Fraud and etc.
E-banking frauds are becoming a big menace to all concerned as most of the money lost
in frauds is now via E-banking frauds.
 2. BASIC STANDARDS PRESCRIBED BY COMPETENT AUTHORITY

“The term Internet Banking or E-Banking Internet both are used as synonymous. E-
Banking is one of the major parts of E-Financing. E-Banking is web-based banking. In other
words E-Banking refers to the banking operations, which is done over World Wide Web
(www). However, more comprehensive and well-established definition is given by the United
Nations Conference on Trade and Development (UNCTAD). This definition covers almost
all area of E-Banking.”1
Use of Information Technology by banks and their constituents has grown rapidly and
is now an integral part of the operational strategies of banks. The Reserve Bank, had,
provided guidelines on Information Security, Electronic Banking, Technology Risk
Management and
CyberFrauds (G.Gopalakrishna Committee) vide a circularwhich is mentioned below :
Circular DBS.CO.ITC.BC.No.6/31.02.008/2010-11 dated April 29, 2011, wherein it
was indicated that the measures suggested for implementation cannot be static and banks
need to pro-actively create/fine-tune/modify their policies, procedures and technologies based
on new developments and emerging concerns.
Since then, the use of technology by banks has gained further momentum. On the
other hand, the number, frequency and impact of cyber incidents / attacks have increased
manifold in the recent past, more so in the case of financial sector including banks,
underlining the urgent need to put in place a robust cyber security/resilience framework at
banks and to ensure adequate cyber-security preparedness among banks on a continuous
basis. In view of the low barriers to entry, evolving nature, growing scale/velocity,
motivation and resourcefulness of cyber-threats to the banking system, it is essential to
enhance the resilience of the banking system by improving the current defences in addressing
cyber risks. These would include, but not limited to, putting in place an adaptive Incident
Response, Management and Recovery framework to deal with adverse incidents/disruptions,
if and when they occur.
“The Dr. C Rangarajan committee report in the early 1980s was the first step towards
computerization of banks. This phase introduced many products and facilities in the banking
sector as part of its reforms measure. In 1991, under the chairmanship of M. Narasimham, a
committee was set up by his name which worked for the liberalization of banking practices.
Efforts are being put to give a satisfactory service to customers. Phone banking and net
1
INFORMATION ECONOMY REPORT 2007-2008, United Nations Conference on Trade and Development
banking were introduced. The entire system became more convenient and swift. Time is
given more importance than money. Thus online banking/E- banking has arrived to serve
technology savvy customers.”2

“The guidelines are not “one-size-fits-all” and the implementation of these

recommendations need to be risk based and commensurate with the nature and scope of
activities engaged by banks and the technology environment prevalent in the bank and the
support rendered by technology to the business processes.” Banks with extensive leverage of
technology to support business processes would be expected to implement all the stipulations
outlined in the circular. “For example, banks which do not offer transactional facilities in
internet banking would not be required to implement specific measures for transactional
internet banking facility outlined in the guidelines. Further, various instructions in “IT
operations” chapter like detailed configuration management practices may not be necessary
for banks that do not develop or maintain critical applications internally, though such
practices may be expected from the external vendor providing such services.”3
The Group’s report was largely technology neutral except in exceptional
circumstances where a specific technology/methodology may be suggested due to legal
reasons or for enhanced security or for illustrative purpose. It is clarified that except where
legally required, banks may consider any other equivalent/better and robust
technology/methodology based on new developments after carrying out a diligent evaluation
exercise.
In E-banking, the core security areas that must be addressed are confidentiality,
integrity and availability. A key concern is that of privacy. One cannot expect to do business
on the internet without addressing the privacy concerns of customers who do business with
the bank. Security in online banking is typically provided through the use of a user ID and
password. These and other security measures must be installed and must be effective to
prevent not only the breach of privacy, but other security concerns like the alteration of data,
IT fraud, etc.
Cyber Security Policy to be distinct from the broader IT policy / IS Security
Policy of a bank
In order to address the need for the entire bank to contribute to a cyber-safe
environment, the Cyber Security Policy should be distinct and separate from the broader IT
2
RBI through circular DBS.CO/CSITE/BC.11/33.01.001/2015-16
3
Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds-
Implementation of recommendations, DBS.CO.ITC.BC.No. 6/31.02.008/2010-11, RBI/2010-11/494
policy/IS Security policy so that it can highlight the risks from cyber threats and the measures
to address/mitigate these risks.
The size, systems, technological complexity, digital products, stakeholders and threat
perception vary from bank to bank and hence it is important to identify the inherent risks and
the controls in place to adopt appropriate cyber-security framework. “While identifying and
assessing the inherent risks, banks are required to reckon the technologies adopted, alignment
with business and regulatory requirements, connections established, delivery channels, online
/mobile products, technology services, organisational culture and internal & external
threats.”4 Depending on the level of inherent risks, the banks are required to identify their
riskiness as low, moderate, high and very high or adopt any other similar categorisation.
“Riskiness of the business component also may be factored into while assessing the inherent
risks. While evaluating the controls, Board oversight, policies, processes, cyber risk
management architecture including experienced and qualified resources, training and culture,
threat intelligence gathering arrangements, monitoring and analysing the threat intelligence
received vis-à-vis the situation obtaining in banks, information sharing arrangements (among
peer banks, with IDRBT/RBI/CERT-In), preventive, detective and corrective cyber security
controls, vendor management and incident management & response are to be outlined.”5
1. Roles/Responsibilities and Organizational structure for fraud risk management. 6:
“(a) Indian banks follow the RBI guideline of reporting all frauds above 1 crore to their
respective Audit Committee of the Board. Apart from this, banks are also putting up a
detailed annual review of frauds to their Audit Committee of the Board. The Board for
Financial Supervision (BFS) of RBI has observed that in terms of higher governance
standards, the fraud risk management and fraud investigation must be ‘owned’ by the bank’s
CEO, Audit Committee of the Board and the Special Committee of the Board.”7
(b) Special Committee of the Board for monitoring large value fraud
“Banks are required to constitute a special committee for monitoring and follow up of
cases of frauds involving amounts of 1 crore and above exclusively, while the Audit
Committee of the Board (ACB) may continue to monitor all the cases of frauds in general.
Most retail cyber frauds and electronic banking frauds would be of values less than 1 crore
and hence may not attract the necessary attention of the Special Committee of the Board.

4
E-BANKING FRAUDS AND FRAUD RISK MANAGEMENT, Tactful Management Research Journal ISSN: 2319-
7943, Mr. Rupesh. D. Dubey and Dr. Anita Manna
5
Ibid
6
Cyber Security Framework in Banks, DBS.CO/CSITE/BC.11/33.01.001/2015-16, RBI/2015-16/418
7
Ibid
Since these frauds are large in number and have the potential to reach large proportions, it is
imperative that the Special Committee of the Board be briefed separately on this to keep them
aware of the proportions of the fraud, modus operandi and the steps taken by the bank to
mitigate them. The Special Committee should specifically monitor and review the progress of
the mitigating steps taken by the bank in case of electronic frauds and the efficacy of the
same in containing fraud numbers and values at least on a quarterly basis.”8
Under the Payment and Settlements Act 2007, the Reserve Bank is the designated
authority for the regulation and supervision of payment systems under this Act. No person,
other than the Reserve Bank, shall commence or operate a payment system except under and
in accordance with an authorisation issued by the Reserve Bank under the provisions of this
Act.
The Reserve Bank shall have right to access any information relating to the operation
of any payment system and system provider and all the system participants shall provide
access to such information to the Reserve Bank.

OBLIGATION OF BANKS AND THE ONLINE BANKING

There are certain obligations which the banker is supposed to fulfill. They are-
1. Banks have to maintain secrecy of customers account .
This obligation dates back to 1924 where in a case popularly known as
Tourniercase9, in which it was held that banker should not disclose customers financial
position and the nature and the details of his account to anybody, since it may effect his
reputation, credit worthiness and business. Now with the advent of new technology, this
obligation has become a difficult task for there are hackers who can operate others account.
Bankers are not in a position to trace them. They come to know only when the customer
informs them of some irregularity in their transaction. Hence, to meet out this obligation,
banks have to update their technology to the requirement.
2. Banks are also under obligation (public duty), to produce documents to the court
whenever called for.10 In earlier days this was easy as the documents where either in printed
or in written form and readily available with the banks. Banks keep these information’s in
electronic form as it is easier and cheaper to store and retrieve and also ensures speedier
communication/transmission. Information Technology Act, 2000 was drafted to facilitate

8
ibid
9
Tournier v. National Provincial & Union Bank of England, (1924), K.B., 461.
10
Section 4 of Bankers Books Evidence Act, 1891.
users of electronic communication similar to other paper based or oral testimony means.
Records can be kept in electronic form. Electronic form means information generated, sent,
received or stored in media, magnetic, optical, computer memory, micro film, etc. Now in the
eyes of law written records means electronic records which can be produced before the court
like it was produced previously.
3.The other obligation on the banker is to provide proper service to the customer.
Otherwise the bank is answerable. Not providing proper service attracts Consumer
Law which amounts to deficiency in providing service. It has been held in Vimal Chandra
Grover v. Bank of India,11 that banking is a business transaction of a bank and customers of
a bank are consumers within the meaning of Section 2(1) (d) (ii) of the Act. This obligation
extends to electronic banking also.

3. PUNISHMENTS AND PENALTIES

11
AIR. 2000 SC 2181.
 Basel Committee on Banking Supervision, in its “Consultative Document on
Operational Risk”, defines “operational risk” as the risk of direct, or indirect, loss resulting
from inadequate or failed internal processes, people and systems, or from external events.
This definition includes legal risk .
The Information Technology Act, 2000 (IT Act, 2000) was enacted to handle certain
issues relating to Information Technology. The IT Amendment Act, 2008 has made further
modifications to address more issues such as cyber crimes. It is critical that impact of cyber
laws is taken into consideration by banks to obviate any risk arising there from.
A. Guidance for Banks
Roles and Responsibilities and Organizational Structure
“Board: The Risk Management Committee at the Board-level needs to put in place,
the processes to ensure that legal risks arising from cyber laws are identified and addressed. It
also needs to ensure that the concerned functions are adequately staffed and that the human
resources are trained to carry out the relevant tasks in this regard
Operational Risk Group: This group needs to incorporate legal risks as part of
operational risk framework and take steps to mitigate the risks involved in consultation with
its legal functions within the bank.
Legal Department: The legal function within the bank needs to advise the business
groups on the legal issues arising out of use of Information Technology with respect to the
legal risk identified and referred to it by the Operational Risk Group.”12
Computer related offences and Penalty/Punishment
The IT Act, 2000 as amended, exposes the banks to both civil and criminal liability.
The civil liability could consist of exposure to pay damages by way of compensation upto
5crores under the amended Information Technology Act before the Adjudicating Officer and
beyond five crore in a court of competent jurisdiction. There could also be exposure to
criminal liability to the top management of the banks given the provisions of Chapter XI of
the amended IT Act and the exposure to criminal liability could consist of imprisonment for a
term which could extend from three years to life imprisonment as also fine. Further, various
computer related offences are enumerated in the aforesaid provisions.
(a) “Legal risk and operational risk are same. Most risks are sought to be covered by
documentation, particularly where the law is silent. The Basel-II accord covers “legal risk”
under “operational risk.” Documentation forms an important part of the banking and financial
12
Cyber Security Framework in Banks, DBS.CO/CSITE/BC.11/33.01.001/2015-16, RBI/2015-16/418
sector. For many, documentation is a panacea to the legal risks that may arise in banking
activities. But then, it has also been realized and widely acknowledged that loopholes do exist
in documentation.”13
(b) “Legal risks need to be incorporated as part of operational risks and the position need to
be periodically communicated to the top management and Board/Risk Management
Committee of the Board.”14
(c) “As the law on data protection and privacy, in the Indian context are in an evolving stage,
banks have to keep in view the specific provisions of IT Act, 2000 (as amended in 2008),
various judicial and quasi-judicial pronouncements and related developments in the Cyber
laws in India as part of legal risk mitigation measures. Banks are also required to keep abreast
of latest developments in the IT Act, 2000 and the rules, regulations, notifications and orders
issued there under pertaining to bank transactions and emerging legal standards on digital
signature, electronic signature, data protection, cheque truncation, electronic fund transfer
etc. as part of overall operational risk management process.”15
Cyber crime is a collective term encompassing both “cyber contraventions” and
“cyber offences”. The word “cyber” is synonymous with computer, computer system or
computer network. Thus, cyber crime may be defined as any illegal act that involves a
computer, computer system or computer network, i.e., any illegal act for which knowledge of
computer technology is essential for its perpetration, investigation, or prosecution.
The mens rea in case of “cyber crime” comprises of two elements. First, there must be
“intent to secure access to any program or data held in any computer, computer system or
computer network. Secondly, the person must know at the time that he commits the actus
reus that the access he intends to secure is unauthorized. The intent does not have to be
directed at any particular program or data or at programs or data held in any computer,
computer system or computer network.
“Mens rea” is a state of mind. Under criminal law, mens rea is considered as the
“guilty intention” and unless it is found that the “accused’ had the guilty intention to commit
the “crime’ he cannot be held “guilty’ of committing the crime.16
The difference between “cyber contravention” and “cyber offence” is more about the
degree and extent of criminal activity rather than anything else. For example, a mere
unauthorized access to a computer, computer system or computer network may amount to
13
Vakul Sharma: Information Technology Law and Practice: Cyber Laws & Laws relating to E-commerce, 6th ed
14
ibid
15
ibid
16
Director of Enforcement v M.C.T.M. Corp Pvt Ltd, (1996) 2 SCC 471
“cyber contravention” but for a “cyber offence” it is the specific criminal violation that
resulted from the unauthorized access to a computer, computer system or computer network
or computer resource that has to be taken into consideration.
“IDBI Bank found guilty of violation of S. 43-A IT Act; held, corporate entity
dealing with personal sensitive information/data has obligation without any exception,”
it was decided by TELECOM DISPUTES SETTLEMENT AND APPELLATE TRIBUNAL
NEW DELHI on August-13-2019 in the case of IDBI BANK V. Sudhir S. Dhupia. 17 in this
case there was a phishing email answered by the respondent Sudhir, by which 81,000 got
transacted from his bank to the fraudster’s account, the phishing email was using the domain
of the IDBI bank which is [email protected], idbi.co.in is a domain registered to
the bank and since the email was from the bank’s domain, it was held guilty as per section 43
read with section 85 of the IT ACT 2000, which is Penalty and compensation for damage to
computer, computer system, etc. and offences by companies. The bank was also held liable
under section 43A of the IT ACT 2000 which is compensation for failure of protecting data.
The court concurred with the view of the Adjudication officer in making the bank liable
under sec 43 because under 43(g) as a person “provides any assistance to any person to
facilitate access to a computer, computer system or computer network in contravention of the
provisions of this Act, rules or regulations made thereunder” 18. The court has accepted this on
the reasoning that the bank having no adequate security measures, email received by the
customer which belongs to the domain of the bank, to which the bank had no reply, so the
court came to the conclusion that the bank is guilty of providing assitance to the fraudster.
This case is relevant to this chapter because the present chapter deals with
Punishments and penalties, here the court has penalised the bank for not maintaining
adequate security measures.

4. BANK FRAUD CLASIFICATION

Classification of bank frauds is based upon various considerations including the

following:19
1. Law-based classification
2. Technology-based classification

17
MANU/TD/0008/2019
18
Sec. 43(g) of Information Technology act 2000
19
Chapter 2.3, BR Sharma: Bank Frauds Prevention & Detection, 4th ed.
 3. Reserve Bank of India’s Reporting-based classification
4. Fraud Amount-based classification
5. Fraudster-based (or fraud-based) classification.
They are further sub-divided based mainly on the nature and Modus Operandi of the
fraudsters or nature of the instruments involved in the frauds.
E-banking, in India, is comparatively new. So are the E-banking frauds. A monstrous
scenario, however, of the frauds vis-a-vis their extent and modus operandi is emerging. Their
detection, prevention, investigation and meeting their challenges are also being tackled with
great earnestness. E-banking frauds are a different species from the traditional frauds, literally
unearthly, at times. The losses are colossal. Cheque Truncation System (CTS), NEFT, EFT,
wire transfer, M-banking and E-banking (Internet, online) banking modes are creating new
formats for bank frauds and also modes for their prevention, detection and handling! They
may not defy investigations but some cases are extremely tricky and full of hurdles.
E-bank frauds involve, as already seen, manipulations, alterations, obliterations,
hiding, eliminations and corruption of electronic documents, messages, e-mails, SMSs,
digital data, digital signatures, command menu and software used in E-banking. Money-
laundering (to convert “black” money into “white” money) also involves E-frauds. They
include illegal and unauthorised use of the equipment, protocol and software (algorithms)
used in E-banking. They are usually committed for wrongful gains by converting the illegally
gotten gains. But the fraud can be for revenge, for embarrassment, for mischief, for sadistic
pleasure or to prove IT prowess to self or to friends. E-Bank frauds involve huge money.
They are committed day-in and day-out.
E-banking fraud spectrum is vast: loss-wise, ingenuity-wise, format-wise and novelty-
wise. They are new species. The public, in general, are ignorant, though increasingly
becoming aware of the depredations, usually at a high cost. The high technology is daunting.
The fear of the new and the unknown the very names of E-banking, M-banking, Net-banking
create an aura of awe among most of us But the scenario is changing fast.
The scenario, however, cannot last indefinitely. The Indian Government has come up
with laws (The Information Technology Act, 2000 and its amendments from time-to-time, to
update it as per need) to deal with the computer and other online and internet crimes. The
investigating agencies are employing specialists to investigate such crimes and the forensic
institutions are creating IT Forensics cells to deal with such crimes. Further, new highly
efficient fraud prevention technologies are coming up continuously. They are proving quite
effective, increasingly.
PHISHING :
Acc. To oxford learners Dictionary “The activity of tricking people by getting them
to give their identity, bank account numbers, etc. over the Internet or by e-mail, and then
using these to steal money from them.”

It is classified as a cyber crime, so what if the user gets tricked and enters his
credentials and loses his money, will the bank will be liable to return the money or can the
bank take it off their shoulders saying it’s the user’s fault. This can be answered as it was
held in the case of The Branch Manager, State Bank of India and Ors. vs. The Managing
Director, Nakoda Chemicals Ltd..20 that if the bank had not provided adequate security
facilities as prescribed by the competent authorities, then the banks would be liable. In the
present case there was no 2 factor authentication provided by the SBI to the user as
prescribed by the Guidelines of Information Security, Electronic Banking, Technology Risk
Management and Cyber Frauds issued by the Reserve Bank of India(RBI) on 29.4.2011.. The
2 factor authentication can be a OTP, SMS or any of the security measures mentioned by the
guidelines. The bank contended that the user typed his bank credentials in a PHISHING
website, so his money was lost, and the part of his credentials was the password, which he
gave away, but the tribunal said that even if password was given there was no adequate
security as if there was adequate security, then the money would not be gone without the
authorisation of the user, the fault is on bank as per the guidelines, so bank is liable under sec.
43A of IT act 2000 and has to pay the lost amount that is 18 lakh + interest + cost of
litigation.

In the above case, the judgement would’ve been different if there was a 2 factor
authentication and the user gave his authorisation to give the funds.

20
MANU/TD/0007/2020
 5. PREVENTION OF IT BREACH IN BANKS
(SAFEGUARDS)

Bank fraud prevention is a multiple-dimensional process involving control over men,

materials and situations. It is a multi-professional task, involving bankers, police
investigators, forensic experts, lawyers, judges and the public at large. Further, it needs
effective antifraud perceptions, policies, strategies, checks and balances, supervisions, real-
time scrutiny of bank transactions, eternal vigilance, rules, regulations and effective scientific
tools to fight the menace of ever increasing innovative frauds and of colossal losses. The
bankers, in fraud prevention, have certain effective specific perceptions, policies and
strategies to safeguard the banks’ transactions to make them invulnerable to fraud. It is, in
short, creation of a mechanism which makes the perpetration of frauds extremely difficult, if
not impossible. Further, when a fraud is perpetrated, the bank must have an in-built system to
detect it, investigate it or get it investigated, prosecute the perpetrator and to secure deterrent
punishment.
“In 2009, the Internet fraud has resulted in a loss of ` 6.6 Crores to Indian Banks from
233 reported cases. The number of credit card frauds rose from 2994 case involving ` 532
lakhs to 12959 case involving ` 3654 lakhs in 2008. It is steadily increasing According to
Orissa government statistics, over 13,000 credit card fraud cases were reported in India
between April and December 2009. The loss of revenue stood at approximately ` 36.5 crore
in 2008. A loss of ` 1147 lakhs in such transactions belonged to ICICI Bank which reported
over 8280 cases. According to RBI, 2008 report, the number of fraud cases reported was
2658 in 2005, 2568 in 2006 and 2933 in 2007 in public sector banks in India.”21
“Currently the penetration of technology in terms of internet in India is very low. It is
just 8.5% in India with just 121 million people hooking to the online facility. A minor part of
this segment is aware and uses the internet banking facility. Even in this small segment there
is a resistance towards adopting the technology based services like banking on the internet
due to lack of confidence in security of their data.”22
The inputs include relevant concepts, policies and proper machinery to handle frauds.
They help to understand the mechanism of the perpetration of frauds and thereby thwart
future frauds. They help to detect, investigate and resolve the perpetrated frauds. Above all
they provide leads to prevent frauds which are being committed; or, which are being planned
or even contemplated. They indicate the sources and the improved modes of collection of
evidence, which, in turn, help to prosecute and punish the fraudsters and act as deterrent to
the would-be fraudsters or the recidivists and make them realise that frauds do not pay, and
are hazardous.
It is the prerogative, rather the responsibility and the duty of the bank management to
evolve proper anti-fraud concepts and frame effective policies to contain the expanding
crime. Brainstorming of the top professionals from the concerned departments (banks,
police), forensics institutions, prosecution and even judiciary can provide potent polices and
perceptions. There is increasing realisation that fighting the menace conjointly is a better,
more effective and less costly proposition. In some of the countries they hold meetings from

21
B.P.Gupta, V.K.Vashistha, H.R.Swami, Banking and Finance, Ramesh Book Depot, Jaipur-New Delhi (2008).
22
Chapter – 3 E-BANKING, E-PAYMENTS AND E-FRAUDS, shodhganga.inflibnet.ac.in.
time to time on one platform. They also promote research to improve the modes, methods and
instruments to reduce the depredation of the fraudster.
Components of fraud risk management:
(i) Fraud prevention practices
“A strong internal control framework is the strongest deterrence for frauds. The fraud
risk management department along with the business/operations/support groups, continuously
reviews various systems and controls, to remove gaps if any, and to strengthen the internal
control framework. The following are some of the fraud prevention practices that are
recommended for banks.”
(a) Fraud vulnerability assessments
“Fraud vulnerability assessments should be undertaken across the bank by the fraud
risk management group. Apart from the business and the operations groups, such assessment
also cover channels of the bank such as branches, internet, ATM and phone banking, as well
as international branches, if any. During the course of a vulnerability assessment, all the
processes should be assessed based on their fraud risk. Controls need to be checked and
improvements suggested for tightening the same. These should be reviewed in the fraud
review councils.”23
‘Mystery Shopping’ is an important constituent of vulnerability assessment.
Transactions are introduced in ‘live’ scenarios to test the efficacy of controls. The results of
the mystery shopping exercises should be shared with the relevant groups in the fraud review
councils and be used for further strengthening of controls.

(b) Review of new products and processes

“No new product or process should be introduced or modified in a bank without the approval
of control groups like compliance, audit and fraud risk management groups. The product or
process needs to be analysed for fraud vulnerabilities and fraud loss limits to be mandated
wherever vulnerabilities are noticed.”24
(c) Fraud loss limits
“All residual/open risks in products and processes need to be covered by setting ‘fraud- loss'
limits. 'Fraud-loss' limits need to be monitored regularly by the fraud risk management group
and a review needs to be undertaken with the respective business group when fraud loss

23
E-BANKING FRAUDS AND FRAUD RISK MANAGEMENT, Tactful Management Research Journal ISSN: 2319-
7943, Mr. Rupesh. D. Dubey and Dr. Anita Manna
24
ibid
amount reaches 90% of the limit set. In case it is difficult to set a fraud- loss limit, a limit on
the total number or total value of frauds may be defined. For the purpose of deciding how
much a product or a process has used up the limit set, the cumulative value of frauds in that
product or process during the financial year needs to be considered.”25
IT breach in banks have an adverse effect on a bank’s reputation, IT breach includes,
deletion of data by outsiders, losing data, allowing phishing sites to get hold of bank’s
domain and etc. IT breaches now a days are not common, in the case of ICICI Bank Ltd. vs.
Ramdas Pawar.26 The bank had not maintained a sever properly, so a fraudster got hold of
the bank’s registered domain and started sending emails to the customers, a customer fell
prey to the phishing mail and lost his money, the bank pleaded contributory negligence, but
the court didn’t accept it and acquitted the customer and held the bank liable for the
negligence in safeguarding their mail server.

6. E-BANKING OPERATIONAL ISSUES

Financial institutions, their card associations, and vendors are working to develop a n
Internet payment infrastructure to help make electronic commerce secure. Many in the
banking industry expect significant growth in the use of the Internet for the purchase of goods
and services and electronic data interchange. The banking industry also recognizes that the

25
ibid
26
MANU/TD/0036/2019
Internet must be secure to achieve a high level of confidence with both consumers and
businesses .
Sound management of banking products and services, especially those provided over the
Internet, is fundamental to maintaining a high level of public confidence not only in the
individual bank and its brand name but also in the banking system as a whole. Key
components that will help maintain a high level of public confidence in an open network
environment include:
1. Security
2. Authentication
3. Trust
4. Non-repudiation
5. Privacy
6. Availability
“Security is an issue in Internet banking systems. The office of the comptroller of
currency (OCC) expects national banks to provide a level of logical and physical security
commensurate with the sensitivity of the information and the individual bank’s risk tolerance.
Firewalls are frequently used on Internet banking systems as a security measure to protect
internal systems and should be considered for any system connected to an outside network.
Firewalls are a combination of hardware and software placed between two networks through
which all traffic must pass, regardless of the direction of flow. They provide a gateway to
guard against unauthorized individuals gaining access to the bank’s network.”27
Authentication is another issue in an Internet banking system. Transactions on the Internet or
any other telecommunication network must be secure to achieve a high level of public
confidence. In cyberspace, as in the physical world, customers, banks, and merchants need
assurances that they will receive the service as ordered or the merchandise as requested, and
that they know the identity of the person they are dealing with.
Trust is another issue in Internet banking systems. As noted in the previously, public and
private key cryptographic systems can be used to secure information and authenticate parties
in transactions in cyberspace. A trusted third party is a necessary part of the process. That
third party is the certificate authority.
A certificate authority is a trusted third party that verifies identities in cyberspace. Some
people think of the certificate authority functioning like an online notary. The basic concept
is that a bank, or other third party, uses its good name to validate parties in transactions. This
27
Vakul Sharma: Information Technology Law and Practice: Cyber Laws & Laws relating to E-commerce, 6th ed
is similar to the historic role banks have played with letters of credit, where neither the buyer
nor seller knew each other but both parties were known to the bank. Thus the bank uses its
good name to facilitate the transaction, for a fee.
Non-repudiation is the undeniable proof of participation by both the sender and receiver in a
transaction. It is the reason for which the public key encryption was developed, i.e., to
authenticate electronic messages and prevent denial or repudiation by the sender or receiver.
Although technology has provided an answer to non-repudiation, cyber laws are not uniform
in the treatment of electronic authentication and digital signatures. The application of cyber
laws to these activities is a new and emerging area of the law.
Privacy is a consumer issue of increasing importance. National banks that recognize and
respond to privacy issues in a proactive way make this a positive attribute for the bank and a
benefit for its customers. Public concerns over proper versus improper accumulati on and use
of personal information are likely to increase with the continued growth of electronic
commerce and the Internet. Providers who are sensitive to these concerns have an advantage
over those who do not.
Generally, to maintain the IT infrastructure of the banks, they hire some expertise,
what if this experts take control of the servers without the knowledge of the banks, this thing
happened in Abhyudaya Co-Op. Bank Ltd., Vashi 'Branch, Navi, Mumbai. In the case of :
The State of Maharashtra vs. Rajkumar Kunda Swami, 28 accused Rajkumar K. Swami
was working as a clerk in Abhyudaya Co-Op. Bank Ltd., Vashi Branch, Sector 17, Navi
Mumbai and looking after the maintenance and repair of the computers in the said Bank since
1997 and all the accounts and transactions were computerised in the Bank since 1995. The
complainant has further stated that respondent/accused committed fraud to the extent of Rs.
81 lacs by opening fictitious accounts in his own name and manipulated the credit entries in
the said accounts without depositing any amount, by tampering with the computer data in the
computers, and he has withdrawn amounts from the said accounts and thus defrauded the
Bank.
The accused was charged under sec 65- Tampering with computer source documents,
66 - Computer related offences, 71 - Penalty for misrepresentation, 72 - Penalty for Breach of
confidentiality and privacy, and 73- Penalty for publishing electronic signature Certificate
false in certain particulars. of the IT Act 2000.
What if the bank’s IT sever is compromised and has been used as a phishing trap to
lure the users into revealing their information. This happened in the case of ICICI Bank vs.
28
MANU/MH/1380/2001
Umashankar Sivasubramanian and Ors..29 where respondent lost 6.5 lakhs, the
bank(appellant) pleaded that adequate security was present as per the guidelines and the
respondent was at fault because he answered a phishing email. The respondent claimed that
he answered the email because it was from the appellant bank and gave his information, he
has no idea that it was from a 3 rd party, the bank also contended that their server mail transfer
system doesn’t allow any 3rd party to create email on the domain of the bank. The
investigation concluded that the phishing email was from the bank’s domain and the email
was the sub-domain of the bank to which the bank had no reply, then the tribunal acquitted
the respondent of contributory negligence on the user by the bank and the tribunal directed
the bank under sec.43A - Compensation for failure to protect data, 66 - Computer related
offences and 85-Offences by companies of the IT Act 2000 to pay the lost amount 6.5 laks
and 50 thousand as incidental expenses.
In the present case if the respondent answered phishing of any other email not
belonging to the bank, then the judgement would’ve been different.

7. INVESTIGATION PROCEDURE

An “investigation” means search for material and facts in order to find out whether or
not an offence has been committed. It was held by the Supreme Court in Roopchand Lal v
State of Bihar,30 that the investigation under the Code, taken in several aspects and stages,
ending ultimately with the formation of an opinion by the police as to whether, on the
material covered and collected, a case is made out to place the accused before the magistrate
for trial, after the submission of either a charge-sheet or a final report, is dependent on the
nature of the opinion, so formed. The formation of the opinion that no case against the

29
MANU/TD/0001/2019
30
AIR 1968 SC 117
accused is made out, is a final step in the investigation, and that final step is to be taken only
by the police and by no other authority.31
Chapter XII of the Code provides for the statutory right of the police to carry out
investigation. The investigation under this Chapter proceeds on the first information. That is,
when any information disclosing a cognizable offence is laid before the office-in- charge of a
police station, he has no option but to register the case on the basis thereof.
“In India, the banking fraud is not so alarming compared to US and European banking
sector, still it poses formidable challenge to Indian banking industry. Its effect can be felt
from the fact that in the year 2004 number of cyber crime(IT act 2000 category) were 347 in
India which rose to 481 in 2005 showing an increase of 38.5% while I.P.C. category crime
stood at 302 in 2005 including 186 cases of cyber fraud and 68 cases cyber forgery. Thus the
increasing in frauds in India is matter of concern and such frauds should be dealt with firmly.
Otherwise e-banking may become a mere tool in the banking services.”32
In the present day global scenario, the banking system has acquired new dimensions.
The banking system has entered into competitive markets in areas covering resource
mobilization, human resource development, customer services and credit management. “Due
to these ever expanding banking services, the bank frauds have increased in last 5 years.”33
Any officer of the Reserve Bank duly authorised by it in writing in this behalf, may
for ensuring compliance with the provisions of the Payment and Settlements Act 2007 or any
regulations, enter any premises where a payment system is being operated and may inspect
any equipment, including any computer system or other documents situated at such premises
and call upon any employee of such system provider or participant thereof or any other
person working in such premises to furnish such information or documents as may be
required by such officer.
Subject to the provisions of sub-section (2) of sec. 15, any document or information
obtained by the Reserve Bank under sections 12 to 14 (both inclusive) shall be kept
confidential.
“The Reserve Bank may call for from any system provider such returns or documents
as it may require or other information in regard to the operation of his payment system at
such intervals, in such form and in such manner, as the Reserve Bank may require from time
to time or as may be prescribed and such order shall be complied with.”34
31
State of Haryana v Ch. Bhajan Lal, AIR 1992 SC 604.
32
Chapter 6.2, BR Sharma: Bank Frauds Prevention & Detection, 4th ed
33
ibid
34
Sec. 12 of Payment and Settlements ACT 2007
 “The Reserve Bank shall have right to access any information relating to the operation
of any payment system and system provider and all the system participants shall provide
access to such information to the Reserve Bank.”35
But this confidential information can be disclosed by the Reserve bank as per sub
clause(1) of sub-section 2 of section 15 to people who are authorized or the people to whom
providing the information is necessary to protect the security/policy/operational interests of
the bank and public.
The Reserve bank under section 16 of Payment and Settlements act 2007 has the
power to carry audit and security inspections of the bank and it shall be the duty of the system
provider and the system participants to assist the Reserve Bank to carry out such audit or
inspection, as the case may be.
As per section 17 of the Payment and Settlements Act 2007, the reserve bank has the
power to issue directions if the Reserve Bank is of the opinion that a payment system or a
system participant is engaging in omission or course of conduct that results, or is likely to
result, in systemic risk being inadequately controlled or this omission is likely to affect the
payment system, the monetary policy or the credit policy of the country, the Reserve Bank
may issue directions in writing to such payment system or system participant requiring it,
within such time that the Reserve Bank specifies to cease and desist from engaging in the act,
omission or course of conduct or to ensure the system participants to cease and desist from
the act, omission or course of conduct or to perform such acts as may be necessary, in the
opinion of the Reserve Bank, to remedy the situation.
POLICE INVESTIGATION IN FRAUDS
The police investigate cognizable offences, which involve dishonesty and criminal
intent. The offence may be brought to their notice by anyone. In bank frauds it is, usually, the
banker, the customer, the auditor. Even the public is enjoined upon to report cases of
corruption, breach of trust or counterfeiting to the police under section 39 of Code of
Criminal Procedure, 1973.
“Power of police officer and other officers to enter, search, etc.—(1) Notwithstanding
anything contained in the Code of Criminal Procedure, 1973 (2 of 1974), any police officer,
not below the rank of a Inspector, or any other officer of the Central Government or a State
Government authorized by the Central Government in this behalf may enter any public place
and search and arrest without warrant any person found therein who is reasonably suspected

35
Sec. 13 of Payment and settlements Act 2007
or having committed or of committing or of being about to commit any offence under this
Act.”36
Explanation - For the purposes of this sub-section, the expression “public place”
includes any public conveyance, any hotel, any shop or any other place intended for use by,
or accessible to the public.
“In this technology driven world of laptops, personal digital assistance devices and
mobile phones, one is always wired and accessible. These devices have blurred the
boundaries between “public” and “private”. For example, using mobile phone while traveling
means accessing “computer network” [section 2(1)(j)] and the provisions of sub-section (1)
may be used against a person if such a person is reasonably suspected or having committed or
of committing or of being about to commit any offence under this Act.”37
Interestingly, the sub-section (1) does not debar police officer and other officers from
searching and arresting any person who is out on a “public place” after having committed an
offence in the confines of a private place (home).
In addition to cognizable offences, the police may also take up the following types of
cases:
1.Possession of assets by a banker disproportionate to his known sources of income.
2.Cases which involve non-official persons and private records.
If the case has been referred to a police agency and they have taken up investigations,
the departmental proceeding should not be held in abeyance. It should be started or continued
during police investigations as if there is no other investigation. The reasons for the same:
1.The defaulter may be retiring soon.
2.His continuation in the department may incur losses.
3.Non-action might lead to serious disciplinary problems.

The police agencies which take up investigation of bank frauds, there are the local
police, district crime branch or State Criminal Investigation Department (CID) or the Central
Bureau of Investigation (CBI). The Reserve Bank of India has issued guidelines1 relating to
the reporting of bank fraud cases to the various police and other agencies in their master
circular2 on classification and Reporting of bank fraud cases.

36
Sec. 80 of Code of criminal procedure, 1973.
37
Chapter 26.2, Public Place & Use of Technology, Vakul Sharma: Information Technology Law and Practice:
Cyber Laws & Laws relating to E-commerce, 6th ed.
 Legally, any of the police agencies can take up the investigation of a cognizable bank
fraud. However, in nationalised banks frauds, mainly the amount involved in the fraud
determines the investigator:
1.Amount over Rs 5 crore: Banking Securities & Fraud Cell (BS&FC) investigates.
2.Amount between Rs 25 lakhs and 5 crore: CBI investigates.
3.Amount less than Rs 25 lakhs: local police (or CID) investigates.
4.CBI also investigates inter-State or international cases.
Ordinarily, the BS&FC acts as the focal point. All cases may be reported to it. The
cell passes the case to the right agency. BS&FC has three offices: at Delhi, Bombay and
Bengaluru.
Usually the following types of cases are referred to the local police:
1.Cases where immediate arrest of the fraudster(s) is needed.
2.Cases in which there is danger of destruction, mutilation or theft of evidence
(documents). The local police take possession of such documents (evidence) immediately.
3.The crime is of local character, within the jurisdiction of local police.
4.All cases, where the authorities are not sure about the right agency.

The district police usually have special CIA. Likewise, all States have CID. They are
headed by Senior Police Officers ranging from a DIG to a Director-General.
The CID has branches at district headquarters as well as in important towns. Bankers
can register fraud cases with these branches.
CIDs have investigators who are specialists with proper training and experience in the
investigation of white-collar crime. They are better equipped and have better resources.
These agencies investigate:
1.Cases of intra-State ramifications.
2.Complicated cases, beyond the resources of the local police station.
3.All cases of bank frauds from State’s co-operative banks as well as non-nationalised
banks.

The Central Bureau of Investigation, commonly known as the CBI, is the Central
Government’s ace investigating agency for all important crimes including bank frauds.
The CBI is headed by a police officer of the rank of a Secretary of a Ministry of
Central Government. It has branches in all states as well as in important towns. The CBI has
a forensic science laboratory to provide scientific assistance in its investigations.
 The CBI has a special Bank Fraud Cell, composed of highly experienced and properly
trained investigators. They have proper scientific, technical and other material sources to
carry out the work efficiently, though the staff strength always trail behind the need due to
ever-increasing workload.
The CBI investigates bank frauds cases of the following types:
1.Cases referred by the Central Vigilance Commission.
2.Bank fraud cases from nationalised banks.
3.Cases having inter-state ramifications or involving more than one bank.
4.Cognizable offences of all nationalized banks.
5.All complicated cases referred by the state police or other agencies.
6.All bank frauds having national and international ramifications.
7.Cases involving large amounts.
8.Cases involving senior bank, government or government-undertaking. officers.
9.Cases involving foreigners or foreign banks.

8. CONCLUSION

The Bank Frauds through internet has become a common issue, these frauds coupled
with the bank’s inability to provide adequate security had provided a clear way for internet
fraudsters to launder money from customers. RBI has been failing to inspect the security
systems of the banks regularly, that is why the banks since the authority is not showing any
concern have started to ease out on security systems through this saving money and cutting
expenses. The bank frauds which we discussed in the above cases are the result of the failure
to provide adequate security by the banks, the RBI didn’t inspect these banks, so they were
cutting costs on their security equipment. RBI being a regulatory body should be vigilant and
impose strict penalty to the banks who are not maintaining adequate security.
 Internet security has become a prime necessity for any organization, be it a record
keeping organization to the banks handling money, internet security is a paramount in the
present days, to which the Govt. of India has been taking it lightly. Even many documents
being held in the National Informatics Centre’s server are not secured. The payment gateways
of many Govt. sites are using very less encrypted security which are prone to hacking, the
govt. sites get constantly hacked, recent example is the hacking of the GHMC belonging to
the Greater Hyderabad Municipal Corporation, fortunately no one lost their money, this site
contains payment options for paying Property Tax, Water Bill, etc.
I can conclude by saying that the internet security in India is subpar to that of the
security systems of other countries whose sites get hacked inspite of having adequate
security. India needs to step up the internet security measures, till now it has been not given
importance.

9. BIBLIOGRAPHY

CASES
1. Tournier v. National Provincial & Union Bank of England, (1924), K.B., 461.
2. Vimal Chandra Grover v. Bank of India,AIR. 2000 SC 2181.
3. IDBI BANK V. Sudhir S. DhupiaMANU/TD/0008/2019
4. Director of Enforcement v M.C.T.M. Corp Pvt Ltd, (1996) 2 SCC 471
5. The Branch Manager, State Bank of India and Ors. vs. The Managing Director,
Nakoda Chemicals LtdMANU/TD/0007/2020
6. ICICI Bank Ltd. vs. Ramdas Pawar. MANU/TD/0036/2019
 7. The State of Maharashtra vs. Rajkumar Kunda Swami, MANU/MH/1380/2001
8. ICICI Bank vs. Umashankar Sivasubramanian and Ors.MANU/TD/0001/2019
9. Roopchand Lal v State of BiharAIR 1968 SC 117
10. State of Haryana v Ch. Bhajan Lal, AIR 1992 SC 604.
BOOKS
1. Vakul Sharma: Information Technology Law and Practice: Cyber Laws & Laws
relating to E-commerce, 6th ed.

2. BR Sharma: Bank Frauds Prevention & Detection, 4th ed

3. B.P.Gupta, V.K.Vashistha, H.R.Swami, Banking and Finance, Ramesh Book Depot,

Jaipur-New Delhi (2008).
JOURNALS
Tactful Management Research Journal- ISSN: 2319-7943 - E-BANKING
FRAUDS AND FRAUD RISK MANAGEMENT, Mr. Rupesh. D. Dubey and Dr. Anita
Manna