Author: Paikar Mustafa
Law Graduate, 2019
Law College Dehradun, Uttarakhand
The advent of the 21st century witnessed a wave of technology in the world we know and want to live in. The widespread use of computers and the internet made existing technological systems run efficiently at unimaginable speed. Keeping of memos, inter alia, became a comparatively easy task for people fluent in and familiar with the use of technology. Almost every sector of our day-to-day lives is being computerized, and technologically efficient ways of keeping up with developments that focus on making life easy have been readily utilized.
The banking sector in India was no novice in adopting technological advancements, and the surge of this development witnessed digital transactions, e-banks, electronic transactions, ATMs, cashless transactions, loans and deposits via the internet, et al. To put it precisely, the banking sector is the biggest beneficiary of the IT revolution, the importance of which can be realised in the prevailing pandemic times, when the whole world is amidst the severest of crises, with COVID-19 taking a toll on the lives of people and reducing social gatherings and physical presence to nil. While the infotech revolution has catered to the needs of, and eased access for, people having the dimmest of means to avail themselves of it, it has also opened wide the door to an influx of unlawful doings in what is the least known and most trusted domain for keeping safe people's most valued resource: their money.
Cyber crime has no definitive explanation and can be understood as a crime committed by targeting a computer via a network. With the modernization of the internet and a technological revolution that has put smartphones and internet access in every hand, tasks such as internet banking, online shopping and digital transactions can be done within a matter of seconds.
Subsequently, cyber predators have taken advantage of this revolutionary phase and have fed on the lacunae in this system. Most cyber-crimes include hacking, phishing, spamming, etc. With regard to the banking sector, these include ATM skimming, account hacking, and spam fraud calls that convince people to give out personal information directly linked to their bank account by luring them with fake schemes, profits, etc. ATMs are used as a host to commit crime: the machine is tampered with to copy the user's data (PIN), which is then replicated and used to take money while the person remains entirely unaware.
The tech-savvy offenders have created a consortium where they pose as a legitimate organisation and deceive people into funding them in the name of savings. Between the bank and the customer, there is a long list of unknown and unrecognised intermediaries who, out of greed for monetary profit, loot people. The anonymity of the web and the uncertainty of the internet have seriously amplified cyber-crimes. Credit card frauds and savings scheme frauds are common sights in these times and require steady regulation in place to combat them.
As per the data made available by the Reserve Bank of India, 13,083 and 11,997 cases related to ATM/credit/debit cards and net banking frauds were reported by the banks during 2014-15 and 2015-16 (up to December 2015), respectively. In addition, 44,679 and 49,455 cybersecurity incidents were recorded during 2014 and 2015, including phishing, scraping, malicious code, website intrusion, denial of service, etc., as per the details submitted to and monitored by the Indian Computer Emergency Response Team (CERT-In). The RBI stated that the total number of frauds reported by Scheduled commercial banks and select FIs during Financial Year 2019-20 is 84,545 and the amount involved therein is Rs 1,85,772.42 crore.[i]
In the financial year 2018-19, fraud worth Rs 71500 crore was detected in the Indian banking system, while over 90 percent of these losses were to the government owned banks.[ii]
The constant rise in cybercrime in the banking sector, which mainly includes “insiders”, has alarmed people, who have no proper redressal for their grievances at all. In effect, bank branches take time to register a complaint or detect an online fraud. The cumbersome procedure, of which a common man is mostly unaware, adds to the fear and torment of the public. Besides, the online black market referred to as the “Dark Web” contains personal details of account holders' financial worth. Cyber-security is, at the core, the main issue. The authorities are without any exhaustive procedures, independent investigations and training techniques to combat and detect these frauds. The existing authorities, viz., the National Nodal Agency established under section 70-A of the IT Act, 2000 in respect of Critical Information Infrastructure Protection, and the Indian Computer Emergency Response Team under section 70B for the collection and reporting of incidents relating to cyber-crimes, should work in close proximity with Cyber Police Stations or cyber cells in any police station where the aggrieved come as a first resort to find a solution. The Cyber Crime and Fraud Management committees formed by the banks should monitor, on a regular basis, the complaints being lodged. Police officers and the local administration should be proficient in cyber crimes and fraud management education, and the certification of officers in these fields should be made mandatory, so as to ensure that a problem detected in the first instance does not go untracked because of the inefficiency of the system and the responsible authorities.
The field to chase and detect is global, with changing addresses and more trained minds escaping detection. The statutory remedy at hand is dealt with under the Information Technology Act, 2000, which in itself is a half-baked law, rudimentary in its application. The sphere of cyber-crimes is increasing every minute and the banking sector remains the foremost branch of its modus operandi. The Reserve Bank of India has time and again come up with guidelines for banks to ensure the cybersecurity of the customer, with liberty to the banks to modify them as the situation warrants. The Reserve Bank of India, taking cognizance of the steep hike in cybercrimes in the financial sector, recently issued a comprehensive circular[iii] to all banks in India urging them to implement a cyber security framework. It provides for an ideal, robust and resilient approach to be adopted by the banks, which addresses and tackles the risks posed by cyber criminals by including an adaptive incident response management and recovery system to deal with adversities.
Some guidelines, inter alia, are listed as follows:
1) Identify and assess risks, technologies implemented, regulatory compliance, delivery channels (online / mobile, etc.), organizational culture, internal and external challenges, and risk management and control processes and policies in place.
2) Continuous surveillance through vulnerability testing by an SOC (Security Operations Centre) that keeps itself updated on the nature of emerging cyber threats.
3) IT infrastructure to promote security measures to be introduced by the bank after the readiness evaluation and to ensure that network connections to the database are allowed by a well-defined procedure and only by approved staff.
4) Formulating a Cyber Crisis Management Plan (CCMP) that will concentrate primarily on: identifying, reacting, restoring and containing different forms of cyber threats, including and not limited to: distributed denial of services (DDoS), ransom / crypto ware, disruptive malware, business email fraud including spam, email phishing, spear phishing, whaling, vishing fraud, drive-by downloads, browser gateway fraud etc.
5) Sharing of Cyber Security information: It is reiterated that banks need to report all cyber security incidents to the Reserve Bank of India. It was emphasized that global collaboration among entities facilitates timely measures in containing cyber risks.
Safeguard Against Cyber Crimes: Suggestions and Practice.
The banking system in any nation provides the backbone of its economy. The “give and take” nature of the banking sector keeps the malady of financial emergency at bay. To combat the cybercrimes flourishing in the banking sector and to protect customers, specialised security teams along with highly trained officers should be constituted for each and every branch of the banks, focusing on the detection of cyber frauds and on the redressal mechanism.
Cyber awareness at the ground level should be made part of education, as it is rightly said: “prevention is better than cure”. People must be made conscious of and educated about the cyber system, to prevent themselves from falling right into the pit of manipulation dug for them. Any employee or person found intricately linked with a crime must be expelled with all the liabilities, terminating their employment. Section 43-A of the Information Technology Act, 2000 fixes the liability on the body corporate possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates. This includes the liabilities of the institutions associated with banks in direct relation to the customers. Further, section 72 A of the Act provides for the punishment for disclosure of information in breach of lawful contract, which is imprisonment up to 3 years and a fine not exceeding 5 lakh rupees. Section 66-C of the Act provides for punishment for identity theft, which is imprisonment for 3 years and a fine up to 1 lakh rupees. Section 66-D of the Act provides punishment for cheating by personation by using computer resources, which is imprisonment up to 3 years and a fine up to 1 lakh rupees.
Threat intelligence technologies should be built up to determine the patterns of crimes, including the latest vulnerabilities and exploits. The legislature should take immediate but well-planned steps in drafting a comprehensive statute, with due consideration to filling the void of the complexities created by the existing statute and creating room for improvisation. While the Act has been successful insofar as it addresses the misuse of technology and provides remedies for several cybercrimes, the application of the Act still remains in the generality of the crimes. The growth of cybercrimes has hit almost every sector of human working, which needs to be addressed with specificity as to the offences related to a particular sector, here the financial sector. Whereas the Act mentions punishment for computer related offences, such as damage to a computer system, recent times have seen the development of crimes such as phishing, where the criminals acquire sensitive information such as usernames, passwords, credit and debit card details, etc. Data protection law in internet banking remains the other grey area to be addressed by legislation.
The wave of digitalization and the prefix “electronic” qualifying daily activities have become an indispensable part of the daily conduct of humans, cutting through the storm of the pandemic crisis. Today, there is no single branch of any bank that is not on the verge of digitalisation, but the expansion cannot be merely celebrated without considering its lived realities. The watch kept by the States has to be doubled at the national and international level. Physical crimes face a series of checks and barriers when their commission is played out. Cybercrimes, being abstract in commission, are easy to commit across borders, and without any strong mechanism between states to detect the commission and apprehend the criminals, the risks remain at large. While such a provision finds mention in section 75 of the IT Act, which provides that “the Act shall apply for offence or contravention outside India”, the discrepancies between the offences strictly mentioned in the IT Act and those which are committed provide grounds for evading the law. Cooperation between nation states is therefore imperative to build a robust framework and a sustaining mechanism to formulate, implement and apply rules internationally or as a matter of bilateral agreement.
Cyber-security is the least talked about, discussed and deliberated issue globally, let alone in India. The feeble legal structure has added to the rise in crime and the increase in potential threat. In a nation like ours, brimming with a population hailing from a rural background, where the right to education, equality and the elimination of discrimination is a daily struggle to be achieved on the foundation of the Constitution, data protection is the requirement that receives the least attention in the consciousness of the general public. While technological upgradation has become a mandate in contemporary times, the vices attached to it by far remain unknown and stifled.
[i]. https://wap.business-standard.com/article-amp/finance/84-545-bank-fraud-cases-involving-about-rs-1-85-trn-reported-in-fy20-rti-120072701383_1.html
[ii]. https://www.google.co.in/amp/s/m.economictimes.com/news/economy/finance/bank-fraud-touches-rs-71543-crore-in-2018-19-rbi-annual-report/amp_articleshow/70895326.cms
[iii]. https://m.rbi.org.in//Scripts/NotificationUser.aspx?Id=10435&Mode=0