Data Protection and Internet Banking

Introduction

Internet banking is very similar to that of traditional banking. The basic difference lies with the fact that, all that is done with ones bank account such as accessing account and information, payments, etc. is done through a computer rather than the traditional manner of visiting the bank concerned to complete the necessities.

It is seen that every major bank offers internet banking. The charges for this may vary from bank to bank. But it is noted as a norm that banks do not charge any fee for the creation of an internet banking account but it is also to be noted that they do place a fee/charge upon business transactions. Internet banking has become more of a “need” and less of a “Convenience” in the current day.

The security measure taken upon by the banks would vary from bank to bank. The internet banking facilities that are provided in India seem to be far fewer than those that are provided in developed countries like USA, UK, Australia, etc. there seem to various legal issues that mostly seem unaddressed with regard to internet banking such as the jurisdiction within which the contended transaction would fall under, the issue with regard to protection of privacy of the account holder, establishment of the identity of the account holder, etc .

To address the above mentioned and more legal issues and problems that might be faced due to internet banking, RBI had issued a set of Guidelines in June, 2001. This advised banks to seek prior approval from RBI before offering transactional services on the internet. In another notification that was issued in July, 2005, the position was review and RBI advised that while offering of internet banking services would be governed by the above mentioned guidelines, no prior approval of RBI would be required to offer internet banking services.

However, banks were to ensure compliance with the following conditions:

1. Internet banking policy was to be approved by the bank’s board
2. The policy fits into the banks overall Information Technology and Information Security policy and ensures confidentiality of records and security systems.
3. The policy takes into account operational risk.
4. The policy clearly lays down the procedure to be followed in respect of “Know Your Customer” requirements, and
5. The policy broadly meets the parameters laid down in the earlier circular.

Rbi Guidelines

The RBI had set up a ‘working group on internet banking’ to examine various aspects of it. The group had focused upon three issues:

1. Technology and securities issue
2. Legal issues
3. Regulatory and supervisory issues.

Technology And Security:

1. Bank’s were to designate network and database administrator with clearly defined roles. This is so because there was noted to be a necessity of knowledge which would help install software in the manner that would be prescribed by the developer as well as the fact that the software’s need to be updated and patches used to protect against hackers. The administrator was also required to create access accounts for various users as well as maintain them. Back up of the data and recovery are essential for the business as well as continuity of the business. The above mentioned would be the necessity behind a database administrator.
2. Banks were to have a security policy duly approved by its Board of Directors. There would have to be a separation of duty of Security Officer / Group, dealing exclusively with information systems security and Information Technology Division which actually implements the computer systems. Further, Information Systems Auditor were to audit the information systems.
3. Banks were to introduce logical access controls to data, systems, application software, utilities, etc. Logical access control techniques would include user-ids, passwords, other biometric technologies.
4. At the minimum, banks were to use the proxy server type of firewall so that there would be no direct connection between the Internet and the bank’s system. This would facilitate a high level of control and in-depth monitoring using logging, auditing tools.
5. Systems supporting dial up services through modem on the same LAN as the application server were to be isolated to prevent the intrusions into the network as this has a possibility of bypassing the proxy server.
6. PKI (Public Key Infrastructure), the most favored technology for secure Internet banking services, yet as it is not yet commonly available, banks would have to use the following alternative system during the transition, until the PKI would be put in place:

1. Usage of SSL (Secured Socket Layer), which ensures server authentication and use of client side certificates issued by the banks themselves using a Certificate Server.
2. The use of at least 128-bit SSL for securing browser to web server communications and, in addition, encryption of sensitive data like passwords in transit within the enterprise itself.

7. Recommended that all unnecessary services on the application server such as FTP (File Transfer Protocol), telnet were to be disabled. The application server is to be isolated from the e-mail server.
8. All computer accesses, including messages received, are to be logged. Security violations (suspected or attempted) should be reported and follow up action taken should be kept in mind while framing future policy. Banks need to acquire tools for monitoring systems and the networks against interference and attacks. These tools should be used often to avoid security breaches. The banks are to review their security infrastructure and security policies regularly and optimize them in the light of their own experiences and changing technologies. They should educate their security personnel and also the end-users on a continuous basis.
9. Physical access controls ought to be stringently enforced. Physical security must cover all the information systems and sites where they are housed, both against internal and external threats.
10. Banks must have proper infrastructure and schedules for backing up data. The backed-up data ought to be from time to time tested to ensure recovery without loss of transactions in a time frame as given out in the bank’s security policy.
11. All bank applicants need to have proper record keeping facilities for legal purposes.
12. Security infrastructure ought to be properly tested before using the systems and applications for normal operations.

Legal Issues

1. Taking into account the legal position prevailing, there is an requirement on the part of banks not only to establish the identity but also to make enquiries about integrity and reputation of the potential customer. Therefore, even though request for opening account can be received over Internet, accounts must be opened only after appropriate introduction and physical verification of the identity of the customer.
2. From a legal perspective, security procedure adopted by banks for authenticating users needs to be recognized by law as a substitute for signature. In India, the Information Technology Act, 2000, in Section 3(2) provides for a particular technology (viz., the asymmetric crypto system and hash function) as a means of authenticating electronic record. Any other method used by banks for authentication should be recognized as a source of legal risk.
3. Under the present regime there is an obligation on banks to maintain secrecy and confidentiality of customers’ accounts. In the Internet banking scenario, the risk of banks not meeting the above compulsion is high on account of several factors. Despite all reasonable safety measures, banks may be exposed to enhanced risk of liability to customers on account of breach of secrecy, denial of service etc., because of hacking/ other technological failures. The banks should, therefore, institute adequate risk control measures to manage such risks.
4. Internet banking set-up there is very little scope for the banks to act on stop payment instructions from the customers. Hence, banks should clearly notify to the customers the timeframe and the situation in which any stop-payment instructions might be accepted.
5. The Consumer Protection Act, 1986 defines the rights of consumers in India and is applicable to banking services as well. The rights and liabilities of customers availing of Internet banking services are being determined by bilateral agreements between the banks and customers. Considering the banking practice and rights enjoyed by customers in traditional banking, banks’ liability to the customers on account of unauthorized transfer through hacking, denial of service on account of technological failure etc. requires to be assessed and banks providing Internet banking ought to insure themselves against such risks.

Regulatory And Supervisory Issues:

As recommended by the Group, the existing regulatory framework over banks will be extended to Internet banking also. In this regard, it is advised that:

1. Only such banks which are licensed and supervised in India and have a physical presence in India will be permitted to offer Internet banking products to residents of India. Thus, both banks and virtual banks incorporated outside the country and having no physical presence in India will not, for the present, be permitted to offer Internet banking services to Indian residents.
2. The products should be restricted to account holders only and should not be offered in other jurisdictions.
3. The services should only include local currency products.
4. The ‘in-out’ scenario where customers in cross border jurisdictions are offered banking services by Indian banks (or branches of foreign banks in India) and the ‘out-in’ scenario where Indian residents are offered banking services by banks operating in cross-border jurisdictions are generally not permitted and this approach will apply to Internet banking also. The existing exceptions for limited purposes under FEMA i.e. where resident Indians have been permitted to continue to maintain their accounts with overseas banks etc. will, however, be permitted.
5. Overseas branches of Indian banks will be permitted to offer Internet banking services to their overseas customers subject to their satisfying, in addition to the host supervisor, the home supervisor.

Given the regulatory approach as above, banks are advised to follow the following instructions:

1. All banks, who propose to offer transactional services on the Internet should obtain prior approval from RBI. Bank’s application for such permission should indicate its business plan, analysis of cost and benefit, operational arrangements like technology adopted, business partners, third party service providers and systems and control procedures the bank proposes to adopt for managing risks. The bank should also submit a security policy covering recommendations made in this circular and a certificate from an independent auditor that the minimum requirements prescribed have been met. After the initial approval the banks will be obliged to inform RBI any material changes in the services / products offered by them.
2. Banks will report to RBI every breach or failure of security systems and procedure and the latter, at its discretion, may decide to commission special audit / inspection of such banks.
3. The guidelines issued by RBI on ‘Risks and Controls in Computers and Telecommunications’ vide circular DBS.CO.ITC.BC. 10/ 31.09.001/ 97-98 dated 4th February 1998 will equally apply to Internet banking. The RBI as supervisor will cover the entire risks associated with electronic banking as a part of its regular inspections of banks.
4. Banks should develop outsourcing guidelines to manage risks arising out of third party service providers, such as, disruption in service, defective services and personnel of service providers gaining intimate knowledge of banks’ systems and misutilizing the same, etc., effectively.
5. With the increasing popularity of e-commerce, it has become necessary to set up ‘Inter-bank Payment Gateways’ for settlement of such transactions. The protocol for transactions between the customer, the bank and the portal and the framework for setting up of payment gateways as recommended by the Group should be adopted.
6. Only institutions who are members of the cheque clearing system in the country will be permitted to participate in Inter-bank payment gateways for Internet payment. Each gateway must nominate a bank as the clearing bank to settle all transactions. Payments effected using credit cards, payments arising out of cross border e-commerce transactions and all intra-bank payments (i.e., transactions involving only one bank) should be excluded for settlement through an inter-bank payment gateway.
7. Inter-bank payment gateways must have capabilities for both net and gross settlement. All settlement should be intra-day and as far as possible, in real time.
8. Connectivity between the gateway and the computer system of the member bank should be achieved using a leased line network (not through Internet) with appropriate data encryption standard. All transactions must be authenticated. Once, the regulatory framework is in place, the transactions should be digitally certified by any licensed certifying agency. SSL / 128 bit encryption must be used as minimum level of security. Reserve Bank may get the security of the entire infrastructure both at the payment gateway’s end and the participating institutions’ end certified prior to making the facility available for customers use.
9. Bilateral contracts between the payee and payee’s bank, the participating banks and service provider and the banks themselves will form the legal basis for such transactions. The rights and obligations of each party must be clearly defined and should be valid in a court of law.
10. Banks must make mandatory disclosures of risks, responsibilities and liabilities of the customers in doing business through Internet through a disclosure template. The banks should also provide their latest published financial results over the net.
11. Hyperlinks from banks’ websites, often raise the issue of reputational risk. Such links should not mislead the customers into believing that banks sponsor any particular product or any business unrelated to banking. Hyperlinks from a banks’ websites should be confined to only those portals with which they have a payment arrangement or sites of their subsidiaries or principals. Hyperlinks to banks’ websites from other portals are normally meant for passing on information relating to purchases made by banks’ customers in the portal. Banks must follow the minimum recommended security precautions while dealing with request received from other websites, relating to customers’ purchases.

2. The Reserve Bank of India have decided that the Group’s recommendations as detailed in this circulars should be adopted by all banks offering Internet banking services, with imediate effect. Even though the recommendations have been made in the context of Internet banking, these are applicable, in general, to all forms of electronic banking and banks offering any form of electronic banking should adopt the same to the extent relevant.
3. All banks offering Internet banking are advised to make a review of their systems in the light of this circular and report to Reserve Bank the types of services offered, extent of their compliance with the recommendations, deviations and their proposal indicating a time frame for compliance. The first such report must reach us within one month from the date of this circular. Banks not offering any kind of I-banking may submit a ‘nil’ report.
4. Banks who are already offering any kind of transactional service are advised to report, in addition to those mentioned in paragraph above, their business models with projections of cost / benefits etc. and seek our post-facto approval.

Data Protection Law

A database can be technically explained as machine readable compilation of information. It cannot come within the meaning of the expression “Copyright” under Section 14 of the Copyright Act 1957. Data protection is aimed at protecting the informational privacy of individuals. An investigative report appearing in “The Sun” journal that an Indian BPO employee sold bank account details of Britons to the reporter of the said journal (which was even caught on camera) raised hue and cry and safety of the information and integrity of the BPOs’ and their employees. India being one of the major BPO hubs and as India has an edge even over China as regards service sector there is a crying need to have a law in this respect. India at present does not have any specific legislation to protect databases.

The Information Technology Act, 2000 [ITA] was amended in the year 2006 in the aftermath of incidents resulting in data thefts to provide for provision against data thefts and failure to protect data.

Under the ITA, the terms “Data’, “Computer Database”, “Computer Resource” have been defined as under:

“Data” means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.

“Computer Database” means a representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network.

“Computer Resource” means computer, communication device, computer system, computer network, data, computer database or software.

By the Information Technology Amendment Act, 2006, Section 43A was inserted to provide specifically compensation against bodies corporate who fail to protect data. This provision states that damages by way of compensation upto to Rs.5 Crores [Rupees Five Crores] may be awarded in the case a wrongful loss of data or any wrongful gain achieved out of data.

The US Position:

Due to the ECHR directives, US had to enact the “Safe Harbour Principles (SHP)” which are however not totally compliant of the EU Directives. However the European Commission approved the Safe Harbour Principles of US in the year 2000. The underlying objectives of SHP are to protect information and its privacy, free flow of information and to promote e-commerce. The US views the private data as a commodity whereby if a person wants to barter his private data against discounts offered by a departmental store he is free to do that. If the discounts are worth more to a consumer rather than his privacy, he or she can sign up for the same which will allow retailers to tract his spending habits.

With regard to data collection, SHP has the following features:

Notice: Notice need to be given to the data subject (consumer) explaining the need to collect data. The notice should also state the purpose of data collection, for what it will be used and how will it be used, who will have access to it and how the data will be kept secured.

Choice: The data subject should have choice as to opt out of the collection and forward / transfer the data to third parties.

Access: The consumer should be provided access to data and to validate the personal information, or to rectify it, alter it or to delete any erroneous information.

Third Party Transfer and Adherence: Every Third Party to whom data is sent should comply with SHP.

Date Integrity: Data must be relevant and reliable for the purpose it was collected for.

Security: Reasonable protection and security measures should be provided for protection of data.

Enforcement: Every organisation that has personal data has to guarantee its adherence to SHP, examine and amicably settle consumer complaints and report violations of SHP.

The UK Position:

The United Kingdom has enacted the Data Protection Act, 1998 in consonance with the EU Directive. The Act is quite comprehensive and it clearly defines some important terms like “Data”, “Data Subject”, “Personal Data” as under:

“Data” means information which—

1. is being processed by means of equipment operating automatically in response to instructions given for that purpose,
2. is recorded with the intention that it should be processed by means of such equipment,
3. is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, or
4. does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68;

“data subject” means an individual who is the subject of personal data;

The Eight UK Principles for Data Protection are contained in Schedule – I of the said Act. They are as follows:

1. There should be fair and lawful processing of data.
2. Data Controllers should ensure that data is used only for lawful and specified purposes and should not carry out any processing which is incompatible with those purposes.
3. Data Controller should hold only personal data that is adequate and relevant and not excessive in relation to the purpose for which it is held.
4. All personal data are accurate and up to date.
5. Personal data shall not be kept for longer than necessary for the specified purpose or purposes.
6. Processing of personal data should be carried out in accordance with the rights of the data subjects under the Act.
7. Adequate, appropriate, technical and organisational measures should be taken against unauthorised or unlawful processing and accidental loss, destruction or damage to the personal data.
8. Data Controllers are obligated not to transfer data to countries that do not have adequate level of data protection. [The Eight Principle is in line with Article 25 of the EU Directive]

Conclusion

On a comparison of the provisions of the Indian IT Act, 2000 with Data Protection Act, 1998 one can understand that in the IT Act there is no emphasis on protection of personal data. Article 300A of the Constitution ensures the right not to be deprived of property except by authority of the law. However, this right can be claimed only against the State and not against private individuals or employees. However, though a personal data may be considered as an intangible property for service industry, in absence of any law supporting such a treatment cannot be accorded. Since a personal data cannot be protected under the existing Intellectual Property Laws, a specific legislation is required probably in line with the Data Protection Act, 1998 of the UK. Despite subscribing to National No Call Registry, we continue to receive cold calls, spam sms, more particularly from our own service providers like the bank in which we have our account, or our telephone services provider whose service we engage, since they have access to the information provided by us and they misuse it with impunity.