
Banking and Insurance Law -Cover Page-

DR. RAM MANOHAR LOHIYA NATIONAL LAW UNIVERSITY


2019-20
BANKING AND INSURANCE LAW

Project On Topic
“ELECTRONIC FUND TRANSFER: AN ANALYSIS OF LEGAL
FRAMEWORK AND CHALLENGES”

SUBMITTED TO
DR. APARNA SINGH
ASSTT. PROF. (LAW)
DR. RMLNLU, LUCKNOW

SUBMITTED BY
NEHA KUMARI BIND
ROLL NO.: 170101086
3rd YEAR (6TH SEMESTER)

TABLE OF CONTENTS

ACKNOWLEDGEMENT
INTRODUCTION
FORMS OF ELECTRONIC BANKING AND ELECTRONIC PAYMENT IN INDIA
LEGAL REGIME OF ELECTRONIC BANKING IN INDIA
MAJOR ISSUES: SECURITY AND PRIVACY
E-ROUTE TO BANK IN TIMES AHEAD
SUGGESTIVE MEASURES AND CONCLUSION
BIBLIOGRAPHY

ACKNOWLEDGEMENT

The importance of research in Academics cannot be emphasized enough. While classroom teaching helps a student with understanding the fundamental concepts of a subject, research papers like this push one towards the detailed analysis of particular topics.

The fundamentals of my understanding of this topic were established with the classroom lectures of Dr. Aparna Singh, Assistant Professor (Law) at this University. She has since guided me on this topic for which I am very grateful. I am also grateful to Dr. Madhu Limaye Library, Dr. Ram Manohar Lohiya National Law University, Lucknow which provided me with the required support both in the form of books and online database which has been of immense value to this project.

This research was only built upon existing research of stalwarts in the field of law, parts of which have been reproduced and duly cited. I am thankful to the authors of all such existing research.

Finally, I acknowledge the support of my peers, the blessings of my parents and the never ending grace of the almighty which has been the driving force of everything good in my life including this research paper.

Banking and Insurance Law -Electronic Fund Transfer-

INTRODUCTION
The adoption of technology has brought a sea change to the Indian banking sector, especially in
the post-reforms period. The growth and development of information technology in the 80s and
the advancement in computer networking has helped the banks to automate the transactions. With
the development of internet and subsequent introduction of e-commerce, m-commerce and
Automated Teller Machines (ATMs), the industry has witnessed structural and functional changes.
Electronic fund transfer (EFT) system owes its origin to the introduction of the first automated
teller machine (ATM) in the mid-1960s. The ATM was able to handle account transfers, accept
deposits, and dispense cash using a standard magnetic stripe card and personal identification
number (PIN).
The term EFT refers to the application of computer and telecommunication technology in making
or processing payments. It is a descriptor that defines payment vehicles which use electronic
networks instead of cash or cheques to conduct a transaction. EFT networks are divided into two
main types: wholesale and consumer.1
In India, the push towards electronic banking was initiated by the Reserve Bank of India with the
help of various recommendations made by the Committees constituted from time to time for
development of information technology infrastructure. In 1994, the main objective of the
Rangarajan Committee Reports on Computerization of Banks was to furnish recommendations
on technology issues regarding payment systems. Some of the recommendations made by the
Committee included the establishment of EFT system, introduction of MICR clearing in more than
100 banks and promotion of card culture. In the same year, legislations on EFT and other electronic
payment modes were proposed. A set of EFT Regulations were recommended by the Reserve Bank
under the Reserve Bank of India Act, 1934 and amendment to the Bankers’ Books Evidence Act,
1891. Subsequently, the EFT was launched by the Reserve Bank in 1995 with a view to
modernizing funds transfer in the country and speeding up the transfer of funds between and among
the banks. The committee under the chairmanship of Dr. A. Vasudevan further recommended
upgradation of technology in the banking sector which included legal framework of electronic
banking, technology plans for banks, outsourcing of technology and services and computerization
of Government transactions.2 The RBI set up a ‘Working Group’ on Internet Banking to examine
different aspects of Internet Banking. The focus of the group was on three major areas of banking:
technology and security issues, legal issues and regulatory and supervisory issues.3 Considering
and recognizing the importance of the above issues, the Government of India enacted Information
Technology Act, 2000 (IT Act, 2000) to provide legal recognition to electronic transactions. An
amendment to the RBI Act was also made which empowers the Reserve Bank to regulate electronic
fund transfer among banks and financial institutions.

1 http://papers.ssrn.com/sol3/papers.cfm?abstract_id=927473.
2 Sonia Chawla and Ritu Singhal, “India and the World: The Changing Paradigms in the Banking Sector due to Technological Advancements” Prajnan, Vol. 39, 130 (2010-11).
3 Working Group on Internet Banking, 2001 under the Chairmanship of S. R. Mittal.


FORMS OF ELECTRONIC BANKING AND ELECTRONIC PAYMENT SYSTEMS IN INDIA
E-Banking is an umbrella term for the process by which a customer performs banking transactions
by electronic means without visiting the brick-and-mortar institution.4 E-Banking is defined as the
automated delivery of new and traditional banking products and services directly to customers
through electronic, interactive communication channels. E-Banking is characterized with several
aspects of E-power such as:
a) Power of information
b) Power of execution
c) Power of choice
d) Power of speed
e) Power of convenience
f) Power of economy
Forms of Electronic Banking
1. Internet Banking: A banking transaction which takes place in a virtual ambience on the website
of a banking company or a financial institution is termed Internet banking. The essence of
internet banking lies in online access to banking and financial services by customers. The major
advantage emerging out of internet banking is that the customer can carry out basic banking
transactions at any time of the day, irrespective of the time on the clock. Transactions are
automatically reconciled and updated in all the required data tables, thereby reducing the workload.
It was ICICI Bank which initiated the electronic banking revolution in India when it introduced
internet banking in 1997 under the brand name ‘Infinity’.5 This was soon followed by HDFC and
Global Trust Bank in 1999. Since then, many public sector banks and commercial banks like State
Bank of India (SBI), Bank of India (BOI), Bank of Baroda (BOB), Punjab National Bank (PNB),
Syndicate Bank, Allahabad Bank and many more have taken up electronic form of banking as a
part of banking practices.
2. Mobile Banking:
The biggest limitation of internet banking is the requirement of computer or laptop with internet
connection. Mobile banking addresses this fundamental limitation of internet banking by reducing
the customer requirement to just a mobile phone. The kind of banking and financial service that
gives a real-time mobile access to customers on the move is called ‘mobile banking’. Mobile
banking refers to banking activity carried out on a mobile phone. Mobile banking facility is an
extension of internet banking. Banking is enabled even when a person is on the move.
3. Telephone Banking: Telephone banking refers to dialing a telephone number using a telephone
to access the account, transfer funds, request statements or cheque book simply by following
recorded message and pressing the corresponding keys on the phone. 6 It allows customers to check

4 R. K. Uppal and N. K. Jha, Online Banking in India, 120 (Anmol Publications, New Delhi, 1st edition, 2008).
5 Deepak Kumar, Shashi Kapoor et. al. “Internet Banking: A New Paradigm” published in E-banking in India- Challenges and Opportunities, 125 (New Century Publications, New Delhi, 1st edition, 2007).
6 Seema Kapoor and Deepak Dhingra, “Application of Information Technology in Banking” published in E-banking in India- Challenges and Opportunities, 106 (New Century Publications, New Delhi, 1st edition, 2007).


their account at a convenient time and get simple things done without visiting bank premises. Telephone
banking can be defined as a secure, fast and convenient way to obtain a range of services by using
a telephone without visiting the branch, e.g. account information, conduct of transactions, reporting
loss of an ATM card, ordering a cheque book, etc. Following are the features of telephone banking:
a) Available to any individual customer of the branch
b) Requirement of customer to apply for the facility in the application form
c) Real-time service
4. Automated Teller Machine (ATM): ATM is an electronic machine operated by the customer
himself to make deposits, withdrawals and other financial transactions. It is a step towards
improvement in customer service. ATM facility is available to customers 24 hours a day. ATMs
have given an edge to banks and financial institutions in efficiently carrying out their operations.
5. Plastic Money: Plastic cards, also known as plastic currency, which involve an electronic device in
their functioning, are fast gaining popularity as a convenient mode of payment. So what are the banking
technologies which are used through cards? The following is the list of types of plastic cards:
a) Credit Card
b) Charge Card
c) Debit Card
d) Co-branded Card

Electronic Payment System


Electronic payment system is a convenient way of making a purchase or paying for a service
without holding cash or having to go through the process of completing a cheque. Electronic
payment system constitutes an important segment of the E-Banking service. The biggest advantage
claimed by the electronic payments is that they are the convenient ways of completing cash-based
transactions. Various payment methods adopted in electronic payment environment are described
as follows:
1. Digital Cheques: Electronic payment devices involving the use of networking services whereby
the e-customer issues digital cheques to e-merchant malls to settle transactions carried over the
internet are known as digital cheques. Digital cheques are similar to paper cheques issued in
physical banking environment.7 Digital cheque system is carried over the internet with adequate
in-built security.
2. Electronic Cash: Electronic cash, also known as digital money, refers to a payment system
used in online banking and financial services scenario. It is an internet payment system which
combines computerized convenience with security and privacy. Electronic cash is an attractive
mode of payment for online shopping, combines the benefits of credit and debit cards and
is used exclusively by the owner. Electronic cash is accepted based on identification and
verification of the owner or user. Electronic cash issuing bank is known as e-mint which is

7 Preety Sharma and Pooja Mehta, “Plastic Money” published in E-banking in India- Challenges and Opportunities, 113 (New Century Publications, New Delhi, 1st edition, 2007).


authorized to sign the electronic cash. Security mechanisms such as digital signature algorithms
are used to ensure security of e-cash.8
3. Electronic Purse (E-purse): A wallet-size smart card embedded with a programmable
chip, which stores e-money to be used in a virtual trading environment for making payments, is
known as an “electronic purse”. E-purse is electronically loaded with money by the e-mint or the
banker in virtual environment. It is used for making payment for any e-transaction. Authenticity
of the user is verified with the help of a card vending machine installed at the merchant’s e-mall. It
is a convenient mode of payment to pay the bills for each transaction. E-purse is charged
after being used when its value gets depleted.
4. Electronic Card: An electronic card with a PIN used in internet trade transactions is known as
‘electronic card’. There are four entities comprising the working of the electronic credit, such as
the consumer who e-shops, the e-merchant, the E-Banking institution of the merchant and the card
issuing bank. Credit card transactions are handled by the merchant server, merchant bank, and the
card issuing bank.9

LEGAL REGIME OF ELECTRONIC BANKING IN INDIA


Legal issues relating to electronic transaction processing at banks are very many and the need to
address them by amending some of the existing Acts and by promoting legislation in a few hitherto
unexpected areas has assumed critical urgency. Necessary legislative support is essential to protect
the interests as much of the customers as of the banks and their branches in several areas relating
to electronic banking and payment systems. This is specially required to establish the credibility
of ECS and EFT schemes based on the electronic message transfer. It was noticed by the Working
Group on Internet Banking10 that the banks providing internet banking service, and customers
availing the same, were entering into agreements defining respective rights and liabilities in respect
of internet banking transactions. The said Working Group recommended, “A standard format or
minimum consent requirement to be adopted by banks may be designated by the Indian Banks’
Association, which should capture all essential conditions to be fulfilled by the banks, the customer
and relative rights and liabilities arising there from. This will help in standardizing documentation
as also develop standard practice among bankers offering internet banking facility.”11 While
discussing the legal risks, it is also essential to address risks arising out of noncompliance with the
statutory requirements which also involve reputational risks. Legal risks arise out of ambiguities
in the statutes also. In order to understand these risks, it is important to first study the legal
framework of electronic banking in India.
1. Information Technology Act, 2000: Prior to the Amendment Act of 2008, IT Act, 2000 boasted
of only two provisions dealing with computer related issues, i.e. Sections 43 and 66. The
Amendment Act of 2008 Information Technology Act, 2000: S. 43- Penalty and Compensation

8 Ibid.
9 Ibid.
10 Available at: http://rbidocs.rbi.org.in/docs/Publication Report/Pdfs/21595.pdf (Accessed on January 25, 2012).
11 Id, at para 92.


for damage to computer, computer system, etc. If any person without permission of the owner or
any other person who is in charge of a computer, computer system or computer network –
(a) accesses or secures access to such computer, computer system or computer network or
computer resource
(b) downloads, copies or extracts any data, computer data base or information from such computer,
computer system or computer network including information or data held or stored in any
removable storage medium;
(c) introduces or causes to be introduced any computer contaminant or computer virus into any
computer, computer system or computer network;
(d) damages or causes to be damaged any computer, computer system or computer network, data,
computer data base or any other programmes residing in such computer, computer system or
computer network;
(e) disrupts or causes disruption of any computer, computer system or computer network;
(f) denies or causes the denial of access to any person authorised to access any computer, computer
system or computer network by any means;
(g) provides any assistance to any person to facilitate access to a computer, computer system or
computer network in contravention of the provisions of this Act, rules or regulations made
thereunder,
(h) charges the services availed of by a person to the account of another person by tampering with
or manipulating any computer, computer system, or computer network,
(i) destroys, deletes or alters any information residing in a computer resource or diminishes its
value or utility or affects it injuriously by any means;
(j) steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any
computer source code used for a computer resource with an intention to cause damage,
he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the
person so affected.
There are some areas specific to banks and customers or the banking sector as a whole which are
explained as follows:
a) Intermediary: The definition of the term ‘intermediary’ has been amended in the year 2008.
S. 2(w)- "Intermediary" with respect to any particular electronic records, means any person who
on behalf of another person receives, stores or transmits that record or provides any service with
respect to that record and includes telecom service providers, network service providers, internet
service providers, web hosting service providers, search engines, online payment sites, online-
auction sites, online marketplaces and cyber cafes cannot be regarded as free from doubts. To
make banks governed by all the provisions applicable to intermediaries would result in unintended
consequences and may even expose the banks to penal provisions under IT Act, 2000.
b) Encryption: Any data transferred online is subject to the risk of being intercepted and misused.
Encrypting data before transferring it over the internet will go a long way in safeguarding against
such interception. If encryption of data is adopted by all entities which provide service through
internet, then it would be beneficial in protecting customers’ privacy and in protecting other forms
of data. RBI has stipulated SSL/128bit encryption as minimum level of security. Similarly, SEBI


has stipulated 64/128bit encryption for online trading and services. These encryption standards,
however, do not meet the international standards. Information Technology (Certifying Authorities)
Rules, 2000 requires internationally proven encryption techniques to be used for storing
passwords. An Encryption Committee constituted by the Central Government under Section 84A
of the IT Act, 2000 is in the process of formulating rules with respect of encryption. A minimum
and reasonable level of encryption should be suggested by the banking sector. S. 84A- Modes or
methods for encryption The Central Government may, for secure use of the electronic medium and
for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption.
c) Data Protection: Section 43A of IT Act, 2000 deals with the aspect of compensation for failure
to protect data. S. 43A- Compensation for failure to protect data: Where a body corporate,
possessing, dealing or handling any sensitive personal data or information in a computer resource
which it owns, controls or operates, is negligent in implementing and maintaining reasonable
security practices and procedures and thereby causes wrongful loss or wrongful gain to any person,
such body corporate shall be liable to pay damages by way of compensation, not exceeding five
crore rupees, to the person so affected. Until these prescriptions are made, data is afforded security
and protection only on the basis of an agreement made between the parties or as specified by the
law. Explanation (ii) to Section 43A, however, is worded in such a way that it is still unclear
whether it would be possible for banks to enter into agreement which stipulates such standards for
protecting data. It is also unclear whether negligence or mala fides on the part of the customer would
make the bank or financial institution liable, or whether, by affording too much protection to banks, a
customer is made to suffer; these are the two extremes of the situation. The need is for striking a
balance between consumer protection and protection of banks from liability due to no fault of theirs.
2. Negotiable Instruments Act, 1881: Under the Negotiable Instruments Act, cheque includes
the electronic image of a truncated cheque and a cheque in electronic form. Cheque Truncation is a
method of payment processing whereunder movement of the paper instrument is truncated by
substituting it with electronic transmission of the cheque details or data. The Shere Committee
examined the legal issues pertaining to cheque truncation and indicated that the definition of
presentment in the Negotiable Instruments Act may have to be amended for adoption of cheque
truncation system in India. Under the Negotiable Instruments Act, 1881, cheques would have to
be presented for payment to drawee or drawer bank. Without such presentment, no cause of action
arises against the drawer. The definition of a cheque in electronic form contemplates digital
signature with or without biometric signature and asymmetric crypto system. Since the definition
was inserted in 2002, it is understandable that it has captured only digital signature and asymmetric
crypto system being in force and in the absence of such agreement or any law, such reasonable
security practices and procedures, as may be prescribed by the Central Government in consultation
with such professional bodies or associations as it may deem fit.
3. Experiences drawn from Judicial Pronouncements: In Umashankar Sivasubramaniam v.
ICICI Bank,12 the complainant alleged that his account was wrongfully debited due to negligence
on the part of the bank. ICICI contended that the case refers to phishing and the blame of

12 (Petition No. 2462/2008 dated 18.04.2010).


negligence lies with the customer who would need to file an FIR. The bank also raised the objection
that the matter cannot be brought under the purview of IT Act, 2000. The Adjudicating Authority
found ICICI bank guilty of the offences under Section 85 read with relevant clauses of Section
43A of the IT Act and directed the bank to pay a sum of Rs. 12,85,000.
The case of Avnish Bajaj v. State,13 discussed the criminal liability of a network service provider,
Baazee.com, for third party data or information made available by them on their site. The court held
that on a conjoint reading of Sections 67 and 85 of the IT Act, 2000, it may be concluded that on the
basis of the principle of deemed criminal liability, a case may be made out against any director of a
company even though the company may not be arrayed as an accused, provided the ingredients laid
in the section are satisfied.
In ICICI Bank v. Ashish Agarwal,14 before the State Consumer Forum, Raipur, an
appeal was filed against the order of district forum, Raigarh directing the appellant bank to pay
Rs. 49,912.36/- which was allegedly not withdrawn by him from his account and also Rs. 5000/- as
compensation for the mental agony and Rs. 3,000 as litigation cost on account of deficiency in
service. The State Commission observed that the respondent was negligent in giving information
regarding the password to the third person and hence the bank was not liable for deficiency of
service.
In Rishi Gupta v. ICICI Bank,15 before the Consumer Disputes Redressal Forum,
Bangalore, the complainant sought an order directing opposite party bank to refund Rs. 230,000/-
along with interest of 24% per annum which was lost by the complainant on account of alleged
negligence of the opposite party and for an order directing the bank to pay Rs. 100,000/- as damages
for negligence of service. The District forum, dismissing the complaint, observed that in providing
confidential details of his online banking to a third party in response to an email purported to be
issued by the opposite party bank, without verifying with the opposite party bank, the complainant
had acted negligently and he cannot put the blame on bank manager, secretary or other officer shall
also be deemed to be guilty of the contravention and shall be liable to be proceeded against and
punished accordingly.
Before the Consumer Disputes Redressal Forum, Bangalore, in M/s
Pachisia Plastics v. ICICI Bank Ltd.,16 the complaint was filed alleging deficiency of service on
the part of the ICICI Bank on the ground that an amount of Rs. 1,18,000 was debited without
authorization from the account of the complainant through net banking. The Forum dismissed the
complaint on the ground that there was no deficiency of service on the part of the bank.
4. Payment and Settlement Systems Act, 2007: The aforementioned legal provisions of the IT Act and
NI Act may be dealing with electronic transactions; however, the words ‘banks’ and ‘banking
transactions’ are not expressly mentioned in any of the provisions and the judicial pronouncements
also either address the liabilities of service providers or deficiency of service on the part of the
banks. In India, prior to 2007, there was no enactment which expressly dealt with the issue of EFT.
To address this lack of legislation pertaining to EFT, Payment and Settlement Systems Act was
enacted in 2007 (PSS Act). The PSS Act, 2007 provides for the regulation and supervision of
payment systems in India and designates the Reserve Bank as the authority for that purpose and

13 150(2008) DLT769, 2008(105) DRJ721
14 State Consumer Disputes Redressal Commission, Raipur- (Appeal No. 435/2009)
15 CC No. 514 of 2010.
16 CC No. 1059 of 2008.


all related matters. The Reserve Bank is authorized under the Act to constitute a Committee of its
Central Board known as the Board for Regulation and Supervision of Payment and Settlement
Systems (BPSS),17 to exercise its powers and perform its functions and discharge its duties under
this statute. The Act also provides the legal basis for “netting” and “settlement finality”. Under the PSS Act,
two Regulations have been made by the Reserve Bank of India, namely, the Board for Regulation
and Supervision of Payment and Settlement Systems Regulation, 2008 and the Payment and
Settlement Systems Regulations, 2008. PSS Act and the directions and guidelines issued
thereunder, deal to a certain extent with the issue. Section 2(1)(c) of the Act is wider in its
coverage than the EFT Act of US in that it does not restrict itself to transfer of funds initiated
through electronic means but deals with transfer initiated by a person by other means and is settled
electronically, thereby bringing within its ambit Electronic Clearing system (ECS), auto-debit
instructions etc. Any person desirous of commencing or operating a payment system needs to apply
for authorization under the PSS Act.18 The application for authorization has to be made as per
Form A under Regulation 3(2) of the Payment and Settlement Systems Regulations, 2008. The
application is required to be duly filled up and submitted with the stipulated documents to the
Reserve Bank. The Reserve Bank will endeavour to dispose of all applications received for
authorization within six months from the date of their receipt. The Reserve Bank can refuse to
grant authorization under the PSS Act, 2007. However, the Reserve Bank has to give a written
notice to such an applicant giving the reasons for refusal and also a reasonable opportunity of being
heard. The Reserve Bank is empowered to revoke the authorization granted by it, if the system
provider contravenes any provisions of the Act or Regulations, fails to comply with its orders/
directions or violates the terms and conditions under which the authorization was granted to it. The
aggrieved applicant or aggrieved system provider can appeal to the Central Government within 30
days from the date on which the order of refusal or revocation is conveyed to him. The Reserve
Bank is empowered to prescribe the format of payment instructions, size and shape of instructions,
timings to be maintained by payment systems, manner of funds transfer, criteria for membership
including continuation, termination and rejection of membership, terms and conditions for
participation in the payment system, etc.
The Reserve Bank is empowered to call for from the system provider returns, documents and other
information relating to the operation of the payment system. The system provider and all system
participants are required to provide Reserve Bank access to any information relating to the
operation of S. 7. The Reserve Bank, in order to ensure compliance of the provisions of the PSS
Act and the Regulations made thereunder, can depute an officer authorized by it to enter any
premises where a payment system is being operated, inspect any equipment, including any
computer system or document, and call upon any employee of the system provider or participant
to provide any document or information as required by it. The PSS Act defines “netting” and
legally recognizes settlement finality. It states that a settlement, whether gross or net, will be final
and irrevocable as soon as the money, securities, foreign exchange or derivatives or other

17 Payment and Settlement Systems Act, S. 3.
18 S. 5


transactions payable as a result of such settlement is determined, whether or not such money,
securities or foreign exchange or other transactions is actually paid. In case a system participant is
declared insolvent, or is dissolved or is wound up, no other law can affect any settlement which
has become final and irrevocable and the right of the system provider to appropriate the collaterals
contributed by the system participants towards settlement or other obligations. Under the PSS Act,
operating a payment system without authorization, failure to comply with the terms of
authorization, failure to produce statements, returns, information or documents or providing false
statement or information, disclosing prohibited information, non-compliance with directions of the
Reserve Bank, and violations of any of the provisions of the Act, Regulations, orders, directions etc., are
punishable offences for which the Reserve Bank can initiate criminal prosecution. Reserve Bank is
also empowered to impose fine for certain contraventions under the Act. In order to make the
process of electronic funds transfer smooth and effective, the Reserve Bank has been issuing a
number of guidelines to deal with the various aspects of and procedures for electronic fund
transfer.19 Further, so as to help banks to identify and control fraudulent alterations in cheques, the
Reserve Bank has issued instructions that no changes or corrections should be carried out on the
cheques other than for date validation purposes, if required. For any change in the payee’s name,
courtesy amount, i.e. amount in figures or legal amount, i.e. amount in words, etc., fresh cheque
forms should be used by customers. As regards various aspects of customer service, the Reserve
Bank has been issuing directions or guidelines from time to time to deal with certain aspects like
reconciliation of failed transactions at ATMs, enhanced security measures for online card
transactions, etc. In addition to these measures, a customer also has recourse to general law.
Therefore, though there is no specific legislation in India which deals only with ‘electronic fund
transfer’, certain concerns have been dealt with in the Payment and Settlement Systems Act, the Rules,
Regulations, directions, etc. issued thereunder as well as the provisions of general law.

MAJOR ISSUES: SECURITY AND PRIVACY


There is a plethora of risks and issues associated with EFT. A few of those issues, which include
lacunae in the provisions of the IT Act, 2000 and the NI Act, have already been mentioned above.
However, for the purpose of this paper, the major issues which I intend to cover in detail are the
issues of security and privacy.
Security: Security refers to the protection of the integrity of EFT systems and their information
from illegal or unauthorized access and use. Security risk arises on account of unauthorized access
to a bank’s critical information stores like accounting system, risk management system, portfolio
management system, etc.20 For instance, hackers operating through the internet can access, retrieve
and use confidential customer information and can also implant viruses. As the use of EFT systems
becomes widespread and common among banks, the growing connectivity between information
systems, the Internet and other infrastructure creates opportunities for attacks on such systems.

19 Puja Arora, Deepak Kumar et al., “Role of Information Technology in Banking Sector” published in E-banking in
India- Challenges and Opportunities (New Century Publications, New Delhi, 1st edition, 2007)
20 Supra note 12 at 20.

Funds can be removed in currency instantly without review of individual transactions by officials.
EFT crime is often difficult to detect because funds or data can be removed or manipulated by
instructions hidden in complex computer software and often it happens that the dynamics of the
criminal action are understood only by a few experts within the banking institution.
It is, therefore, important to ensure that any disruptions of critical information systems are
prevented and managed effectively and efficiently to minimize their impact. The security team for
important projects must be top notch and the security solutions must be effective ones. Security is
widely recognized as a quintessential factor which comes to the fore in times of disaster. Security
controls need special attention due to the open nature of internet and the pace of technological
change. A high degree of security is especially important to the future development and use of
EFT as it is a relatively new technology which is challenging much older and well-established
traditional payment systems.21 It is difficult at present to assess the level of EFT security violations
because of underreporting of EFT crime, paucity of information about EFT security, and a lack of
informed public discussion, although considerable public concern is voiced.
Payment systems and financial institutions must be able to guarantee, at least to some reasonable
degree, the safety of assets entrusted. They must be able to protect both funds and data against
theft, loss, and misuse. Users must be assured that transactions will be carried out according to
their instructions. The adequacy of EFT security systems is important, not only because the
customers are entitled to protection of their accounts and to the confidentiality of the information
they provide, but also because an unacceptable number of security failures is likely to undermine
public confidence in banks and financial institutions, thereby weakening the economy of the
country and eventually national security; the RBI has been taking note of this. In whatever form
money may exist, it becomes an object of greed and a target for criminal activity. The availability
of ATMs and point-of-sale (POS) terminals enables the customers to carry less cash in their
pockets. Automatic deposit of payrolls and social security checks would reduce the volume of
thefts from mailboxes. Merchants will suffer fewer losses from bad checks and credit card fraud.
There are EFT procedures through which customer involvement with the system is facilitated and
funds are quickly removed, often without another human having overseen the process. EFT
systems involve many third parties in encoding, transmitting, or storing data, thereby providing
many vulnerable points where security could be breached. The data needed for EFT systems are
easily aggregated and accessed, therefore, creating a value in addition to the value of the existing
funds. This also creates a dimension of security concern in relation to EFT systems. EFT
technologies can lose data through failure of hardware components, communication links, or
deterioration of storage media. Where there is no backup documentation, such data loss can
seriously compromise the EFT system. Some experts assert that most EFT crime is never detected,
or if detected is not reported. Banks are often reluctant to publicize EFT losses for various reasons
such as fear of compromise of public confidence, weakening of their reputation, increase of
insurance premiums, etc.

21 “Selected Electronic Funds Transfer Issues: Privacy, Security, and Equity”, Background Paper (March 1982) at 45,
available at: http://www.fas.org/ota/reports/8223.pdf

Losses from individual accounts may go undetected by the account owners because they are so
small. Quite often, managers and law enforcement officials are not qualified to detect computer-
based crimes and frauds, and are unlikely to challenge either the machine or the computer experts
on the workings of the system.22 Computer criminals, on the other hand, are said to be young,
intelligent, enthusiastic computer buffs with no prior criminal record. EFT crimes are generally
aimed at theft of funds, destruction of data or causing disruption or destruction of the EFT system.
Employees of the institution are frequently the source of EFT crime, mainly due to easy access to
the systems. They may hide unauthorized procedures within programs by building in instructions
to abort or divert authorized transactions, and then remove this procedure from the computer’s
memory bank. Unauthorized copying of either programs or data, such as account numbers and
PINs, usually cannot be detected or traced. Credit card fraud is one of the biggest threats to the security
of EFT, as credit card fraudsters employ numerous modus operandi to commit fraud. Credit card
frauds are committed in the following ways:
a) Criminal deception by use of unauthorized account or personal information
b) Illegal or unauthorized use of account for personal gain
c) Misrepresentation of account information to obtain goods or services. 23
The internet has provided ideal ground for fraudsters to commit credit card fraud in an easy
manner. Fraudsters have recently begun to operate on a transnational level. In the banking sector,
the most common form of phishing has been an email pretending to be from a bank, in which the
sender asks the recipient to confirm personal information for reasons like upgrading of the server, etc. The
email contains a link to a fake website which is a lookalike or, in other words, a ‘HUMSHAKAL’ of
the genuine site. The customers, believing that the link sent is from the bank, enter the information
which is asked for and send it into the hands of identity thieves. In India, there have been phishing
attempts on ICICI Bank, UTI Bank, HDFC Bank, SBI, etc. in which the modus operandi was
similar. Apart from the general banking scams, some of the recent phishing attacks which took
place in India have been the RBI phishing scam, the IT Department phishing scam, the World Cup 2011 scam
and the Google scam. Though the IT Act, 2000 does not define phishing, the provisions
contained in Sections 66, 66A, 66B and 66D are applicable to phishing activities. 24
As a focus area among security issues, user authentication assumes great significance in EFT, as
customers log on to the system from different locations without any physical means of
authentication. This is the reason public key encryption was developed, i.e. to authenticate
electronic messages and prevent denial or repudiation by the sender or receiver. No customer
should later be able to claim that any particular transaction was not transacted by him or her. Therefore,
proper authentication and authorization mechanisms using encryption and digital signatures should
be established. Availability is another important component in maintaining a high level of public
confidence in a network environment. Users of the network expect access to systems 24 hours a day, 7 days
a week. Moreover, to ensure security in EFT, establishment of trust among parties is essential.

22 Ibid.
23 Tej Paul Bhatia, Vikram Prabhu, et al., “Understanding Credit Card Frauds” Cards Business Review (2003)
24 Sonia Chawla and Ritu Singhal, “India and the World: The Changing Paradigms in the Banking Sector due to
Technological Advancements” Prajnan, Vol. 39, 130 (2010-11)

This can be established through a trusted third party designated as a Certification Authority. Digital
certificates may play an important role in authenticating parties and therefore, establishing trust in
EFT systems.
Privacy: The protection of data finds its roots in the individual's right to privacy doctrine. 25 The
right to privacy is explicitly contained in or has been inferentially found to exist in the constitutions
of most developed nations, and the jurisprudential parameters of privacy rights have been explored in various
forums. However, the specific privacy issue related to protection of personal data became an issue
of growing concern with the advent of computerized systems which could store and disseminate
large amounts of information with relative ease via automated processes. Though the Indian Constitution
does not define privacy, a plethora of Supreme Court decisions have affirmed that the right
to privacy is a right concomitant to the right to life and liberty enumerated in Article 21 of the
Constitution. However, in the modern era when cyberspace is fast evolving as a new branch of
jurisprudence, privacy has been facing numerous challenges, particularly in the banking sector
where it has become an issue.
In terms of information and record keeping, privacy appears to mean the ability to keep certain
personal information guarded from other people or to restrict its use, except when a person freely
chooses to permit its disclosure or use. In modern society, it is difficult to keep all personal
information absolutely confidential. In practice, individuals generally seek to restrict some kinds
of personal information to those who have a legally defined or socially sanctioned need to know,
or to those who can provide some benefit or service in return. Information may expose one to
censure or punishment, it may threaten one’s reputation, social status, or self-esteem, it may give
others some advantage or power over oneself, or lessen one’s advantage over others in competitive
situations. Information concerning income, debts, or financial transactions may in some situations
do all of these things. This is one of the reasons as to why people are particularly sensitive to
privacy when it comes to payment systems.
Privacy is regarded as an attribute of individuals and the focus is on those activities through which
they are able to control and restrict access to personal information. The information so protected
is “confidential.” One way in which privacy can be violated is by illegal or unauthorized access to
EFT and other telecommunication systems. However, the possibility also
remains that EFT systems and services themselves, through their normal functions and operations,
may intrude on the privacy of users. In order to obtain the extra convenience of a credit card,
customers are willing to provide additional personal information, such as place of employment,
and level of earnings. As long as the information is used by the recipient only for the limited
purpose for which it was intended, privacy is not usually considered to have been invaded because
the information was provided in order to gain certain benefits. Banks and financial institutions
should provide privacy of the data and the transaction in all circumstances except in cases where
they are instructed by the competent legal authority or the Government to divulge the same.

25 Vinita Bali, “Data Privacy, Data Piracy: Can India Provide Adequate Protection For Electronically Transferred
Data?” 21 Temp. Int'l & Comp. LJ 105 2007.

Just as the use of financial data for authorizing the acceptance of payments and the extension of
credit is advantageous to the customer, the denial of such services because of erroneous or
incomplete data represents a significant disadvantage. Thus, the customers need to know what
information is recorded about them and how they can correct inaccuracies. In many ways EFT can
enhance the privacy of financial transactions. An ATM transaction is clearly more impersonal and
anonymous than one conducted through a human teller. Electronic transactions cannot be signed
over to a third party by the recipient like in case of a cheque. The coding of information as
electronic signals minimizes the possibility of casual or accidental perusal of information.
India at present does not have a specific data protection law. The Personal Data Protection Bill, 2006
was introduced in the Rajya Sabha to provide protection of personal data and information of
individuals collected for a particular purpose. The Bill has not been passed. Data protection
and privacy provisions are scattered and sparse in coverage in the existing legislations. The
existing data protection laws are strewn in laws pertaining to information technology, intellectual
property, crimes, and contractual relations. Under increasing pressure from BPO operations and
call centers in India that handle large volumes of data from the United States and Europe, the
Indian government contemplated the passage of a comprehensive law protecting data. However,
despite urgency of the matter and pressure from internal and external fronts, the enactment of data
protection legislation kept on getting delayed.
Among these, the most prominent one has been the IT Act, 2000 26 which specifically pertains to the
use of electronic data. Section 43A deals with the aspect of compensation for failure to protect
data. Section 43(b) of the Act affords cursory safeguards against breaches in data protection. Its
scope is limited to the unauthorized downloading, copying or extraction of data from a computer
system and unauthorized access and theft of data from computer systems. Section 43(b) fails to
meet the breadth and depth of protection that the EU Directive mandates. It makes little effort to
ensure that internet service providers or network service providers, as well as entities handling
data, be responsible for its safe distribution or processing. Furthermore, the liability of entities is
diluted in Section 79 of the Act, which inserts "knowledge" and "best efforts" qualifiers prior to
assessing penalties.27 A network service provider or intermediary is not liable for the breach of
any third party data made available by him if he proves that the offence or contravention was
committed without his knowledge, or that he had exercised all due diligence to prevent the
commission of such offence or contravention. Similarly, while Section 85 of the Act does invoke
entity liability, such liability is limited to the specified illegal acts under the IT Act, 2000, which
does not offer broad protection of data.

26 Income Tax Act, 1961 (Act 43 of 1961).
27 Supra note 158 at 119.

With regard to damages available in the event of a breach of data privacy, Section 43(b) is deficient
in that the maximum penalty for this breach is monetary compensation in the paltry amount of
approximately $220,000. The maximum monetary damages available for a breach, which can
potentially be worth several times more, is clearly inadequate in a transnational context. The law
makes no differentiation based on the intentionality of the unauthorized breach, and no criminal
penalties are associated with a breach of Section 43(b). 28 Section 65 offers protection against
intentional or knowing destruction, alteration, or concealment of computer source code. Section
66, while offering no clear language that protects personal data, offers limited protection when
personal data is destroyed, deleted or altered. In addition to these protections, Section 72 of the
Act of 2000 offers some protection for breaches of confidentiality and privacy. In contrast to the
IT Act of 2000, the EU Directive envisions much broader violations associated with breach of data
security than the limited sphere of the IT Act of 2000. The E.U. Directive provides for protections
in the entire chain of control of data and creates systems of security and associated penalties within
the various stages of data processing. For instance, the Directive prescribes limits to the collection
of personal data, requiring that a purpose for the data collection be articulated. The Directive also
requires that data must be obtained by lawful and fair means and, where appropriate, with the
knowledge or consent of the data subject. Personal data should be relevant to the purposes for
which they are to be used and, to the extent necessary for those purposes, should be accurate,
complete and kept up-to-date.
The Indian system of data protection, therefore, can at best be described as a spider’s web:
many protections are offered through various sources and the web traps some violations, but gaps
and holes remain through which others slide through. Even though the Amendment Act of 2008
has strengthened the IT law in India by insertion of more penal provisions, it is still not adequate
to lend enough protection and confidentiality to data. The banking sector is one of the sectors highly
affected by this lack of privacy in EFT systems.

E-ROUTE TO BANK ON IN TIMES AHEAD

The Reserve Bank has been pro-active in working towards improvement of EFT systems in India.
It vigorously promotes the use of electronic modes of payments over paper based ones as they are
cost effective and more efficient. The increase in the spread of NEFT to approximately 87,000
branches and RTGS to around 85,000 branches in 2012 highlights the success of the initiatives
taken by RBI in this regard. Earlier this year, in a bid to make it easier for bank customers to repay
loans via digital channel, the Reserve Bank asked all banks to accept NEFT as one of the electronic
modes of payment. The Apex Bank issued the directive in the wake of receiving several complaints
from customers regarding non-acceptance of NEFT by banks for credit to loan accounts. Steps
have been initiated by RBI to replace the existing RTGS system with the Next Generation Real
Time Gross Settlement (NG-RTGS) by adopting the latest technology and new business models. 29
At present, about 31 non-banking entities have been permitted to operate issuance of pre-paid
instruments, providing cross-border in-bound money transfer, card payment network and ATM
network. Payment systems, therefore, are no more the exclusive domain of banks and financial
institutions. Entry of non-banking entities will promote competition and provide more choices to
the customers.

28 Id. at 124.
29 Supra note 77 at 23.

No technological innovation is free from challenges and IT is no exception. The RBI, in its capacity
as a regulator and a supervisor, proactively addresses the risks associated with EFT and from time
to time issues guidelines for secure E-Banking and advises the banks on control mechanisms to
combat attacks such as theft, fraud and phishing. The electronic delivery channels have to
incorporate and undertake sufficient security measures to prevent misuse and fraud. The banking
industry may be keyed up for the challenge; however, it must be borne in mind that fraudsters are
continuously on the prowl and ever ready to pounce on any chinks in the armor. Therefore, the
design of security systems, implementation of security measures, availability and access to
customers should be directed towards maintaining high security standards which would be on par
with domestic as well as international standards. Poor security would create operational,
reputational and legal risks for banks as they would be deemed to have provided inappropriate
protection for customers’ personal data. Bank supervisors should encourage banks to review the
integrity of the data used by their risk management systems.
On the legal front, the infrastructure for promoting E-Banking has not been put in place in a comprehensive
manner. India does not have a licensed certifying authority appointed by the Controller of
Certifying Authorities to issue digital signature certificates. To counter this lacuna, banks may be
allowed to apply for a license to issue digital signature certificates under Section 21 of the IT Act, 2000
and function as certifying authorities for facilitating electronic banking. To this end, the
Reserve Bank may recommend to the Central Government that it notify the business of a certifying
authority as an approved activity under Section 6(1)(o) of the Banking Regulation Act. Section 40A
(3) of the Income Tax Act, 1961 recognizes only payments through a crossed cheque or
bank draft, where such payments exceed Rs.20,000/-, for the purpose of deductible expenses. As
the primary intention of this provision is to prevent tax evasion by ensuring transfer of funds
through recognized accounts, EFT also satisfies the intent of the provision and such transactions
should be recognized by the provision. The Income Tax Act needs to be amended accordingly. 30
The Consumer Protection Act, 1986 31 defines the rights of consumers in India and is applicable to
banking services as well. Presently, the rights and liabilities of customers availing internet banking
services are determined by bilateral contracts between the banks and the customers. It is not yet
clear whether any bilateral agreement defining customers’ rights and liabilities, which are more adverse
to consumers than what they enjoy in the traditional banking scenario, will be legally tenable. It is,
therefore, open to interpretation by courts depending on the facts and circumstances of each case.
Even though the IT Act provides for penalties for the various cyber offences enumerated in its
provisions, the liability of banks is not yet clear. Section 72 provides for penalty for breach of
privacy and confidentiality. Section 79 provides for exclusion of liability of network service
providers for data travelling through their network, subject to certain conditions. Here also, the
liability of banks for breach of privacy is not clear and this
aspect needs a detailed legal examination. Whether Section 43A read with Sections 72 and 72A of
the IT Act, 2000 presently addresses the issue of data protection adequately or whether it needs to
be supplemented by long-term measures which can help facilitate effective and efficient protection
and preservation of data would depend on the prescriptions by the Central Government.

30 “Selected Electronic Funds Transfer Issues: Privacy, Security, and Equity”, Background Paper (March 1982) at 45,
available at: http://www.fas.org/ota/reports/8223.pdf (Accessed on Jan 27, 2020)
31 Consumer Protection Act, 1986 (Act 68 of 1986).

SUGGESTIVE MEASURES AND CONCLUSION


1. All banks which are using EFT systems and those which are moving towards high level of
computerization must formulate a security policy stating the objectives and system controls which
could be devised and implemented to protect the integrity of the important information and data.
3. Risk Management Cells should be established in the banks, particularly those which are
resorting to EFT systems for making and receiving payments. Material containing personal
information about another person, with the intent to cause or knowing that he is likely to cause
wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach
of a lawful contract, such material to any other person shall be punished with imprisonment.
6. Authentication tools of biometric technology such as finger print recognition, face recognition,
iris recognition, voice recognition and finger or hand scan should be put to use more frequently.
This kind of technology is highly beneficial as it is ideal for rural masses which form the major
part of the Indian population, it is accurate and provides strong authentication and offers mobility.
7. The operating systems in banks’ computers should be timely updated to prevent virus and other
types of malware attacks such as hacking and fraud. Moreover, latest versions of the licensed
software should be installed in the computerized systems so that it keeps the internal as well as
external security threats in check.
8. From the customer’s point of view, it is important that the banks should resort to cheque
truncation system as it would result in minimizing the arrears and delays caused due to couriers.
9. Banks should develop outsourcing guidelines to manage effectively the risks arising out of third
party service providers, such as risks of disruption in service, defective service and personnel of
the service provider gaining intimate knowledge of banks’ systems and misusing the same.
10. With the growing popularity of e-commerce, it has become essential to set up inter-bank
payment gateways for settlement of EFT transactions. Inter-bank payment gateways should have
capabilities for both gross and net settlement, so that they fit into the scheme of things of both
RTGS and NEFT systems.
11. SSL/128 bit encryption must be used as a minimum level of security. Adequate firewalls and
related security measures should be taken to ensure privacy to the banks participating in payment
gateway.
13. IT Act, 2000 should be further amended to encompass the principles contained in the Directive,
and the parallel OECD principles related to limitation of data collection, data quality, specified
purpose, use limitation, security safeguards, individual participation and accountability.
The issues of security and privacy are still looming large and EFT systems still have a long way
to go before they become foolproof modes of E-Banking. It must also be kept in mind that an increase
in E-Banking transactions does not mean that physical banking should be completely eliminated.
Physical banking is still vital to the growth of the banking sector in India and it cannot be done away
with, particularly from the point of view of the banker-customer relationship. Not only are there
a number of legal aspects connected with this relation, but it is also of vital importance that the relation
should be a healthy one, for which some part of traditional banking has to be retained.

Banking and Insurance Law -Bibliography-

BIBLIOGRAPHY

BOOKS
• ML Tannan, Tannan’s Banking Law and Practice in India (LexisNexis India, 23rd edition, 2010)
• R. K. Uppal and Rimpi Jatana (eds.), E-Banking in India- Challenges and Opportunities (New
Century Publications, New Delhi, 1st edition, 2007)

ARTICLES & REPORTS
• Deepak Kumar, Shashi Kapoor et al., “Internet Banking: A New Paradigm” published in E-
banking in India- Challenges and Opportunities (New Century Publications, New Delhi, 1st
edition, 2007).
• Leena Kakkar, “Economics of ATM” published in E-banking in India- Challenges and
Opportunities (New Century Publications, New Delhi, 1st edition, 2007).
• Puja Arora, Deepak Kumar et al., “Role of Information Technology in Banking Sector” published
in E-banking in India- Challenges and Opportunities (New Century Publications, New Delhi).
• Raveendranath Hebbar, “The Big, Bad World of Computer Frauds and Crimes” Vinimaya, Vol.
11, 85 (2005-06).
• R. K. Uppal, “Banking Sector Reforms and E-Banking in India” published in E-banking in India-
Challenges and Opportunities (New Century Publications, New Delhi, 1st edition, 2007).

STATUTES
• Banking Regulation Act, 1949 (Act 10 of 1949)
• Consumer Protection Act, 1986 (Act 68 of 1986)
• Information Technology Act, 2000 (Act 21 of 2000)
• National Electronic Funds Transfer System Procedural Guidelines, 2011
• Negotiable Instruments Act, 1881 (Act 26 of 1881)
• Payment and Settlement Systems Act, 2007 (Act 51 of 2007)

ELECTRONIC SOURCES
• http://rbidocs.rbi.org.in/rdocs/RTGS/DOCs/RTGEB1110.xls (Accessed on January 25, 2020)
• Neeraj Aarora, “Phishing Scams in India and Legal Provisions” available at:
http://www.neerajaarora.com/phishing-scams-in-india-and-legal-provisions (Accessed on Jan.
24, 2020).
• “Selected Electronic Funds Transfer Issues: Privacy, Security, and Equity”, Background Paper
(March 1982) at 45 available at: http://www.fas.org/ota/reports/8223.pdf (Accessed on Jan. 23,
2020).
