Prashant Mali, President, Cyber Law Consulting, advises BFSI segment to conduct regular IT Act 2000 Compliance Audits
Mehul Dani: You have fought numerous cyber-crime cases. Please tell nature & scope of such crimes happening in the BFSI segment in India in recent times.
Prashant Mali: While the adoption of information technology for banking services offers unprecedented convenience, cost-effectiveness and speed of delivery, it is riddled with several external threats and suffers from lack of coordination. Even though the advanced analytics on banking platforms attempt to prevent fraudulent transactions, such transactions continue, as several banks and telecom companies fail to comply with suggested and mandated safety norms. Major commercial banks have also been accused of not filing reports of suspicious transactions, an obligatory requirement when there has been an instance of unsatisfactory identification, which allows for speculation that more fraudulent transactions are attempted than are reported.
In recent times, financial services industry is becoming a prime target for cybercrime in the nature of financial fraud, identity theft, unauthorised access, loss of data, denial of service attacks, phishing, skimming, spyware or malware attacks, key logging, and other internet-based frauds. Hackers and organised criminal groups with potential government funding have been constantly developing and improving techniques to circumvent information security controls and safeguards, in order to commit fraud, financial theft and other cybercrimes with advanced capabilities to execute persistent and targeted attacks.
What is your estimate of the total number of cyber-crimes and amount of loss to the Indian BFSI sector in 2016-17?
India has witnessed a massive surge in cybercrime incidents in the last 10 years – from just 23 in 2004 to 72,000 in 2014-15. As per the government’s cyber security arm, Computer Emergency Response Team-India (CERT-In), 62,189 cyber security incidents were reported in just the first 5 months of 2015-16.
How vulnerable is the BFSI segment in India to different kinds of cyber crimes? Are PSUs more prone vulnerable?
With ever-increasing use of technology in the banking system, cyber frauds have proliferated and are becoming even more sophisticated in terms of use of novel methods. The data reveals that more than 95% of fraud cases and amount involved in fraud comes from commercial banks. Among the commercial banks, public sector banks account for just about 18% of total number of fraud cases, whereas in terms of the amount involved, the proportion goes as high as 83%.
This is in stark contrast with private sector banks, with around 55% of number of fraud cases, but just about 13% of the total amount involved in such cases. The PSUs are more vulnerable in case of big-ticket frauds (`1 crore or above) in terms of both number of fraud cases reported and total amount involved.
To what extent banks in India are exposed to various risks in the digital payment space, which is increasing of late post demonetization?
As more penetration happens, more frauds would come to limelight. In places like Noida, Jharkhand and Haryana, there are villages who are involved only in digital frauds. Banks should invest in digital literacy and invest in making police machinery cyber aware.
Please cite a few inspiring instances you have pursued.
Following are 3 landmark BFSI cases won by me:
Case No 1: Sanjay Dhande V/s ICICI BANK & Vodafone. Dhande was given compensation of `18 lakhs for online banking fraud and it was held that the data which telecom companies hold is ‘sensitive personal data’ under section 43a of the IT Act, 2000.
Case No 2: Chander Kalani Vs SBI. Money was transferred to bank accounts in London on the basis of just the email by breaking the fixed deposits of an NRI when he was abroad. Fraud amount was `63 lakh, interim amount given was `17 lakh and compensation granted by the authority was `40 lakh. In his order to SBI, the presiding officer has observed that the Banking Codes and Standard Board of India (BCSBI) unit has issued a Code of Bank’s Commitment wherein customers of such fraud will be liable to the extent of `10,000 only and the bank has to make good the rest of the amount. But acceptance of this code by banks is not visible.
Case No 3: Raatronics Vs Central Bank & Others. Mobile number in the KYC form was changed online from Central Bank’s database and fraud was committed. Raatronics, was defrauded of its account in the bank by changing the mobile number in the bank’s online database. Central Bank and Royal Bank of Scotland were asked to pay `8 lakh each for lack of due diligence. The adjudicating officer also ordered compensation of `1.3 lakh and `1.4 lakh for frauds committed upon users of SBI credit card and SBI int’l debit card.
