Cyber crime and bankers liability
Introduction: Bank’s prime duty is to keep the customer information confidential and safe. Use of internet, digitization and virtualization has increased the cyber risk.Reserve bank of India has come out with circular on customer protection, limiting Liability of customers in Unauthorized Electronic Banking Transactions.
Cyber crime can be monetary or non-monetary. Cyber crime is an offence committed to harm the reputation, financials or bother mentally against individuals or groups or nations using networks. Cyber crime is a criminal activity using computer and network.
Cyber risks represent the possibility that technologies, processes and practices at the bank can be circumvented, allowing unauthorized users to modify and/or delete key applications and information, which will affect the accuracy or integrity of processing. Access or extract protected or sensitive information (e.g., Intellectual property- IP, Proprietary Information, Credit Card Information, Personal identifiable information), Disrupt computer-controlled operations or access to online systems in prospect of cyber crime means theft of identity, data.Cyber threats are exploited by Unsophisticated attackers, Sophisticated attackers, Organized crime, State sponsored attacks, Organized crime, etc.
Emerging Trends of Cyber crime and its impact: Cyber security requires more attention in financial sector. Now the technology support is omnipresent, so the Infrastructure that support must be sophisticated. Technology is adopted by banks for end to end financial transactions. Now financial transactions are processed on real time basis without human intervention. Users demanding faster, efficient, easier and safe /secure way of transactions. Financial sectors are providing services anywhere, any time. World is interconnected and all organizations are targets for cyber attacks. Financial sectors are more vulnerable than other organizations due to their nature of business and dealing with money. Banks have kept their system to open for their customers and they become easier targets .Customers want rich experience, easy and fraud free transactions. System connected to a network can be compromised. Vulnerability in software and network are the easy target of cyber attackers and protecting these resources are the main focus of the organization. Now a day’s data breach from phishing attacks and social engineering shows increasing trend. From social media cyber attackers get information because social media is easily accessible and peoples’ tendency is to share personal information. Now a day’s mobile phones, tablets, laptops or other wireless devices are showing increasing trends and initially they are not designed with the security aspects kept in mind. Now world is interconnected, security is weak. So cyber criminals attempt to attack on important resources. Retail stores, restaurants are easy target of cyber criminals. In 2014, Cyber attackers have stolen 76 million customerscontact information like name, emailaddress, phone number of JPMorgan Chase & Co. Cyber attack can be done in many ways through ransom ware, crypto ware, destructive malware, business email frauds, spam, email, phishing, vishing, drive by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, password related frauds etc.
Phishing: Cyber criminals create fake emails that look like ‘real’ emails from your bank or financial institution asking you to reply with personal information. Be extra cautious if you’re ever asked to provide sensitive information (your name, password, account number, PIN) – Bank would never ask for this by email. Also avoid links in emails that take you to websites other than your online banking site.
Malware: This is malicious software that cyber criminals spread online and can get onto your computer in a number of ways. While you believe you’re banking safely, it can Steal account information by capturing your keystrokes, such as the credit card or bank card number you entered or images you’ve chosen to authenticate your identity.Hijack your account and transfer funds without your knowledge. This is done with software that launches a hidden browser window on your computer that logs in and accesses your account.
Pharming:Cyber criminals involve redirecting your access to a legitimate website to a fake website (also known as “spoofing”) that looks like the genuine one, but isn’t. It may look very similar to your online banking site and include extra fields on forms that you enter (PIN, date of birth, mother’s maiden name) and, without realizing it, you submit this information directly to your bank and to the attacker.
Recently Wanna Cry and Petya hited the world. At present there are two types of companies in the world, one is those who have been hacked and others are those who don’t have been hacked. Cyber criminals now a day’s not prefer in mass malicious attacks they prefer targeted attacks. Cyber criminals now started to pursue organizations that work with financial information and payment tools instead of attacking end-users. Recently a gang dubbed as Carbanak used computer viruses to infect company networks with malware including video surveillance enabling it to see and record everything that happened on staff’s screen. This virus able to instruct the computer or system to transfer money from the banks accounts to their own or even able to instruct cash machines to dispense cash at specific time of the day.
Another concern is from insiders, it is easier for an insider to carry out cyber attack because they are aware about their system and procedure. Companies have no option to trust their employees and provide them access to systems. Now a day’s cyber war among states, nations also increases day to day.
Cyber attacks destroy the system and procedure of the organizations. It also blackmails the organization. The numbers of cyber incidents, frequency and impact have increased more in the case of financial sectors including banks. So there is a need to prepare a robust cyber security/resilience framework at banks to ensure adequate cyber security.
Guidelines for banks: cyber security concern is increasing so RBI has come with guidelines that Banks have to make cyber-security policy as per complexity of business and acceptable level of risk approved by the board to combat cyber threats.
Cyber risk vary from bank to bank depends upon the size, complexity of technology, digital products so banks identify the inherent risks and prepare the cyber security framework.
Bank has to test the vulnerabilities at regular interval of time and set up security operations centre for continuous surveillance.
Bank should design the IT architecture to take care of the security measure. Bank should record in writing the risk cost or potential cost to enable appropriate supervisory assessment. Bank should implement minimum cyber security baseline and resilience.
Many times banks allow access of networks/database for business and operational requirement and not closed due to oversight make the network/database vulnerable. Hence Banks need to review network security.Unauthorized access is not allowed, process and responsibility is well defined.
As a custodian, bank should not compromise customer information at any cost. They have to prepare well defined Cyber Crisis Management plan.
Bank should comprehensively check risk/preparedness through qualified or competent professionals. There is awareness among stakeholders and employees.
Reserve bank of India has decided to collect cyber incident report both summary level information as well as details on information security incidents. Any assessment gaps in preparedness to be reported to RBI immediately.
Banks are dealing with data of customers, banks have to maintain the customers information confidentiality at all level.
Guidelines on customer protection in Unauthorized Electronic Banking Transactions: Customer grievances related to unauthorized transactions now a days, increased in electronic banking transactions. Electronic banking transactions can be divided in to two categories:
- Remote/Online payment transactions like internet banking, mobile banking, pre-paid payment instruments and
- Face-to Face payment transactions such as payment through Card or mobile phone, ATM, POS etc.
Banks system and procedure designed in such a way that customers feel safe in carrying out electronic banking transactions. For this banks must have
- Systems and procedures to ensure safety and security of electronic banking transactions of customers
- Robust and dynamic fraud detection and prevention mechanism
- Mechanism to assess the risks from unauthorized transactions and the liabilities arising from it
- Appropriate measure to mitigate the risks and protect themselves from the liabilities arising due to such frauds
- System of continually and repeatedly advising customers how to protect themselves from electronic banking frauds
Banks advice their customers to mandatorily register for SMS alerts and e-mail alerts for electronic banking transactions.
Customers must be advised to notify their bank about unauthorized electronic banking transactions at the earliest after the occurrence of such transactions and informed that the longer the time taken to notify the bank higher will be the risk of loss to the bank/customer.
Bank must provide customers 24*7 accesses through multiple channels like website, phone banking, SMS, e-mail, IVR, toll free helpline for reporting unauthorized transactions. The loss/fraud reporting system of the bank should also ensure immediate response is sent to the customer acknowledging the complaint along with the registered complaint number with time and date. This is important in determining the extent of a customer’s liability.
The Banks may not offer facility of electronic transactions, other than cash withdrawals to customers who donot provide mobile numbers to the bank. On receipt of report of unauthorized transactions from the customer, banks must take immediate steps to prevent unauthorized transactions in the account.
Guidelines about limited liability of a customer:A customer has entitlement to zero liability for the unauthorized transaction in following circumstances
- Contributory fraud negligence/ deficiency on the part of the bank
- Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorized transaction.
Limited liability of a customer: A customer is liable for the loss occurring due to unauthorized transactions in the following cases:
- When the loss is due to negligence by a customer, such as sharing of credentials, the customer will bear the entire loss until he reports the unauthorized transaction to the bank. Any loss occurring after the reporting of unauthorized transaction shall be borne by the bank.
- If unauthorized transactions lies neither with the bank now with the customer, but lies elsewhere in the system and there is a delay(of four to seven working days after receiving the communication from the bank on the part of the customer in notifying the bank of such a transaction value or the amount mentioned as below ,whichever is lower.
Maximum liability of a customer
|Type of Account||Maximum liability in RS.|
|All other SB accounts||10000|
|Pre paid payment Instruments and Gift Cards||10000|
|Current /cash Credit/Overdraft accounts of MSMEs||10000|
|Current accounts/Cash Credit/Overdraft Accounts of individuals with annual average balance limit up to Rs.25lakh||10000|
|Credit card with limit up to Rs.5lakh||10000|
|All other current /Cash Credit /Overdraft Accounts||25000|
|Credit cards with limit above Rs.5lakh||25000|
If delay in reporting is beyond seven working days, the customer liability shall be determined as per the bank’s Board approved policy. Bank shall provide details of policy in regard to customer’s liability at the time of opening of the account. Overall liability of the customer in third party breaches,where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system is as follows
|Time taken to report the fraudulent transaction from the date of receiving the communication||Customer’s liability in Rs.|
|Within 3 working days||Zero liability|
|Within 4 to 7 working days||The transaction value or the amount mentioned in above table|
|Beyond 7 working days||As per bank’s Board approval policy|
The number of working days shall be counted as per the working schedule of the home branch of the customer excluding the date of receiving the communication.
Reversal timeline for Zero Liability/Limited liability of customer: The bank shall credit the amount involved in the unauthorized electronic transaction to the customer’s account within 10 working days from the date of such notification by the customer(without waiting for settlement of insurance claim, if any).Banks may at their discretion decide to waive off any customer liability in case of unauthorized electronic banking transactions even in cases of customer negligence. The credit shall be value dated to be as of the date of the unauthorized transaction.
Banks shall ensure that:
- Complaint is resolved and the liability of the customer, if any established within such time as specified in the bank’s Board approved policy, but not exceeding 90days from the date of receipt of the complaint and customer is compensated as per provisions.
- In case of debit card /bank account, the customer does not suffer loss of interest and in case of credit card; the customer does not bear any additional burden of interest.
Board Approved policy for customer protection:Unauthorized debits to customer account showing to customer negligence/bank negligence /banking system frauds/third party breaches, bank need to clearly define the rights and obligations of customers in case of unauthorized transactions. Banks formulate customer relations policy with approval of their Boards to cover aspects of customer protection, including the mechanism of creating customer awareness on the risks and responsibilities involved in electronic banking transactions. The policy must be transparent, non-discriminatory and mechanism of compensating the customers unauthorized electronic banking transactions. Banks shall put in place a suitable mechanism and structure for the reporting of the customer liability .The reporting include volume/number of cases and the aggregate value involved and distribution across various categories of cases viz. Card present transactions ,card not present transactions ,internet banking, mobilebanking, ATM transactions etc.
Conclusion:Cyber threat is universal and preventive measures are must to safe guard from the threat. Hence Bank has to prepare IT Governance policy as a subset of cyber security policy that covers the usage of all of the Bank’s Information Technology and communication resources, including all computer-related equipment, including portable PCs, terminals, workstations, telecomm equipment, networks, databases, printers, servers and shared computers, and all networks and hardware to which this equipment is connected. All software including purchased or equipment taken on rent or on outsourced model or licensed business software applications, Bank written applications, employee or vendor/supplier-written applications, computer operating systems, firmware, and any other software residing on Bank-owned equipment.
Policy to clearly define that technologies, processes and practices at the bank cannot be circumvented; allow only authorized users to modify and/or delete key applications and information, which will affect the accuracy or integrity of processing.
Banks have to prepare cyber crisis management team headed by Chairman Key functional.
Bank has to prepare Cyber Crisis Management Plan with concept to Identify, Protect, Detect, Respond, Recover and Learn basis.
Ongoing crisis: Detect control Recover Remediate
Post crisis: Post Incident Analysis Reporting Crisis Prevention Plan
So we can say that eternal vigilance is useful for safe and secure financial system.
References: RBI circular’s/RBI speeches
Prabhat Singh Suman
Union bank of India
Chief manager (Faculty)