The Adjudicator of Tamil Nadu jolted Indian Bankers out of their cozy slumber by his decision on April 12, 2010 in the case of Umashankar Sivasubramaniam Vs ICICI Bank. In this case, the adjudicator PWC Davidar held ICICI Bank liable to pay damages to the extent of Rs 12.85 lakh on an alleged "phishing" fraud
In my opinion, ICICI Bank should be glad that it escaped with only a financial liability instead of also being held criminally liable under several sections of the Information Technology Act 2000 (ITA 2000) and the Indian Penal Code (IPC). There was (and still is) a possibility that criminal liability would attach to several officials of the bank for this phishing fraud incident, including the managers of two of its branches, the CISO, the Directors and the Chairman of the Bank, and that it would result in jail sentences for those officials.
The judgment in the ICICI Bank phishing fraud case is a landmark judgment in India for several reasons, some of which can be highlighted here.
1. It is a revelation for many in India that there is a judicial office called the "Adjudicator" which can deliver such decisions. Though Adjudicators have been in place for every State and Union Territory in India since March 25, 2003, few have recognized their presence and role. There have been hundreds of phishing fraud cases involving banks over the past few years in India, and a few customers have tried to take legal action to recover their losses. However, most phishing fraud victims have approached the Banking Ombudsman or the consumer courts. The ICICI Bank phishing fraud case was the first instance in which a victim recognized the correct jurisdiction for such disputes and approached the Adjudicator.
2. Most professionals in the banking industry had so far failed to recognize that "phishing" is an offence falling within ITA 2000, and that Section 66 (as well as Section 43) can be invoked in such cases. This finding of the Adjudicator has opened the eyes of the ignorant and recognized the latent potential of the ITA 2000. This is the second beneficial aspect of the decision in the ICICI Bank phishing fraud case.
3. The decision in the ICICI Bank phishing fraud case traces the cause of the phishing loss to inadequate implementation of security in general, and the non-use of digital signatures in particular. This phishing fraud is therefore likely to open up a spate of new security initiatives in the banking sector. Hopefully the decision will convince the Boards of most banks to include a discussion on "How to introduce digital signatures in the bank" on the agenda of their next meeting.
Banking law and practice has been clear from time immemorial that if money is withdrawn from a customer's account through forgery, the Bank has no mandate from the customer to make that payment, and the loss has to be borne by the Bank. The same principle applies to withdrawals made through electronic instructions, so a loss due to phishing fraud has to be borne by the Bank. Unless the customer is part of a conspiracy to defraud the Bank using phishing, he cannot be held liable in such circumstances. In phishing fraud cases, mere negligence in failing to differentiate an impersonated e-mail from a genuine e-mail from the Bank cannot make the customer liable for the passing of a forged payment instruction.
In cases such as phishing fraud, banks are trying to change these established principles by adding fine-print clauses to their application forms, which the Reserve Bank of India has failed to observe and correct. Consumers consider these "unfair banking practices". The judiciary, however, has the last say on whether "fine print clauses which are unconscionable and affecting the basic tenets of Banking law and practice and forced on the unsuspecting customers at the time of opening of accounts" are valid or not.
Additionally, ICICI Bank was at fault in this instance for having been grossly negligent in meeting "know your customer" (KYC) norms, thereby facilitating the fraudster's commission of this phishing fraud. The bank was also inexplicably naïve in deleting electronic evidence that should have been preserved, and deplorably complicit with the fraudster in not lodging even a Police complaint at its end as soon as the phishing fraud came to light.
What many do not know is that this phishing fraud incident could be a case of possible diversion of funds for terrorist activities. In addition, ICICI Bank tried to place itself in the position of a "Co-Beneficiary" of the phishing fraud while trying to wriggle out of its liability. This self-defeating approach of the bank (which has been documented during the trial) may come back to haunt it later as a criminal liability if this phishing fraud case lands up in a Court, either on appeal or when the Police pursue investigations into the criminal aspects of the case to their logical end.
This phishing fraud case will remain for a long time the "Game Changer" for the Banking community in India.
As a remedial measure, it is essential for ICICI Bank and other bankers to immediately undertake an ITA 2008 compliance audit (that is, an audit of compliance with ITA 2000 as amended by the Information Technology (Amendment) Act 2008) of their activities, and to take up appropriate compliance measures. This is essential so that when "phishers" attack them next time, banks are in a better position to fight the attacker, not the hapless customer.
Na.Vijayashankar (Naavi) is a former banker. He is the founder of www.naavi.org and a techno-legal information security consultant.
