Safeguarding the Interests of Banking and Credit Card Users

Rajesh Aggarwal
Secretary, Department of Information
Technology, Government of Maharashtra

The banks claim that they are providing their customers with hassle-free online security for banking and credit cards. But we continue to see a rise in the number of online frauds.

On February 25, 2013, a special court of the Information Technology (IT) Department of Maharashtra, presided by Rajesh Aggarwal, Secretary, Department of Information Technology, Government of Maharashtra, directed the Punjab National Bank (PNB), Pune, to pay Rs 45 lakh to Manmohan Singh Matharu, who has allegedly lost his money in a cyber crime called a phishing attack.

A Landmark Judgment
While passing the landmark order, Rajesh Aggarwal commented that Pune police are “not sensitised to cyber crime… the majority of credit card and net banking fraud cases in Maharashtra is from Pune city.” On August 23, 2011, ₹80,10,000 was allegedly transferred fraudulently from the account of Poona Auto Ancillaries Private Limited with PNB, Pune. Managing director of the company, Manmohan Singh Matharu found his account allegedly hacked. According to the case, around 40 transactions of ₹2 lakh each had been made, and another transaction of ₹10,000 had been made, leading to a total financial loss of ₹80,10,000. After a complaint was filed, money to the tune of ₹37.6 lakh, transferred to different accounts, was frozen by the bank. The cyber cell of Pune police initiated a probe. Following the interim order of the special court, the PNB reversed this money to the complainant. In his order, Rajesh Aggarwal, Secretary, Department of Information Technology, Government of Maharashtra, states, “Criminals used accounts of PNB opened on fake papers to defraud the complainant. This indicates the bank has been very lax with KYC norms.”

Taking a view on the quality of investigation carried out by Pune police, the order has this to say, “After a lot of prodding by me, the police teams went to Gujarat, Kathua, etc., and recorded statements… they had many leads (IP addresses, ATM and CCTV footage etc) which could have been further pursued, but this has not been done. The crime is a well-planned conspiracy by many persons… all of them are roaming free… such a big cyber crime was not even reviewed by the Pune Police Commissioner or even the DCP, which indicates that Pune police are still not sensitised to cyber crimes.” The order by Rajesh Aggarwal also takes note of the mistake that has been made by the complainant. The order states that the complainant has to share part of the blame as he responded to a phishing email, and did not subscribe to the extra secure corporate services being offered by the bank.

Banks are failing to protect information
In all, the special court of the Information Technology (IT) Department of Maharashtra, presided by Rajesh Aggarwal, Secretary, Department of Information Technology, Government of Maharashtra, took cognisance of 13 electronic frauds across the state. The special court came to the conclusion that various banks have failed to protect the personal information of the customers. In one case, the ATM was left unmanned and in another a duped customer was treated with contempt allegedly because he was speaking in his mother tongue. Pravin Bhatkar, who does not speak English, struggled to communicate with a bank representative who, the order notes, treated him with contempt. The order says, “I would request HDFC top management to sensitise its officials and staff that poor, lower middle-class, mother tongue-speaking customers should not be looked down upon.”

Rajesh Aggarwal
Secretary, Department of Information
Technology, Government of Maharashtra

“We must encourage the use of plastic money”

The judgements that you have passed in the cases of online banking frauds have struck a chord with many users of banking and credit card services. Tell us about the issues that led you to come up with this landmark judgement. 

Today the cases of net-banking fraud and credit card fraud are becoming quite common. You go to an ATM machine, and without your knowing, the vital details of your card get copied. After that the fraudster creates a cloned card based on your data and siphons off your funds. Someone gets hold of your username and password, and they can basically empty your entire banking account.
Such cases are on the rise in the country. People are approaching various forums, but they are failing to have speedy resolution to their cases. At times they approach consumer forums. Sometimes they approach the banking ombudsman and sometimes they approach the police station. There are various sections under which the victims of online fraud can approach the adjudicating officer. About 12 or 13 years have passed since the IT Act came into being, but we still don’t have much clarity about whom the people, the victims of online frauds, should approach in case they suffer a financial loss. When I was looking at all the cases before me, I learned that my predecessors have passed two-three orders, but these were based on some kind of compromise arrangement between the bank and the customer. So in the basic sense of the term, we don’t have a clear judgement. Only three years ago, the Tamil Nadu IT secretary had passed judgements in two cases as adjudicating officer, but these were stayed at that time by the cyber appellate tribunal. So effectively, these issues were not appealed in High Courts and Supreme Courts. Now this series of 13-14 judgements probably will lead to some sort of case law.

As you have stated in your judgement, in the USA there is a law that the maximum penalty to the consumer is limited to $50. Why don't we have that kind of law over here?

There are two-three issues in this. I have intentionally put on record what other countries like USA are doing. You see, global international banks, which are operating out of India, claim that they are following the best banking practices, but this is one international pro-consumer best practice that they are not yet following in India. Now under Section 46 and other associated sections, I cannot really direct the bank to go for insurance. Maybe, it is for RBI and others to really tell banks to have some pro-consumer measures in place. Insurance is one of the pro-consumer measures. Banks and other financial institutions have the wherewithal to follow these cases to the logical conclusion; common man lacks the time and the financial resources. The common man needs to be supported, especially in cases where the IP happens to be from outside the country.

Your judgement has been well received by a large cross section of the society. But what is its legal validity? Can it be challenged? Are the banks making any effort to challenge it? 

I don’t know! It is up to the banks. I have passed some orders against banks, telecom companies, etc. Now it is their right, their prerogative, to either accept the judgement or to challenge it in competent forums. As of now there is a vacancy in the cyber appellate tribunal, so in all probability they might go to the high court, if they want to appeal.

What is your vision for online security for banking and credit card users in the country? What kind of system should we have so that the banks are also not victimised by fraudsters and the interests of the common users are also safeguarded?

I would begin by saying that it is in the nation’s interest that the use of currency becomes less and less. We have to engineer a rise in the usage of plastic money, credit and debit cards, netbanking, etc. But while going electronic, you have to ensure that there is a well-designed security system in place. Again the security system has to be balanced against the cost-benefit ratio. Across the world, banks basically take into account the amount of money that they are losing due to credit card or online banking frauds, and to protect such losses from happening, they invest in security. RBI has issued guidelines regarding international use of credit cards; it has been advised that banks should use chips rather than magnetic strips. All these systems have to be in place. Security is like a cat and mouse game. The criminals keep mastering new ways of breaking or bypassing the security systems, so you have to constantly evolve and upgrade your systems.

Some banks have started offering high credit limit to their credit card users. The numbers of transactions happening in India are really small. So do people need such high credit card limits?

You cannot generalize the credit card limits. There are many credit card users who conduct very high value transactions. The generation of young executives are earning high salary, but they don’t even carry a Rs. 100 note in their wallet. They just have a bunch of credit cards. The younger generation is now shifting to plastic money. So you can’t generalise the issue of credit card limits; ultimately the limit has to be based on the needs of the user and the analysis of the card issuing bank.

In Maharashtra what kind of initiatives are you planning to deal with the menace of online frauds?

We are working with NASSCOM, Data Security Council of India and the police to strengthen our cyber police stations. We are trying to provide adequate training to the cops who are manning these police stations. The use of technology for investigation of cyber crimes has to be encouraged.


Pravin Bhatkar had complained of misuse of ₹1.94 lakh on his credit card. His account showed a debit towards the recharge of mobile accounts he didn’t hold. He got his credit card deactivated as the bank started to send him non-payment notices. In another case, the mobile had stopped working because telecom companies had issued duplicate SIM cards that the consumers hadn’t asked for. In one case the complainant managed to uncover more details than the police did. The orders passed by Rajesh Aggarwal take note of banking practices abroad, particularly Section 909 of the Electronic Fund Transfer Act of the US, under which customers are insured against e-frauds beyond $50. In his order, Rajesh Aggarwal says, “It is quite sad to see global banks operating in India proclaiming very loudly that they are following best practices, but not giving Indian customers the same level of protection that they offer abroad.”