Stories of bank accounts being hacked and money being stolen are common. But bank customers duped in such online frauds often find there is no easy remedy available to them. Banks usually blame it on the customers themselves. According to official data, over 9,300 cases involving credit cards, ATM cards and Internet banking fraud were reported between April and December 2014, resulting in losses of Rs 60 crore. That figure is a gross understatement, according to cyber fraud experts.
The reason is simple: the Reserve Bank of India (RBI), has not told banks how they should classify online fraud. Indeed, according to my sources, ICICI Bank used to report such cases based on actual complaints of fraud. However, HDFC Bank would report only proven cases of fraud, not just complaints. So, with an almost equal number of ATMs and cards in use, HDFC Bank regularly reported a tiny fraction of ICICI Bank's number for cases of online fraud. My sources add that ICICI Bank then requested the RBI to define online fraud so that all banks reported fraud as per a common definition. But a hands-off RBI refused to do anything. Left to them, banks naturally chose to underplay the cases of online fraud. Result: we don't even have actual data for online fraud, say credible sources.
Admittedly, the number of customers affected would be a small part of all bank customers who use online banking, ATMs, credit cards etc. But it is disturbing that, between the RBI, internal policies of banks, the Information Technology (IT) Act and sundry codes of conduct and the criminal justice system, there is no well-defined policy on how to provide quick redress to victims of online bank fraud. Prime Minister Narendra Modi's "Digital India" mission envisages that we live a lot more of our lives in cyberspace. But the lack of clear thinking about security, safety and redress is in sharp contrast to the PM's ebullience about Digital India .
Left to them, banks would play down every case of online fraud. The first instinct is to blame the customer for not keeping their ATM/credit cards safely. This has gone on for years. Then, in June 2014, a business paper ran an article saying "Reserve Bank of India moves to protect victims of online fraud" with a comforting opening: "All those who've fought long, painful battles with their banks over online fraud through access to passwords can take some comfort. Victims should henceforth be much better protected from financial disaster thanks to a new directive... While the banks aren't too keen on the change and most are yet to formally accept it, they don't seem to have a choice. The Reserve Bank of India has the last word on banking rules and the directive is part of the code prepared by its Banking Codes and Standard Board of India (BCSBI) unit, which seeks to ensure that customers do not get a raw deal."
Really? The BCSBI, a white elephant set up by the RBI, sets voluntary codes of conduct. Banks have no obligation to follow them. All the BCSBI code says is that if you act fraudulently or without reasonable care, you will be responsible for all losses on your account. What's new about this? And who will decide whether the customer has acted with care? The onus can easily be shifted to the customers just as before. "Also, your liability for the misuse of your card will be limited to the amount stipulated in the terms and conditions governing the issue of the card," says the code. The fact is T&C are always in unreadable legalese, printed in a small font, and in grey colour. Does this kind of code change the customers' situation even one bit?
The irony is, today multiple agencies are involved in handling online fraud but there is no coordination or the principle binding their actions. You can complain to the bank, the Ombudsman, to the police - and, in Maharashtra, to what is called a Cyber Crime Court. The police have little time or resources for this kind of crime because it involves expensive physical investigation at multiple locations, for which there are no budgets. The RBI is trying to make the transaction process safer but will not put the onus of preventing fraud on banks. Strangely, it is the Cyber Crime Court that has provided speedy justice in Mumbai under the 2000 IT Act.
What can be done? Unlike BCSBI, in the UK, the Financial Redress Agency has framed rules that force banks to refund the wrong payment/withdrawal immediately unless it has evidence that there is a reason to refuse a refund. "Your bank may ask you to answer some questions and fill out a form confirming what has happened, but it cannot delay your refund while it waits for you to return the form... Your bank can only refuse a refund for an unauthorised payment if it can prove you authorised the transaction". FCA explicitly states that "your bank cannot simply say that use of your password, card and PIN conclusively proves you authorised a payment." The bank has to prove that the customer acted fraudulently or with gross negligence. FCA also gives customers as many as 13 months to report an unauthorised transaction.
These rules are based on a simple principle: The party that is in the best position to solve the problem long-term should be responsible for cyber fraud. Banks happen to be that party. How hard is it for RBI to wake up to this? Let's hope something so simple and sensible gets highlighted in the drumbeat of Mr Modi's "Digital India".
The writer is the editor of www.moneylife.in
Twitter: @Moneylifers
Disclaimer: These are personal views of the writer. They do not necessarily reflect the opinion of www.business-standard.com or the Business Standard newspaper
