Cybersecurity in Banking: The Legal Void in Protecting Digital Transactions from Fraud

By – Advocate Nitin Parihar, Co-Founder of Meridian Law Chambers

Smartphones and the internet have quite literally brought our banks into our hands, changing how we initiate or complete financial transactions. Initially, this was expected to increase convenience, where we can transact freely and go cashless, but this convenience brought some negative aspects. As a criminal lawyer, I have witnessed countless instances of cyber fraud. While technology is evolving fast, cyber frauds are evolving, might I say, at a much faster pace. We are seeing cases where funds are getting diverted, and people are being duped out of their lifetime earnings almost daily. So, when we talk of the legal void in protecting digital transactions, I must remind you that the legal void exists not because of the absence of laws but due to their implementation.

The Illusion of a Legal Void in the Banking System

There’s a widespread misconception that our nation does not have adequate laws to protect its citizens against digital fraud in the banking system. In reality, a legal framework is very much in place, including specific provisions under the Information Technology Act, 2000, the Indian Penal Code, and several Reserve Bank of India (RBI) guidelines. As counsel to the RBI, I have seen how proactive the institution has been in advising banks to adhere to Know Your Customer (KYC) norms and strengthen internal monitoring systems. However, gaps remain due to collusion between bank employees and cybercriminals. The RBI’s Annual Report (2023) showed that financial sectors faced over 13 lakh cyber-attacks between January and October 2023. That’s an average of 4,400 attacks daily.

The Curious Case of Fake Bank Accounts

Today, if you see any fraud, money stuck somewhere, spamming, or spoofing, a little digging will tell you they all involve a common link—fake accounts. At first, money gets transferred into these fake accounts and then diverted to somewhere else. Now, the real question is, how do these fake accounts come into existence?

When we open a bank account, there’s a mandatory requirement for customer verification through Aadhaar and KYC. Despite these verification protocols, criminals bypass the safeguards. This happens because, most of the time, some individuals in the bank are in cahoots with the criminals, acting as enablers and operating as part of the bigger nexus. In other words, we can call them overground workers, just like the OGWs we have in terrorism.

In our profession, we see that sometimes the funds of a fraud case in Kashmir get traced somewhere else, say, in Kolkata, some remote district of Maharashtra, or in Karnataka. This happens because the fraudsters want to create a complex system. Suppose you have been duped of, say, INR 10,000. For INR 10,000, you are not likely to go all the way from Kashmir to Kanyakumari to contest a case. These criminals take advantage of these gaps and continue exploiting the unsuspecting public. However, this systemic issue calls for stricter implementation of existing laws, like the RBI’s circular on KYC compliance, rather than the creation of new provisions. Our focus should be on implementing the laws in both letter and spirit and making India’s banking system accountable.

Insurance for Digital Transactions

There’s also a requirement for digital insurance. Just like we purchase insurance for our valuables like homes or cars, banks should offer indemnity against cyber fraud. Mandating banks to contribute a portion of their net profits toward such a fund could help lower the impact on customers while promoting the need for stronger security measures. I am sure that the moment these stringent policies come into force, the rate of cybercrimes will reduce.

Securing Card Transactions

Due to our online banking habits, our card details get saved on many websites, most of which are likely to sell this data to third parties. This is how our credentials go into the public domain. I think now is the correct time for banks to come up with something like dynamic CVVs. Dynamic CVV could offer better protection. Dynamic CVV can help achieve two-factor security for our credit cards, debit cards, and other digital transactions. Nowadays, we are heavily dependent on payment gateways like Google Pay or CRED for our day-to-day transactions, which are often supported by two-factor authentication.

Banks have their apps, but most of them are not user-friendly. In addition, most of the time, customers receive an automated call in English or Hindi. Many victims are senior citizens or unfamiliar with English, which makes it difficult for them to understand the process or transaction. This is why banking systems must become more local to prevent fraud. To protect customers from different educational backgrounds and regions, banks need to get local in their approach. For instance, there can be a proper mechanism for making any transaction over INR 5,000. Something like a pop-up in vernacular language can help the sender understand how much they are transferring and to whom.

Mandatory Reporting of Cyber Frauds

CERT-In recorded over 23,158 cybersecurity incidents involving banks in 2023. However, there is a high chance that most cases go unreported due to a lack of awareness or fear among victims. In these circumstances, mandatory reporting of cyber fraud by fintechs and banks can ensure transparency and a faster response mechanism.

Our country’s current liability framework tends to place the burden on customers unless they are able to prove “gross negligence.” However, fresh mandates that direct banks to fund unauthorized transactions, unless they prove the neglect was on the customers’ part, can make banks accountable. I believe such measures can also encourage banks to invest more in cybersecurity.

Data Protection Standards

Following the Digital Personal Data Protection Act (2023), banks are classified as data fiduciaries that are responsible for safeguarding customer information. I believe that aligning existing data protection standards with global norms can strengthen India’s cybersecurity framework. Notably, cybercrime often does not follow borders. This is why we need cross-border cooperation mechanisms to eliminate transnational threats.

Besides these, our nation must focus on expediting the consumer grievance redressal mechanism to reduce legal challenges. I think introducing specialized banking ombudsman forums with cyber expertise can further benefit Indian banks and address customers’ cybersecurity concerns. However, mandating strict liability regimes and eliminating loopholes from existing law implementation can prove more useful against evolving cyber threats.
