The month of May is very hot in most parts of India. This year, it has been unusually hot for the Indian banking and the IT services industry too. Leading Indian banks (ICICI Bank, HDFC Bank, AXIS Bank etc) exposed by Cobrapost have been accused of serious violations of norms. IT companies involved in card payment processing services (ElectraCard Services, Enstage Inc) have been in news for compromise of their systems leading to a $45 million theft from ATMs across 27 countries. This has raised alarm bells regarding adequacy of systemic controls in these industries. Their capability to prevent and respond to such incidents is under global scrutiny.
Preventing frauds and ensuring consumer protection has been the cornerstone of various policies mandated by RBI for the banks. They attempt to ensure that customers are correctly identified through ‘know your customer’ (KYC), the permanent account number (PAN) quoted is not fictitious and customer accounts are genuine. Compliance audits are conducted at regular intervals to make sure that these guidelines are followed.
Similarly, the IT industry, though it lacks any regulatory control, has been observing client-mandated policies. Certifications like ISO 27001 and PCI DSS are now quite normal for Indian IT companies, which provide IT services to clients.
In spite of these precautionary measures, violations are rampant. The problem lies in implementation and enforcement of established policies.
Implementation, more often than not, is mainly done for compliance purposes. Once the audits are over, normal ways of doing business returns.
Enforcements are weak. Punishments for violations, if any, in banking are mostly pecuniary in nature. The IT industry, shockingly, doesn’t even face this minimal pecuniary threat as it is under no regulatory control.
No wonder then that the banks named in the Cobrapost expose allegedly indulged in serious malpractices without any apparent fear. They violated KYC norms, used fictitious PAN cards and helped customers open fictitious NRO accounts. The IT services companies mentioned above, on the other hand, had their systems compromised by criminals for reported intercontinental theft using cloned debit cards of RAK Bank of Dubai and National Bank of Muscat.
If this kind of scenario has to stop, our response to these incidents needs to be much stronger. It is common knowledge that if a person forges a signature or presents a false document for an anticipated gain, he is charged with forgery under the Indian penal code (IPC). In the present case, banks which have been found allegedly helping customers open fictitious accounts based on forged or false documents are yet to be similarly charged.
Similarly, the Indian IT companies whose systems were compromised and led to hackers changing withdrawal limits on debit cards of banks, cannot be considered as unfortunate victims. They were entrusted the work of processing payments by these banks. It was for them to ensure safety and security of transactions. This trust reposed on these companies has been violated due to the alleged hacking of their systems. While the banks have gone on record stating that they will try every measure to recover the money, there is nothing which is being considered to fix the criminal responsibility of the companies involved in such a major cross-border crime.
Fortunately, in order to strengthen the response we don’t need to look far. Provisions of the IPC are sufficient to deal with forgery, cheating and criminal conspiracy. In case of any future event of a similar nature, penal sections of IPC can be applied. Along with this, shifting the burden of proof of innocence on the accused institutions or companies will make the response even more effective.
Hence, slight changes in the system along with effective enforcement will ensure that the Indian banking systems are not exposed and the IT services sector doesn’t face such credibility issues. Response to incidents which eventually lead to wrongful loss to somebody and wrongful gain to somebody else is a criminal offence and has to be dealt with as per the provisions of criminal law. Effective steps to establish criminal liability in these recent cases will make sure these industries don’t face such rough weather in future.
