MECHANISM OF ELECTRONIC FUND TRANSFERS

– AN ANALYSIS OF LEGAL FRAMEWORK AND

Ms. Navita Aragarwal

Submitted by:

Jahnnavi Sarkhel

Section B, Roll 69

Semester VII

HIDAYATULLAH NATIONAL LAW UNIVERSITY

With the growth of Information and Technology it has revolutionized the entire world and the
banking industry is no exception to that. Early days of banking had seen fund transfer system
like direct currency exchange and written cheques. However nowadays with the emergence of
the wide use of the internet and mobile phones there was the introduction of the concept of
electronic transfer of funds.

There has been advancements in the field of e-commerce, m-commerce and with the introduction
of Automated Teller Machines (ATMs), there has a lot of structural and functional changes.
These changes in the technology has helped scale borders and improve the efficiency of
transactions.

Electronic Transfer of Funds or ETF is only the transfer of funds which is by any means other than
by paper instruments. It is done by electric modes, by telephonic modes or by magnetic tapes.
Therefore a transfer which is by a computerized network is called ETF.

ETF uses computer and technology instead of paper modes to have transactions. EFTs are done by
cards and codes. This all is done without any physical interference and is also called virtual
banking.

EFT owes its origin to when the first automated teller machine was introduced in the mid-1960s.
This ATM handled the account transfers, accepted deposits and facilitated the withdrawal of
instant cash with the help of a standard magnetic stripe card and a personal identification number
or PIN.1 With this the banks and financial institutions in America had entered the phase of EFT
systems.

1
Sienkiewicz, S., 2002. The Evolution of EFT Networks from ATMs to New On-Line Debit Payment Products.
[online] p.2. Available at: <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=927473##> [Accessed 30 November
2020].
 HISTORY OF EFT

In India the main shift towards electronic banking started with the help of the Reserve Bank of
India along with the several recommendations which were made by the Committees constituted to
develop information technology infrastructure.

In 1984, banks started using advanced technology to improve communication and working
between the branches. 2 In 1988, there was a plan for computerization of the banking sector which
was introduced. Few of the important recommendations were introduction and making use of the
Magnetic Ink Character Recognition (MICR) technology in 4 metro cities and introduction of
ATMs and credit cards.3

In 1994 there were recommendations furnished by the Rangarajan Committee Reports on

The Reserve Bank of India, under the Reserve Bank of India Act, 1934 recommended a set of EFT
regulations. Thereafter EFT was introduced by the RBI in 1995 along with the modernization of
fund transfer to help in speeding up the transfer of funds between and among banks.

In 1998 the Narsimha Committee Report, reported on issues like the strengthening the banking
system, upgradation of technology and development of human resources. There was emphasis laid
on the need for clarification on a lot of issues regarding EFT. 4

In 1999 the Indian Financial Network (IFINET) was inaugurated and this is the communication
backbone on the Integrated Payment and Settlement System (IPSS). The RBI also set up a
“Working Group” on Internet Banking 5 to look into the issues of technology, law and regulatory
issues related to electronic banking.

2
Chawla, S. and Singhal, R., 2010. India and the World: The Changing Paradigms in the Banking Sector due to
Technological Advancements. Prajnan, 39, p.130.
3
Ibid.
4
Ibid.
5
Working Group on Internet Banking, 2001 under the Chairmanship of S.R. Mittal.
The enactment of the Information Technology Act, 2000 provided a legal recognition to the
electronic transactions. RBI was amended and it empowers RBI to regulate the electronic fund
transfer among banks.

E Payment systems in India:

E-Banking means the automated delivery of the new and older banking services to the customers
directly through an automated, electronic and interactive communication channel.

In India, this concept is still evolving but it is expected to bring a lot of gain and productivity. The
RBI has taken a lot of steps to consolidate the existing payment systems and helped in upgrading
technology to establish an efficient and secure system for the development of e-banking in India.
 TYPES OF EFT

Direct Deposit: this lets people pay their employees electronically. After running payroll, the user
can notify their direct deposit service provider with the amount to deposit in each of the employee’s
bank account. Then the direct deposit provide transfers this money to the account of the employees
on payday.

Wire Transfer: this is a quick way to send money. It is used for large and infrequent payments as
there’s a fee involved. This can be done by wire transfers to pay vendors or by making large down
payments on a building or equipment.

ATM: it lets the customer bank without actually going inside a bank and talking to a teller. The
customer can withdraw cash, make deposits or transfer funds.

Debit cards: it allows the customer to make EFT transactions. The debit card can be used to move
money from business bank account. It can be used to make purchases and pay bills whether online,
in person or over the phone.

Electronic cheques: these are similar to the paper cheques, but used electronically. One can enter
their bank account number and routing number to make payments.

Mobile wallets: it allows the customer to pay bills, transfer money to accounts or to receive
payments over the phone.

Personal computer banking: it lets the customer make banking transaction with their computers or
mobile devices. It is done to move money and to avail other banking services.
 LEGAL PROTECTION FRAMEWORK

Proper legislative protection is necessary to ensure that customers, banks and branches protected
when it comes to EFT schemes.

1. Information Technology Act, 2000 (IT Act, 2000)

Before the Amendment Act, 2008, it only had 2 provisions related to computer issues, i.e., Sections
43 & 66. After the amendment there is a stronger protection which is afforded to data.

a. Intermediary: this term was amended in 2008. It means:

Intermediary with respect to any particular message, means any person who on behalf of
another person receives, stores or transmits that message or provides any service with
respect to that message.

Banks are not referred directly but the term is wide to include banks who receive payments on
behalf of customers through electronic messages. The terms “includes telecom service providers,
network service providers, internet service providers, webhosting service providers, search
engines, online payment sites, online auction sites, online market places and cyber cafes” are also
included within its meaning. To make banks included in the meaning of intermediaries it would
result in unintended consequences and may expose them to the penalties under IT Act 2000.

b. Encryption: data which is transferred online can be intercepted and misused. Therefore
encrypting it is done to protect it. It is beneficial to give protection to data.

RBI has stipulated SSL/128 bit encryption to give minimum security. SEBI stipulates 64/128 bit
encryption. However both these do not meet the international standards.

c. Data protection: section 43A of the IT Act provides compensation for failure to protect data.

2. Judicial Pronouncements

In Umashankar Sivasubramaniam v. ICICI Bank 6 the complainant alleged that his account was
debited wrongfully because of negligence on part of the bank. The bank contended that there was

6
Umashankar Sivasubramanian v. ICICI Bank, Civil Jurisdiction Petition No. 2462 of 2018.
phishing involved and it was due to customer’s negligence. The Adjudicating Authority found the
bank guilty under Section 85 read with Section 43A of the IT Act.

In ICICI Bank v. Ashish Agarwal7, before the State Consumer Forum, Raipur, an appeal was filed
against the order of district forum, Raigarh directing the appellant bank to pay Rs. 49,912.36 which
was allegedly withdrawn from his account and also a payment of Rs. 5000 was to be made for
mental agony along with Rs. 3000 for litigation costs. According to the State Commission, the
respondent was at fault because he was negligent enough to give information regarding the
password to 3rd party and therefore the bank was not liable for deficiency of service.

3. Payment and Settlement Systems Act, 2007

The Payment and Settlement Systems Act was enacted in 2007 (PSS Act). It provides for
regulation of payment systems in India and designates the RBI as the authority. RBI can create a
Committee of its Central Board known as the Board for Regulation and Supervision of Payment
and Settlement Systems (BPSS).

This act is very wide in its coverage and is not restricted to transfer of funds through only electronic
means but also deals with transfer by other means which are settled electronically.

A person cannot commence or operate a payment system unless they are authorized by the RBI.
For that they need to apply as per Form A in the PSS Act with the required documents. Reserve
Bank will consider factors like the need for the proposed payment system, the technical standards
and design of proposed system, the security procedures and terms and conditions of operation of
the proposed system, the procedure for netting of payment instructions, risk management
processes, financial status of the applicant, experience of management and integrity of applicant,
consumer interests, monetary and credit policies and other relevant factors while deciding on an
application.

RBI can depute an officer under the PSS Act to see all payment systems are being operated under
the provisions of the act. The Act requires that all system provider should disclose the terms and

7
ICICI Bank v. Ashish Agarwal, Appeal No. 435/2009.
conditions including the charges, limits of liability, etc. They also are required to keep documents
and all their contents confidential and are prohibited from disclosing them all.

Payment system without authorization, failure to comply with the terms of authorization, failure
to produce statements, returns information or documents or providing false statement or
information, disclosing prohibited information, non-compliance of directions of Reserve Bank
violations and they are all punishable by fine.
 DRAWBACKS

EFT’s have a major drawback in that there’s a plethora of risks involved in such transactions.

Security:

Security means the protection of the integrity of the EFT system from the illegal use and access.
Bank’s critical information stores like the accounting systems, portfolio management systems, and
risk management are always at risk. Hackers can access these controversial information and can
also implant virus.

Because of how widespread the use of EFT system is, it is very difficult to detect crime as funds
can be manipulated easily. It is very important that these disruptions are handled well against funds
and data theft, and loss and misuse. These should be protected so that the public confidence in
banks is not undermined and thereby it might result in weakening of the economy and national
security.

The internet provides an ideal ground for credit card fraud and some operates at transnational
levels by faking sites and credit card generators. In February of 2007, 3 people were arrested in an
online credit card scam where they misused the credit card details to book air tickets. In Rourkela,
the police busted a racket where credit card fraud worth Rs. 12.5 lakh was involved.

ATMs are also often rigged to steal ATM card number and the PIN. Phishing is also done to
fraudulently acquire sensitive information like passwords, login IDs, ATM PINs and credit card
information by portraying as a trustworthy business or person. There have been several phishing
attempts over ICICI Bank, UTI Bank, HDFC Bank, SBI, etc.

Privacy:

Privacy is a concept which exists in every developed nations’ constitution. With the advent of
computerized systems which can store and give out a tonne of data, privacy has become a growing
concern. The Indian Constitution does not define privacy but a number of important Supreme
Court judgements have laid down that privacy falls under the ambit of Article 21.

Privacy means to keep certain data personal and to protect it from other people. However with the
growth of cyberspace it is not possible to keep all things confidential. Data like income, debts or
financial transactions can threaten one’s reputation or self-esteem or may make some other have
undue advantage over some.

Illegal access to EFT may intrude the privacy of the users. The banks and the financial institutions
who have access to the data of their users must protect such. Even if the website is outsourced the
banks should take responsibility.

Generally people know there’s some limitation to privacy as they give out some information to
derive benefits. Such data are useful for distribution of goods and services.

EFTs make it easy to collect and store data and it is machine-readable so it’s easier to manipulate
and aggregate. They also take less time to record and extract data by using ATMs because the
physical location of the user can be known. EFTs also use keys such as account numbers or social
security numbers which all can integrate other information about the users.

India does not have any specific data protection law. The Personal Data protection Bill of 2006
was introduced but not passed. Only related law in this field is the IT Act of 2000. Section 43A
deals with the compensation for data protection failure, Section 43(b) deals with safeguards against
breach of data protection but its scope is limited and it fails to meet the standard of the EU Directive
mandate. It only provides a paltry sum of $220,000 as compensation while the actual damage
suffered might be worth a lot more.

Indian system of data protection is like a spider’s web, while a lot of protection is offered, the gaps
and holes still remain. The Amendment Act of 2008 strengthened the act but it does not give
adequate protection.
 SUGGESTIONS AND CONCLUSION

A lot of recommendations can be adopted by the Indian government regarding the improvement
of the current EFT scenario.

1. The customers should be allowed to pick their own PIN number from the very beginning.
2. The computers in these financial institutions should be enclosed and well secured with
limited access given to the employees. All their sign-in procedures should be recorded and
monitored to guard the information from any kind of intrusion.
3. Sophisticated technology should be used to guard against unauthorized data or intrusions.
4. There should be encryption for transmission and storage of data and the data should be
encoded with the actual encryption keys used being under tight control. This should not be
easy for the common man to decode.
5. There should be expensive techniques used for backup of computer processing, data
storage, communication lines and power sources.
6. There is a dire need for a new body of legislation to govern EFT transactions and to prevent
EFT crimes. This will balance the customer-bank relations.

Technology is a two-way bridge, while it provides easier ways to develop the machinery, it is
almost certain that there will be loopholes and the protection can be breached.

Electronic banking should have strict legislations and managements with good technology,
physical protection and there should be a level of security at a cost effective manner. The current
legislations are not enough for a secure EFT regime and it encourages the offenders as these is no
strict punishment. And at the same time, it weakens the trust placed on financial institutions.

Therefore the need of the hour is to establish an independent body to protect and secure the data
and funds of the users.