Supreme Court ruling on e-records is a timely reminder for banks
Computer outputs (printed on paper, stored, recorded or copied in optical or magnetic media produced by a computer) are “secondary”, the court said. These are susceptible to tampering, alteration, transposition and excision and a whole trial based on them could lead to a travesty of justice, it observed in a concurrent order on Civil Case No 4226 of 2012. Failings in the banking sector on this count are best reflected in the CAG findings pertaining to the farm loan waiver scheme of 2008.
Of the 9,334 cases taken for scrutiny, 2,824 records were found to have been tampered with, overwritten or altered.
Audit trails
Responding to an RTI query, the RBI told S Dheenadhayalan, an activist, that it had advised banks to identify key risks that threaten computerised banking operations.
Banks must develop or design adequate internal control policies and procedures to mitigate risks, the RBI had said in a circular way back in February 1998. All transactions must be entered and accepted “once and only once, data accurately entered, standing data changes authorised and accurately entered.”
Sufficient audit trails, it said, must be maintained and placed with security procedures so that they cannot be altered.
But not many banks, including those in the public sector, seem to have gone the distance to ensure compliance. For instance, Indian Bank, according to Dheenadhayalan, admitted under the RTI that at least one of its branches was in possession of a standalone computer. In March 2010, the bank told Deepak Flexo Packs of Virudunagar, Tamil Nadu, that it had revised the waiver claim on its account from Rs 32.53 lakh to Rs 5.84 lakh.
Related data on how it arrived at the figure could not be retrieved since the system had crashed, he said. Pressed further, the bank merely said it was an isolated incident because it had occurred in a standalone computer.
As for a policy on providing standalone computers at branches, none existed. In some cases, standalones were provided for training staff. Some banks use them for routine administrative work which need not be connected to or fall under electronic data processing (EDP).
Standalone does not imply parallel tracking of factual reports. These computers could be used to generate convenient statements of claims, according to Dheenadhayalan.
In another case, Punjab National Bank made an inadvertent error in notifying claims while invoking the Sarfaesi Act on Raju Industries, Bangalore. A corrigendum issued by the bank in June 2010 said the figure of Rs 33.92 lakh quoted in the possession notice was a mistake, and it must be read as Rs 12.60 lakh.
Vigilance Commission alert
The Central Vigilance Commission (CVC) was forced to take note of frauds perpetrated on banks using passwords of other employees.
The CVC observed in a circular dated November 30, 2010, that bank employees in certain cases were not maintaining secrecy of their passwords.
“Instances are still coming to our notice where frauds of large amount have been committed by misusing the passwords of employees,” it noted. It should be ensured that all employees maintain secrecy of their passwords and keep changing them as frequently as possible, the circular said, adding that banks may evolve systems and procedures to ensure the same.
Instances of a casual approach by any password holder should be dealt with ruthlessly by the bank concerned as the same may put huge amounts of funds at risk, the CVC noted.
Chief Vigilance Officers, it said, may take suitable action and regularly monitor the secrecy of passwords and apprise the Commission of action taken. They should report compliance in the matter by including this aspect in monthly reports being submitted to the Commission.
R.B.KISHORE