Register now or log in to join your professional community.
A casual mention of a customer's debit balance at the counter may reveal the customer's indebtedness to the Bank to another customer.
Privacy and Banking: Do Indian Banking Standards Provide Enough Privacy Protection?
Posted by Elonnai Hickok at Nov22,201001:40 PM | Permalink
Banking is one of the most risky sectors as far as privacy is concerned due to the highly sensitive and personal nature of information which is often exchanged, recorded and retained. Although India has RBI guidelines and legislations to protect data, this blog post looks at the extent of those protections, and what are the areas that still need to be addressed.
1. Introduction
Banking is one of the most at risk sectors for privacy violations due to the sensitive and highly personal nature of information that is exchanged, recorded, and retained. Individuals must trust banks with personal identifying information, their financial records, the access information to their accounts, and their credit history. Thus, privacy violations are not taken lightly and heavily impact the individual whose privacy was violated. Ways in which a violation of privacy can take place in the banking sector include: sharing personal information with third parties without consent for marketing purposes, stolen or lost banking number or card, sharing personal information or allowing access to third parties without informed consent, inadequate notification to an individual concerning what will be done with their data, collecting more personal data than is necessary, refusal to provide financial records upon request by client, incorrectly recording personal information, and loss of a clients personal data due to improper security measures.
2. Examples of privacy violations in the banking sector:
There have been many instances in which one of the above violations has occurred. The examples below demonstrate that a privacy violation of any nature is never as simple as “the disclosure of personal data” or “unauthorized access”. Each violation has a unique context that raises important questions that must be answered when forming privacy legislation, while at the same time demonstrating the need for a certain level of privacy protection to be applied across the board in the financial sector.
2.1 Bank of America:
An example of very common privacy violation by Bank of America was reported by the Utility Consumers' Action Network. In the case Bank of America was charged for selling the personal information (social security numbers, bank account numbers etc) of35 million customers to marketers and third parties without informing individuals. Bank of America is now settling for $14 million, and agreeing to change its privacy policies, its Web site, and its privacy procedures. Perhaps the most alarming element to this story is that Bank of America violated its own privacy policy [1].
§ This example raises the question of who should be regulating the banking sector. If the banking sector should be subject to audits more frequently or more stringently? Under what circumstances should data transfer be permitted i.e. can financial institutions disclose encrypted account numbers to non-affiliated third parties as long as the access code is not provided? The need for a customer’s personal data to be distinguished between public and non-public information.
2.2 Punjab National Bank
In 2008 in the case of the Punjab National Bank vs. Rupa Mahajan Pahwa a bank was charged of issuing a duplicate passbook of a joint saving bank account of a husband and wife being maintained with “operational instructions” of either or survivor, to an unauthorized person. The bank was held accountable for the disclosed information, and was charged a fine with the instructions to look into the conduct of the officials who were supplying information to the unauthorized individual. The fact that a bank employee permitted an unauthorized person access to personal information raises the question of whether privacy legislation should require that employees in the financial sector go through training on privacy procedures [2].
This example further demonstrates the need for:
2.3 Canara Bank
In the case of Canara Bank vs. Dist Registrar and Collector the district Registrar, entered into Canara's banks premise and inspected its books and documents. After inspecting the documents they found an error, and seized the material. The bank argued that though the Registrar could inspect the documents, they did not have the authority to seize the documents without notice to the persons affected. The ruling of the case held that the exclusion of illegitimate intrusions into privacy depends on the nature of the right being asserted, and the way in which it is brought into play [3]. This case demonstrates that context is a crucial element of protecting privacy and defining the right to privacy, and raises the question of how privacy legislation should define context for the financial sector.
3. What are the current privacy standards for the banking sector in India?
Below are questions pertaining to privacy concerns and the corresponding regulations that exist in the banking sector?
3.1. Customary/Statutory Banking Law
Both in banking customs as well as statutes, there is a standardized, recognized obligation of secrecy. The wording in the following section is reproduced identically in many banking related acts including: SBI Act,1955 – Section44, SBI (Acquisition and Transfer of Undertakings)1980 – Section13, Credit Information Companies Act2005 -section29, and The Public Financial Institutions Act,1983 -section3. The section is applicable to the respective Bank as a whole and its directors, local boards, auditors, advisers, officers or other employees of the State Bank, and creditors are required in addition to affirm an oath of secrecy as provided [4].
Section44. Obligation as to fidelity and secrecy: Obligation as to fidelity and secrecy.(1) The State Bank shall observe, except as otherwise required by law, the practices and usages customary among bankers, and, in particular, it shall not divulge any information relating to or to the affairs of its constituents except in circumstances in which it is, in accordance with the law or practice and usage customary among bankers, necessary or appropriate for the State Bank to divulge such information. (2) Every director, member of a Local Board or of a Local Committee, auditor, adviser, officer or other employee of the State Bank shall, before entering upon his duties, make a declaration of fidelity and secrecy as in the form set out in the Second Schedule.
In Shankarlal Agarwalla v. State Bank of India, AIR1987 Cal29, a customer owned261 bank currency notes of Rs. l.000/-each. Following the demonitisation of high value currency notes in1978, he tendered these notes to the bank along with the requisite declaration and instructed the bank to credit his Current Account with the amount. The bank made declaration made by the customer available to the Income-tax Department who issued a notice under Sec.226(3) of the Income-tax Act, attaching the said sum. Later the sum was released. The Calcutta High Court observed that among the duties of the banker towards the customer was the duty of secrecy. Such duty is a legal one arising out of the contract and was not merely a moral one. Breach of it could, therefore, give a claim for nominal damages or for substantial damages if injury is resulted from the breach. It was, however, not an absolute duty. but was a qualified one subject to certain exceptions. The instances being (l)the duty to obey an order under the Bankers' Books Evidence Act. (2) cases where a higher duty than the private duty is involved, as where danger to the State or public duty may supersede the duty of the agent to his principal, (3) of a bank issuing a writ claiming payment of an overdraft, stating on the face the amount of overdraft, and (4) the familiar case where the customer authorises a reference to his banker. The learned Judge further observed that the State Bank of India was directed by the Reserve Bank of India and the Ministry of Finance to furnish all particulars regarding deposit of bank notes to the Income-tax Department as soon as such notices were received. This instance had, therefore, come within the exceptions. The recent Payment and Settlement Systems Act ,2007 imposes privacy obligations on those who manage online payment and settlement systems such as RTGS/NEFT etc. Section22 of the Act enjoins “system provider” not to disclose the existence or contents of any document or part of any information given to him by a system participant, except where disclosure is:
(a) Required under the provisions of this Act
(b) Made with the express or implied consent of the system participant concerned
(c) In obedience to the orders passed by a court of competent jurisdiction
(d) In obedience of a statutory authority in exercise of the powers conferred by a statute.
3.2 Reserve Bank of India regulations
The Reserve Bank of India has periodically issued guidelines, regulations and circulars which require banks to maintain the confidentiality and privacy of customers. Thus, the Master Circular on Credit Card Operations of banks issued by the RBI in July2010 contains an elaborate set of provisions on “Right to Privacy” and “Customer Confidentiality” under a section titled ‘Protection of Customer Rights’. The provisions inter alia, forbid the banks from making unsolicited calls, delivering unsolicited credit cards and from disclosing customer information to any third party without specific consent. Similarly, the Master Circular on Customer Service in banks issued in2009 contains a detailed clause on Customer Confidentiality Obligations. The clause reaffirms the customary banking obligation of secrecy and extends it by forbidding the usage of customer information for “cross-selling purposes”. It imposes a restriction on data collection by requiring Banks to “ensure that information sought from the customer is relevant to the perceived risk, is not intrusive, and is in conformity with the guidelines issued in this regard”.
In2006, the Reserve Bank of India along with several banks of the Indian Banks Association (IBA) established a body called the Banking Codes and Standards Board of India to evolve a set of voluntary norms which banks would enforce on their own. A number of guidelines and notices have been produced by the BCSBI including the “Code of Bank's Commitment to Customers” which most banks in India adhere to. Enforcement is through a seriece of internal Grievance redressal mechanisms within each bank including a designated “Code Compliance Officer” and an Ombudsman.
Though these guidelines do provide differing and useful degrees of security and privacy, the lack of legislative oversight and enforcement allows the standards to be applied per institution and per-contract and enforcement is not guaranteed through parliamentary sanctions.
3.3 What legislation applies to data protection in the banking sector?
Banks are governed by the Information Technology Act2000 as amended in2008. The latter amendments contain provisions that enjoin inter alia, banks to adopt reasonable security practices with respect to their databases. Customers of banks can, under the IT Act, obtain compensatory relief for losses arising out of data leakages as well as unauthorised disclosure of information by the banks for gain.
Do you need help in adding the right keywords to your CV? Let our CV writing experts help you.
