Tamil Nadu’s IT secretary has ruled that the financial institution failed to put in place a foolproof Internet banking system with adequate levels of authentication and validation.
In a verdict in the first case filed under the Information Technology (IT) Act in the country, Tamil Nadu IT secretary and adjudicator for the State, PWC Davidar, has directed ICICI Bank to pay Rs12.85 lakh as compensation to a non-resident Indian (NRI) customer who complained he lost money from his account due to phishing in 2007 in Chennai, reports PTI.
The order came on a petition filed by Umashankar Sivasubramaniam who claimed he received an email in September 2007 from ICICI Bank, asking him to reply with his Internet banking username and password, or else his account would become non-existent.
Though he replied, he found Rs6.46 lakh transferred from his account to that of a company, which withdrew Rs4.60 lakh from an ICICI Bank branch in Mumbai and retained the balance in its account.
In his application for adjudication filed under the IT Act to the State IT secretary on June 26, 2008, he held the bank responsible for the loss.
Mr Davidar, in his order, directed ICICI Bank to pay Rs12.85 lakh to Mr Sivasubramaniam, saying that the bank has been found guilty.
He said that there was no way by which customers could identify an email as being from the respondent bank (in this case, ICICI Bank). The Bank could have obtained a digital signature from the officer responsible for communicating with customers, thereby providing a layer of authentication for such emails.
There appeared to be no effort of that nature by ICICI Bank, Mr Davidar said, adding that access to the petitioner’s account details “reflects very poorly on ICICI’s systems and procedures in the event of a customer facing this situation.”
“ICICI (Bank) has appeared to function in a manner that would indicate it has washed its hands of the customer. The Bank seems not to have taken RBI’s directives seriously,” he said.
ICICI Bank has failed to establish that due diligence was exercised to prevent contravention of the nature of unauthorised access, Mr Davidar said, adding, “I find the petitioner justified in the instant case.”
“The Bank failed to put in place a foolproof Internet banking system with adequate levels of authentication and validation,” he added.