finance and privacy

Upload: bdv-rao

Post on 03-Apr-2018


  • 7/29/2019 Finance and Privacy

    1/25

    Finance and Privacy


    Contents

    Finance and Privacy
    Introduction
    Legislation
        The Negotiable Instruments Act 1881
        The Prevention of Money Laundering Act 2002
        The Bankers Book Evidence Act 1891
        Credit Information Companies (Regulation) Act 2005
        The Insurance Act 1999 and Regulations
        Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act, 1983
        Payment and Settlement Systems Act, 2007
        The Banking Regulation Act, 1949
        Indian Income Tax Act 1961
        Foreign Contribution Regulation Act, 2010
    Guidelines and Policies
        RBI Guidelines
        Fair Practice Code for Credit Card Operations:
        The Damodaran Report on Customer Service 2010
        Gopalkrishna Working Group Report 2011
    Case Laws
    Implementation
    International Best Practices
        Recommendations


    Introduction

    Financial privacy involves the protection of consumers from unlawful access to financial accounts by private and public bodies, and the unlawful disclosure, sharing, or commercial use of financial information. Types of financial institutions include: banks, tax collectors, mortgage lenders, investment advisers, insurance companies, and real estate brokers. Typical types of financial transactions that consumers can engage in include: paying taxes, buying property, opening bank accounts, and investing in markets. In India this list expands to include micro-credit transactions, rural banking, transactions with banking intermediaries, transactions with money lenders & indigenous bankers, Chit funds, Nidhis, and mutual benefit funds. Violations of privacy in the financial sector have the potential to cause serious damage due to the highly sensitive information that is recorded, exchanged, and retained. Individuals must trust financial institutions with a range of personal identifying information like their financial records, access to information held in their accounts, and their credit history, each of which can be used either directly by banks and their employees, or indirectly by individuals for wrongful gain. Furthermore, government agencies such as the Income Tax department collect large amounts of personal information, and records accumulated in the course of these proceedings could violate an individual's privacy. In addition, the fact that Indian companies now offer outsourced financial services to financial institutions abroad vastly expands and globalizes the number of people who could be affected by violations of privacy in the Indian financial sector. For countries that have enacted financial privacy legislation, the laws often work to place the control of financial information into the hands of consumers. Institutionally, this is done through authorized consents, privacy policies, and opt in/opt out notices. In India, the practice of financial privacy is still taking hold. A 2010 DSCI survey on financial privacy in India found that the percentage of Indian banks publishing privacy policies is still very low, and that the lack of consumer awareness and education also serves as an obstacle to strong financial privacy practices in India.1 Finally, the introduction of e-finance and e-governance schemes comes with the promise of universalizing financial services, but could also turn, if the privacy implications are not carefully weighed, into a concentrated source of financial information for control and misuse. In this context, and in light of the rapid digitization that the financial sector in India is undergoing, this chapter will discuss the ways, old and new, in which financial privacy can be compromised and what legal safeguards exist.


    Legislation

    In India the privacy of financial information is protected through legislation, through banking customs, guidelines and norms, and through relevant policies. Applicable Indian legislation that provides privacy protection over financial information includes the following.

    The Negotiable Instruments Act 1881

    This Act regulates commercial transactions completed through 'negotiable instruments'. Prior to the Act's passage, transactions made by "negotiable instruments" were regulated under the Indian Contract Act 1872. A negotiable instrument means a promissory note, bill of exchange, or cheque payable either to order or to the bearer. Negotiable instruments, therefore, are money/cash equivalents. The provisions are intended to determine who should be held liable when payment is made using a fraudulent cheque and establish the duties of banks for verification. Thus, the provisions pertain to privacy to the extent that they work to protect against fraud. Applicable sections of the Act include:

    Liability: A banker acting in good faith and without negligence will not be held liable for receiving a fraudulent cheque.2 Similarly, if a cheque is issued and fraudulently endorsed, the individual whose endorsement was forged is not liable for fulfilling payment of the cheque.3 Similarly, banks are not liable to fulfill payment of a fraudulent cheque.4

    Verification: It is the duty of the Bank to verify the genuineness of the (electronic image) of the cheque and to detect any fraud, forgery, or tampering.5

    The Prevention of Money Laundering Act 2002

    Money laundering is the process of disguising illegal sources of money in order to make it appear that the money originates from legitimate sources. Preventive measures against money laundering taken by governments include the monitoring of banking customers and their business relations/financial transactions. Thus, the individual's interests in financial privacy must compete with the interests of the government and investigative agencies in requiring the disclosure of financial information.

    The Anti-Money Laundering Act was passed in an attempt to curb money laundering. The Act establishes and delegates investigative powers to five separate authorities: the Adjudicating Authority,6 the Director, the Deputy Director, the Assistant Director, and any authority appointed under the act.7 Additionally, the Act puts in place an appellate tribunal meant to receive complaints of aggrieved persons. Individuals who commit offenses under the Act are held criminally liable.

    Data Retention: The Act establishes two types of data retention policies. The first is a reactive policy, laying out the procedure for retention of evidence collected. The second is a proactive policy, laying out the types of information that Banks are required to retain on a daily basis.

    1. Records obtained through a Survey or through Search and Seizure may be retained only for three months. If the records are to be retained for longer than three months, this decision must be approved by the Adjudicating Authority.8 The person from whom the records were seized is entitled to copies of the records retained,9 and on the expiry of the retention period, the seized records must be returned to the owner.10

    2. Banking companies, financial institutions, and intermediaries must maintain records of their clients' transaction details including location and sum of money and the identity of the relevant client.11 Records are to be retained for a period of ten years after the client has completed its last transaction with the banking company etc.12

    Pro-active Disclosure: Banking companies, financial institutions, and intermediaries must furnish the retained information to the 'Director'. How and by what procedure this information should be furnished and maintained is to be determined by the Central Government in consultation with the Reserve Bank.13

    Reactive Disclosure:

        Power of Discovery: The Adjudicating Authority and the Director have powers analogous to a civil court under the Code of Civil Procedure in matters such as discovery, inspection, and the right to compel the production of records.14

        Power of Survey: Any 'Authority' authorized under the act has the power of survey to enter into any place15 and inspect records,16 place marks of identification on the records inspected by him, make copies of the records inspected by him, record the statement of any person present, and ask for the furnishing of information.17 The 'Authority' can only enter into a place on the basis of material in his possession, and for reasons recorded in writing. His/her search must also be limited to the area and for the purpose assigned.18 Furthermore, the 'Authority' must forward a copy of the reasons that were recorded along with material collected in his possession to the Adjudicating Authority in a sealed envelope and by means which are prescribed by the Adjudicating Authority.

        Search & Seizure: In addition to the power of discovery, the Director19 is given the power of Search and Seizure, allowing him/her to: (1) enter and search any building, place, vessel, vehicle, or aircraft; (2) break open the lock of any door, box, locker, safe etc.; (3) seize any record or property; (4) examine on oath any person who is found to be in possession or control of any record relevant for the purposes of investigation under this Act.20 Safeguards to this power include the requirement that a report must be forwarded to a magistrate under section 173 of the Cr.P.C. or a police report or a complaint has been filed for taking cognizance of an offense by the Special Court constituted under the Narcotic Drugs and Psychotropic Substances Act.21 Like the material gathered under survey, the authority must forward a copy of the reasons recorded along with the material in his possession to the Adjudicating Authority.

        Search and Seizure without warrant: The Director, if satisfied based on information discovered on the completion of a survey that any evidence will or is likely to be concealed or tampered with, may enter the building or place and seize the evidence. This search does not require prior authorization.22

    Lawful disclosure: Any information received or obtained by a Director or any other authority may be disclosed if it is determined to be in the public interest.23

    Redress: Only banks, financial companies, and intermediaries hurt or damaged by any order made by the Director may appeal and seek redress to the Appellate Tribunal. By not extending the ability to seek redress under the Act to individuals, the Act dilutes the privacy of the individual.24 Note: the right to appeal given to banks, etc. under Section 26 is only in respect of an order made by the Director imposing a fine on them for not fulfilling their obligations. Individuals do not have this right.

    The Bankers Book Evidence Act 1891

    The Bankers Book Evidence Act was passed to amend the law of evidence with respect to records, documents, and books kept by banks, referred to as 'Bankers Book' in the legislation. The Act lays out broad safeguards and protections establishing how a Bankers Book should be secured and how a Bankers Book can be used.

    Authenticity of Data: Any printout of an entry in a Bankers Book must be accompanied with a certificate from the principal accountant or branch manager noting that the printout is indeed a printout of the relevant entry.25

    Accuracy of Data: Any printout of an entry in a Bankers Book must be accompanied with a certificate from the person in charge of the computer system vouching that to the best of his knowledge he was provided with all the relevant data and that it is reflected accurately on the printout.26

    Security of Data: A certificate must also be made by the person in charge of the computer system containing a description of the safeguards put in place to: ensure that data is entered only by authorized individuals, prevent and detect unauthorized changes in data, retrieve data that is lost due to system failure or for other reasons, the manner in which data is transferred from the system to various forms of removable media, the mode of verification in order to ensure that data has been accurately transferred to such removable media, the mode of identification of such data storage devices, the arrangements for the storage and custody of such storage devices, the safeguards to prevent and detect any tampering with the system, and any other factor which will vouch for the integrity and accuracy of the system.27

    Disclosure of information: Banks are not compelled to proactively or reactively produce a Bankers Book in a case to which the bank is not a party to prove the transactions and contents found in a Bankers Book unless ordered to do so by a court or judge.28 When a court or judge29 does allow for a Banker's Book to be inspected, the bank must certify that it is making available all related entries.

    Credit Information Companies (Regulation) Act 2005

    Violations of privacy with respect to credit information arise when credit agencies share and exchange reports with insurers and employers. Entities can use this information to deny services and opportunities to individuals. The Credit Information Companies Regulations Act establishes the credit information companies to govern and regulate the use of individuals' credit information. Credit information under the Act includes the amounts and nature of loans, the nature of securities taken, the guarantee furnished or any other non-funding based facility granted by a credit institution to establish the creditworthiness of any borrower.30 Within the Act there are four bodies that handle and process credit information: (1) the credit information company,31 (2) the credit institution (that is, the State Bank of India, national banks etc.),32 (3) the specified user,33 and (4) the individual provider of information. Individuals who commit offenses under the Act are held criminally liable.

    Privacy principles: The privacy principles mandate that every credit institution, credit information company, or specified user must set in place a system to regulate the collection, processing, collating, recording, preservation, secrecy,34 sharing, and usage of credit information.35 Specifically:

        the requirement to ensure that credit information is accurate, complete, and protected against loss, use, or unauthorised disclosure;36

        the extent of the obligation to check the accuracy of credit information before disclosing it to credit information companies, credit institutions, or specified users;37

        how credit information should be maintained, including the length of time it may be retained, and the manner of its deletion;38

        when credit information may be shared electronically;39

        any other principles and procedures relating to credit information which the Reserve Bank may consider necessary and appropriate and may be specified by regulations.40

    Personal access: Any person who applies for a grant or sanction of credit facility, from any credit institution, has the right to request a copy of the information it obtained from the credit information company. Borrowers and clients have the right to ask for their credit information to be updated or corrected at any time, and the credit institution, company, or specified user must comply within 30 days and only after it has been certified as correct by the credit institution concerned.41

    Unlawful Access: Unauthorised access to credit information is penalised with a fine extending to INR 1 lakh and up to INR 10,000 for every day that the unauthorised access continues.42

    Disclosure: Any information that is received by the credit information company is not permitted to be disclosed to any person other than its specified user or for any other purpose. When the information is disclosed to the specified user, it cannot be disclosed to any other person or for any other purpose.43 The only exception to this rule is if required by any law in force.

    Inspection: The Act provides for certain circumstances under which records can be inspected. In particular, the Reserve Bank, after authorisation by the central government, can inspect all the books and accounts of any credit information company or credit institution.44

    Reactive disclosure: Credit information companies are also given authority, through written notice and in such a way as established by the Reserve Bank, to require member credit institutions to furnish information that it deems necessary to comply with the Act.45

    Credit Information Companies 2006 Regulations:

    In 2006 guidelines under section 15(1) of the Credit Information Companies Act were notified. According to the regulations, Credit Companies are allowed to (1) provide information to individual and corporate borrowers, (2) provide data management services to member Credit Institutions, and (3) collect, process, collate, and disseminate data/information related to investments made in Securities other than those issued by the Central Government.46 The guidelines define 'data management services' as services which collect, store, devise systems for retrieving, collating, analysing and distributing, publishing, disseminating data, information and other inputs to its members and specified users.47 Personal data under these regulations is defined as 'information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of the credit information company'.48 Subject of information is defined as one to whom the data, information, or credit information relates, and includes a borrower, client, and a person. The guidelines contain a number of important provisions relating to privacy:

    Requirement to furnish information: If a member credit institution is given a notice to provide information back to the Credit information institution, they must do so.49

    Privacy Principles: Credit information companies are to be guided by the following principles. Information collected by the company should be:

        Accurately recorded, collated, and processed

        Protected against loss

        Protected against unauthorized access, use, modification, or disclosure.

    Updation of information: Credit Institutions are required to update information on a monthly basis and take the necessary steps to ensure that the information is accurate, complete, and current.50

    Security: Credit institutions must enforce a clear procedure for authorizing their employees to handle credit information on a need to know basis.51 Transfer of information must be done through a secure medium.52

    Secrecy: All employees of a Credit information company must sign a declaration of fidelity and secrecy.53

    Personal Access: Individuals have the right to access and correct personal credit records after proper identification. Requests for correction of material must be complied with within 15 days by the Credit Information Company.54 Procedure to comply with this must be established by the Credit Institution.

    Data Collection Limitation: The data collected must be adequate, relevant, and not excessive. An example of adequate data collection given in the regulations includes: name, father's name, address, gender, date of birth, contact telephone numbers, PAN, driving license, passport, voter identity card numbers, credit limit, outstanding balance, repayment history, amount and period of default, and primary/collateral security taken.55

    Disclosure of credit report: Credit Information Companies are allowed to share credit reports only to: a specified user, to comply with a court order, tribunal, law enforcement agency, or statutory/regulatory authority under any applicable law, or when requested by an individual borrower.56 If a borrower is denied credit or any other service on the basis of his/her Credit Information Report, the Specified User who has denied credit is obligated to send the borrower a rejection notice within 30 days of the decision stating the specific reasons for rejection along with a copy of the report, the name and address of the Credit Information Company who issued the report, and the information that was used to make the decision.57 If a borrower requests a report, he/she must pay a fee of Rs. 100.58

    Monitoring use: Credit Information companies will monitor and review on a regular and ongoing basis the access, collection, and usage of a Credit Information Report by the specified user in order to detect and investigate unusual or irregular patterns of use by them.59

    Use of credit report: Credit information reports are allowed to be used to: take a credit decision on a person who has made a written application to the specified user, to take a credit decision on a person who accepts liability for payment on a bill of exchange drawn by a person who has applied to the specified user, to take a credit decision on a person who draws a promissory note in favour of person who has applied to the specified user for a renewal etc of credit, to take a credit decision on a person who proposes to act as a guarantor for a person who has applied to the specified user, to make informed and objective credit decisions, to deter concurrent borrowers and serial defaulters, to keep adverse selection of customers to the minimum, to review and evaluate risk of its customers, to effectively discharge the statutory/regulatory functions. All other uses are prohibited.60

    Accuracy: The Credit Information Company must make all efforts to ensure accuracy and completeness of data.61 The Credit Institution is responsible for the correctness and accuracy of the data submitted to the Credit Information Company.62 Specified users must ensure that they are using the latest credit information.63

    Proactive disclosure: The Credit Institution will ensure that it updates the data furnished to credit information companies on a monthly basis.64

    Retention: Credit Information Companies and Credit Institutions will retain collected and disseminated information for a minimum of seven years.65 Information relating to a criminal offense will be retained permanently. Information relating to financial default or civil offences will be removed seven years after the reporting. All information relating to non-individuals will be permanent.66

    Anonymization: Personal information relating to an individual that is no longer necessary should be destroyed, erased, or made anonymous.67

    Collection limitation: Personal data cannot be collected and included in a general publication unless it is collected for a lawful purpose directly related to the function or activity of the credit institution.68 The Collector must ensure that the data collected is relevant, up to date, and complete, that the collection does not intrude to an unreasonable extent on the personal affairs of the individual, and that the data is secured against loss, unauthorized access, use, modification or disclosure, and misuse.69

    Informed individuals: Before collecting information from individuals, credit institutions must ensure that the concerned individual is informed of the purpose of the collection, whether the collection is authorised or required under any law, and to whom the information will be disclosed.

    Accountability: The Credit information company is responsible for the personal data that it is in possession of. This includes data that has been transferred to a third party for processing. The credit information company will use contractual and other means to provide comparable levels of protection while the information is being processed by a third party.70

    Privacy Procedures: Every Credit information company must include in their practices and policies: protection of personal data, acceptance and disposal of complaints, security and privacy training, establishing compliance committees, appropriate documentation in relation to their members for furnishing and collecting data.71

    Remedies: An individual may file a written complaint before the Reserve Bank against a credit information company, credit institution, or specified user. The Reserve Bank in turn can place a fine on the company for contravention or may reprimand the company.

    The Insurance Act 1999 and Regulations

    The 2010 regulations create a portal known as the IRDA Portal for the purpose of registering the referral company and enable collaboration between referral companies and insurers for the establishment and sharing of the database of the customers of the referral company.

    Furnishing Information: According to the 2002 regulations, the policyholder must furnish all information that is sought from him by the insurer and any other information which the insurer considers as having a bearing on risk to enable the assessment of the risk for the policy.72 According to the 2010 regulations, the Authority may require the insurer to furnish information as necessary.73

    Requirements for database membership: For a referral company to be a part of the database there are a number of criteria that must be met by the referral company, including that the company must have a database of customers acquired through its business, and it cannot be a company whose main business is acquisition and sale of client data.74 The referral company can also not be bound by any confidentiality agreement in the matter of sharing the personal and financial database of its customers.75

    Powers of inspection: The Authority has the power to call for information for undertaking inspection of and conducting enquiries and investigations including audit of insurers, intermediaries, insurance intermediaries, and other organizations connected with the insurance business.76

    Accountability: The Comptroller and Auditor General of India will audit the accounts of the Authority.77

    Penalties: The Authority has the power to cancel the registration of the insurer.

    Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act, 1983

    Secrecy of Data: Public financial institutions are prohibited from divulging any information relating to the affairs of their clients except in accordance with laws of practice and usage.78 To enforce this all banking employees must take an oath of secrecy before carrying out their duties.79 This obligation of secrecy is also found in the State Bank of India Act.

    Payment and Settlement Systems Act, 2007

    The Payment and Settlement Systems Act provides for the regulation and supervision of payment systems in India and designates the Reserve Bank of India as the authority to oversee connected and related matters. Specifically, the oversight board is known as the Board for Regulation and Supervision of Payment and Settlement Systems. The purpose of the Act is to ensure that documents given by a service provider are accepted as evidence in the courts. Relevant provisions include:

    Confidentiality of Information: Any information obtained by the Reserve Bank must be kept confidential.80 Furthermore, the system provider, i.e. any person who operates an authorized payment system, is prohibited from disclosing the existence or contents of any document or any part of any information given to him by a system participant.81

    Lawful Disclosure of Information: The Reserve Bank is allowed to disclose information only in four instances: (1) to protect the integrity, effectiveness, and security of the payment system; (2) in the interest of banking or monetary policy; (3) in the course of the operation of the banking system; or (4) in the public interest.82 System providers are allowed to disclose information in only three instances: (1) when it is required under the provisions of the Act; (2) if it is expressly consented to by the system participant; or (3) if it is in compliance with orders passed by a court or statutory authority.83 As an additional safeguard, the provisions of the Bankers Book Evidence Act also apply to all information or documents maintained by the system provider.84

    Privacy Policy: Every client or participant in the system must be made aware of the terms and conditions including charges, limitations, and liabilities under the payment system. Additionally, the clients must be supplied with copies of the rules and regulations governing the operation system etc.85

    Reactive Disclosure: The system provider is required to provide the Reserve Bank with any information that pertains to the operation of his/her payment system in the form and manner prescribed by the Reserve Bank.86 The Reserve Bank may ask any system provider for: returns, documents, or other information pertaining to its operation of the payment system.87 The Reserve Bank may also access any information relating to the operation of any payment system and system provider.88 For the purpose of enforcing compliance with the Act, any officer of the Reserve Bank may enter and inspect any premise where a payment system is being operated and may also inspect any equipment, computer system, and documents on the premises.89

    Audit: The Reserve Bank may conduct audits and inspections of the payment systemor participants.90

    Penalty:

    Failure to provide information: If a person fails to provide information as required byan officer making an inspection he is liable to a fine.

    91

    Unlawful disclosure: Any person who discloses information without authorization

    will be held criminally liable.92

    The Banking Regulation Act, 1949

    The Banking Regulation Act was passed as a means of regulating the banking industry. The Act empowers the Reserve Bank of India (RBI) to regulate, control, and inspect the banks in India. A Tribunal is also established to investigate complaints made under the Act.

    Privacy Standards: It is the obligation of the central government to set standards for the retention of banking books, accounts, and other documents.93

    Inspection: The Act gives the RBI the authorization to undertake inspection of a bank's books and accounts.94

    Breach Notification: A copy of the inspection report will be provided to the banking company if requested.95

    Disclosure of information in the public interest: The Reserve Bank and the National Bank, if they deem it to be in the interest of the public, have the ability to publish any information obtained under the Act.96 No banking company can be compelled by any authority to produce or allow the inspection of any books, accounts, documents, or other information that the bank deems to be confidential in nature and whose inspection would result in the disclosure of information relating to any reserves not shown in the published balance sheet, or any particulars not shown in respect of the provisions made for bad and high-risk debts.97

    Pro-active disclosure: Every month each banking company is required to submit to the Reserve Bank and to the Registrar a return that lists all of its assets and liabilities.98 Additionally, audit reports must be disclosed to the Reserve Bank within three months of completion. (Section 31)

    Proactive discovery: The Tribunal constituted under the Act will have the powers of a civil court, and among other things have the power of discovery and production of documents.99 An exception to this standard is that the Tribunal cannot compel the Central Government or the Reserve Bank to produce any books, accounts, or other documents that they claim are confidential in nature, to make any books or documents part of the record of the proceedings of the Tribunal, or to give inspection of any books or documents to any party.100 The Reserve Bank may also require that the liquidator of a banking company furnish any statement or information relating to or connected with the winding up of the banking company.101

    Know Your Customer Norms (KYC):102 One of the most effective methods of client identification and verification employed by Indian Banks is the Know Your Customer Norms (KYC). The purpose of KYC is to provide a way for banks to ensure that they accept only legitimate customers, accurately identify their customers at each transaction, monitor customers' transactions to detect illegal activities, and implement processes to effectively manage risks posed by customers trying to misuse financial facilities. The norms place the obligation of ensuring the secure and proper management of any banking company on the Reserve Bank. KYC requires:103

    Verification of identity: All financial transactions are to be undertaken only after proper identification of the customer. Photocopies of proof of identification should be verified against the original documents. No account may be opened anonymously,

    Data retention: Full details of the name and address as well as the details of ID documents should also be kept on record. All transactions (electronic included) should be retained for at least five years.104

    Customer profiles: Banks are permitted to create customer profiles based on risk categorization that include information pertaining to the customer's identity, social and financial status, nature of business, and customer's clients. Banks should only collect information that is relevant and not intrusive. The customer profile will not be divulged or shared.

    Circumstances of beneficiary: Banks are to clearly establish when customers are permitted to act on behalf of another person/entity.

    Due Diligence: Banks must perform 'due diligence' measures based on risk assessment. More intensive due diligence is to be carried out on 'high risk customers'. These include non-resident customers, high net worth individuals, and trusts, charities, and NGOs.

    Customer Identification Procedure: Banks must identify the customer and verify his/her identity by using reliable, independent source documents, data or information. 'The nature of information/documents required to identify individuals should depend on the type of customer (individual, corporate etc.). For customers that are natural persons, the banks should obtain sufficient identification data to verify the identity of the customer, his address/location, and also his recent photograph. For customers that are legal persons or entities, the bank should (i) verify the legal status of the legal person/entity through proper and relevant documents (ii) verify that any person purporting to act on behalf of the legal person/entity is so authorized and identify and verify the identity of that person, (iii) understand the ownership and control structure of the customer and determine who are the natural persons who ultimately control the legal person.'

    Monitoring of Transactions: Banks should monitor large or complex transactions and all unusual patterns that do not seem to have an economic or lawful purpose. In order to do this effectively, the bank may prescribe threshold limits for a particular category of accounts and pay particular attention to transactions which exceed these limits. Banks should ensure that a record of transactions in the accounts is preserved and maintained as required by Section 12 of the PML Act 2002.

    Risk Management: Banks must adhere to audits, establish internal control systems, circulate lists of terrorist entities, report and identify suspicious transactions, and have ongoing employee training programmes.

    Though the norms act as an important safeguard for preventing fraudulent transactions, they create privacy risks given the amount of personal information that is collected, the lack of redress available to individuals if information is inappropriately shared, and the unidentified time period for which data can be retained. The norms hold that banks should not be over-intrusive in terms of the information they gather, but the guidelines do not strictly prohibit the collection of certain types of information and do not place a limit on the amount of time that data can be retained. Thus, there is scope for over-collection of personal information by banks. Additionally, the norms note that the information collected will be confidential and not sold to or shared with third parties, but do not hold banks liable if a violation of this nature occurs.

    Indian Income Tax Act 1961

    The Income Tax Act 1961 lays down the framework for collecting direct taxes in India and establishes the Income Tax Authorities and their functions and powers. The Act is amended annually through the Finance Act. The most relevant provisions to privacy under the Act are those relating to Search and Seizure. The Act gives six authorities power to search and seize what they believe to be undisclosed income or property and to make an order estimating the undisclosed income.105 Specific provisions include:

    Authority: Specifically the authorities may enter into and search and seize any place where they have reason to suspect the presence of books, accounts, other documents, money, bullion, jewellery, or other valuable articles that have not been disclosed when requested. The Act assumes that any book, document, money etc found by the authority belongs to such person, that the contents are true, and that the signatures are authenticated.106

    Data Retention: The books and documents seized under the Act are not to be retained by the authorized officer unless the reasons for retaining them are recorded in writing and approved by the Chief Commissioner or the Commissioner.107

    Appeal: If a person legally entitled to access to the seized books of accounts or documents objects to the order issued by the Chief Commissioner or Commissioner, he may apply to the Board requesting their return.108

    Foreign Contribution Regulation Act, 2010

    The Foreign Contribution Act of 2010 109 aims to regulate the acceptance and utilisation of foreign contribution or foreign hospitality by certain persons by empowering the government to prohibit contributions towards any activities detrimental to the national interest and for matters connected therewith or incidental thereto.110 In the context of the Act, foreign contribution refers to donations and transfers of any article, currency or security made by foreign sources while foreign hospitality refers to the offer to provide a person with the costs of travel to a particular country with free boarding, medical treatment, etc.

    Under the Act, the government is conferred with the power to call for otherwise confidential financial information relating to foreign contributions of individuals and companies if satisfied that acceptance of such contribution or hospitality would prejudicially affect:

    the sovereignty and integrity of India; or

    public interest; or

    freedom or fairness of election to any Legislature; or

    friendly relations with any foreign State; or

    harmony between religious, racial, social, linguistic or regional groups, castes or communities.111

    Guidelines and Policies

    RBI Guidelines

    Every year the Reserve Bank of India issues guidelines, regulations, and circulars that work to enhance customer privacy by requiring banks to maintain the confidentiality and privacy of customers. For example, the Master Circular on Credit Card Operations of Banks contains provisions on The Right to Privacy, Customer Confidentiality, Fair Practices in Debt Collection, and Standards for Fraud Control. The Right to Privacy contains norms requiring:

    Transparency: Banks should clearly state the most important terms and conditions for issue and usage of a credit card.

    Confidentiality: Banks outsourcing the processing of work must ensure that the appointment of service providers does not compromise the quality of customer service or the banks' ability to manage credit, liquidity, operational risks, and the confidentiality of the customer records, respect customer privacy, and adhere to fair practices in debt collection. The norms also oblige both banks and non-banking financial corporations to preserve the confidentiality of customer details.112

    Right to Privacy: Banks should avoid issuing unsolicited cards or loans113 or making unsolicited phone calls,114 and must get the consent of card holders before issuing or upgrading their credit cards.115

    Breach Notification: If a bank is providing information under another law in force, it must inform the customer.116

    Security: In order to combat fraud the guidelines suggest that, among other things, banks set up internal control systems to combat fraud and issue cards bearing the cardholder's photograph, PINs, and laminated signatures.117

    Fair Practice Code for Credit Card Operations:118

    This code is a subset of the RBI Master Circular on Credit Card Usage. The code ensures confidentiality of client account details unless disclosure is required by law, in the public interest, required by the bank to prevent fraud, or with the customer's consent. Specifically, the code ensures that personal information continues to be kept private and confidential even after a client is no longer the bank's customer, and that transaction details will not be disclosed to a third party.119

    The Damodaran Report on Customer Service 2010 120

    In response to the growing use and penetration of 24x7 ATMs, Internet banking, debit cards, and mobile banking, in 2010 the RBI established a committee chaired by Shri. M. Damodaran, former chair of the SEBI. The committee was tasked with reviewing the current system of customer service, evaluating grievance redress mechanisms, examining the functioning and effectiveness of the Banking Ombudsman Scheme, looking into new methods of leveraging technology for better customer service and better implementation of safeguards, and reviewing the roles of the directors and regulators. In their report, the committee found many issues with the current system and made recommendations for improvement. Out of these recommendations the following pertain to privacy:

    Individual Access: Customers should have the ability to request digitally signed email bank statements. These statements should be accepted by government authorities.

    Accuracy: A passbook should be a mirror of the summary of transactions as appearing in the bank's books.

    Transparency: If banks are going to suspend an account, they must inform the account holder by SMS. Similarly, banks should inform customers via SMS when an account nears a minimum balance. Banks should also clearly display a list of the most important terms and conditions.

    Data Bank: The IBA should establish a KYC Data Bank which can be relied upon for KYC purposes.

    Identity: Banks should accept self-attested photographs and proof of address when opening No Frills Accounts. Additionally, all credit and debit cards should contain a photograph of the individual with a scanned signature.

    Liability: Customers should be protected and not held liable for loss from ATM/PoS banking transactions.

    Security: Banks should put in place fraud detection and prevention systems. These should include giving customers the option of blocking foreign IP addresses and restricting account transfers to specified IP addresses. The committee also suggested that every ATM should be labelled with an ID for use when redressing a grievance. Individuals should be able to easily block their ATM cards via SMS. Cameras should be placed in ATMs so clear pictures can be taken of the individuals using them.

    Data Retention: When a complaint is received, banks should preserve any CCTV recordings until the grievance is fully resolved.

    Redressal: In the case of fraudulent transactions the lost amount should be credited back to the account. All grievances regarding mobile banking should be addressed by the banks, and not the service providers.

    Gopalkrishna Working Group Report 2011 121

    In April 2011 the RBI's Internet Banking guidelines were reiterated in the G Gopalakrishna Working group on security in E-Banking. The working group created a report advising banks to implement and follow the privacy policies and procedures established by the guidelines. However, the report is meant to enhance the current guidelines to ensure that electronic banking privacy in India is on a par with international standards. Accordingly, the report recommends changes to the current Indian framework to make it more robust. These are meant to set a common minimum standard for all banks to adopt, as well as lay down the best practices for banks to implement in a phased manner for a safer and sounder banking environment. A few of the recommendations include:

    Establish a Chief Information Security Officer;

    Create and implement risk assessments;

    Restrict internal and external access to information to a 'need to know' basis while not impeding regulatory access to data/records and other relevant information;

    Put in place strong data security measures;

    Data transfers should be completed electronically rather than manually to avoid data manipulation. Banks should also have a strong migration policy.

    RBI should still be allowed the right to order inspection of the processing centre, the books, and the accounts.

    Banks should put in place a transaction monitoring and surveillance process to identify irregular transactions.

    ATM cards should be chip based to make it more difficult to steal and reproduce data.

    Boards and senior management of banks should ultimately be responsible for managing outsourced operations. Banks must be transparent to the regulator about how much information is outsourced, and the terms and conditions of contracts between banks and service providers should be carefully defined.

    Legal suggestions made by the committee include:

    Specify punishments for phishing;

    Put in place and strengthen a legal system to ensure that banks are monitoring transactions in compliance with Anti-Money Laundering legislation;

    Redefine 'electronic cheque' under the Negotiable Instruments Act;

    Clarify the term 'intermediary' under the IT Act;

    Clarify whether an individual can be bound by transactions entered into via electronic means;

    Appoint specific agencies to help courts determine the value of electronic records (even if they have not been digitally signed);

    Determine the legal encryption level under the IT Act and establish a committee under section 84A to set rules regulating the use of encryption;

    Ensure that banks are not held criminally and civilly liable for fraud that a customer commits;

    Strengthen the data protection standards found under Sections 43A, 72, and 72A of the IT Act.

    These recommendations have been met with mixed reviews from the public. For example, critics pointed out that the IT Act already provides punishment for phishing attacks, and many worried about the proposal to exempt banks from liability. Regardless, the report acts as a comprehensive outline to the existing framework for banking in India, and provides a way forward.122

    Case Laws123

    Shri K.B. Gupta vs. Income Tax Department, CIC (Central Information Commission), 2009

    The appellant, Mr Gupta, had given information to the income tax authorities regarding a hawala ring (that is, a network of unofficial money brokers) being operated by Mr. Bhattar. On the basis of this information, the authorities carried out a widespread search and seizure operation, which unearthed black money in the amount of about INR 150 crores held by Bhattar and his accomplices. The investigation discovered widespread hawala transactions involving about 160 people, of whom Bhattar was the kingpin. The appellants claimed that Bhattar and his accomplices escaped by taking advantage of the 1997 Voluntary Disclosure of Income Scheme, an amnesty scheme in which the government encouraged citizens to declare previously undeclared income by making it legal to do so without penalty.124

    Gupta used a Right to Information (RTI) Application to request information from the CPIO and the Appellant Authority (AA) with respect to Mr. Bhattar's financial dealings, beneficiaries, and associates, all of whom were named in the summons notices, since Mr. Bhattar was alleged to have been running a hawala racket.

    The Commission, taking the larger picture of the security of the nation, ruled that as it is indisputable that money laundering is an offence under the Prevention of Money Laundering Act 2002, to deny information on the grounds of the RTI's privacy clause would be completely contrary to the national interest. Hawala transactions not only destroy the economy but also adversely affect the security of the nation. Taking the view that the RTI Act Section 8(1)(j) privacy clause provides for disclosure if it is in the larger public interest, the Commission set aside the CPIO's and AA's earlier decisions and ordered that the relevant records requested by the appellant be made available.

    This case demonstrates that in context the larger good of the public interest overrides the notion of privacy.

    Mr. Suresh Kumar vs. Ministry of External Affairs, CIC, 2011

    In a 2011 case, the Central Information Commission took a similar position as in the case above. The appellant, Mr. Suresh, sought information through an RTI application regarding the passport of Mr. Shah Jahan, a government official who allegedly travels frequently overseas, particularly to the Gulf countries, without getting government permission. It was also alleged that Jahan was engaging in unauthorised money transactions and money laundering.125

    S. Umashankar vs ICICI Bank, 2010

    In this landmark judgment under the Information Technology Act, which set the course for all phishing cases in India, it was rightly laid down that the banks are liable for all phishing activities. Funds in the amount of INR 6646,000 were suddenly and without authorisation debited from the account of the complainant, S. Umashankar, and posted to another ICICI account. Complaining to the bank resulted only in a promise to look into the matter and reply within a month. A month later the bank replied, describing the loss of funds as a bank phishing fraud and, more important, blaming the complainant, saying he had negligently allowed his user name and password to be compromised and failed to follow the bank's instructions regarding fraudulent emails and security controls.126

    The bank also said it could not trace the beneficiary, even though he is an ICICI account holder who had gone through KYC norms verification. The adjudicating officer clearly ruled that the bank failed to establish that due diligence was exercised to prevent unauthorised access as laid out in Section 43 of the Information Technology Act. Moreover, the bank also failed to set up security controls with adequate levels of authentication and validation that could have prevented this loss. Further, the officer maintained that there was definitely a degree of complacency on the part of the bank's officers in dealing with and resolving this issue. The bank was incriminated under Section 85 of the IT Act (for lack of due diligence) and required to compensate the victim of the fraud under Section 46.

    The case set an important precedent. The bank had contended earlier that it has the right to introduce any technology it wants but will not take absolute responsibility for fraud even though both the law and the RBI regulations favour the victim customer. This line of argument will not stand up any more.

    Thomas Raju vs. ICICI Bank, 2011

    After the landmark April 12, 2010 judgment in the Umashankar case, the Tamil Nadu adjudicator delivered a second judgment holding banks liable to repay customer losses due to unauthorised access. This was the case of Thomas Raju vs. ICICI Bank.127 Though these cases are generally termed "phishing" cases, the bank's contention is always that no one can access a customer's account unless the customer shares his password; the banks try to paint all cases as customer negligence. However, in the case of Thomas Raju the customer claimed not to have received any phishing email.

    The adjudicating officer upheld Raju's argument that the bank should have conducted itself responsibly and failed to act with due diligence to prevent unauthorised access to his account. The bank was directed to pay Raju the missing amount of INR 162,800, and the accrued interest, plus damages and expenses.

    It is heartening to know that the right precedents are being set, protecting the customer and ensuring that errant banking and financial institutions are not let off the hook with flimsy excuses.

    Shankarlal Agarwalla vs. State Bank of India, AIR 1987, Cal 29

    In this case a customer owned 261 bank notes worth INR 1000 each. In 1978, he turned in the notes and asked the bank to credit his current account. The bank disclosed this transaction to the income tax department, which in turn issued a notice under Section 226(3) of the Income Tax Act. The Calcutta High Court observed that one of the bank's duties to the customer was secrecy. This duty is a duty of contract and not just a moral obligation. Thus, if this duty is breached, an individual could claim damages. The courts held that the State Bank of India was directed by the Reserve Bank of India and the Ministry of Finance to furnish all particulars regarding deposits of bank notes to the Income Tax Department as soon as such notes were received. Thus, this instance was not a violation.

    Canara Bank vs. District Registrar and Collector 2004 128

    In the case of Canara Bank vs. District Registrar and Collector, the District Registrar entered Canara Bank's premises and inspected its books and documents. During this inspection they found an error, and seized the material. The bank argued that although the Registrar could inspect the documents it did not have the authority to seize them without notice to the affected customers. The Supreme Court of India ruled that the exclusion of illegitimate intrusions into privacy depends on the nature of the right being asserted and the way in which it is brought into play. This case demonstrates that context is a crucial element of protecting and defining the right to privacy, and raises the question of how privacy legislation should define context for the financial sector.

    Punjab National Bank vs. Rupa Mahajan Pahwa 2008 129

    In the 2008 case of Punjab National Bank vs. Rupa Mahajan Pahwa, PNB was charged with issuing a duplicate passbook for a joint savings account to an unauthorised person. The bank was held accountable for the disclosure, and was fined and instructed to look into the conduct of the officials who supplied information to the unauthorised individual. The fact that a bank employee permitted an unauthorised person access to personal information raises the question of whether privacy legislation should require employees in the financial sector to go through training on privacy procedures.

    Implementation

    India, unlike other countries like the United States, does not have specific legislation or a framework regulating and protecting the privacy of financial data. Instead, as pointed out by Mr. Vijayashankar, Cyber Law expert, the confidentiality and secrecy of financial data have evolved as standard practice by banks over the years, and the existing legal protections for financial information have emerged out of anti-fraud provisions. Thus, privacy (specifically data breaches) is not seen as a protected right (while fraud is) and privacy protection for financial information is established predominantly through individual contracts. These practices, though effective in some circumstances, result in inconsistent and incomplete protection for financial data. Additionally, the lack of enforcement leaves a large gap between policy and implementation.

    For example, under statute and through policy, banks are responsible for investigating complaints of fraudulent transactions. In practice, however, the onus is almost always placed on the customer. As another example, the KYC norms were developed to detect and prevent money laundering, broadly understood in Indian law as any criminal act that uses the banks as a facilitator. As part of the KYC procedures, banks are required to verify and identify customers, and are responsible for monitoring their transactions and following up on anything suspicious. In practice, the KYC norms have become a document verification checklist that banks comply with because it's required. Due diligence is rarely given to thoroughly investigating banking clients, and often the job of following through with the KYC norms is outsourced by banks to another company.

    Another weakness of the Indian banking regulatory framework is that the laws have not been amended across the board to take into consideration e-transactions and Internet banking. Therefore, in some cases the same banking regulations that safeguard manual transactions are being extended to electronic ones. This is proving to be inadequate, as privacy risks are higher in the case of electronic transactions. The gaps in the Indian financial regulatory framework have also allowed wide powers of search and seizure to be given to law enforcement and the authorities. Broadly speaking, four bodies have the ability to access financial data. These include the police (but only with case-by-case authorisation), the courts, the Reserve Bank of India, and the intelligence agencies (where authorisation for specific cases is not required).130

    The inconsistencies in the implementation and structuring of the financial regulatory framework have left individuals vulnerable to privacy violations of their financial data. In India the most frequently reported privacy violation is banking fraud. The innovative ways in which criminals are accessing and misusing financial information raise the question of whether the current legislation and regulations are adequate to punish and prevent crime. In 2011, the Economic Times reported as many as 11,195 suspicious transaction reports (STRs) were detected by the Finance Ministry's Financial Intelligence Unit (FIU) between 2006 and 10.131 A May 2011 news report revealed that individuals, by working closely with mobile service providers, intercept SMSs that contain the details of financial transactions. These individuals stop any 'alert' SMSs sent from a bank and use a replacement SIM card to send the transaction details to their phone.132

    Similarly, in June 2011 a scam was discovered in which fraudsters had set up a fake company selling car accessories that offered a discount to buyers who used a card. When the individuals entered their PINs on handheld devices, the devices copied both the card details stored in the magnetic strip and the PIN. Subsequently, the card details were used to clone the card, and the PIN enabled the withdrawal of money.133 At present, as discussed above, Indian banks are not taking responsibility for wrongful withdrawals.134 In another example, in June 2011 six people were able to hack into an account in the ICICI Bank, Chandigarh, and fraudulently sell INR 94 lakhs worth of shares in the shareholder's name. Similarly, in May 2012 the RBI issued a public statement warning against fraudulent emails being sent to RBI customers under the auspices of a new security platform being adopted by the bank.135

    These news items raise questions of liability and effectiveness.136 In response to these inconsistencies, the Financial Sector Legislative Reforms Commission (FSLRC) is considering a single, harmonised and uniform law applicable to all banks and giving the central bank the power to sanction the takeover of a co-operative bank by commercial banks.137

    Terms and Conditions from private and public sector:138

    Private and public sector banks in India implement terms and conditions with implications for their customers' privacy. For example: the private bank ICICI has established a policy that allows the bank to share all information relating to a client's application with other ICICI Group companies, banks, financial institutions, credit bureaus, agencies, statutory bodies, tax authorities, central information bureaus, and other persons as ICICI Bank and its Group Companies deem necessary or appropriate as may be required for use or processing of the information. Furthermore, under the terms the ICICI Bank and its group companies will not be liable for how that information is used. The terms of this contract are non-negotiable, binary, and changeable at the will of the Bank.139 These broad terms encompass the relevant banking laws (as discussed in this chapter) and also include any future bodies created by the legislature, under any law. Public sector banks, like the State Bank of India, are regulated by statute and owe a duty of fidelity and secrecy to all their customers. For instance, under the State Bank of India (Subsidiary Banks) Act, banks must observe, except as otherwise required by law, the practices and usages customary among bankers. In particular, the bank cannot share information pertaining to its clients except in accordance with the law, or when practice and usage customary among bankers deem it necessary or appropriate for that bank to disclose the information.140


    International Best Practices

    Recommendations

    1. DSCI - KPMG Banking Survey Report Final.pdf, http://www.dsci.in/sites/default/files/DSCI%20-%20KPMG%20Banking%20Survey%20Report%20-%20Final.pdf
    2. Negotiable Instruments Act, 1881 s.131.
    3. Negotiable Instruments Act, 1881 s.131 85 (1).
    4. Negotiable Instruments Act, 1881 s.131 85A.
    5. Negotiable Instruments Act, 1881 s.131 131 inserted by Act 55 of 2002 s. 6.
    6. Prevention of Money Laundering Act, 2002, s. 6 'The Central Government shall appoint the Adjudicating Authority. The Adjudicating Authority will consist of a chairperson, and two other members.'
    7. Prevention of Money Laundering Act, 2002, s. 50 The Director shall have the same powers vested in a civil court in respect of certain matters, the director, additional director, Joint Director, Assistant Director shall have the power to summon any person.
    8. Section 21(1).
    9. Id., Section 21 (2).
    10. Id., Section 21(3).
    11. Prevention of Money Laundering Act, 2002, s. 12 (a)(b)(c).
    12. Prevention of Money Laundering Act, 2002, s.12(2).
    13. Prevention of Money Laundering Act, 2002, s. 15.
    14. Id., Section 11 (a)(C).
    15. Prevention of Money Laundering Act, 2002, s.16 (1).
    16. Prevention of Money Laundering Act, 2002, s.16(1)(i).
    17. Prevention of Money Laundering Act, 2002, s. (16)(3)(i) to (iii).
    18. Prevention of Money Laundering Act, 2002, s.16(1)(i) and (ii).
    19. Prevention of Money Laundering Act, 2002, s. 48 'The Act has three classes of authorities 1. Director or Additional Director or Joint Director, 2. Assistant Director, and 3. Other such officers that may be appointed under this Act.' Section 50 'The Director shall have the same powers as are vested in a civil court. The additional director shall have the power to summon any person whose attendance he considers necessary to produce documents. The Assistant Director shall not (a) impound any record without recording his reasons for doing so (b) retain any record without prior permission from the Director.'
    20. Prevention of Money Laundering Act, 2002, s. 17 (1).
    21. Prevention of Money Laundering Act, 2002, s. 17(a).
    22. Prevention of Money Laundering Act, 2002, s. 17(3).
    23. Prevention of Money Laundering Act, 2002, s. 66.
    24. Prevention of Money Laundering Act, 2002, s. 26.
    25. Bankers Book Evidence Act, 1891, s. 2A(a).
    26. Bankers Book Evidence Act, 1891, s. 2A(c).
    27. Bankers Book Evidence Act, 1891, s. 2A(A-I).
    28. Id., Section 5, Case in which officer of bank cannot be compelled to produce books.
    29. Id., Section 6, Inspection of Books by Order of Court or Judge.
    30. Credit Information Companies (Regulation) Act 2005, s. 2 (d).
    31. Credit Information Companies (Regulation) Act 2005, s. 2 (e).
    32. Credit Information Companies (Regulation) Act 2005, s. 2 (f).
    33. Credit Information Companies (Regulation) Act 2005, s. 2(l).
    34. Credit Information Companies (Regulation) Act 2005, s. 29.
    35. Credit Information Companies (Regulation) Act 2005, s. 20.
    36. Id., s. 19.
    37. Id., s. 20(c).
    38. Id., s. 20(d).
    39. Id., s. 20(e).
    40. Credit Information Companies (Regulation) Act 2005, s. 20(f).

    41. Id., s. 21(1)(2)(3).
    42. Id., s. (22)(23).
    43. Credit Information Companies (Regulation) Act 2005, s. 17(4)(a)(b)(c), s. 28.
    44. Id., s. 12 (1).
    45. Id., s. 17(1).
    46. Credit Regulations 2006, s. 6.
    47. Credit Regulations 2006 definition c.
    48. Credit Regulations 2006 definition g.
    49. Section 7.
    50. Section 9.1.3.
    51. Section 9.2.3.
    52. Section 9.2.5.
    53. Section 9.2.2.
    54. Sections 9.3.1, 9.3.2, 9.3.3.
    55. Sections 9.4.1, 9.4.3.
    56. Credit Regulations s. 9.5.1.
    57. Section 9.5.5.
    58. Section 11.
    59. Section 9.5.2.
    60. Section 9.5.3 & 9.5.4.
    61. Section 9.6.1.
    62. Section 9.6.2.
    63. Section 9.6.4.
    64. Section 9.6.3.
    65. Section 9.7.1.
    66. Section 9.7.2.
    67. Section 9.7.3.
    68. Section 15 (a).
    69. Section 16 (b) (i)(ii)(iii).
    70. Section 17.
    71. Section 18.
    72. IDRA Regulations 2002, s. 11(3).
    73. IDRA Regulations 2010, s. 5.
    74. IDRA Regulations 2010 6(f).
    75. IDRA Regulations 2010 6(h).
    76. 14 Section h.
    77. Section 17.
    78. Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act, 1983, s. 3(1).
    79. Id., Section 4 (a)(b).
    80. Payment and Settlement Systems Act, 2007, s. 15.
    81. Payment and Settlement Systems Act, 2007, s. 22.
    82. Id., Section 15(2).
    83. Id., Section 22(1).
    84. Id., Section 22 (2).
    85. Payment and Settlement Systems Act, 2007, s.21(1).
    86. Id., Section 12, 13.
    87. Id., Section 12.
    88. Id., Section 13.
    89. Id., Section 14.
    90. Payment and Settlement Systems Act, 2007, s. 16.
    91. Id., Section 26(3).
    92. Payment and Settlement Systems Act, 2007, s. 26 (4).
    93. Banking Regulation Act, 1949, s. 45Y.
    94. Banking Regulation Act, 1949, s. 35, Section 45Q.
    95. Banking Regulation Act, 1949, s. 35 (1A)(b).
    96. Id., Section 28.
    97. Id., Section 34A.


    98. Banking Regulation Act, 1949, s. 27.
    99. Id., Section 36 AI.
    100. Id., Section 36 AI.
    101. Id., Section 45R.
    102. Id., Section 35 A.
    103. http://bit.ly/TEiC5i
    104. http://bit.ly/P1z7Wb
    105. Indian Income Tax Act, 1961, 132(1): Director General, Director, Chief Commissioner, Commissioner, Deputy Commissioner, commissioner empowered by the board.
    106. Id., Section 132 (4A).
    107. Indian Income Tax Act, 1961, s.132(8).
    108. Id., Section 132 (11).
    109. Research completed by Tarun Krishnakumar.
    110. Preamble to the Foreign Contribution Regulation Act, 2010.
    111. Proviso to Section 9 of the Foreign Contribution Regulation Act, 2010.
    112. Id., Section 5 (a).
    113. Id., Section 6.1(b)(d), and (e).
    114. Id., Section 6.1 (f).
    115. Id., Section 6.1 (c)(e).
    116. Id., Section 6.2 (b).
    117. Id., Section 9.
    118. Section research conducted by Malavika Chandu law student at NUJS law school.
    119. See http://bit.ly/Qwpr4f
    120. Ibid. http://bit.ly/UCabHo
    121. See http://bit.ly/hgjdgt
    122. See http://bit.ly/Ty28NN
    123. Research and writing done by Priyale Prasad
    124. See http://bit.ly/QwGK90
    125. See http://bit.ly/TEjjfb
    126. See http://bit.ly/Ty2pjU
    127. See http://bit.ly/NiWAnQ
    128. See http://bit.ly/QswfFR
    129. See http://bit.ly/SiGmb1
    130. Ibid. Interview with NA Vijayashankar
    131. See http://bit.ly/QwqFwk
    132. See http://bit.ly/iZoziA
    133. See http://bit.ly/kDSqWF
    134. See http://bit.ly/RM1z10
    135. RBI warns against fraud email, Economic Times, May 21, 2012, http://bit.ly/P1A6FR20 (last accessed on June 16, 2012).
    136. http://bit.ly/kvzrdS
    137. http://bit.ly/PTOUWh
    138. Section research completed by Malavika Chandu intern NUJS law school.
    139. See http://bit.ly/P7xRzj: see clauses 18 and 19
    140. State Bank of India (Subsidiary Banks) Act 1959 s. 52.