Centre for Internet & Society

Banking is one of the most risky sectors as far as privacy is concerned, due to the highly sensitive and personal nature of the information that is exchanged, recorded and retained. Although India has RBI guidelines and legislation to protect data, this blog post looks at the extent of those protections and at the areas that still need to be addressed.

1. Introduction

Banking is one of the sectors most at risk of privacy violations due to the sensitive and highly personal nature of the information that is exchanged, recorded, and retained. Individuals must trust banks with personal identifying information, their financial records, the access information to their accounts, and their credit history. Thus, privacy violations are not taken lightly and heavily impact the individual whose privacy was violated. Ways in which a violation of privacy can take place in the banking sector include: sharing personal information with third parties without consent for marketing purposes; a stolen or lost bank account number or card; sharing personal information with, or allowing access to, third parties without informed consent; inadequate notification to an individual concerning what will be done with their data; collecting more personal data than is necessary; refusal to provide financial records upon request by the client; incorrectly recording personal information; and loss of a client's personal data due to improper security measures.

2. Examples of privacy violations in the banking sector: 

There have been many instances in which one of the above violations has occurred. The examples below demonstrate that a privacy violation of any nature is never as simple as “the disclosure of personal data” or “unauthorized access”. Each violation has a unique context that raises important questions that must be answered when forming a privacy legislation, while at the same time demonstrating the need for a certain level of privacy protection to be applied across the board in the financial sector.

2.1 Bank of America: 

An example of a very common privacy violation by Bank of America was reported by the Utility Consumers' Action Network. In the case, Bank of America was charged with selling the personal information (social security numbers, bank account numbers, etc.) of 35 million customers to marketers and third parties without informing the individuals concerned. Bank of America is now settling for $14 million and agreeing to change its privacy policies, its Web site, and its privacy procedures. Perhaps the most alarming element of this story is that Bank of America violated its own privacy policy [1].

This example raises the questions of who should regulate the banking sector, whether the banking sector should be subject to more frequent or more stringent audits, and under what circumstances data transfer should be permitted, i.e. whether financial institutions may disclose encrypted account numbers to non-affiliated third parties as long as the access code is not provided. The example also demonstrates:

  • The need for a customer's personal data to be distinguished between public and non-public information.

  • The need for opt-out options for customers, so they can choose whether personal information is shared with non-affiliated third parties.

  • The need for restrictions on the re-disclosure and re-use of transferred or disclosed data.

2.2 Punjab National Bank 

In 2008, in the case of Punjab National Bank vs. Rupa Mahajan Pahwa, a bank was charged with issuing a duplicate passbook of a joint savings bank account of a husband and wife, maintained with “operational instructions” of either or survivor, to an unauthorized person. The bank was held accountable for the disclosed information, was fined, and was instructed to look into the conduct of the officials who had been supplying information to the unauthorized individual. The fact that a bank employee permitted an unauthorized person access to personal information raises the question of whether a privacy legislation should require employees in the financial sector to go through training on privacy procedures [2].

This example further demonstrates the need for: 

  • Specific guidelines on the instances in which each type of information can be disclosed.
  • Appropriate notice to customers for the disclosure of personal information. Notices of disclosure should include initial privacy notices of the financial institution's policies and practices with respect to the disclosure and protection of personal information, as well as annual notices. If exceptions are to be made, these should be clearly established.

2.3 Canara Bank

In the case of Canara Bank vs. District Registrar and Collector, the District Registrar entered Canara Bank's premises and inspected its books and documents. After inspecting the documents they found an error and seized the material. The bank argued that though the Registrar could inspect the documents, he did not have the authority to seize them without notice to the persons affected. The ruling in the case held that the exclusion of illegitimate intrusions into privacy depends on the nature of the right being asserted and the way in which it is brought into play [3]. This case demonstrates that context is a crucial element of protecting privacy and defining the right to privacy, and raises the question of how a privacy legislation should define context for the financial sector.

3. What are the current privacy standards for the banking sector in India? 

Below are questions pertaining to privacy concerns and the corresponding regulations that exist in the banking sector.  

  • What are the rules and restrictions placed on banks that relate to confidentiality and secrecy?

  • What are the exceptions to the obligations of secrecy?

3.1 Customary/Statutory Banking Law

Both in banking custom and in statute, there is a standardized, recognized obligation of secrecy. The wording of the following section is reproduced identically in many banking related acts, including: SBI Act, 1955 (Section 44); SBI (Acquisition and Transfer of Undertakings) 1980 (Section 13); Credit Information Companies Act, 2005 (Section 29); and the Public Financial Institutions Act, 1983 (Section 3). The section applies to the respective bank as a whole and to its directors, local boards, auditors, advisers, officers or other employees of the State Bank, and creditors are in addition required to affirm an oath of secrecy as provided [4].

Section 44. Obligation as to fidelity and secrecy.
(1) The State Bank shall observe, except as otherwise required by law, the practices and usages customary among bankers, and, in particular, it shall not divulge any information relating to or to the affairs of its constituents except in circumstances in which it is, in accordance with the law or practice and usage customary among bankers, necessary or appropriate for the State Bank to divulge such information.
(2) Every director, member of a Local Board or of a Local Committee, auditor, adviser, officer or other employee of the State Bank shall, before entering upon his duties, make a declaration of fidelity and secrecy as in the form set out in the Second Schedule.

In Shankarlal Agarwalla v. State Bank of India, AIR 1987 Cal 29, a customer owned 261 bank currency notes of Rs. 1,000/- each. Following the demonetisation of high value currency notes in 1978, he tendered these notes to the bank along with the requisite declaration and instructed the bank to credit his Current Account with the amount. The bank made the declaration made by the customer available to the Income-tax Department, which issued a notice under Sec. 226(3) of the Income-tax Act attaching the said sum. Later the sum was released. The Calcutta High Court observed that among the duties of the banker towards the customer was the duty of secrecy. Such duty is a legal one arising out of the contract and not merely a moral one. Breach of it could, therefore, give a claim for nominal damages, or for substantial damages if injury resulted from the breach. It was, however, not an absolute duty, but a qualified one subject to certain exceptions, the instances being: (1) the duty to obey an order under the Bankers' Books Evidence Act; (2) cases where a higher duty than the private duty is involved, as where danger to the State or public duty may supersede the duty of the agent to his principal; (3) a bank issuing a writ claiming payment of an overdraft, stating on the face the amount of the overdraft; and (4) the familiar case where the customer authorises a reference to his banker. The learned Judge further observed that the State Bank of India had been directed by the Reserve Bank of India and the Ministry of Finance to furnish all particulars regarding deposits of bank notes to the Income-tax Department as soon as such notices were received. This instance had, therefore, come within the exceptions.

The more recent Payment and Settlement Systems Act, 2007 imposes privacy obligations on those who manage online payment and settlement systems such as RTGS/NEFT. Section 22 of the Act enjoins a “system provider” not to disclose the existence or contents of any document or part of any information given to him by a system participant, except where disclosure is:

(a) required under the provisions of this Act 

(b) made with the express or implied consent of the system participant concerned 

(c) in obedience to the orders passed by a court of competent jurisdiction 

(d) in obedience of a statutory authority in exercise of the powers conferred by a statute.

3.2 Reserve Bank of India regulations

The Reserve Bank of India has periodically issued guidelines, regulations and circulars which require banks to maintain the confidentiality and privacy of customers. For example, the Master Circular on Credit Card Operations of banks issued by the RBI in July 2010 contains an elaborate set of provisions on “Right to Privacy” and “Customer Confidentiality” under a section titled ‘Protection of Customer Rights’. The provisions, inter alia, forbid the banks from making unsolicited calls, delivering unsolicited credit cards and disclosing customer information to any third party without specific consent. Similarly, the Master Circular on Customer Service in banks issued in 2009 contains a detailed clause on Customer Confidentiality Obligations. The clause reaffirms the customary banking obligation of secrecy and extends it by forbidding the use of customer information for “cross-selling purposes”. It imposes a restriction on data collection by requiring banks to “ensure that information sought from the customer is relevant to the perceived risk, is not intrusive, and is in conformity with the guidelines issued in this regard”.

In 2006, the Reserve Bank of India, along with several banks of the Indian Banks Association (IBA), established a body called the Banking Codes and Standards Board of India (BCSBI) to evolve a set of voluntary norms which banks would enforce on their own. A number of guidelines and notices have been produced by the BCSBI, including the “Code of Bank's Commitment to Customers”, which most banks in India adhere to. Enforcement is through a series of internal grievance redressal mechanisms within each bank, including a designated “Code Compliance Officer” and an Ombudsman.

Though these guidelines do provide differing and useful degrees of security and privacy, the lack of legislative oversight and enforcement means that the standards are applied per institution and per contract, and enforcement is not guaranteed through parliamentary sanctions.

3.3 What legislation applies to data protection in the banking sector?

Banks are governed by the Information Technology Act, 2000, as amended in 2008. The 2008 amendments contain provisions that, inter alia, enjoin banks to adopt reasonable security practices with respect to their databases. Customers of banks can, under the IT Act, obtain compensatory relief for losses arising out of data leakages as well as unauthorised disclosure of information by the banks for gain.

4. International Regulation of Privacy in Banks: 

The EU: The EU Data Protection Directive is a broad directive adopted by the European Union designed to protect the privacy of all personal data of EU citizens collected and used for commercial purposes, specifically as it relates to processing, using, or exchanging such data [5]. The Directive establishes a broad regulatory framework which sets limits on the collection and use of personal data, and requires each Member State to set up an independent national body responsible for the protection of data. The Directive prohibits the transfer of protected personal information outside the EU unless the receiving country applies similar legal protections. For example, in the UK the financial sector is regulated by the Banking Act of 2009, but financial data, along with other data, is monitored by the UK data regulator.

The US: Though the United States has many acts regulating the financial sector, the main legislation is the Gramm-Leach-Bliley Act [6]. The GLBA imposes obligations and restrictions on financial institutions. The act defines:

  • The entities covered by the act
  • Classifications of data and restrictions based on type of data
  • Acceptable and non-acceptable forms of disclosure
  • Opt-out requirements, protocols and procedures
  • Notice requirements
  • Acceptable and non-acceptable marketing activities
  • Measures that should be taken to safeguard information
  • Methods of enforcement.

Questions to Consider:

  • Should financial information be separated into categories based on level of privacy risk?
  • Should financial information be subject to a greater level of security?
  • Should organizations that commit data breaches in the financial sector receive more severe sanctions?
  • Should a privacy legislation create a standardized privacy policy for the financial sector?
  • Should a privacy legislation require specific internal and external audits and monitoring of the financial sector?

 

Bibliography

1. http://www.ucan.org/money_privacy/banking_finance_credit_cards/ucan_wins_lawsuit_against_bank_of_america_concerning_poor_privacy_practices

2. http://164.100.72.12/ncdrcrep/judgement/80PNB%20VS.%20RUPA%20MAHAJAN.htm

3. (2005) 1 SCC 496: AIR 2005 SC 186

4. One of the landmark cases on banking customs related to secrecy is the Court of Appeal case of Tournier v. National Provincial and Union Bank of England, decided in 1924. The court upheld the general duty of secrecy arising out of a contract between the banker and the customer and held that a breach of it may give rise to a claim for substantial damages if injury has resulted from the breach. It is, however, not an absolute duty but a qualified one, subject to certain reasonable exceptions. These exceptions have been incorporated into Indian law (see the Shankarlal Agarwalla case in Section 3.1 above).

5. Westby, Jody. International Guide to Privacy. American Bar Association, 2004, pp. 89-102.

6. Westby, Jody. International Guide to Privacy. American Bar Association, 2004, p. 18.

 
