Central Information Commission
Mrs.Sucheta Charudatta Dhekane vs Bank Of Maharashtra on 9 November, 2011
CENTRAL INFORMATION COMMISSION
Club Building (Near Post Office)
Old JNU Campus, New Delhi - 110067
Tel: +91-11-26161796
Decision No. CIC/SG/A/2011/002073/15529
Appeal No. CIC/SG/A/2011/002073
Relevant facts emerging from the Appeal:
Appellant : Ms. Sucheta Charuduatta Dhekane
Chintamani Heaven, Flat No. 6
1st Floor, Near Kothrud,
Pune-411029
Respondent : Mr. Ajay Banerjee,
PIO & Chief General Manager (Planning development & Corporate services), Bank of Maharashtra, Lokmangal 1501, Shivaji Nagar, Pune-411005
RTI application filed on : 05-01-2011
PIO replied on : 14-01-2010
First Appeal filed on : 18-04-2011
First Appellate Authority order of : 07-05-2011
Second Appeal received on : 29-06-2011
Q. No. | Information sought | Reply of PIO
1. Information sought: The procedure for opening a new savings bank account and current account with your bank/ branches. Procedure regarding linking of internet banking, phone banking, ATM and Credit card facilities to such accounts and documents obtained under KYC.
Reply of PIO: Information provided. As regards the document to be submitted as per KYC norm, the same is attached herewith, Annexure-1
2. * Information sought: The requisite documents sought from customers at the time of opening of such accounts for complying with KYC norms prescribed by RBI.
Reply of PIO: The information regarding requisite documents sought from at the time of opening of such a/cs for complying with KYC given in point 1.
3. * Information sought: System for Monitoring of such newly opened bank accounts (savings/current) opened with your Bank/ branches during initial period as per RBI guidelines
Reply of PIO: In reply to point no 3, we inform you that all the new accounts are monitored on continuous basis and transactions which give rise to suspicion are further scrutinized and reported to FIU-IND if found to be of Suspicious nature.
4. * Information sought: What are the norms for dormant and the procedure for activating such bank accounts which are dormant? Procedure for activation and authorization before any operations are being allowed.
Reply of PIO: 4. Regarding point no 4, we inform you that All those accounts which have not been operated for two years, are categorised as "inoperative account". Further, for the purpose of classifying an account as inoperative, both the types of transactions i.e. debit as well as credit transactions induced at the instance of customers as well as third party is considered.
The segregation of the inoperative accounts is from the point of view of reducing risk of frauds etc in such accounts. Any transactions in inoperative account will be made by maker and checked by checker i.e. it will be necessarily routed through two employees of the Bank.
5. Information sought: What is the procedure for availing of internet/phone banking etc. facilities? Documents sought for from the customers. The documents supplied to the customers in turn by the bank (BOM), before availing of such facility.
Reply of PIO: 5. As regards point 5 the procedure for availing of internet banking/ phone banking/etc, has been provided on our Bank's website. Please find the
6. Information sought: Guidelines issued by the bank as regards to use of internet Banking, phone banking, ATM and credit card facilities by the customers and copies thereof.
Reply of PIO: Regarding point 6, the guidelines issued by the Bank as regards to use internet banking, phone banking, ATM & Credit cards facilities, please find the Annexure-3 in relation to the same.
7. Information sought: System of uploading the customers and copies thereof.
Reply of PIO: 7. In reply to point no 7, we inform you that Bank has its Core Banking application running in all the branches and customer's data at the time of opening the account and any transaction related to the customers accounts are done through the CBS application. The customers' data, is stored in Bank's data center in a secured environment.
8. * Information sought: safety measures taken by bank to protect/prevent sharing of the data base of its customers with outsiders/vendors so as to protect its own interest and that of its customers.
Reply of PIO: Regarding point 8, the customers Database being the most critical information is never disclosed with outsiders. However, NDA (Non Disclosure Agreement) is signed with the vendors working on the Bank's Systems in order to assure the non disclosure of the customers data.
9. * Information sought: It is learnt that the official website of Bank was changed in the past- reasons thereof & details thereof. Date from which the website was changed? Whether all accounts holders customers were intimated in these regard- details thereof. Copies of both the websites be furnished.
Reply of PIO: 9. In reply to point 9, regarding the change of official web site, we inform you that you have raised certain queries & made statements which do not fall under the purview of the definition of 'information' under RTI Act, 2005
10. Information sought: Measures taken by the bank to protect the customers interest from internet banking Frauds/ Phishing activities, etc.
Reply of PIO: 10. Regarding point no 10, Bank has taken the following measures to protect the customers interest from internet Banking frauds etc.
a) Internet Banking Start-up kit includes instructions regarding precautions to be taken while using the Internet Banking facility.
b) Bank has secured its Internet Banking Website by providing the Secured Socket Layer (SSL) protocol. The same could be identified by having the "https" in the URL. Bank is also repeatedly advising customers through various communication channels to type in the URL as https://www.mahaconnect.in
c) In the Internet Banking website once the user logs in, there is a continuous message scrolling that indicates clearly that such fraudulent
11. * Information sought: Details of internet Banking Frauds under Phishing/ Phone banking and credit card Fraud occurred at bank Of Maharashtra for the last four years 2007-08, 2008-09 and 2009-10 2010-11. the necessary details be furnished in following format: Name of Branch | No. of cases | Amount involved
Reply of PIO: 11. In reply to point no 11, the details of the frauds / phone banking & credit card frauds are as follows:
CREDIT CARD FRAUDS
a. 2007-08: NIL
b. 2008-09, Navarang pura, ahemedabad, No of cases-1, amount involved-1.09 lacs
c. 2009-10, Card Cell Mumbai. No. of cases -01, amount involved-2.58 lacs
d. 2010-11, Asaf Ali Road, Delhi. No of cases: 2, amount involved: 0.75 lacs.
Phishing Frauds:
For the year 2007-08, 2008-09, 2009-10, no phishing frauds occurred. In 2010-11 till dec 2010 only one case of Bandra East is registered, amount involved-Rs.3.30 lacs.
12. Information sought: Details of staff accountability fixed in such cases for any staff lapses, as also details of any recovery effected in such cases.
Reply of PIO: 11. In reply to point no 11, the details of the frauds / phone banking & credit card frauds are as follows:
CREDIT CARD FRAUDS
a. 2007-08: NIL
b. 2008-09, Navarang pura, ahemedabad, No of cases-1, amount involved-1.09 lacs
c. 2009-10, Card Cell Mumbai. No. of cases -01, amount involved-2.58 lacs
d. 2010-11, Asaf Ali Road, Delhi. No of cases: 2, amount involved: 0.75 lacs.
Phishing Frauds:
For the year 2007-08, 2008-09, 2009-10, no phishing frauds occurred. In 2010-11 till dec 2010 only one case of Bandra East is registered, amount involved-Rs.3.30 lacs.
13. * Information sought: The details of measures taken by the bank (BOM) to strengthen its own internal control system to prevent recurrence of such instances in future. Necessary details are furnished.
Reply of PIO: 13. In reply to point 13, the details of measures taken by the bank to strengthen its own internal control system to prevent recurrence of such instances in future are as follows:
a) Bank has its Information Security Framework in place.
b) Quarterly Security audit of the network infrastructure is being done. In order to detect any new vulnerability Bi-Monthly Vulnerability Assessment and Penetration Testing of the Internet Banking System is being done.
c) The One Time Password for addition of the Beneficiary through Internet Banking has been implemented. And fund transfer facility is available only to the registered beneficiaries through the OTP.
14. * Information sought: When the last Risk Based internal Audit (RBIA) of Navipeth Branch was conducted? Copy of the report. Copy of compliance furnished by the branch.
Reply of PIO: 14. As regards point no 14, we inform you that RBIA of Navi Peth Branch was conducted on 18/11/2010. Regarding copy of the report & compliance furnished by branch, we inform you that the information sought for has no relationship with any public activity or interest & hence we can not provide the same.
15. * Information sought: Copy of last system Audit Report of Bank Of Maharashtra and copy of Compliance furnished to audit committee of the Board. Board's observation in this regard. Copy of compliance furnished to the board.
Reply of PIO: 15. In point no 15, you have sought the last system audit report of bank of Maharashtra & copy of compliance furnished to audit committee of the board & Board's observation in this regard, we inform you that the information includes the commercial confidence of the Bank and also the
16. Information sought: Copy of citizen's charter issued by Bank of Maharashtra as per RBI guidelines.
Reply of PIO: 16. As regards point no 16, we inform you that the citizen's charter is available on our bank's website bmaharashtra.co.in. However a copy of the same is attached herewith for your perusal. Annexure-4
17. * Information sought: Copy of standard procedure code & ethics issued by the bank of Maharashtra as per RBI guidelines.
Reply of PIO: Regarding point 17, as the standard procedure & ethics is the part of citizen's charter & the same is provided under point no 16.
18. * Information sought: Is there any "compensation policy" to compensate the customer in case of fraud? Copy thereof.
Reply of PIO: point 18, we inform you that Bank has 'compensation policy' been displayed on its website. However a copy of the same is . Annexure-5
19. Information sought: Information about 3 bank accounts of Shukla Das, shekhar Das and Nilesh Dandekar.
Name of beneficiary | SB A/c | Branch | Amt. siphoned off & date
Nilesh Dandekar | 60027877360 | Tardeo-Mumbai | 20,000 (20-07-2010)
Sukla Das | 68000485603 | Jadavpur-Kolkatta | 30,000 (20-07-2010)
Sekhar Das | 68000485829 | Jadavpur-Kolkatta | 30,000 (20-07-2010)
 | | | 12,000 (21-07-2010)
Reply of PIO: 19. In reply to point 19 to 21, we inform you that the information sought for is personal information of third party which has no relationship with any public activity or interest and it would cause unwarranted invasion of privacy of the individual & as such exempt under section 8(1)(j) of the Act, moreover Bank has to maintain secrecy about the accounts of its constituents.
20. Information sought: Copies of account opening forms and copies of documents obtained under KYC and relied upon, as prescribed by RBI at the time of opening of these accounts at respective branches.
Reply of PIO: 20. In point no 22, you have sought certain information based on certain presumption, which does not fall under the scope of RTI Act. Moreover, we inform you that there is no such "Money Mule" account with Bank.
21. * Information sought: similar details viz. account opening form and KYC documents in respect of introducers of these accounts.
22. * Information sought: Copies of the account statements of all the above mentioned money mule accounts from date of opening to freezing of accounts.
Reply of PIO: 22. As regards point no 24, we inform you that there are 5 instances happened during June / July 2010. the information regarding the victims & their account details can not be provided as the information would impede the process of investigation or apprehension or prosecution of offenders & as such exempt under section 8 (1) (h) of the Act. However, regarding Phishing of your account, bank vide its letter dated 14/01/2011 has made correspondence with you, a copy of the same is attached herewith. Annexure-7.
23. * Information sought: System for monitoring of such "Money Mules Accounts" as per RBI guidelines.
Reply of PIO: 23. In reply to point 25 & 26, copy of reporting of frauds to RBI & internal investigation report, we inform you that the information is confidential report of Bank & hence we can not provide the same. Moreover the information sought for has no relationship with any public activity or interest.
24. * Information sought: Number of such phishing instances happened during June/july 2010. Name of the victims, accounts details, details of Mule accounts. Date on which the first complaint was received at BOM Hqrs. Steps/ Measures taken by BOM to alert other customers in this regard to protect their interest.
Reply of PIO: No staff fraud was found.
25. * Information sought: Copy of statement/return of reporting of fraud to RBI, DBS, CO, Mumbai and copy of communications received from RBI, DBS, CO, Mumbai and copy of communications received from RBI in this regard follow up action.
Reply of PIO: As regards point no 25, we inform you that you have sought certain opinion which does not fall under the definition of 'information' under RTI Act.
26. * Information sought: Copy of the internal investigation report and observation made by TOP Management- copies thereof.
Reply of PIO: 26. Regarding point no 29, as the matter is under process.
27. * Information sought: The action taken by the bank officials/authorities for non adherence of KYC guidelines as well as internal guidelines thus helping / abatement in perpetration of this particular fraud.
Reply of PIO: Does not arise.
28. Information sought: Whether the bank is aware that the captioned Fraud also falls under the provisions of preventions of Money Laundering Act-2002? Yes or No.
Reply of PIO: Regarding point no 31, we inform you that Bank is having well defined 'staff accountability examination policy' to deal with misconduct.
29. * Information sought: If yes whether the bank has reported the requisites details to Financial Intelligence Unit New Delhi under AMI guidelines? If yes, copy of communication sent to FUI-ND
Reply of PIO: In respect of point no 32, regarding the measures taken to address 'Operational Risk' as per operational risk management policy, the information technology department would assess the IT Environment Risk and IT operation and Product Risk and submit a Half Yearly report to the ORMD. This would cover losses on account of technological issues, operational breakdowns, system downtimes, ATM downtimes and programming error with impact on loss of business / income, repair & recovery cost, the efficacy and appropriateness of disaster recovery plans etc.
30. Information sought: If No, reasons thereof? Any action contemplated against delinquent officials? Details thereof.
Reply of PIO: As regards point no 33, relating to expenditure incurred on lawyers & police authorities in connection with the particular case, we inform you that the information sought for is not available with us in the format as you sought.
31. Information sought: Whether there is any system of fixing of any accountability in such cases? Details thereof.
Reply of PIO: 31. Regarding point no 34, we inform you that Bank has taken immediate steps to inform and guide and assist you to file the FIR with the police station. Bank has also extended all the necessary co-operation by analyzing and providing the required information to the police authorities. The matter is being investigated by the police authorities.
32. Information sought: Copy of risk management policy of the bank. Measure taken to address "operational risk". Details thereof.
Reply of PIO: 32. In point no. 35 as no information sought for, question of information does not arise.
33. Information sought: Details of expenditure incurred on lawyers and police authorities in connection with this particular fraud, including Air Fare and expenses on litigation, lawyers fees etc. vis a vis final outcome.
Reply of PIO: 33. As regards point no 36, we inform you that Bank has extended all the necessary cooperation by analyzing and providing the required information of the Suspects to the Police authorities and the matter is being investigated by the Police Authorities.
34. * Information sought: Current status of the investigation / proceedings of internet Banking fraud in my above mentioned current account.
Reply of PIO: 34. In respect of point no 37 regarding the Log-in and time details of IP addresses and places from which your current a/c was siphoned, the information can not be provided as the information would impede the process of investigation or apprehension or prosecution of offenders & as such exempt under section 8 (1) (h) of the Act,
35. * Information sought: Future course of action contemplated against these fraudulent accountholders for recovery of the amount involved.
Reply of PIO: 35. In reply to point no. 38, we inform you that no such advertisement was published in local news paper.
36. * Information sought: Efforts made by the bank to trace the whereabouts of Mr. Nilesh Dandekar, Nalasopara, Thane, who has been the customer of BOM and one of the beneficiary of this fraud.
Reply of PIO: 36. Regarding point no. 39, measure taken by Bank to strengthening the security of IT system, we inform that the One Time Password for addition of the Beneficiary through Internet Banking has been implemented. And fund transfer facility is available only to the registered beneficiaries through the OTP.
37. * Information sought: date of log-in & time details of IP addresses and places from which my current acc. No. 20076502628 maintained at your Navi Peth branch, Pune was accessed on 20-07-2010 and 21-07-2010 and an amount of rs. 92,000/- was siphoned off.
Reply of PIO: 37. As regards to point no 40, please find the photocopy of your internet banking application form Annexure-8
38. Information sought: Details of any adv. Given by the bank in the local newspaper for generating further public awareness amongst customers about such fraudulent activities- copies thereof.
38. * Information sought: after reporting of such internet banking frauds, any further measure taken bank in this regard to strengthen the security of IT system. details thereof.
40. * Information sought: Kindly arrange to forward me a photocopy of my internet banking application.
Grounds for the First Appeal:
The CPIO did not give complete and true information and CPIO did not provide information.
Order of the First Appellate Authority (FAA):
The appellant has asked so many questions which do not come under RTI
Ground of the Second Appeal:
PIO had not given complete and true information.
Relevant Facts emerging during Hearing:
The following were present:
Appellant: Ms. Sucheta Charuduatta Dhekane on video conference from NIC-Pune Studio;
Respondent: Mr. G. Ram Chandaran, DGM (IT) on behalf of Mr. Ajay Banerjee, Public Information Officer & Chief General Manager on video conference from NIC-Pune Studio;
The PIO has provided certain information but is now directed to provide the following information:
1- Query-12: Specific information to be provided.
2- Query-19 to 22: PIO will provide the information as sought by the Appellant.
3- Query-25: Copies of Reports on fraud sent to RBI.
4- Query-27: Specific information will be provided.
Decision:
The Appeal is allowed.
The PIO is directed to provide the information as directed above to the Appellant before 30 November 2011.
This decision is announced in open chamber. Notice of this decision be given free of cost to the parties. Any information in compliance with this Order will be provided free of cost as per Section 7(6) of RTI Act.
Shailesh Gandhi
Information Commissioner
09 November 2011
(In any correspondence on this decision, mention the complete decision number. (BK))