Chapter 1 Introduction

Online Trading is a service offered on the internet for the purchase and sale of shares and securities. In the real world, you place orders with your stockbroker either verbally (personally or telephonically) or in written form (fax). In Online Trading, you access a stockbroker's website through your internet-enabled PC and place orders through the broker's internet-based trading engine. These orders are routed to the Stock Exchange without manual intervention and executed there in a matter of a few seconds. Through online trading, the securities industry has, for the first time, paved the way for direct order placement into the broking firm's trading system via the Internet. By circumventing the broker in the order entry stage, the price setting power for trading has shifted from the brokers and traditional stock exchanges to individuals. The advent of online trading is probably the final stage in the 'disintermediation of the trading environment', ending the process which started with the abolition of fixed brokerage commissions in the mid-1970s. Within three years, by the end of 1999, this trend was growing rapidly throughout the world.[1]

Stock exchanges today have to rely increasingly on information technology to stay competitive in delivering services. This is primarily because of the newer trading channels used for communicating and transacting, such as the Internet and on-line securities trading. The IT department of the National Stock Exchange (NSE) employs 150 IT professionals, forming a third of its total staff strength. The exchange has invested close to Rs. 400 crores in computers, software and communication equipment. It is therefore recognized as one of the "Top IT User" organizations. In line with global trends, NSE is structured and operates much like an information technology company. It has the largest VSAT network in this part of the world, with a huge and complex web of hardware and software.
It has a detailed disaster recovery site that mirrors all operating systems. The NSE has set up its own Internet website, which is visited daily by four lakh persons for securities and shares.[2] The modern stock exchange technology does not need the traditional type of brokers to match investors' orders as they used to do on the physical trading floor. The automated trading screens can match buy and sell orders without the intervention of brokers. Today brokers are needed only for settlement responsibilities. NSE introduced a nation-wide VSAT-driven screen-based trading system. Operations commenced in Mumbai and rapidly spread all over India. NSE today offers investors trading facilities in over 280 cities and towns through 4000 terminals. For the first time, NSE introduced screen-based trading with automated matching in India.

[1] www.openarticlesubmission.com
[2] www.indianexpress.com
The system conceals the identity of the parties to an order or trade. This helps the better functioning of the market, as disclosure of identity would put most members at a disadvantage. The trading system operates on price-time priority. This means that, given the same set of orders, the orders that come first receive priority in matching. When an order does not find an immediate match it remains in the system and is displayed to the whole market, till a fresh order comes in or the earlier order is modified or cancelled. The market screens at any point of time give the members complete information on the total order depth in a security, the high price, the low price, the last traded price and other related information.[3]

Electronic commerce (E-Commerce or EC) is an emerging concept that describes the process of buying and selling or exchanging products, services, shares, securities and information via computer networks including the Internet. It is the use of the Internet and the Web to transact business: doing business online, typically via the Web. It is also called "e-business", "e-tailing", "e-sharing" and "I-commerce". Although in most cases e-commerce and e-business are synonymous, e-commerce implies that goods and services can be purchased online, whereas e-business might be used as more of an umbrella term for a total presence on the Web, which would naturally include an e-commerce (shopping) component. E-commerce may also refer to electronic data interchange (EDI), in which one company's computer queries and transmits purchase orders to another company's computer. Electronic banking, in turn, is an umbrella term for the process by which a customer may perform banking transactions electronically without visiting a brick-and-mortar institution. The following terms all refer to one form or another of electronic banking: personal computer (PC) banking, Internet banking, virtual banking, online banking, home banking, remote electronic banking, and phone banking.
PC banking and Internet or online banking are the most frequently used designations. It should be noted, however, that the terms used to describe the various types of electronic banking are often used interchangeably. PC banking is a form of online banking that enables customers to execute bank transactions from a PC via a modem. In most PC banking ventures, the bank offers the customer a proprietary financial software program that allows the customer to perform financial and securities transactions from his or her home computer. The customer then dials into the bank with his or her modem, downloads data, and runs the programs that are resident on the customer's computer. Currently, many banks offer PC banking systems that allow customers to obtain account balances and credit card statements, pay bills, check the status of securities and transfer funds between accounts.[4] But problems also arise: cyber thieves hack into these systems and commit many grievous offences, so to protect securities and money our legislature has taken measures. SEBI has also laid down some guidelines. The discussion of "Securities and Cyber Laws" therefore relates not only to securities, shares and banking but also to cyber law.
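The price-time priority matching described at the start of this chapter, worked through as an added example (not NSE's software): resting orders are matched best price first and, within a price, in order of arrival; an order with no match rests in the book and is shown to the whole market as depth, while the screen view reports high, low and last traded price but never the member behind an order. Member ids and prices are constructed sample values.

```python
"""Price-time priority order book, added as an illustration (not NSE's code).

Prices are integers in paise so that comparisons are exact; member ids such
as "M01" are constructed sample values.
"""
from collections import deque
from dataclasses import dataclass, field
from itertools import count

_arrival = count(1)  # arrival sequence: the "time" in price-time priority


@dataclass
class Order:
    member: str   # broker/member id; kept for settlement, never shown on screen
    side: str     # "buy" or "sell"
    price: int    # limit price in paise
    qty: int      # remaining quantity
    seq: int = field(default_factory=lambda: next(_arrival))


class OrderBook:
    def __init__(self) -> None:
        # price -> FIFO queue of resting orders; the queue gives time priority
        self.bids: dict = {}
        self.asks: dict = {}
        self.high = self.low = self.last = None

    def submit(self, order: Order) -> list:
        """Match an incoming order; rest whatever is left. Returns (price, qty) fills."""
        if order.side == "buy":
            own, opposite = self.bids, self.asks
            crosses = lambda px: px <= order.price       # buyer pays up to its limit
            best_first = sorted(opposite)                # lowest offer first
        else:
            own, opposite = self.asks, self.bids
            crosses = lambda px: px >= order.price       # seller accepts down to its limit
            best_first = sorted(opposite, reverse=True)  # highest bid first
        fills = []
        for px in best_first:
            if order.qty == 0 or not crosses(px):
                break
            queue = opposite[px]
            while queue and order.qty:
                resting = queue[0]                       # earliest arrival at this price
                traded = min(resting.qty, order.qty)
                fills.append((px, traded))               # trade at the resting order's price
                resting.qty -= traded
                order.qty -= traded
                if resting.qty == 0:
                    queue.popleft()
            if not queue:
                del opposite[px]
        if order.qty:                                    # no (full) match: rest in the book
            own.setdefault(order.price, deque()).append(order)
        for px, _ in fills:                              # update the screen statistics
            self.last = px
            self.high = px if self.high is None else max(self.high, px)
            self.low = px if self.low is None else min(self.low, px)
        return fills

    def depth(self) -> dict:
        """Market screen: quantity per price level plus high/low/last; no identities."""
        def aggregate(side):
            return {px: sum(o.qty for o in q) for px, q in sorted(side.items())}
        return {"bids": aggregate(self.bids), "asks": aggregate(self.asks),
                "high": self.high, "low": self.low, "last": self.last}


def demo() -> dict:
    """Constructed session showing best-price-first, then first-come-first-served."""
    book = OrderBook()
    book.submit(Order("M01", "sell", 10050, 100))  # 100.50, arrives first
    book.submit(Order("M02", "sell", 10050, 50))   # same price, arrives later
    book.submit(Order("M03", "sell", 10040, 30))   # better (lower) offer
    # Buyer at 100.60 takes 100.40 first, then M01 before M02; M02 is untouched.
    fills = book.submit(Order("M04", "buy", 10060, 120))
    # A bid below the best offer finds no match and rests as visible depth.
    rested = book.submit(Order("M05", "buy", 10045, 200))
    return {"fills": fills, "rested": rested, "screen": book.depth()}


if __name__ == "__main__":
    print(demo())
```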
[3] economictimes.indiatimes.com
[4] www.blonnet.com/iw/2000/08/27
Chapter 2 Definition

"Security", in general terms, arises from the fact that organizations occasionally need to raise cash (or capital) in order to expand their business through, for example, buying new premises, building new factories or acquiring other companies. The options open to such organizations for raising the necessary capital include:
• Borrowing cash from banks,
• Selling a part of their existing business,
• Selling part ownership in the company (issuing shares), and
• Borrowing cash from investors (issuing bonds),
with both shares and bonds generically known as securities. The securities marketplace:
• Facilitates the process of bringing new securities to the marketplace, and
• Provides a structured and regulated method of buying and selling existing securities for the protection of investors.

"Securities" means shares, debentures, bonds and other stock of any company or other body corporate, whether incorporated in India or outside, and securities issued by any local authority in India, or by the Government of, or a local authority in, any such country outside India as may be approved by the Reserve Bank, and includes Government security as defined in section 2 of the Public Debt Act, 1944 (18 of 1944), but does not include mortgages on immovable property;[5]

'Security' means shares, stocks, bonds and debentures, Government securities as defined in the Public Debt Act, 1944 (18 of 1944), savings certificates to which the Government Savings Certificates Act, 1959 (46 of 1959) applies, deposit receipts in respect of deposits of securities and units of the Unit Trust of India established under sub-section (1) of section 3 of the Unit Trust of India Act, 1963 (52 of 1963) or of any mutual fund, and includes certificates of title to securities, but does not include bills of exchange or promissory notes other than Government promissory notes or any other instruments which may be notified by the Reserve Bank as security for the purposes of the Foreign Exchange Management Act 1999.[6]

"Securities" include: shares, scrips, stocks, bonds, debentures, debenture stock or other marketable securities of a like nature in or of any incorporated company or other body corporate; [(ia) derivative; (ib) units or any other instrument issued by any collective investment scheme to the investors in such schemes;][7]

"Government security" means a security created and issued, whether before or after the commencement of this Act, by the Central Government or a State Government for the purpose of raising a public loan and having one of the forms specified in clause (2) of section 2 of the Public Debt Act, 1944 (13 of 1944);[8]

[5] Unit Trust of India Act, 1963, Sec 2(i)
[6] Foreign Exchange Management Act, 1999, Sec 2(za)
[7] Securities Contracts (Regulation) Act, 1956, Sec 2(h)
[8] Securities Contracts (Regulation) Act, 1956, Sec 2(b)
"Foreign security" means any security, in the form of shares, stocks, bonds, debentures or any other instrument denominated or expressed in foreign currency, and includes securities expressed in foreign currency but where redemption or any form of return such as interest or dividends is payable in Indian currency.[9]

"Securitisation" means the acquisition of financial assets by any securitisation company or reconstruction company from any originator, whether by raising of funds by such securitisation company or reconstruction company from qualified institutional buyers by issue of security receipts representing undivided interest in such financial assets or otherwise.[10]

Knowledge of "Cyber Law" is relevant for all of us living in a society with increasing use of computers, and you will appreciate this as you proceed to read more of this book. The Cyber Law that we are discussing here is the "Fundamental Law" of Cyber Space. Whoever is living in Cyber Space, or is conducting business in Cyber Space, or is exposed to crimes in Cyber Space and crimes emanating from Cyber Space, should be concerned with this branch of law. In particular, software professionals, who actually create Cyber Space elements in the form of software products that communicate in Cyber Space and live for most part of their day in Cyber Space, need to absorb many salient features of this law so that they keep themselves and their clients safe and protected from the consequences of Cyber Law. Corporate executives who own and manage Cyber Space properties also need to be conversant with Cyber Laws so that they will be able to discharge their functions properly. With the passage of the Information Technology Act 2000 (ITA-2000), with effect from October 17, 2000, India has decisively moved from a paper-based society to a paperless society.

As per the provisions of the ITA-2000, records and signatures in electronic form will have complete legal effect, validity or enforceability in all transactions except for the following five types of transactions specifically excluded in the Act:
1. Negotiable instruments (other than cheques)
2. Power of attorney instruments
3. Trust deeds
4. Wills, and
5. Any contract of sale or conveyance of immovable property or interest in such property.
In bringing digital documents and signatures within the ambit of law, ITA-2000 has used a "Bridging Provision" to state that wherever law requires documents to be in writing and to be "signed", the requirement will be deemed to have been satisfied if such a document is rendered in electronic form and the signature is rendered in the manner specified in the Act. By virtue of this, every law in India today stands extended to electronic documents, excepting the categories mentioned in the earlier paragraph.[11]

[9] Foreign Exchange Management Act, 1999, Sec 2(o)
[10] Securitisation and Reconstruction of Financial Assets and Enforcement of Security Interest Act, 2002, Sec 2(z)
[11] Naavi (Na. Vijayashankar), Cyber Laws For Every Netizen in India (Version 2004), page 13
What is cyber crime?

"Cyber" refers to the imaginary space which is created when electronic devices communicate, like a network of computers. Cyber crime refers to anything done in cyber space with a criminal intent. These could be either criminal activities in the conventional sense or activities newly evolved with the growth of the new medium. Cyber crime includes acts such as hacking, uploading obscene content on the Internet, sending obscene e-mails and hacking into a person's e-banking account to withdraw money.[12]
Chapter 3 Transfer of Securities through the Internet

Securities may be transferred in the following ways:
1. Principal
2. Repurchase (repo)
3. Securities lending and borrowing
4. Trading book transfer
5. Depot (custodian) transfer[13]
1. Principal Transaction

A principal transaction represents either a purchase or a sale by a securities trading organization (STO) on a proprietary trading basis (that is, on its own behalf rather than on behalf of a client). A purchase of a security at one price followed by a sale at a higher price, with each trade being effected by the STO "as principal", will reap a profit for the STO.
[12] www.naavi.org, www.cyberlawcollege.com (21.01.09)
[13] Michael Simmons, Securities Operations, John Wiley & Sons Ltd, page 71

Characteristics: Principal Transaction
Securities only, securities + cash, or cash only? Securities + cash
Origin? Front office (trader or market maker)
Trading position affected? Yes
External securities movement? Yes
External cash movement? Yes
Number of external counterparties? One
Issue a trade confirmation? Yes
Issue a settlement instruction? Yes[14]
2. Repurchase (repo) Transaction

An STO wishing to minimize the cost of borrowing cash may have arrangements with banks to borrow cash on a secured or unsecured basis; secured cash is cheaper to borrow than unsecured cash, as the lender has less risk. A repo is a form of secured cash borrowing where the STO utilizes the securities it has purchased, and which it holds at the relevant custodian, to deliver to the cash lender as security for the cash that the STO is borrowing.

Characteristics: Repurchase (repo) Transaction
Securities only, securities + cash, or cash only? Securities + cash
Origin? Front office (repo trader)
Trading position affected? No
External securities movement? Yes
External cash movement? Yes
Number of external counterparties? One
Issue a trade confirmation? Yes
Issue a settlement instruction? Yes (one for the opening value date, one for the closing)[15]
[14] Michael Simmons, Securities Operations, John Wiley & Sons Ltd, page 72
[15] Michael Simmons, Securities Operations, John Wiley & Sons Ltd, page 73

3. Securities Lending and Borrowing Transaction

Any investor in securities, including individuals, institutions and STOs, is able to increase the return on their investment by lending their securities. STOs and other investors borrow a lender's securities, for which the lender receives a fee agreed with the borrower.

Characteristics: Securities Lending and Borrowing Transaction
Securities only, securities + cash, or cash only? Securities only or securities + cash
Origin? Front office or back office
Trading position affected? No
External securities movement? Yes
External cash movement? Yes
Number of external counterparties? One
Issue a trade confirmation? Yes
Issue a settlement instruction? Yes (two for the opening value date, two for the closing)[16]
4. Trading Book Transfer Transaction

An STO's traders and market makers trade on a principal basis with other STOs and institutional clients. Within some STOs, two (or more) trading books within the same legal entity may be allowed to trade and hold trading positions in the same security.

Characteristics: Trading Book Transfer Transaction
Securities only, securities + cash, or cash only? Securities + cash
Origin? Front office
Trading position affected? Yes (both selling and buying books)
External securities movement? No
External cash movement? No
Number of external counterparties? None
Issue a trade confirmation? No
Issue a settlement instruction? No

[16] Michael Simmons, Securities Operations, John Wiley & Sons Ltd, page 75
5. Depot (custodian) Transfer Transaction

An individual STO typically appoints one custodian in each financial centre to settle transactions and to hold the resultant securities on behalf of the STO. Normally, an STO will hold securities with one custodian per financial centre; however, certain securities may be held at more than one custodian or financial centre.

Characteristics: Depot (custodian) Transfer Transaction
Securities only, securities + cash, or cash only? Securities + cash
Origin? Back office
Trading position affected? Yes (both selling and buying books)
External securities movement? No
External cash movement? No
Number of external counterparties? None
Issue a trade confirmation? No
Issue a settlement instruction? No[17]

To protect these transactions, the Securities and Exchange Board of India (SEBI) has made rules and regulations. They are discussed in the next chapter.
[17] Michael Simmons, Securities Operations, John Wiley & Sons Ltd, page 78

Chapter 4 Guidelines of SEBI on Internet Based Trading and Services

Modernization of market infrastructure improves market transparency standards. The improvement of market micro-structure increases trading efficiency. Risk containment measures help in improving market integrity and safety. Rolling settlement enhances liquidity and also provides for faster settlement. These have been the main focus of the SEBI's efforts in the secondary market. The SEBI extends its oversight to 23 stock exchanges in the country and directs its efforts towards encouraging them to become more effective and efficient self-regulatory organizations. The measures taken by the SEBI in 1999-2000 in the secondary market are discussed below.

Depositories and paperless trading and other related issues

Dematerialisation of securities is one of the major steps for improving and modernizing the market and enhancing the level of investor protection, through the elimination of bad deliveries and forgery of shares and the expediting of share transfers. Recognizing the far-reaching benefits that would accrue to the market through the removal of physical securities, speeding up the dematerialisation process has been high on the agenda of the SEBI. During the year 1999-2000, the SEBI continued its policy to enhance the growth of paperless trading and electronic book-entry transfer, but in a phased manner so as to allow time for the required infrastructure to develop and to gain acceptance from investors and the market. The following measures were taken by the SEBI during the year under review:
• The SEBI issued a directive to the companies included in the list of securities for dematerialisation to effect compulsory dematerialised trading for all investors and institutional investors on the scheduled dates announced, and to sign agreements and complete all formalities with both the depositories and establish connectivity on time so that dematerialisation could proceed on schedule.
• Companies whose shares are being traded compulsorily in dematerialised form by all investors are required to provide for transfer and dematerialisation of securities simultaneously. This will help investors by reducing the time taken for transfer of shares.
• The SEBI (Depositories and Participants) Regulations, 1996 were amended to include registrars to an issue or share transfer agents in the category eligible to become a depository participant.
• Introduction of procedures for interconnectivity between the various segments and components involved in the process of dematerialisation, and its smooth functioning at various levels of participation in dematerialised securities.
• In respect of the value of the portfolio of securities in beneficiary accounts, broker DPs are allowed to maintain client assets in custody to the extent of 100 times the broker's networth (from the earlier limit of 35 times) up to a networth of Rs. 750 lakhs, and 50 times above a networth of Rs. 750 lakhs.
• The branch offices of DPs that are handling more than 5000 accounts shall either have direct electronic connectivity with the depository or with an office of the depository participant that is connected live to the depository. This would adequately equip the infrastructure of the depository participant branches so that the reach of the DPs could be increased and the branches could serve investors better, while ensuring that the branches have adequate control systems.
• Every company is required to appoint the same registrars and share transfer agents for both the depositories.
• The registrars and share transfer agents are required to accept partial dematerialisation requests and will not reject or send back the complete lot of a dematerialisation request to the DPs in cases where only a part of the request was to be rejected.
• A Standing Committee co-chaired by the Managing Directors of NSDL and CDSL was formed, which will meet at least once a month to resolve issues between DPs, registrars and depositories which may arise from time to time. The other members of the committee are SHCIL, HDFC Bank, Standard Chartered Bank, Integrated Enterprises (I) Ltd., Karvy Consultants, ICICI Ltd. and three persons from RAIN.
• If a DP has sent information about dematerialisation electronically to a Registrar but the physical shares are not received, the registrar will accept the dematerialisation request and carry out dematerialisation on the indemnity given by the DP and proof of dispatch of the documents given by the DP.
• CDSL and NSDL shall be required to persuade major DPs to open branches in cities where DP services are not available.
• The broker DPs who are also registered with SEBI as share transfer agents shall be allowed to change their broker DP status to that of share transfer agent/Registrar DP.
• The committee on dematerialisation of shares was also seized of various issues, as mentioned below:
  • Standardization of various procedures related to trading in the depository system;
  • Safety features and standards for depository operations;
  • Expansion of depository infrastructure and making the branch offices with 'live' connectivity;
  • Systemic tracking of delays at the hands of the depository participants, share transfer/issuer companies and depositories;
  • Adequacy/capability of the depository system and systemic changes necessary to cope with the workload, present as well as future;
  • One-stage processing for transfer and dematerialisation;
  • Reduction in the size of batch processing from the present level of 1000 requests per batch;
  • Good/bad delivery norms to be made mandatory on the registrars.[18]
[18] www.sebi.gov.in (21.01.09)

Chapter 5 SEBI to Set Rules for India Internet Trading

The Indian market regulator, the Securities and Exchange Board of India (SEBI), will create stringent standards and practices for online trading, including disclaimers required to be followed by Internet sites relating to the capital market. The first meeting of the sub-group on surveillance and enforcement of Internet trading, appointed by SEBI, met on Wednesday and discussed the need for further adaptation and changes in the Internet environment. "The need to effectively regulate financial advisory services on the Internet follows the mushrooming activity of multiple services in terms of information and advice to investors on the Net," said L.K. Singhvi, Senior Executive Director, SEBI. The sub-group will define a framework and guidelines for investment advisory services offered over the Net. "Most developed nations like the U.S., Australia, Hong Kong, Malaysia have such guidelines in place for investment advisors on the Net. Besides, as per Section 11(2B) of the SEBI Act, we are empowered to regulate investor advisors," Singhvi said. The group has also set up a sub-group to evolve a set of fair practices and obligations to be followed by Web sites dealing with capital market related services. To this end, members of the group will release a detailed paper suggesting standards for content, community and commerce related activities. In the area of surveillance and monitoring of activity on the Internet, the group recommended that there was a need to have appropriate infrastructure, systems and technology support, and the modalities in this regard will be worked out by the group.
The Internet surveillance group also felt that there was a need to review some of the existing regulations and by-laws of exchanges, which may have become redundant or obsolete with the advent and adoption of this technology. The group felt that investor education in the Internet environment is critical for investor protection and would be instrumental in making investors aware of the precautions required to be taken while availing of Internet services. "Some of the members of the group will look into areas that an investor on the Net needs to know. Some of the by-laws and regulations may have become obsolete in the current context. This group will identify and restructure any such inconsistent clauses," he explained. The group also considered the mushrooming activity of providing advisory services on the Internet. Although the SEBI Act empowers SEBI to register investment advisors, at present there is no regulation in this area.
The Group on Enforcement and Surveillance of Internet Trading was convened by L.K. Singhvi and includes amongst its members Sunil Chandiramani, chief executive officer, Ernst & Young; Kalpathi S. Suresh, chief executive officer, SSI; Nimish Kampani, Chairman, JM Financial and Investment; S. Ramadurai, chief executive officer of Tata Consultancy Services; Dominic Price of J.P. Morgan; Albert Aboody of KPMG; Dhiren Sheth, member, BSE Board; Madhavi Puri Buch, chief executive officer of ICICI Webtrade; and officials of the Bombay Stock Exchange (BSE) and the National Stock Exchange (NSE).

SEBI clears decks for use of WAP for Net trading (Mumbai, 2nd August)

The SEBI-promoted committee on Internet-based securities trading and services today cleared the decks for the usage of wireless application protocol (WAP) for Internet trading, and for derivatives trading on the Internet. The regulator's decision is expected to further extend the reach of the markets and increase the number of investors, volumes and liquidity. "This is in keeping with the international trend and is the natural direction in which markets will, over time, progress to," Mr. O.P. Gahrotra, Senior Executive Director, SEBI, said. The regulator will issue formal instructions to the stock exchanges in about a week's time on the decisions taken today. The regulator, however, maintained that Internet trading via WAP will have to adhere to all the requirements stipulated earlier by SEBI for Internet-based trading and the minimum security features laid down in this regard. SEBI's decision will enable users of WAP-enabled mobile devices (mobile phones, personal digital assistants, etc.) to trade in securities using their mobile sets. The regulator said the same minimum systems and operational requirements laid down earlier for Net-based trading will be applicable for derivative trading on the Internet. "Once derivatives trading gains ground, this will be a logical extension," Mr. Gahrotra added.
The technical committee, at its meeting today, also deliberated on issues pertaining to interfacing between brokers, depositories and banks. It recommended adopting messaging standards on the lines of the standards being evolved by the RBI working group on Inter-Bank Messaging Standards. Commenting on the decisions taken, Mr. Gahrotra said the regulator had not set a time limit on how soon these measures need be implemented. "One cannot say whether it will come into effect in the next one or three months' time. What we are looking at is that in the long term, the markets should not feel inhibited in any way. We will put the system in place, let the market provide the feedback," he explained.

National long distance phone norms finalised (New Delhi, Aug. 2)

The Telecom Commission on Wednesday finalised the terms and conditions for opening up national long distance (NLD) telephony to private firms, ending the monopoly of the incumbent Department of Telecom Services (DTS). The commission is also learnt to have decided that the corporate entity of DTS will be a registered company under the Companies Act, 1956. The Telecom Commission Chairman, Mr. Shyamal Ghosh, told presspersons after the three-hour long meeting that the commission had decided on several key entry-related issues such as entry fee, licence fee as revenue share and inter-circle carriage. He, however, declined to give comments as the decision will be forwarded to the Communication Minister for his comments. "We have fixed the entry fee at a very competitive level, in accordance with the provisions of the National Telecom Policy, 1999," he said. Mr. Ghosh said the DTS would not get a statutory status, but would have to be registered as a company under the Companies Act. Agency reports stated that the decision of the commission was mostly in line with the recommendations of the Telecom Regulatory Authority of India (TRAI). The regulator had suggested an entry fee of Rs. 500 crores with a non-refundable component of Rs. 100 crores. The balance of Rs. 400 crores was refundable on the basis of roll-out obligations. TRAI's recommendation of fixing an annual licence fee in the form of a revenue share of 10 per cent and universal service obligation (USO) were also considered and resolved by the commission, the agency report stated.[19]
Chapter 6 Committee to Promote Internet Based Trading

A committee on corporate governance set up by the SEBI under the chairmanship of Shri Kumar Mangalam Birla, member, SEBI Board, with the objective of strengthening and promoting the standard of corporate governance of listed companies, had made several recommendations. Corporate governance is an important tool of investor protection. This would be the first formal code of corporate governance in the country, introduced through the listing agreement. It is expected that the introduction of these measures will raise awareness and make a good beginning for raising the standard of functioning of corporates. The SEBI board accepted the recommendations of the committee, followed by a notification issued to the concerned agencies:
Major recommendations of Kumar Mangalam Birla Committee • The board of directors of the company shall have an optimum combination of executive and non-executive directors with not less than fifty percent of the board of directors comprising of non-executive directors. • All pecuniary relationship or transactions of the non-executive directors viz.-a-viz. the company, should be disclosed in the Annual Report. • Board meeting shall be held atleast four times a year with a minimum time gap of atleast four months between any two meetings. • The Committee recommended the constitution of Audit Committee in a listed company. • The committee recommended that audit committee shall have minimum three members, all being non-executive directors, with the majority of them being independent, and with at least one director having financial and accounting knowledge, the chairman of the committee shall be an independent director. 19
19 www.emastersindia.net
• The audit committee shall meet at least thrice a year. One meeting shall be held before finalization of the annual accounts and one every six months. The audit committee shall have powers which should include the power to investigate any activity within its terms of reference, to seek information from any employee, to obtain outside legal or other professional advice, and to secure the attendance of outsiders with relevant expertise, if it considers this necessary.
• The committee will review with the management, the external and internal auditors, the adequacy of internal control systems, and the adequacy of the internal audit function, including the structure of the internal audit department, staffing and seniority of the official heading the department, reporting structure, discussion with internal auditors, review of the findings of any internal investigations by the internal auditors, and discussions with external auditors.
• The audit committee will review the company’s financial and risk management policies and will look into the reasons for substantial defaults in payment to the depositors, debenture holders, shareholders (in case of non-payment of declared dividends) and creditors.
• The committee has recommended that remuneration of directors, including non-executive directors, will be decided by the board of directors.
• A director shall not be a member in more than 10 companies or act as chairman of more than 5 companies in which he is a director. He will keep the company informed about the committee positions he occupies in other companies.
• As part of the directors’ report or as an addition thereto, a Management Discussion and Analysis Report should form part of the annual report to the shareholders. The management discussion and analysis will include industry structure and developments, opportunities and threats, segment-wise or product-wise performance, outlook, risks and concerns, internal control systems and their adequacy, discussion on financial performance with respect to operational performance, and material developments on the human resources / industrial relations front, including the number of people employed.
• Disclosures must be made by the management to the board relating to all important financial and commercial transactions.
• In case of the appointment of a new director or re-appointment of a director, the shareholders must be provided with a brief resume of the director; the nature of his expertise in specific functional areas; and the names of companies in which the proposed director holds directorships and memberships of committees of the board.
• Information like quarterly results and presentations made by companies to analysts shall be put on the company’s web-site, or shall be sent in such a form as to enable the stock exchange on which the company is listed to put it on its own web-site.
• A board committee under the chairmanship of a non-executive director shall be formed to specifically look into the redressal of shareholders’ and investors’ complaints like transfer of shares, non-receipt of balance sheet, non-receipt of declared dividends etc.
• To expedite the process of share transfers, the board of the company shall delegate the power of share transfer to an officer or a committee or to the registrar and share transfer agents.
• A company will have to include a separate section on corporate governance in its annual report, with details on compliance or non-compliance with any mandatory requirement. The company will have to obtain a certificate from the auditors of the company regarding compliance with the conditions of corporate governance.
• Almost all the companies listed on stock exchanges or seeking listing for the first time will have to complete all mandatory corporate governance requirements in a phased manner by March 31, 2003. The companies seeking listing for the first time will have to complete corporate governance at the time of listing.
Internet based securities trading
A Committee on internet based securities trading and services was set up by SEBI to develop regulatory parameters for the use of the internet in securities business and effective enforcement of internet trading. The report of the Committee was approved by the Board. The Board decided that internet trading can take place in India within the existing legal framework through the use of order-routing systems, which will route orders from clients to brokers for trade execution on registered stock exchanges. The Board also took note of the recommended minimum technical standards for ensuring safety and security of transactions between clients and brokers, which will be enforced by the respective stock exchanges.
Committee on internet based securities trading and services - first report
The Internet, the new medium that has emerged as a result of convergence between telecommunication and computers, is revolutionising the way business is done and is making inroads into every conceivable area of business activity. The potential of e-commerce is no longer a matter of debate. In fact, every forecast has been proved wrong, with actual figures far exceeding the forecast. The natural extension of e-commerce in the securities market is Internet based trading and securities services, and it has made a great impact on the securities trading business. Issuers of securities, intermediaries, service providers and investors are increasingly selling and dealing or providing securities services on the Internet. SEBI, as the Capital Market Regulator in India, has twin objectives, i.e. of regulating as well as developing the market. Although Internet based trading and securities services are at a nascent stage in India, the pace of growth predicted brings an urgency to address the legal and policy issues that are associated with it. To examine and clarify regulatory and other issues related to Internet based securities trading and services on a continuous basis, SEBI has constituted a standing committee on Internet Based Securities Trading and Services, chaired by Shri O.P. Gahrotra, Sr. Executive Director, SEBI. As Internet technology continues to evolve, the standing committee will assess new developments and address relevant issues from time to time. The committee comprises the following members:
Prof. Deepak B Phatak, IIT, Mumbai
Shri A.K. Sharma, DG Investigations - Registrations
Dr D.P.S. Seth, Sr. DDG (CS), Department of Telecommunication
Dr. R. H. Patil, Managing Director, NSE
Shri Anand Rathi, President, BSE
Shri S. Ramadorai, CEO, Tata Consultancy Services
Shri C N Ram, Vice President (IT), HDFC Bank
Shri LK Singhvi, Sr. ED, SEBI
Ms. DN Raval, ED, SEBI
The Committee would also like to acknowledge the commendable efforts made by Shri Deepak Sanchety, Shri Ananta Barua, Division Chief, SEBI, and Ms. Prarthna Awasthi, Shri Ankit Sharma, Ms. Maninder Cheema and Shri Ebrahim Machhiwala, officers of SEBI. The Committee held its first meeting on 18th Aug 1999. The Committee took stock of the developments in the use of the Internet in securities business at the international level and within the country. In its deliberations the committee noted that a number of issuers and information service providers have developed websites and are providing information to investors in India. Similarly, many brokers have developed websites and have started offering value added information to their clients. A number of websites provide price quotations from major stock exchanges on an almost real-time basis. Technology development and related market innovation is growing at a fast pace. This has in turn created an urgent need to address emerging legal and policy issues. If these issues are not dealt with in time, it is bound to adversely affect the growth of the markets. The Committee also appreciated that physical infrastructure in terms of Internet service providers, connectivity etc., no matter how extensive or robust, is not sufficient in the long run to sustain the high growth witnessed in the capital market. It is equally important, therefore, to create soft infrastructure through harmonisation of laws, rules, regulations and policies. It is also necessary to clearly lay down the rights of investors and the rights and responsibilities of all market participants and other agencies involved in this exercise. In India the policies related to telecommunication, including connectivity between two closed user groups and between a closed user group and the Internet, are governed by the Department of Telecommunication (DoT), Government of India. Matters related to encryption of messages are also handled by the DoT.
The Government has been concerned about the issue of connectivity and a lot of debate has been generated on these issues. Recently DoT has come out with guidelines on connectivity of independent networks. The Committee noted that the Internet is already being used in developed securities markets in the world. Some of the areas where its usage has become common are described below.
Internet Based Trading through Order Routing Systems
Internet based trading on conventional exchanges uses the Internet as a medium for communicating client orders to the exchanges, through broker web sites. Brokers’ web sites may serve a variety of functions. These may include:
--allowing the clients to directly trade through the internet;
--advertising the broker-dealers' services to potential investors;
--offering market information and investment tools similar to those offered by information vendor or SRO web sites;
--offering real-time or delayed quote information, continuously updating quotes while the user visits other sites, or allowing investors to create a personal stock ticker;
--providing market summaries and commentaries, analyst reports and trading strategies, and market data on currencies, mutual funds, options, market indices and news;
--offering investors access to portfolio management tools and analytic programs;
--information on commissions and fees; and
--account information and research reports.
In an Order Routing System, a broker offering an Internet trading facility provides an electronic template for the customer to enter the name of the security, whether it is to be bought or sold, the quantity, and whether the order is a market or limit order. Once the broker’s system receives this information, it is checked electronically against the customer's account and is routed out by the broker to the appropriate exchange for execution. After the order is executed, the customer receives a message confirming the order. The customer's portfolio and ledger account may also be updated on-line to reflect the transaction.
Use of Internet as Alternative Trading Systems (Provision for price discovery and matching outside conventional exchanges)
In foreign jurisdictions, alternative trading systems have been developing outside conventional securities markets, which provide investors with additional proprietary electronic trading facilities for securities that are traded principally on securities exchanges or other organised markets. They have price discovery functions, matching systems and crossing systems. The systems currently in use in outside jurisdictions are closed systems and are not accessible to the general public through the Internet. The securities market regulators abroad have maintained flexible and open policies designed to encourage innovation in the secondary securities markets. As a result, a number of market participants, usually broker-dealers, have developed computerized "alternative trading systems" which centralise, display, match, cross or otherwise execute trading interest.
Use of Internet for making Initial Public Offerings
Issuers of securities are using the Internet to communicate directly with their shareholders, potential investors and analysts by disseminating corporate information.
In foreign jurisdictions, they are also using the Internet to communicate with the public for the following:
--public offerings;
--private offerings; and
--disclosure and communication.
Issuers are using the Internet to market themselves to potential investors. The Internet is also being used for fulfilling necessary disclosure requirements, for disseminating the prospectus in electronic form and even for receiving share applications in public issues electronically. In India, SEBI has taken the initiative in permitting use of the network of stock exchanges for collection of investor applications in public offerings by the issuer companies.
Investment Advisory Services
Brokers as well as other service providers such as investment firms, research outfits etc. are using the Internet for marketing and advertising purposes, for presenting information on portfolio analysis and market information, and for communicating with and receiving orders from potential investors. The services offered by the service providers to the investors are generally the following:
--advertising;
--providing investment information and investment advice;
--underwriting;
--communicating with the investors;
--customer orders; and
--record keeping.
Working Groups set up by the Committee
Considering the present state of capital markets in India and keeping in view the ongoing developments in Internet based securities business, it was felt that SEBI as a regulator could strive to identify areas where use of the Internet in the capital market is possible within the existing legal framework. One such area identified by the Committee, which is also the central theme of this report, is the area of Internet trading on existing electronic exchanges. In this area, though early introduction of Cyber Laws would be highly desirable, their existence is not a necessary precondition. To look into the existing regulatory scenario and to bring out some ground rules for use of the medium of the Internet, the Committee therefore constituted the following two working groups to look into the areas of:
i. security protocols and standardisation of interfaces for Internet based securities trading, chaired by Prof. Deepak B. Phatak, IIT, Powai, Mumbai
ii. surveillance and monitoring related issues arising due to Internet based securities trading, chaired by Shri L K Singhvi, Sr. ED, SEBI
The Committee also requested Ms D N Raval, Executive Director, SEBI, to examine the legality of introduction of Internet trading and the issue of Alternative Trading Systems. This report of the standing committee examines the regulatory and security requirements regarding Internet Based Trading on Conventional Exchanges. Separate report(s) will cover the other areas related to Internet applications in the securities markets. The report of the first working group on security protocols and standardisation of interfaces has since been submitted and incorporated in this report as Annexure I. The committee would like to place on record its sincere thanks to Dr. D.B. Phatak, Ms. D.N. Raval and their team members. The global financial market is undergoing a transformation due to rapid technological developments.
It thus becomes imperative that, for developing an effective regulatory framework, developments in other parts of the world should be studied and analysed. With nearly two million on-line investors, Internet trading in the United States is growing by leaps and bounds. Internet trading is being facilitated by large brokerage houses, thus changing the whole concept of securities trading. A team comprising members from stock exchanges and SEBI visited the United States to study these developments and had interactions with brokerage houses, Internet service providers and other agencies involved in facilitating Internet trading. The team also discussed the developments in the emerging regulatory and supervisory framework in the United States with Securities and Exchange Commission officials. They were also apprised of the various initiatives taken by the SEC in this regard. These inputs have been utilised while drafting this report.
Regulatory Approach
The Committee has worked on the premise that, since the order screening and subsequent execution which is done manually today is simply sought to be replaced by electronic screening and execution through the broker's terminal in the proposed system of Internet trading, the basic principles of regulation would remain the same, irrespective of the medium of communication or delivery. The Committee seeks to encourage the legitimate use of the Internet in a uniform regulatory environment for trading on the Internet in the already existing conventional automated screen based trading models. A further objective of the committee is to do the initial groundwork by laying down standards which would help create an appropriate environment in which transition to and adoption of international standards in regulation and communication technology becomes easy at a future date.
Scope of the Report
As per the report at Annexure II, under the existing legal framework the Internet can be used as an order routing system through registered stock brokers on behalf of clients for execution of trades on recognised stock exchanges. At present, very few banks are offering Internet based services. Depositories have not yet started offering services on the Internet. Because of this, interfacing securities trading with banking and depository services may take longer. Keeping this in view, as a first step, the Committee has limited the scope of its present recommendations to cover only those issues which are directly related to Internet trading through order routing systems.
Recommendations of the Committee
Application for Permission by Brokers
SEBI registered Stock Brokers interested in providing Internet based trading services will be required to apply to the respective stock exchange for formal permission. The stock exchange should grant approval or reject the application, as the case may be, and communicate its decision to the member within 30 calendar days of the date of the completed application submitted to the exchange. The stock exchange, before giving permission to brokers to start Internet based services, shall ensure the fulfilment of the following minimum conditions:
Networth Requirement
The broker must have a minimum net worth of Rs. 50 lacs if the broker is providing the Internet based facility on his own. However, if some brokers collectively approach a service provider for providing the internet trading facility, the net worth criteria as stipulated by the stock exchange will apply. The net worth will be computed as per SEBI circular no. FITTC/DC/CIR-1/98 dated June 16, 1998.
Operational and System Requirements
Operational Integrity: The Stock Exchange must ensure that the system used by the broker has provision for security, reliability and confidentiality of data through use of encryption technology. (Basic minimum security standards are enclosed in Annexure I.) The Stock Exchange must also ensure that records maintained in electronic form by the broker are not susceptible to manipulation.
System Capacity: The Stock Exchange must ensure that the brokers maintain adequate backup systems and data storage capacity. The Stock Exchange must also ensure that the brokers have adequate system capacity for handling data transfer, and have arranged for alternative means of communication in case of Internet link failure.
Qualified Personnel: The Stock Exchange must lay down the minimum qualification for personnel to ensure that the broker has suitably qualified and adequate personnel to handle communication, including trading instructions, as well as other back office work which is likely to increase because of higher volumes.
Written Procedures: The Stock Exchange must develop uniform written procedures to handle contingency situations and for review of incoming and outgoing electronic correspondence.
Signature Verification/Authentication: It is desirable that participants use authentication technologies. For this purpose it should be mandatory for participants to use certification agencies as and when notified by the Government/SEBI. They should also clearly specify when manual signatures would be required.
Client Broker Relationship
Know Your Client: The Stock Exchange must ensure that brokers have sufficient, verifiable information about clients which would facilitate risk evaluation of clients.
Broker-Client Agreement: Brokers must enter into an agreement with clients spelling out all obligations and rights. This agreement should also include, inter alia, the minimum service standards to be maintained by the broker for such services, as specified by SEBI/Exchanges for internet based trading from time to time. Exchanges will prepare a model agreement for this purpose. The broker's agreement with clients should not have any clause that is less stringent than or contrary to the conditions stipulated in the model agreement.
Investor Information: The broker web site providing the internet based trading facility should contain information meant for investor protection, such as rules and regulations affecting the client broker relationship, arbitration rules, investor protection rules etc. The broker web site providing the Internet based trading facility should also provide and display prominently a hyperlink to the web site/page on the web site of the relevant stock exchange(s) displaying rules/regulations/circulars.
The ticker/quote/order book displayed on the web-site of the broker should display the time stamp as well as the source of such information against the given information.
Order/Trade Confirmation: Order/Trade confirmation should also be sent to the investor through email, at the client’s discretion, at the time period specified by the client, in addition to the other mode of display of such confirmations on a real time basis on the broker web site. The investor should be allowed to specify, on the web site itself, the time interval within which he would like to receive this information through email. A facility for reconfirmation of orders which are larger than that specified by the member’s risk management system should be provided on the internet based system.
Handling Complaints by Investors: Exchanges should monitor complaints from investors regarding service provided by brokers to ensure a minimum level of service. Exchanges should have a separate cell specifically to handle Internet trading related complaints. It is desirable that exchanges should also have a facility for on-line registration of complaints on their web-site.
Risk Management
Exchanges must ensure that brokers have a system-based control on the trading limits of clients and the exposures taken by clients. Brokers must set pre-defined limits on the exposure and turnover of each client. The broker's systems should be capable of assessing the risk of the client as soon as the order comes in. The client should be informed of acceptance/rejection of the order within a reasonable period. In case the system based control rejects an order because of the client having exceeded limits etc., the broker system may have a review and release facility to allow the order to pass through. Reports on margin requirements, payment and delivery obligations, etc. should be communicated to the client through the system.
Contract Notes
Contract notes must be issued to clients as per existing regulations, within 24 hours of the trade execution.
Cross Trades
As a matter of abundant precaution, the committee seeks to reiterate that, as in the case of the existing system, brokers using Internet based systems for routing client orders will also not be allowed to cross trades of their clients with each other. All orders must be offered to the market for matching. It is emphasised that, in addition to the requirements mentioned above, all existing obligations of the broker as per current regulation will continue without change. Exchanges may also like to specify more stringent standards, as they may deem fit, for allowing Internet based trading facilities to their brokers.
Enforcement
A separate working group has been set up to look into the surveillance and enforcement related issues arising due to Internet based securities trading. However, general anti-fraud provisions (SEBI Fraudulent and Unfair Trade Practices Regulations, 1995) would apply to all transactions involving securities or financial services, regardless of the medium.
Conclusion and Future Agenda
Under the existing legal and regulatory framework, SEBI registered brokers can offer trading on the Internet through order routing systems. However, with the rapid development of the technology, we have to evolve further steps in this direction. It is therefore proposed that, as the next step, a link between the depositories and banks shall be established after the necessary regulations have been passed. This would reduce the clearing and settlement time and would also minimise the risk of all the participants involved in the transactions.
We have to look forward towards achieving an ideal scenario where all the services related to securities markets, including marketing of initial public offers on the internet, providing investment advisory services to the clients, broking, clearing and settlement etc., are provided on the Internet by an intermediary. In a nutshell it can be said that we are moving towards a one stop service centre.
Annexure I Network Security Protocols and Interface Standards
At present the Indian laws are silent on the security of Internet information. However, the draft E-Commerce Act focuses on this issue and prescribes requirements like electronic certification, digital signatures etc., which will play an important role in the authenticity of information gathered from the Internet. These requirements will also have to be met by Internet traders using ORS on the stock exchanges.
Network Security
It is suggested that the following security measures should be made mandatory:
i. User id
ii. First Level password (Private code)
iii. Automatic expiry of passwords at the end of a reasonable duration. Reinitialise access on entering fresh passwords
iv. All transaction logs with proper audit facilities to be maintained in the system.
v. Secure Sockets Layer (SSL) security for server access through the Internet
vi. Suitable firewalls between the trading set-up directly connected to an Exchange trading system and the Internet trading set-up.
Advanced security products used for E-Commerce may be made optional. Some of these are:
a. Microprocessor based SMART cards
b. Dynamic Password (Secure ID Tokens)
c. 64 bit/128 bit encryption **
d. Second Level password (personal information, e.g. village name, birth date etc.)
** DOT policy and regulations will govern the level of encryption.
Standards for Web Interfaces and Protocols
For Order Routing Systems to become operational in the existing scenario, interfacing of trading systems with Banking Systems and Depositories is not immediately required and may be considered after the E-Commerce Laws are in place. Similarly, the Group believes that the Wireless Internet Interface has the potential of a very large penetration and the Group will work towards interface standardisation in that area as well. Between a Trading Web Server and Trading Client Terminals, Interface Standards as per recommendations of the IETF (Internet Engineering Task Force) and W3C (World Wide Web Consortium) may be adopted. E.g.: HTTP Ver 4 or above, HTML Ver 4/XML.
Systems Operations
a. Brokers should follow the same logic/priorities used by the Exchange to treat client orders
b. Brokers should maintain all activities/alerts logs with an audit trail facility
c. The Broker Web Server should have internally generated unique numbering for all client orders/trades
d. Brokers should seek permission from the Exchange before commencement of the Internet trading facility, after providing complete details of the features of the implemented systems.
e. Brokers should make periodic reports to the Exchange as specified by the Exchange.
The committee strongly recommends that 128 bit encryption should be allowed to be freely used by the Department of Telecommunications, Government of India, to ensure safety, security and integrity, as well as for maintaining investor trust in the internet based trading system.20
Chapter 7 Transfer of cash through internet21
20 www.sebi.gov.in (21.01.09)
21 Michael Simmons, Securities Operations, John Wiley & Sons Ltd, page 80
The following transaction types are typically used by securities trading organizations involving cash:
1. repurchase (repo)
2. unsecured borrowing and lending
3. account transfer
4. foreign exchange
1. Repurchase (repo) Transaction
For completeness, repo transactions are listed here as a cash transaction type, as well as in the previous section as a securities transaction type. Many repo transactions are executed by securities trading organizations from the perspective of the need to borrow cash, against which securities are given as collateral. The borrowing or lending of cash on a secured basis is very similar in structure to a repo transaction and so will not be specifically described within this section.
2. Unsecured cash Borrowing and Lending
The settlement of a principal purchase by a securities trading organization will result in a debit of cash and usually a negative cash position on the securities trading organization’s nostro account at the custodian. As the rate of overdraft interest charged by a custodian may be out of line with market rates, a securities trading organization will reduce its costs if it can borrow cash more cheaply from another source.
Characteristics of Unsecured cash Borrowing and Lending:
Securities + cash, cash only?           Cash only
Origin?                                 Treasury department
Trading position affected?              No
External cash movement?                 Yes
Number of external counterparties?      One
Issue a trade confirmation?             Yes
Issue a settlement instruction?         Yes (one for opening value, one for closing)
3. Account Transfer Transactions
Where an STO has an overdraft (or anticipated overdraft) at a custodian as a result of settlement of trades and the STO wishes to cover that overdraft, one of the options open to the STO is to transfer cash (in the same currency) from:
• another account with the same custodian, or
• an account held at another bank,
where the accounts involved belong to the STO.
Characteristics of Account Transfer Transactions:
Securities + cash, cash only?           Cash only
Origin?                                 Treasury department or back office
Trading position affected?              No
External cash movement?                 Yes
Number of external counterparties?      One
Issue a trade confirmation?             Yes
Issue a settlement instruction?         Yes (both paying and receiving nostros)
4. Foreign Exchange Transactions
A further option for an STO to cover an overdraft is to execute a foreign exchange (FX) transaction. Where the STO has a credit balance in a nostro account in one currency (e.g. Japanese Yen) but has an overdraft in another currency (e.g. US Dollars), the STO can effect an FX transaction that sells the appropriate amount of Yen in exchange for the required amount of Dollars. It is important to note that an FX transaction is not a temporary loan or borrowing of cash, but an outright sale of one currency and purchase of another, at an agreed exchange rate.
Characteristics of Foreign Exchange Transactions:
Securities + cash, cash only?           Cash only (two currencies)
Origin?                                 Back office or treasury department
Trading position affected?              No
External cash movement?                 Yes
Number of external counterparties?      One
Issue a trade confirmation?             Yes
Issue a settlement instruction?         Yes (both paying and receiving nostros)22
Chapter 8 Internet Banking in India – Guidelines23 (June 14, 2001)

Reserve Bank of India had set up a ‘Working Group on Internet Banking’ to examine different aspects of Internet Banking (I-banking). The Group had focused on three major areas of I-banking, i.e., (1) technology and security issues, (2) legal issues and (3) regulatory and supervisory issues. RBI has accepted the recommendations of the Group to be implemented in a phased manner. Accordingly, the following guidelines are issued for implementation by banks. Banks are also advised that they may be guided by the original report for detailed guidance on different issues.

I. Technology and Security Standards:

a. Banks should designate a network and database administrator with clearly defined roles as indicated in the Group’s report.

b. Banks should have a security policy duly approved by the Board of Directors. There should be a segregation of duty of the Security Officer / Group dealing exclusively with information systems security and the Information Technology Division which actually implements the computer systems. Further, the Information Systems Auditor will audit the information systems.

c. Banks should introduce logical access controls to data, systems, application software, utilities, telecommunication lines, libraries, system software, etc. Logical access control techniques may include user-ids, passwords, smart cards or other biometric technologies.

d. At the minimum, banks should use the proxy server type of firewall so that there is no direct connection between the Internet and the bank’s system. It facilitates a high level of control and in-depth monitoring using logging and auditing tools. For sensitive systems, a stateful inspection firewall is recommended, which thoroughly inspects all packets of information, and past and present transactions are compared. These generally include a real time security alert.

22 Michael Simmons, Securities Operations, John Wiley & Sons Ltd, Page 80-84
23 Naavi Na.Vijayashankar, Cyber Laws For Every Netizen in India

e. All the systems supporting dial up services through modem on the same LAN as the application server should be isolated to prevent intrusions into the network, as this may bypass the proxy server.

f. PKI (Public Key Infrastructure) is the most favoured technology for secure Internet banking services. However, as it is not yet commonly available, banks should use the following alternative system during the transition, until the PKI is put in place:
1. Usage of SSL (Secured Socket Layer), which ensures server authentication, and use of client side certificates issued by the banks themselves using a Certificate Server.
2. The use of at least 128-bit SSL for securing browser to web server communications and, in addition, encryption of sensitive data like passwords in transit within the enterprise itself.

g. It is also recommended that all unnecessary services on the application server such as FTP (File Transfer Protocol) and telnet should be disabled. The application server should be isolated from the e-mail server.

h. All computer accesses, including messages received, should be logged. Security violations (suspected or attempted) should be reported, and the follow-up action taken should be kept in mind while framing future policy. Banks should acquire tools for monitoring systems and the networks against intrusions and attacks. These tools should be used regularly to avoid security breaches. The banks should review their security infrastructure and security policies regularly and optimize them in the light of their own experiences and changing technologies. They should educate their security personnel and also the end users on a continuous basis.

i. The information security officer and the information system auditor should undertake periodic penetration tests of the system, which should include:
1. Attempting to guess passwords using password-cracking tools.
2. Search for back door traps in the programs.
3. Attempt to overload the system using DDoS (Distributed Denial of Service) & DoS (Denial of Service) attacks.
4. Check if commonly known holes in the software, especially the browser and the email software, exist.
5. The penetration testing may also be carried out by engaging outside experts (often called ‘Ethical Hackers’).
j. Physical access controls should be strictly enforced. Physical security should cover all the information systems and sites where they are housed, both against internal and external threats.

k. Banks should have proper infrastructure and schedules for backing up data. The backed-up data should be periodically tested to ensure recovery without loss of transactions in a time frame as given out in the bank’s security policy. Business continuity should be ensured by setting up disaster recovery sites. These facilities should also be tested periodically.

l. All applications of banks should have proper record keeping facilities for legal purposes. It may be necessary to keep all received and sent messages both in encrypted and decrypted form.

m. Security infrastructure should be properly tested before using the systems and applications for normal operations. Banks should upgrade the systems by installing patches released by developers to remove bugs and loopholes, and upgrade to newer versions which give better security and control.

II. Legal Issues

a. Considering the legal position prevalent, there is an obligation on the part of banks not only to establish the identity but also to make enquiries about the integrity and reputation of the prospective customer. Therefore, even though a request for opening an account can be accepted over the Internet, accounts should be opened only after proper introduction and physical verification of the identity of the customer.

b. From a legal perspective, the security procedure adopted by banks for authenticating users needs to be recognized by law as a substitute for signature. In India, the Information Technology Act, 2000, in Section 3(2) provides for a particular technology (viz., the asymmetric crypto system and hash function) as a means of authenticating electronic records. Any other method used by banks for authentication should be recognized as a source of legal risk.

c. Under the present regime there is an obligation on banks to maintain secrecy and confidentiality of customers’ accounts. In the Internet banking scenario, the risk of banks not meeting the above obligation is high on account of several factors. Despite all reasonable precautions, banks may be exposed to enhanced risk of liability to customers on account of breach of secrecy, denial of service etc., because of hacking / other technological failures. The banks should, therefore, institute adequate risk control measures to manage such risks.

d. In the Internet banking scenario there is very little scope for the banks to act on stop-payment instructions from the customers. Hence, banks should clearly notify to the customers the timeframe and the circumstances in which any stop-payment instructions could be accepted.
e. The Consumer Protection Act, 1986 defines the rights of consumers in India and is applicable to banking services as well. Currently, the rights and liabilities of customers availing of Internet banking services are being determined by bilateral agreements between the banks and customers. Considering the banking practice and rights enjoyed by customers in traditional banking, banks’ liability to the customers on account of unauthorized transfer through hacking, denial of service on account of technological failure etc. needs to be assessed, and banks providing Internet banking should insure themselves against such risks.

III. Regulatory and Supervisory Issues:

As recommended by the Group, the existing regulatory framework over banks will be extended to Internet banking also. In this regard, it is advised that:
1. Only such banks which are licensed and supervised in India and have a physical presence in India will be permitted to offer Internet banking products to residents of India. Thus, both banks and virtual banks incorporated outside the country and having no physical presence in India will not, for the present, be permitted to offer Internet banking services to Indian residents.
2. The products should be restricted to account holders only and should not be offered in other jurisdictions.
3. The services should only include local currency products.
4. The ‘in-out’ scenario where customers in cross border jurisdictions are offered banking services by Indian banks (or branches of foreign banks in India) and the ‘out-in’ scenario where Indian residents are offered banking services by banks operating in cross border jurisdictions are generally not permitted, and this approach will apply to Internet banking also. The existing exceptions for limited purposes under FEMA, i.e. where resident Indians have been permitted to continue to maintain their accounts with overseas banks etc., will, however, be permitted.
5. Overseas branches of Indian banks will be permitted to offer Internet banking services to their overseas customers subject to their satisfying, in addition to the host supervisor, the home supervisor.

Given the regulatory approach as above, banks are advised to follow the following instructions:

a. All banks who propose to offer transactional services on the Internet should obtain prior approval from RBI. The bank’s application for such permission should indicate its business plan, analysis of cost and benefit, operational arrangements like technology adopted, business partners, third party service providers and systems and control procedures the bank proposes to adopt for managing risks. The bank should also submit a security policy covering recommendations made in this circular and a certificate from an independent auditor that the minimum requirements prescribed have been met. After the initial approval the banks will be obliged to inform RBI of any material changes in the services / products offered by them.

b. Banks will report to RBI every breach or failure of security systems and procedure, and the latter, at its discretion, may decide to commission a special audit / inspection of such banks.

c. The guidelines issued by RBI on ‘Risks and Controls in Computers and Telecommunications’ vide circular DBS.CO.ITC.BC. 10/ 31.09.001/ 97-98 dated 4th February 1998 will equally apply to Internet banking. The RBI as supervisor will cover the entire risks associated with electronic banking as a part of its regular inspections of banks.

d. Banks should develop outsourcing guidelines to effectively manage risks arising out of third party service providers, such as disruption in service, defective services, and personnel of service providers gaining intimate knowledge of banks’ systems and misutilizing the same, etc.

e. With the increasing popularity of e-commerce, it has become necessary to set up ‘Interbank Payment Gateways’ for settlement of such transactions. The protocol for transactions between the customer, the bank and the portal and the framework for setting up of payment gateways as recommended by the Group should be adopted.

f. Only institutions who are members of the cheque clearing system in the country will be permitted to participate in Inter-bank payment gateways for Internet payment. Each gateway must nominate a bank as the clearing bank to settle all transactions. Payments effected using credit cards, payments arising out of cross border e-commerce transactions and all intra-bank payments (i.e., transactions involving only one bank) should be excluded for settlement through an inter-bank payment gateway.

g. Inter-bank payment gateways must have capabilities for both net and gross settlement. All settlement should be intra-day and, as far as possible, in real time.

h. Connectivity between the gateway and the computer system of the member bank should be achieved using a leased line network (not through the Internet) with an appropriate data encryption standard. All transactions must be authenticated. Once the regulatory framework is in place, the transactions should be digitally certified by any licensed certifying agency. SSL / 128 bit encryption must be used as the minimum level of security. Reserve Bank may get the security of the entire infrastructure, both at the payment gateway’s end and the participating institutions’ end, certified prior to making the facility available for customers’ use.

i. Bilateral contracts between the payee and payee’s bank, the participating banks and service provider, and the banks themselves will form the legal basis for such transactions. The rights and obligations of each party must be clearly defined and should be valid in a court of law.

j. Banks must make mandatory disclosures of risks, responsibilities and liabilities of the customers in doing business through the Internet through a disclosure template. The banks should also provide their latest published financial results over the net.

k. Hyperlinks from banks’ websites often raise the issue of reputational risk. Such links should not mislead the customers into believing that banks sponsor any particular product or any business.24
Chapter 9 Legal issues in cyber banking25

Banking was one of the earliest industries in the world to have adopted the Internet into its Business Model. Initially, the dot-com banks made significant progress in the USA and elsewhere in the world, just as Amazon.com made its presence felt as a virtual book seller. Gradually the Brick and Mortar Banks joined the race, and today they use the Internet as a means of communication not only for Customer transactions but also for Inter-branch transactions and Inter-bank transactions. In India, the strict licensing regime in the Banking industry has ensured that no Virtual bank could come up on the Net. However, the Commercial Banks entered Cyber space initially with an information website and later with limited online transactions. Today, without doubt, ICICI Bank is the leading Indian Bank on the Net, with HDFC Bank, UTI Bank, SBI and others trying to catch up with them. The Competitive environment in which Commercial bankers have to function today in India has also placed a premium on
o Reduction in Cost of Service
o Innovation in Products
o Better Customer Service.
Technology Banking in the Internet era will therefore try to achieve these objectives by the use of the Internet. The legal issues confronting the Cyber Banks of India have to be analyzed with reference to the general legal regime prevailing in India and the specific guidelines that have now been issued by the Reserve Bank of India in this regard.

Building blocks of technology banking

Technology Banking in the Internet era will be characterized by
1. Establishing customer relationships on the Internet and maintaining them through the Internet for a true “Any where, Any Time” Banking service.
2. Interacting with the existing clients through the Internet for communication.
3. Using the Internet for structuring and delivering services that require automatic real time responses, such as the Foreign Exchange and Treasury Operations besides the Stock Market Payment mechanisms.
4. Inter Bank Fund Transfer and Clearing of cheques through the Internet.

24 Naavi Na.Vijayashankar, Cyber Laws For Every Netizen in India (Version 2004), Page 371
25 Naavi Na.Vijayashankar, Cyber Laws For Every Netizen in India
Legal issues

Digital Signatures: The Banker Customer relationship in the Internet era will revolve around Digital signatures as it now revolves round written signatures. In view of the Digital Signature being a creation of Technology, the Banker would be heavily dependent on technology for "Authentication", "Storage" and "Recovery" of information.

Customer Relation Establishment: In Meta society Banking, opening of accounts is always done with the Customer and the Introducer being present before an authorized Bank officer. With the passage of the Information Technology Act, a natural question that will come up is whether an Account can be opened through Electronic Documents only. For the record, the RBI guidelines on Internet Banking released on June 14, 2001 have indicated that Banks should open accounts only after physical verification of signatures. This implies that the guideline is over ruling the spirit of Sections 4 and 5 of the Information Technology Act 2000, according to which an electronic application made with a digital signature covered by a Digital Certificate from an approved Certifying authority should be a legally valid application for starting a Banker-Customer Contractual relationship. The action can be legally justified only by extending the provisions of Section 9 of the ITA-2000 to RBI. However, Section 9 was meant to provide a discretion to the Government and some of the Government agencies not to adopt the E-Governance measures enunciated in sections 6, 7 and 8. It is doubtful if the legislative intent was to exempt RBI from these provisions. Presently, RBI has become a Certifying Authority itself through its technology arm IDRBT (Institute of Development and Research in Banking Technology). RBI has also initiated amendments to the Negotiable Instruments Act 1881 and the ITA-2000 itself to provide recognition to the electronic form of cheques. It is time therefore for RBI to review its Internet Banking guideline and withdraw the ban on opening new accounts through digitally signed application forms.

Rights of Lien and Setoff: Banking law and practice have developed some exclusive laws applicable to Bankers, particularly in the areas of Lien and Set off. While "Lien" refers to physical property, "Set off" refers to moneys due. In the Internet banking era, “Virtual Properties” and “Virtual Balances” come to the forefront. The established Banking law and practice will have to therefore modify itself to accept lien of a virtual property and set off on virtual money.

Negotiable Instruments and the ITA-2000:
Law and Practice of Indian Banking have been developed on the basis of English law and are fairly well established. The Negotiable Instruments such as the Cheque, Bill of Exchange and the Promissory Note have a legal history of their own. With the advent of the Internet into Banking, many of these need to undergo a change. When the Information Technology Act-2000 was originally passed, it stated in its first section itself that the Act shall not apply to Negotiable Instruments. Now this restriction has been confined to Negotiable Instruments other than a Cheque, meaning the Promissory Note and the Bill of Exchange. The Negotiable Instruments Amendment Act 2002 (NIAA-2002) has introduced two types of Electronic Instruments called the Electronic Cheque and the Truncated Cheque, and the ITA-2000 would be applicable for such cheques. Promissory Notes and Bills of Exchange are however outside the scope of the ITA-2000.

The Electronic Cheque has been defined under NIAA 2002 as under:
"a cheque in the electronic form" means a cheque which contains the exact mirror image of a paper cheque, and is generated, written and signed in a secure system ensuring the minimum safety standards with the use of digital signature (with or without biometrics signature) and asymmetric cryptosystem;

Similarly, the truncated cheque has been defined as under:
"a truncated cheque" means a cheque which is truncated during the course of a clearing cycle, either by the clearing house or by the bank whether paying or receiving payment, immediately on generation of an electronic image for transmission, substituting the further physical movement of the cheque in writing.

RBI is presently working on the procedures involved in operating the truncated cheque and e-cheques. It is however clear that, the truncated cheque being a system internal to the Banking system, it is possible to install the necessary equipment and truncate the physical cheques.
However, the concept of Electronic cheques to be used by the public is more difficult to implement, since it requires a hardware device for the purpose of converting a physical cheque to a cheque in Electronic form. Even though this is an attempt to introduce an electronic cheque in the Indian system, the suggested system is incomplete without appropriate systems for endorsement and delivery of E-Cheques. In the meantime, if a Customer issues a digitally signed instruction to his Banker containing all the ingredients of a cheque, such as an unconditional order to pay a certain sum of money to a certain person, it is legally inconceivable not to recognize the nature of this instruction as an E-Cheque. While the Banker is at liberty to bar such instructions by specific contract, if the Banker Customer Relationship is based on a contract which is silent on this aspect, the instruction cannot be ignored. If the instruction is refused and consequently the beneficiary is forced to a financial loss or damage, which in turn results in a loss to the customer, the Bank may have to compensate. It may be recalled that even in Meta society Banking, a letter written by a customer ordering the bank to pay a certain amount of money to a certain person to the debit of the customer’s account is always honoured. Even though Clearing houses do accept some letter-like instruments such as IT refund orders and Traveller’s cheques, customers’ letters are not an accepted instrument for clearing purposes. But for this shortcoming, the letter is still binding on the Banker to whom it is issued. Hence a similar electronic instruction cannot be ignored by the Bankers.

Digital signature cannot tally with a specimen: When it comes to “Signature”, Banks adopt a “Procedure” whereby the signature should be as per the specimen already supplied to the Bank. One important aspect of the Digital Signature is that it is irretrievably linked to the document and no two digital signatures ever tally. It will require a totally different outlook for the Bankers to accept a payment instruction where the Digital Signature is not tallied with any specimen already supplied by the customer. Further, the Digital Signature, even though it may be as safe as the written signature, relies on a Certifying authority for authentication. It would therefore make the Banker subordinate to the Certifying Authority as regards authenticating a signature.

Termination of Banker Customer Relationship: Bankers may receive e-mails notifying “Death”, “Insolvency” or “Insanity” of the customer which, like the stop payment instructions, would put them in a dilemma. The dilemma is basically on the need to identify and authenticate the message. As in the usual case of such information being received over the phone or through third party unconfirmed sources, the Bank Manager has to use his discretion in acting on such messages.

E-Mail Identifiers for Bank Staff: In the context of receiving notices that affect banker-Customer relations, it becomes relevant to discuss the effect of e-mail addresses such as [email protected] or [email protected]. If a third party is sending a mail at [email protected], it may be considered a valid notice to the Bank, while the personal name at the bank’s address may be considered as a personal message. Banks will have to carefully develop their policies of providing e-mail identities to their authorized staff.

Banking in a Continuous Time Cycle: Another important aspect of Banking in the Internet era would be that one single Internet Interface center would be able to cater to customers in different time zones. Hence the Internet Bank is a 24-hour Bank. The Bank has to therefore consciously introduce a day change over so as to give effect to policy changes. Unlike in Meta Society Banking where the Banker and Customer are in the same time zone, in the Internet Banking zone, if the rate of interest is to be changed, one has to be specific that the change is effective with effect from X hours IST. Every Banking transaction has to be therefore time stamped, and the time becomes an important parameter of the voucher.

Security in Banking Environment: So far, when we spoke of security in the Banking environment, we spoke of “Physical Security”. In the Internet era, Security has to be seen not only at the Physical level, but also at the “Data Storage Level”. Apart from having a security guard at the door, it will therefore be necessary to have a “Fire Wall” protecting the data. Just as we distribute “Keys” to the safe at present, Banking in the Internet era would consist of “Passwords” as keys or “Smart Cards” as Key holders. Hacking and Viruses will be the tools of fraud more than “Forgery” and “Dacoity”. The Banker in the coming era should prepare himself to deal with these technological threats to remain in business. A detailed guideline on security has been issued by RBI, which has been separately reproduced at the end of this chapter. It is interesting to note that the guidelines suggest that the Banks use the services of “Ethical Hackers” to monitor the security levels of the network.
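To make the two points above concrete (a digitally signed instruction carrying the ingredients of a cheque, and a signature that is tied to the document rather than tallied against a specimen), here is an added example in Go; it is not code from the book or from any bank's system. The account number, payee, amount and timestamp are constructed values, and ECDSA P-256 with SHA-256 is assumed as one instance of the "asymmetric crypto system and hash function" the ITA-2000 refers to.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// PaymentInstruction carries the ingredients of a cheque listed in the text:
// an unconditional order to pay a certain sum to a certain person, debited to
// the customer's account, with the timestamp the 24-hour bank needs.
// All field values used below are constructed for this example.
type PaymentInstruction struct {
	Drawer      string // account to be debited (constructed account number)
	Payee       string
	AmountPaise int64  // whole paise, so no floating point rounding
	IssuedAt    string // RFC 3339 with explicit IST offset
}

// canonical renders the instruction in one fixed byte layout so that signer
// and verifier hash exactly the same bytes. The '|' separators and field
// order are part of the format; changing any field changes the digest.
func (p PaymentInstruction) canonical() []byte {
	return []byte(fmt.Sprintf("drawer=%s|payee=%s|amount=%d|issued=%s",
		p.Drawer, p.Payee, p.AmountPaise, p.IssuedAt))
}

// digest is the "hash function" half of the Section 3(2) scheme.
func (p PaymentInstruction) digest() []byte {
	h := sha256.Sum256(p.canonical())
	return h[:]
}

// Sign is the customer's act: the "asymmetric crypto system" half. ECDSA
// signing is randomized, so the same instruction signed twice yields two
// different signatures, which is why no two digital signatures ever tally.
func Sign(priv *ecdsa.PrivateKey, p PaymentInstruction) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, p.digest())
}

// Verify is the banker's act, replacing the specimen comparison: recompute
// the digest from the instruction actually received and check the signature
// against the public key the Certifying Authority bound to this customer.
func Verify(pub *ecdsa.PublicKey, p PaymentInstruction, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, p.digest(), sig)
}

// Checks runs the scenario and reports, in order: whether two signatures on
// the same instruction are byte-identical, whether both nevertheless verify,
// whether a one-paisa alteration still verifies, and whether a signature
// made with some other party's key verifies as the customer.
func Checks() (identical, bothValid, alteredValid, otherKeyValid bool) {
	customer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	instr := PaymentInstruction{
		Drawer:      "ACCT-000123", // constructed
		Payee:       "R. Sharma",   // constructed
		AmountPaise: 5_000_000,     // Rs. 50,000.00
		IssuedAt:    "2004-03-01T10:30:00+05:30",
	}

	sig1, err1 := Sign(customer, instr)
	sig2, err2 := Sign(customer, instr)
	if err1 != nil || err2 != nil {
		panic("signing failed")
	}
	identical = bytes.Equal(sig1, sig2)
	bothValid = Verify(&customer.PublicKey, instr, sig1) &&
		Verify(&customer.PublicKey, instr, sig2)

	// The signature is tied to the document: alter the amount by one paisa
	// and the digest, and therefore the verification result, changes.
	altered := instr
	altered.AmountPaise++
	alteredValid = Verify(&customer.PublicKey, altered, sig1)

	// Another key holder signing the same text is not the customer.
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sigOther, _ := Sign(other, instr)
	otherKeyValid = Verify(&customer.PublicKey, instr, sigOther)
	return
}

func main() {
	identical, bothValid, alteredValid, otherKeyValid := Checks()
	fmt.Println("two signatures on the same instruction tally:", identical)     // false
	fmt.Println("both verify with the customer's public key:", bothValid)       // true
	fmt.Println("altered amount still verifies:", alteredValid)                  // false
	fmt.Println("other party's signature verifies as customer:", otherKeyValid) // false
}
```

The banker never compares the received signature with a stored one; the only stored artefact is the customer's public key (in practice inside the certificate), which is why the Certifying Authority, not a specimen card, becomes the reference for authenticity.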
Real Time Information Products: Another feature of the Internet is its ability to collate information from many sources on a real-time basis. This aspect of the Internet would come in handy for Bankers in structuring products in areas such as “Foreign Exchange” or “Treasury”. For example, every foreign exchange bid can be reverse auctioned on the Internet for obtaining the best market rates directly from the customers with counter offers. The Banker in this case will only act as a trusted intermediary to enforce the contracts. Once the exchange control regulations remove the concept of an “Authorized Dealer” and permit direct customer level contacts, a normal E-Commerce portal such as paisepower.com can substitute the Bank in brokering foreign exchange transactions. Bankers have to be on their toes, as otherwise the prediction of Mr A.T. Pannerselvam, former IBA chairman, that “Future of Indian Banking will belong to Non Bankers” will come true.

Virtual Property As Security: Bankers will increasingly come across requests to evaluate and accept Properties such as web sites as security for loans. At present Banks conveniently avoid such decisions by refusing the security and insisting on “Land and Building”. However, in the coming days, wealth will concentrate with people who accumulate Intellectual Property and Virtual Property, and business from such customers will shift to those progressive bankers who are capable of accepting these properties as security.

AMENDMENTS TO BANKER'S BOOKS EVIDENCE ACT AND RBI ACT

Realizing the growing importance of electronic documentation in Banking, the ITA-2000 has proposed some vital amendments to the Bankers Books Evidence Act 1891 as well as the RBI Act 1934. According to Schedule 3 (Ref: Sec 93) of the ITA-2000, Banks can now store "Ledgers", "Day Books", "Cash Books", "Account Books" etc in the form of floppy, Disk, Tape or other electromagnetic data storage devices. A "Certified Copy" of transactions includes print outs of data stored in a floppy, disc, tape or any other electromagnetic data storage device together with a statement certified as under:
- a certificate to the effect that it is a printout of such entry or a copy of such printout by the principal accountant or branch manager; and
- a certificate by a person in-charge of the computer system containing a brief description of the computer system and the particulars of the safeguards adopted by the system to ensure that data is entered or any other operation performed only by authorized persons; the safeguards adopted to prevent and detect unauthorized change of data; the manner in which data is transferred from the system to removable media like floppies, discs, tapes or other electromagnetic data storage devices; the mode of verification in order to ensure that data has been accurately transferred to such removable media; the mode of identification of such data storage devices; the arrangements for the storage and custody of such storage devices; the safeguards to prevent and detect any tampering with the system; and any other factor which will vouch for the integrity and accuracy of the system.
- a further certificate from the person in-charge of the computer system to the effect that, to the best of his knowledge and belief, the computer system operated properly at the material time, he was provided with all the relevant data and the printout in question represents correctly, or is appropriately derived from, the relevant data.

The amendment to the RBI Act as per Schedule 4 (Ref Section 94) empowers RBI to extend its powers regarding regulation of Fund Transfers between Banks to "Electronic Means of Fund Transfers" also.

Cama Committee on E-Money: In one of the recent attempts to exercise its control on E-Commerce, a working group constituted by RBI on E-Money has come up with suggestions on electronic systems that can be used as multipurpose e-money. The Working group headed by Mr Zarir J Cama, which submitted its report on July 11, 2002, has expressed its opinion that Electronic Payment Systems have the potential to become an independent medium of exchange and therefore need to be regulated. Accordingly the group has recommended that
- e-money for multipurpose use can be issued only when the payment has been made by the e-money holder in full through Central Bank Money.
- Issue of e-money against credit is recommended to be restricted to Banks.
- Only single purpose e-money is recommended for use by other entities.
It also suggests that where e-money is issued in exchange of any other kind of services, a "Redemption Option" should be provided for conversion into Central Bank Money. These recommendations may shortly be codified into appropriate legislations. There will however be many more areas of operation in Banking where the traditional legal interpretations will have to be redefined to suit the requirements of Technology Banking in the Internet Era.
Chapter 10 Conclusions

Recent incidents involving data loss have forced many organizations to consider how they can significantly improve their data security. In particular, safeguarding personal and financial data is a key responsibility for the financial services industry. The mismanagement of data security is a significant risk for financial organizations due to the nature of their business, as they generally hold large volumes of personal and financial data about their customers, such as names, addresses, dates of birth, bank account details, transaction records, PINs, national insurance numbers and so on. Thus, the financial services industry needs to pay close attention to how it handles this type of data. Financial organizations are becoming more aware of the potential costs of losing data. However, corporate information security policies, procedures and controls are not enough to prevent data loss through lack of employee awareness about the risks related to handling information.26 Effective training and awareness mechanisms are crucial in these organisations, as the risks to which they are exposed, for instance identity theft, money laundering and market abuse, may all result in considerable inconvenience and possible financial loss to the victims as well as damage to the organization itself.
26 Information security awareness in financial organizations, November 2008.
Many banks and STOs have already started awareness programmes for the protection of their customers against cyber theft and related offences. Moreover, the legislature has also taken some measures to protect securities and cash from the hands of hackers: the Information Technology Act, 2000 (IT Act) was implemented to control cyber security. Nowadays, I hope that the only way to stop this sort of offence is by way of sound awareness among the people who are engaged in the investment and share sector.