
Cyber Legal Framework in India with respect to the Banking Industry

Keywords: Cyber Security, Privacy Standards, Sensitive Data, Digital Banking, RBI Framework, IT Act, DPDPA

Cyber Security Framework for Indian Banking

Introduction

Cybersecurity with legal standing has rapidly become essential in the Banking sector, since Banks are among the primary targets of major Cyber Attacks (as per the 2024-25 Economic Survey Report). A single banking transaction today involves servers, APIs, telecom networks, third-party apps and customer devices, each of which is a potential legal risk point.

💡 What is Cyber Legal Framework?
It refers to all the Acts, Rules, Guidelines, Directional Circulars, Security Standards, Policies, etc., governing Digital Banking Operations in the country. In this rapidly growing segment of the finance sector, it becomes crucial to ensure effective privacy practices and enforcement mechanisms.

Major Frameworks Governing Cyber Security in Banking

  1. The Information Technology Act, 2000
  2. IT (Use of Electronic Records & Digital Signatures) Rules, 2004
  3. IT (Security Procedure) Rules, 2004
  4. IT (Information Security Practices & Procedures for Protected Systems) Rules, 2018
  5. IT (Procedure and Safeguards for Blocking for Access of Information by Public) Rules, 2009
  6. The Bharatiya Nyaya Sanhita, 2023
  7. The Bharatiya Sakshya Adhiniyam, 2023
  8. The Banker's Book Evidence Act, 1891
  9. RBI Cyber Security Frameworks in Banks, 2016
  10. Storage of Payment System Data (Data Localization Directive by RBI), 2018
  11. RBI Master Direction on Digital Payment Security Control, 2021
  12. RBI Authentication Mechanisms for Digital Payment Transactions Directions, 2025
  13. Master Direction - Risk Management and Inter-Bank Dealings
  14. The Electronic Trading Platforms (Reserve Bank) Directions, 2018
  15. Master Circular on Mobile Banking Transactions in India
  16. The Payment & Settlement Systems Act, 2007
  17. The Digital Personal Data Protection Act, 2023
  18. DPDP Rules, 2025
  19. The Foreign Exchange Management Act (FEMA), 1999
  20. PMLA S. 66 (I4C incorporation by Ministry of Finance), 2025
  21. CERT-In Rules for Cybersecurity Reporting
  22. Data Security Standards (ISO 27001)
  23. E-KYC Guidelines
  24. Cyber Insurance Frameworks
  25. Zero Trust and Continuous Monitoring Models
  26. RBI KYC/AML/CFT Norms
  27. Banking Codes and Standards Board of India

The Beginning of an Era of Digital Trust and Privacy Protection

The IT Act, 2000 has been a cornerstone for the Banking Industry in the context of cybersecurity. It was the first time electronic signatures (created as per the IT Security Procedure Rules, 2004) and digital contracts were given legal recognition, which brought Digital Payments and Internet Banking into valid practice.

📚 Landmark Case: K.S. Puttaswamy v. Union of India (2017)
The Apex Court held Privacy to be a fundamental Right under Article 21. This was a wake-up call for the government to enhance the security of citizens' personal data, which led to the robust frameworks of the current era.

The IT Act has been largely inspired by the EU General Data Protection Regulation (GDPR) which focuses on stringent privacy measures, and originates from the Budapest Convention which focuses on harmonizing criminal law and international cooperation against cybercrime.

The RBI, as the governing body, has issued circulars from time to time to regulate the Digital Banking Infrastructure.

Rise of Crimes in the Digital Banking Ecosystem

Understanding crimes in digital banking requires understanding where technology is actually used. Banks rely on:

  1. Core Banking Systems (CBS)
  2. Internet and mobile banking platforms
  3. UPI, card networks, and payment gateways
  4. Cloud storage and third-party service providers
  5. APIs and fintech integrations

Each layer creates distinct vulnerability exposure.

⚠️ Example - Vendor Liability: A Bank outsources its mobile banking backend to a third-party vendor. A vulnerability in the vendor's system leads to leakage of sensitive customer credentials. The Bank cannot escape liability by blaming the vendor. Under the IT law regime and RBI frameworks, outsourcing does not dilute responsibility. Banks must observe due diligence, enforce security standards, and ensure contractual compliance with cybersecurity norms.
⚠️ Example - UPI Transaction Fraud: A customer initiates a UPI transaction. The amount is debited but credited to an unknown beneficiary due to malware interference. Although the customer interacted only through the app, liability extends to the Bank, the Payment Gateway, and Third-party Web Service Providers.

Cyber Frauds in the Banking Sector

1. Phishing and OTP Fraud

A customer receives an email appearing to be from their bank, asking to update KYC details via a link. Upon clicking the link and sharing an OTP, the account gets emptied within seconds.

Legal Provisions Involved:

Impersonation:

  • Section 66D IT Act - Cheating by personation using computer resource
  • Section 319 BNS - Cheating by personation

Unauthorized Access:

  • Section 43 IT Act - Accessing computer resource without permission
  • Section 66 IT Act - Actions under S.43 committed dishonestly or fraudulently
  • Section 70 IT Act - Accessing "protected systems" without authorization

Breach of Confidentiality:

  • Section 72 IT Act - Disclosure of electronic records without consent
  • Section 72A IT Act - Disclosure in breach of lawful contract
  • Section 43A IT Act - Corporate liability for negligent handling of SPDI (now under DPDP Act)
📚 Case: Sujata Ahuja v. State Bank of India (2022)
Held that even where fraud occurs through phishing, the burden of proving the absence of negligence in the Bank's security system lies upon the Bank.

2. SIM Swap Fraud

In a SIM Card Swap Fraud, a person's mobile number is illicitly transferred to a fraudster's SIM card. The fraudster resets UPI credentials and drains the account.

Shared Responsibility Framework:

Telecom Operator's Failure:

  • The Telecom Commercial Communications Customer Preference Regulations, 2018 mandate strict verification
  • Section 66C IT Act - Identity theft facilitated by poor verification
  • Section 42(3)(e) & 42(6) Telecommunications Act, 2023 - Fraud in obtaining telecommunication identifier

Bank's Authentication Reliance:

  • RBI Circular on Customer Liability (2017/2025): Zero liability for customers if unauthorized transaction arises due to Bank's negligence
  • RBI Authentication Directions, 2025: Mandates minimum two-factor authentication (effective April 1, 2026)
  • Section 2(42) Consumer Protection Act, 2019 - Banking services included; failure = "deficiency in service"
📚 Case: ICICI Bank Limited v. Prakash Kaur
The Supreme Court held that NCDRC has power to try matters involving Banks and Customers. A Bank may be held liable for "deficiencies in its services" and consumers have the right to seek compensation.

3. Unauthorized Online Transactions

A customer notices multiple international card transactions not authorized by them. Despite informing the bank promptly, transactions are processed.

Customer Liability Framework (RBI Guidelines):

Reporting Time       | Liability         | Details
Within 3 working days | Zero Liability    | For third-party breaches not due to the customer's or the bank's fault
4-7 working days      | Limited Liability | Capped per transaction (₹5,000 to ₹25,000 depending on account type)
Beyond 7 days         | Full Liability    | Determined by the Bank's Board-approved policy

Bank Obligations:

  • Provisionally credit unauthorized transaction amount within 10 working days
  • Resolve complaints within 90 days

Similar Attack Types:

  • Brute Force Attacks: Using automated software to guess login credentials
  • DNS Cache Poisoning: Redirecting users to malicious clone sites
  • Card Skimming: Capturing card details using discreet electronic devices
  • DoS Attacks: Flooding banking systems with traffic
  • Reflected Attacks: Using spoofed IP addresses with victim's source address

Banks as "Body Corporates" and Data Fiduciaries

Section 3 DPDP Act, 2023 defines "Data Fiduciary" as a person who alone or in conjunction with others determines the purpose and means of processing personal data.

Banks qualify as "body corporates" handling sensitive personal data including:

  • Financial information
  • Transaction history
  • KYC details
  • Biometric identifiers
  • Authentication credentials
βš–οΈ Preventive Focus: Even if no immediate financial loss occurs from a data breach due to outdated firewall, banks may face legal consequences for failure to maintain adequate cybersecurity standards. The focus of law here is preventive, not merely punitive.

Customer Protection vs Defences by Banks

Banks assess liability based upon:

  • Timing of customer reporting (entities must sync system clocks with NIC's NTP servers)
  • Nature of fraud
  • Degree of customer negligence
  • Existence of systemic or security failure

Scenario                               | Liability
Fraud occurs due to system failure     | Bank Liability
Credentials shared due to deception    | Shared or Customer Liability
Prompt reporting ignored by bank       | Bank Liability Escalates

Digital Evidence and Banking Records

The DPDP Act covers all data collected in digital format. In case of an offence, reliance is almost entirely on electronic evidence. Banks must:

  • Authenticate electronic records
  • Keep record of all transaction logs
  • Establish integrity of digital data

The Bharatiya Sakshya Adhiniyam (BSA), 2023 (Sections 28, 29) and Banker's Book Evidence Act, 1891 give recognition to contents in Banking records in electronic form as primary admissible evidence in Indian Courts.

Proper certification under Form A and Form B of Section 63(4) BSA, 2023 ensures integrity of electronic records.
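The three obligations listed above (authenticate records, keep transaction logs, establish integrity) can be met together with a hash-chained log. The block below is an added example written for this page; it is not code from the original article, from any bank or from a regulator. Each entry's SHA-256 digest commits to the record and to the previous entry's digest, so any later edit breaks the chain at or just after the edited entry. The account names, transaction IDs and amounts are constructed sample data, and the `head()` value is the kind of fingerprint an external attestation would record; the block does not implement the Form A or Form B certificates themselves.

```python
import hashlib
import json

GENESIS = "0" * 64  # sentinel "previous hash" for the first entry


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so identical content always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_digest(prev_hash: str, record: dict) -> str:
    """Digest of one entry: commits to the record AND to the previous entry's digest."""
    return hashlib.sha256(prev_hash.encode("ascii") + canonical(record)).hexdigest()


class HashChainedLog:
    """Append-only transaction log in which each entry commits to the one before it."""

    def __init__(self):
        self.entries = []  # each: {"record": dict, "prev_hash": str, "entry_hash": str}

    def append(self, record: dict) -> str:
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry_hash = entry_digest(prev_hash, record)
        self.entries.append({"record": dict(record), "prev_hash": prev_hash, "entry_hash": entry_hash})
        return entry_hash

    def head(self) -> str:
        """Digest of the latest entry: the value to record in a certificate or off-system store."""
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS

    def verify(self):
        """Re-walk the chain. Returns (True, None) or (False, index_of_first_inconsistent_entry)."""
        prev_hash = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev_hash or e["entry_hash"] != entry_digest(prev_hash, e["record"]):
                return False, i
            prev_hash = e["entry_hash"]
        return True, None


# Constructed sample transactions (hypothetical accounts and amounts, not real data).
SAMPLE_TRANSACTIONS = [
    {"txn_id": "T1001", "account": "ACC-001", "type": "CREDIT", "amount": 25000.00, "ts": "2025-01-10T09:12:00Z"},
    {"txn_id": "T1002", "account": "ACC-001", "type": "DEBIT", "amount": 4999.00, "ts": "2025-01-10T09:40:00Z"},
    {"txn_id": "T1003", "account": "ACC-002", "type": "DEBIT", "amount": 1200.50, "ts": "2025-01-10T10:05:00Z"},
]


def build_sample_log() -> HashChainedLog:
    log = HashChainedLog()
    for txn in SAMPLE_TRANSACTIONS:
        log.append(txn)
    return log


def tamper_record(log: HashChainedLog, index: int, field: str, value):
    """Simulate an after-the-fact edit of a stored record; return the verification result."""
    log.entries[index]["record"][field] = value
    return log.verify()


def tamper_and_rehash(log: HashChainedLog, index: int, field: str, value):
    """Simulate a more careful edit that also recomputes the edited entry's own digest."""
    e = log.entries[index]
    e["record"][field] = value
    e["entry_hash"] = entry_digest(e["prev_hash"], e["record"])
    return log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    certified_head = log.head()  # what would be attested externally at certification time
    print("fresh log:", log.verify())  # (True, None)
    print("edit entry 1:", tamper_record(log, 1, "amount", 49.00))  # (False, 1)
    log = build_sample_log()
    print("edit+rehash entry 1:", tamper_and_rehash(log, 1, "amount", 49.00))  # (False, 2)
    log = build_sample_log()
    print("edit+rehash last entry:", tamper_and_rehash(log, 2, "amount", 1.00))  # (True, None)
    print("head matches certified copy:", log.head() == certified_head)  # False
```

The last case is the reason the head digest has to live outside the log: rewriting the final entry and recomputing its digest yields a chain that is internally consistent, and only comparison against the externally recorded head exposes the change.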

Incident Response by Banks Post Cyber Attack

A legally sound response includes:

  1. Immediate preservation of transactions and digital evidence for forensic assessment
  2. Freezing of accounts and blocking of further transactions
  3. Mandatory reporting to regulatory authorities after detecting the incident
  4. Informing the affected customers
  5. Coordination with law enforcement agencies and CERT-In
⚠️ Warning: If a Bank resolves a breach internally and fails to notify customers, such non-disclosure can amount to violation of duties and breach of trust, giving exposure to consumer claims.

Role of Courts

Indian courts and Tribunals examine:

  • Whether the bank exercised reasonable care
  • Whether the customer acted prudently
  • Whether systemic safeguards were adequate
📚 Case: Punjab National Bank v. Leader Valves Pvt. Ltd. (2006)
The Court reaffirmed the fiduciary duties of Banks towards customers.
📚 Pune Citibank Mphasis Call Centre Fraud Case
The Court held that unauthorized access to electronic accounts brings the case within the purview of the IT Act. This demonstrated the judiciary's approach to applying the IT Act and the IPC (now BNS) to Banking Offences.
📚 Case: Re: Victims Of Digital Arrest vs Mr. Avishkar Singhvi (2025)
The Supreme Court, taking suo moto cognizance, declared bank "laxity" in preventing cyber fraud to be a deficiency of service. The Court also scrutinized telecom providers' role and directed action against over-the-counter sale of SIM boxes.

Money Laundering, Money Mules and Cyber-Enabled Terror Financing

Cyber fraud rarely remains a standalone digital offence. It increasingly functions as the entry point for larger financial crimes.

i. Money Laundering

A phishing attack loots small amounts from hundreds of accounts. Stolen funds are immediately transferred to multiple newly opened accounts, consolidated, routed through digital wallets (layering), and finally withdrawn in cash. This is how black money is converted to white money.

ii. Terror Financing

Fraudulent online investment schemes collect funds via UPI. While victims believe they're investing, funds are transferred to accounts linked with terrorist organizations. Banks must monitor destination accounts, transaction patterns, and geographic risk indicators.

iii. Use of Mule Accounts

Individuals allow their bank accounts to be used for receiving and transferring fraud proceeds in exchange for commission. Banks must identify such accounts through unusual transaction behaviour.

🤖 MuleHunter.AI: The RBI has developed an AI/ML-based model called "MuleHunter.ai" to detect mule accounts used for financial frauds. The model uses advanced algorithms to identify fraud patterns and predict mule accounts more efficiently than rule-based systems.
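The layering pattern described under Money Laundering above (many small credits, immediate consolidation, cash withdrawal) and the "unusual transaction behaviour" a bank must look for in mule accounts can be expressed as heuristics over a transaction ledger. The block below is an added example written for this page; it is not RBI's MuleHunter.ai or any bank's code, and its thresholds, account names and transactions are constructed assumptions. It scores each account on the number of distinct senders, the pass-through ratio, how quickly money leaves after a credit, and cash withdrawal, and contrasts a mule-like account with a salary account and a small merchant that share some of the same traits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (hypothetical accounts, not real data):
# (timestamp, from_account, to_account, amount_in_rupees, channel)
# channel "CASH" marks an ATM/branch withdrawal with no receiving account.
SAMPLE_TXNS = [
    # Six phishing victims each send a small amount to the same account...
    ("2025-03-01T10:00:00", "V1", "MULE-77", 4800, "UPI"),
    ("2025-03-01T10:05:00", "V2", "MULE-77", 4900, "UPI"),
    ("2025-03-01T10:20:00", "V3", "MULE-77", 4700, "UPI"),
    ("2025-03-01T10:40:00", "V4", "MULE-77", 4950, "UPI"),
    ("2025-03-01T11:05:00", "V5", "MULE-77", 4600, "UPI"),
    ("2025-03-01T11:30:00", "V6", "MULE-77", 4850, "UPI"),
    # ...which is emptied within the hour: consolidation transfer plus cash withdrawal.
    ("2025-03-01T12:10:00", "MULE-77", "CONS-01", 20000, "IMPS"),
    ("2025-03-01T12:15:00", "MULE-77", "ATM", 8500, "CASH"),
    # A salaried account: one sender, slow and partial outflow.
    ("2025-03-01T09:00:00", "EMP-01", "SAL-12", 60000, "NEFT"),
    ("2025-03-03T08:00:00", "SAL-12", "LANDLORD-3", 18000, "UPI"),
    ("2025-03-05T19:00:00", "SAL-12", "UTIL-CO", 3000, "UPI"),
    ("2025-03-10T12:00:00", "SAL-12", "ATM", 5000, "CASH"),
    # A small merchant: many senders, but funds stay and move out days later.
    ("2025-03-01T10:00:00", "C1", "SHOP-05", 300, "UPI"),
    ("2025-03-01T10:10:00", "C2", "SHOP-05", 450, "UPI"),
    ("2025-03-01T10:30:00", "C3", "SHOP-05", 1200, "UPI"),
    ("2025-03-01T11:00:00", "C4", "SHOP-05", 250, "UPI"),
    ("2025-03-01T11:15:00", "C5", "SHOP-05", 800, "UPI"),
    ("2025-03-01T11:45:00", "C6", "SHOP-05", 600, "UPI"),
    ("2025-03-04T09:00:00", "SHOP-05", "SUPPLIER-9", 1500, "NEFT"),
]


def account_features(txns, window=timedelta(hours=24)):
    """Per-account aggregates consumed by the heuristics below."""
    feats = defaultdict(lambda: {"in_total": 0.0, "out_total": 0.0, "fast_out": 0.0,
                                 "cash_out": 0.0, "senders": set()})
    last_inflow = {}  # account -> timestamp of the most recent credit seen so far
    for ts_str, src, dst, amount, channel in sorted(txns, key=lambda t: t[0]):
        ts = datetime.fromisoformat(ts_str)
        out = feats[src]
        out["out_total"] += amount
        if channel == "CASH":
            out["cash_out"] += amount
        # "fast" outflow: money leaving within `window` of the account's latest credit
        if src in last_inflow and ts - last_inflow[src] <= window:
            out["fast_out"] += amount
        if channel != "CASH":
            inc = feats[dst]
            inc["in_total"] += amount
            inc["senders"].add(src)
            last_inflow[dst] = ts
    return feats


def mule_score(f, min_senders=5):
    """Weighted heuristic score plus the reasons that fired; weights and thresholds are illustrative."""
    score, reasons = 0, []
    if len(f["senders"]) >= min_senders:
        score += 2
        reasons.append("many distinct senders")
    if f["in_total"] > 0:
        if f["out_total"] / f["in_total"] >= 0.9:
            score += 2
            reasons.append("pass-through (almost all credits re-sent)")
        if f["fast_out"] / f["in_total"] >= 0.8:
            score += 2
            reasons.append("rapid outflow after credit")
        if f["cash_out"] / f["in_total"] >= 0.25:
            score += 1
            reasons.append("significant cash withdrawal")
    return score, reasons


def flag_mules(txns, threshold=4):
    """Return {account: (score, reasons)} for accounts at or above the review threshold."""
    flagged = {}
    for acct, f in account_features(txns).items():
        score, reasons = mule_score(f)
        if score >= threshold:
            flagged[acct] = (score, reasons)
    return flagged


if __name__ == "__main__":
    for acct, (score, reasons) in flag_mules(SAMPLE_TXNS).items():
        print(f"{acct}: score {score} -> {', '.join(reasons)}")
```

Only MULE-77 crosses the review threshold: the merchant SHOP-05 also has six senders, but its money stays in the account and leaves slowly and partially, so the pass-through and rapid-outflow heuristics do not fire. Scores like these are a trigger for human review and enhanced due diligence, not a basis for automatic freezing, which is the accountability concern raised later in this article.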

Consent and Data Sharing

📚 Case: Google India Pvt. Ltd. v. Visakha Industries (2020)
The SC directed intermediaries to implement due diligence to prevent financial scams and unauthorized disclosure of data. This ruling compelled RBI to release strict regulations for fintech and digital financial services firms.

The DPDP Act makes "consent" the primary premise for any data processing. Banks sharing customer data with loan application operators without explicit consent raises serious concerns regarding:

  • Data minimisation
  • Purpose limitation
  • Lawful processing

Emerging Security Mechanisms and Challenges

  • AI-based Fraud Detection: Advanced machine learning algorithms detecting unusual patterns
  • Deepfake Impersonation Tackled by KYC: AI deepfakes posing as legitimate individuals
  • Zero-Trust Security Models: RBI's Financial Stability Report (June 2025) highlighted "Never Trust, Always Verify" principle
  • Cyber Insurance (Banker's Blanket Bonds): Coverage for loss of personal financial data or money in fraud cases
  • CIA Triad: Confidentiality, Integrity, and Availability - foundational information security model
  • ISMS ISO 27001: International standard for managing sensitive data
⚠️ Challenge - AI Accountability: An AI system freezes a legitimate account suspecting fraud. This raises concerns over algorithmic accountability, customer rights, and human oversight in automated systems.
⚠️ Challenge - Real-time Payments: Once authorized, funds are credited immediately, leaving little window for reversal. Fraudsters exploit this urgency to execute cyber frauds before intervention.

Conclusion

Cyber law in the Banking sector has evolved from a compliance essential to an operational principle and strategic governance mandate. Banks are expected not only to respond to cyber incidents but to:

  • Proactively anticipate risks
  • Prevent intrusion and data loss
  • Transparently manage incidents with customer awareness
🎯 Key Takeaway: The real question is no longer whether cyberattacks will occur but how prepared institutions and governments are in tackling them.

Submitted by: Lipsa Das, at Cyber Law Consulting (Advocates & Attorneys), TOP Tech LAW FIRM in INDIA, as guided by Adv (Dr.) Prashant Mali ♛ [MSc(Comp Sci), LLM, Ph.D.]