Electronic Bank Records and Its Implications for Banks and their Customers – Part I
November 11, 2016
On November 3rd, 2016, Finton De Bourg was found guilty by a jury of his peers in respect of fraud-related charges arising out of the collapse of Capital Bank International Limited, a Grenada indigenous bank.
Electronic records would have played a supporting role in the evidence given at Mr. DeBourg’s trial. These electronic records were obtained by the Receiver’s computer forensics specialist team immediately upon taking over the Bank.
The electronic records were retained, kept in storage, and used at this just-concluded criminal trial, eight years after the Bank went into receivership.
We are all aware that in the internet age, large quantities of customer personal information are held by Banks in their computer databases.
This fact juxtaposes two conflicting subject areas in the spotlight: (1) Banking Privacy; and, (2) Public Interest.
To find a reasoned answer in law as to this apparent public/private conflict, there must be an examination of the rights and obligations of the affected parties, whether it is the bank, the customer, or third parties. This article is intended to cover electronic records from the perspectives of regulation, access, and evidence in two parts, this being Part I.
It is stated that Banks must adapt to the growing obligations associated with maintaining electronic records, and that there must be policies in place to deal with proper storage, retention, sharing, and disposal of these electronic records.
The following questions are posed for consideration:
- What are these electronic records and how are they regulated?
- Who can access the electronic records?
- Are the electronic records admissible in our court systems?
- What affects the integrity of these electronic records?
- And finally, how does the Bank safeguard itself against liability connected with electronic records?
(i) What are these electronic records and how are they regulated?
As a quick snapshot, under The ELECTRONIC TRANSACTIONS ACT No. 21 of 2013: “electronic record” means “a record generated, communicated, received or stored by electronic means in an information system or for transmission from one information system to another”. The same definition is found in The ELECTRONIC FILING ACT No 12 of 2013.
If we are to examine this from a pure legal perspective, we can start by positing a hypothetical scenario in which a bank or some other financial institution in Grenada was considering its options for the transfer and storage of certain electronic records relative to customers.
This hypothetical scenario contemplates electronic records, which may consist of internal, bank-generated customer information, being transferred to a series of cloud-configured computer servers in a foreign country.
Let us suppose that this cloud storage facility being considered by the bank or financial institution is based in Seattle, Washington, United States of America.
It could be that the justification for this is that the Bank’s current email storage provider is no longer able to continue in the business, or that the financial institution is seeking a more cost-effective and flexible system readily available from a foreign country.
In this hypothetical scenario, the electronic records to be transferred would be e-mails, including any attachments to these e-mails. These email attachments would consist of documents relating to a wide range of corporate and personal information pertaining to the Bank and its customers.
These electronic records will also contain transactional information, documents concerning real estate transactions, estates and services, corporate records, and applications for products and services containing sensitive customer personal information.
Let us also suppose that the financial institution is considering the transfer of customer record storage and records of transactions between the Bank and its customers; as well as payments and benefits information for its employees in the same manner.
These electronic records would include detailed personal information on customers and employees (such as name, contact information, government-issued identification, date of birth, and employment data).
Transactional information would include records regarding transactions completed on customer products, such as bank accounts, credit cards, mortgages, wire transfer data etc.
We all know confidentiality is key in the Banking Industry, but here we are contemplating a transfer of all this private information about customers, transactions, services and so on into “the Cloud”, which is going to be controlled and stored by a service provider that is not the financial institution, and, which is situate outside of the jurisdiction of Grenada.
In Grenada, we do not have any over-arching “privacy rights” enshrined in statute, not even in our Constitution, and so the issues of private information and the intended transfer of electronic records are governed by common law under tort and contract: in particular, the tort of breach of confidence and the terms of any bank customer agreement such as a customer privacy agreement, as well as our E-legislation regime.
It was only as late as 2013 that Grenada had its body of E-legislation introduced to govern our “E-dealings”, so to speak. Our legislature in Grenada has finally caught up to the times! See the following regime of e-laws now on the books and in force.
- Electronic Filing Act, Act No. 12 of 2013: “to give legal recognition to and to regulate the electronic filing of information with Public Authorities…”;
- Electronic Evidence Act, Act No. 13 of 2013: “to give legal recognition to electronic records and to facilitate the admission of such records into legal proceedings…”;
- Electronic Transfer of Funds Crimes Act, Act No. 14 of 2013: “to regulate the transfer of monies done electronically and for related matters…”;
- Electronic Transactions Act, Act No. 21 of 2013: “to give legal effect to electronic documents, records and signatures…”;
- Electronic Crimes Act, Act No. 23 of 2013: “addresses the prevention and punishment of crimes done electronically…”.
As lawyers, it is quite likely that we would advise that the Bank’s electronic records can be transferred and kept in “the Cloud”, pursuant to the terms and conditions of a cloud computing services agreement with the cloud service provider. That said, the next question now is:
(ii) Who can access these electronic records?
Let’s think about this hypothetical scenario for a moment. A customer’s information about a transaction that happened in 2012 is stored on the Cloud, and there is a request for this information to be retrieved in 2016.
Who will be able to access these electronic records? This could be the Bank itself, or its disgruntled customer or his personal representative, if the customer is now deceased.
But what about the Eastern Caribbean Central Bank, the Financial Intelligence Unit, or any other person with a legitimate request in a legal proceeding who is granted an Order by the Court?
Let us revert for a moment to the transfer of email communications for storage purposes as mentioned earlier. First, we can confirm that e-mails do constitute part of the records of the Bank; and, that these may be requested by the Central Bank Examiner, for example, in pursuance of his statutory duties under the Banking Act.
Pursuant to Sections 74, 89, and 90 of the Banking Act, the Central Bank is authorized to access or obtain the Bank’s electronic information.
In this internet age, it seems acceptable that electronic records may be the preferred choice of the Central Bank for production and inspection purposes, if indeed, a request for information is made or any information is required by it in the exercise of its statutory duties.
Section 12(1) of the Electronic Transactions Act (“ETA”) deals with the retention of documents, records or information in electronic form, providing that: “Where certain documents records or information are required by law to be retained in paper or other non-electronic form that requirement is met by retaining it in electronic form if certain conditions are satisfied information contained in electronic form is accessible so as to be usable for subsequent reference.”
And under section 32 of the ETA, the requirement for inspection of records is met by making such records available for the inspection in a perceivable form as an electronic record.
Further, the Proceeds of Crime (Anti-Money Laundering and Financing) Guidelines SRO 6 of 2012 recognizes the retention of records in retrievable form which may consist of computerized or other electronic data.
In other words, the legislation makes it abundantly clear on a prima facie basis that electronic data is as acceptable as paper-based data.
What this means is that, as with a document stored in a cabinet, the Court can allow the Financial Intelligence Unit, a Receiver, a Liquidator, or a litigant in an adverse proceeding against the Bank to access information contained in the electronic records wherever or howsoever electronically stored by the Bank.
But what about unauthorized third party access to this information through hacking into the electronic systems of either the Bank or the Cloud Service Provider?
The Electronic Crimes Act addresses that unauthorized access scenario by (1) defining “electronic system” to include an electronic storage medium; and (2) specially recognizing at section 13(3) a “sensitive electronic system” as an “electronic system used in connection with or necessary for the provision of services directly related to banking and financial services.”
Thirdly, and most importantly, the Electronic Crimes Act makes this unauthorized third party access a criminal offence in that Section 13(1) states: – “A person shall not knowingly or without lawful excuse and justification disable or obtain access to a sensitive electronic system.”
Of particular note is that under section 14 of the Electronic Crimes Act (which is paraphrased here for brevity), a person who threatens the integrity, security, etc. of Grenada, or strikes terror in its people, by attempting to penetrate or access an electronic system without authorization or by exceeding authorized access, and who by means of such conduct causes, or is likely to cause, death or injury to persons, can be found liable, if convicted, of the indictable offence of “electronic terrorism.”
If anyone thinks that the elimination of paper records does not come at a cost, you only have to think about the explosive Panama Papers exposé in 2016!
It is clear then, that the question of access to electronic records can quickly lead to matters of litigation, whether it is with respect to legitimate access, or unauthorized access to the electronic records.
We shall address the issue of electronic evidence, and safeguarding the interests of banks in connection with electronic records, in Part II of our article to be published on this site very soon.
This topic was presented by the Principal Leslie-Ann Seon at a training session for bankers this month and has been modified for publication on the web.