
This Article is written by Edleen T. Makiwa of Marwadi University, an intern under Legal Vidhiya

ABSTRACT

During the pre-digital age, when technology was not so prevalent, problems like hacking and cyberattacks were little to none. However, with the coming of the digital age, cyber threats emerged rapidly. Does this mean that the digital age is a bane? Absolutely not. In fact, information technology has been a major breakthrough in the banking sector because it has brought convenience, hassle-free service, and flexibility to the banking system, making banking transactions more accessible and efficient than ever before. However, even with all these benefits, the growth in the use of electronic banking has increased the need for security and privacy. Banks have embraced information technology, with most transactions being conducted online, through bank mobile applications or bank websites. This mode of banking requires proper security to ensure the safety of financial data and user information. This is where encryption comes in as the backbone of cybersecurity in banking law. In an environment where cyber threats are increasing, encryption is not just a tool of security, but rather a legal necessity mandated by national laws and global data protection standards. This article explores the significant role of encryption in banking law and in protecting transactions, along with the legal framework surrounding the use of encryption.

KEYWORDS

Encryption, Banking Law, Electronic Banking, Financial Transaction, Cyberattack.

INTRODUCTION

In this digital age, where banking transactions are conducted online via the internet, it is important to ensure the security of those transactions. Banking transactions are at risk of cyberattacks. Hackers are constantly looking for ways to exploit technological developments to their advantage. Without encryption, one is an open book in a world full of hackers. The risks that come with online banking necessitate encryption in banking law and in protecting transactions. Encryption plays an important role in the protection of banking data. It safeguards the integrity, security, and confidentiality of banking data, and builds and maintains consumer trust. It ensures that banking data and transactions are not accessed by unauthorized users. Encryption refers to the process by which normal or plain text data is transformed into a coded form that can only be accessed by authorized users. Encryption, as defined by the Information Technology (Certifying Authorities) Rules of 2000 under Schedule-V, is the process of transforming plaintext data into an unintelligible form (cipher text) such that the original data either cannot be recovered (one-way encryption) or cannot be recovered without using an inverse decryption process (two-way encryption).[1] It is used to protect information such as personal or sensitive information, financial information, or stored data. In banking, encryption is effective in safeguarding customer account information, log-in credentials, communication between banks and their consumers, communication between banks themselves, etc. The aforementioned information, if accessed by the wrong people, could even cause the world to go upside down, hence the importance of encryption in this technological era.

WHAT IS THE ROLE OF ENCRYPTION IN BANKING LAW AND PROTECTING TRANSACTIONS?

  • Protection of Data Integrity.

Encryption plays a significant role in banking law and in protecting transactions. It ensures data integrity in that it prevents unauthorized users from accessing the information of banking transactions; the information is therefore transmitted from the sender to the receiver without any alterations by unauthorized users. This ensures that the banking transaction information is accurate, reliable, and free from unauthorized modifications.

  • Protection of Information Confidentiality.

Encryption also protects the confidentiality of information. This is because the plain text data is converted into ciphertext, which is not accessible to individuals without the decryption key. Therefore, this ensures that the banking transactions are protected, and their privacy is maintained and protected from hackers.

  • Protection of Sensitive Information.

The technology used in banks is not at all attack-free; it is prone to cyberattacks such as hacking, among others. Hackers never sleep; they work on devising new techniques to bypass current technologies and find ways to exploit any vulnerabilities in them. Banks are adopting new technologies, and transactions are being conducted electronically. This opens room for hackers and/or fraudsters to access the system, intercept sensitive information, and use it for their fraudulent activities. This is where encryption comes in. It protects the sensitive information from being hacked and controlled by

  • Ensure a Secure Banking System.

Encryption enables safe and secure transactions across all platforms, from online banking, ATM transactions to mobile banking. This builds confidence in the banking system, which is essential for digital banking adoption. It ensures a safe passage for the transactions.

  • Protection Against Man-in-the-Middle Attacks.

Encryption protects banking transactions against man-in-the-middle attacks because it secures the communication channel between the sender and receiver of information, making it impossible for a middleman to hack into or tamper with the transactions mid-way.

  • Protection of Banks from Legal Liability.

In case of any breach in the security system of a bank, having encryption as a security tool can help the bank prove due diligence and reasonable care and avoid legal liability. This is because, many a time, in legal battles, when any damage has been incurred by a client due to unauthorized access to their account, the bank is usually held liable for having inadequate security measures. Therefore, if a bank has an encryption policy as a security measure, it can show that it exercised a reasonable duty of care to protect client banking data.

A NOTE ON ENCRYPTION

Section 84A of the Information Technology Act of 2000 authorizes the Central Government to prescribe the modes or methods of encryption for secure use of the electronic medium and for the promotion of e-governance and e-commerce.[2] However, even with the power bestowed upon it, the Central Government hasn’t yet prescribed any modes or methods of encryption as mentioned above since the withdrawal of the draft of the National Encryption Policy in September 2015, which was criticized for being vague and unfeasible.[3]

The Reserve Bank of India, in its notification in 2001 on Internet Banking, issued guidelines to banks for their security that they should use at least the 128-bit SSL (Secured Socket Layer) for securing browser-to-web server communication, and in addition, encryption of sensitive data like passwords in transit within the enterprise itself.[4] It further mentioned that it may be necessary to keep all received and sent messages both in encrypted and decrypted form.[5] This report showed that the RBI acknowledged that there was a need for protection of internet banking transactions, and that encryption is a capable solution.

The Digital Threat Report, which was launched in 2024 to strengthen cybersecurity in the Banking, Financial Services, and Insurance (BFSI) sector, revealed that there is a growing use of artificial intelligence by cybercriminals to bypass traditional security systems, and that cybercriminals aim to exploit digital payment vulnerabilities to their advantage.[6] This report emphasized the need for preventive and detective security measures in financial institutions to curb these threats.[7] This shows that while technological advancements have revolutionized the financial sector, they have opened room for cyberthreats. The growth in sophisticated cyberattacks highlights the reality that traditional security systems are not enough. Banks must adopt encryption as a tool to protect their information and transactions. Encryption ensures that even if cybercriminals manage to bypass the bank security system, they cannot interfere with the data therein as it remains unreadable and useless without the decryption key, which is only available to authorized users. The aforementioned report is a wake-up call for the BFSI sector to invest in strengthening its security protocols in this fast-growing, hostile digital environment.

It is important for banks to be vigilant about their security systems because, in case of legal disputes, it is they who are held liable for the financial loss of a client. The courts have constantly held banks liable for having inadequate security measures which resulted in unauthorized access to client accounts. Banks hold the responsibility of protecting their customers from unauthorized transactions reported on their accounts. For instance, in a ruling by Justices JB Pardiwala and R. Mahadevan, the Supreme Court upheld the State Bank of India’s liability in a case involving fraudulent transactions from a customer’s account amounting to ₹94,204.80.[8] This judgment affirmed the bank’s duty to address such unauthorized and fraudulent transactions, especially given that banks have the best technology capable of detecting and preventing such incidents.

Therefore, this emphasizes the importance of encryption as a security tool useful to banks to prevent the occurrence of fraudulent activities in their systems and in the customers’ accounts.

METHODS OF ENCRYPTION IN BANKING SYSTEMS.

  • Symmetric Encryption

Symmetric Encryption, also referred to as Private-Key Encryption, is an encryption technique that utilizes the same key to both encrypt and decrypt data.[9] It is efficient because it is fast and simple; however, its strength lies in the secrecy of the key. The key has to remain unknown to all parties except the sender and receiver of information. If the key is compromised in any way during data transmission, the security of the transaction is also compromised; it therefore requires strict discretion from the sender and receiver of information.

Symmetric encryption widely uses the Advanced Encryption Standard (AES) algorithm. This algorithm works with fixed block sizes of 128, 192, or 256 bits, offering optimal balance between speed and security.[10] It also uses the Triple Data Encryption Standard (3DES) algorithm, which is an enhanced version of the Data Encryption Standard (DES). The 3DES algorithm strengthens security by applying the DES algorithm three separate times to each data block.

  • Asymmetric Encryption.

Asymmetric Encryption, also known as Public-Key Encryption, differs from symmetric encryption in that it uses two distinct keys for encryption and decryption of data: a public key for encryption and a private key for decryption. The public key can be shared with other parties so that they can send data to the private key holder, whilst the private key cannot be shared with anyone; it should be kept with the data recipient who is authorized to decrypt the data. Even though it is slower than symmetric encryption, it is more secure for data exchange.

Asymmetric Encryption uses the Rivest-Shamir-Adleman (RSA) algorithm, which is used for protecting sensitive data transfers, authenticating data with digital signatures, etc. Its security is based on the difficulty in factoring large prime numbers. It provides much-needed security, especially in banks. The Elliptic Curve Cryptography (ECC) algorithm is another algorithm used in Asymmetric Encryption. ECC uses a curve diagram to represent points of solving a mathematical equation. It is known for its shorter keys, which make it faster and stronger than RSA. As a result, it requires fewer computational resources and less storage, making it highly suitable for banking systems that manage large-scale data operations.

Therefore, banks use any of the above methods of encryption depending on their needs and wants. The above list is not exhaustive; there are other methods that can be utilized by banks.
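An added example (not the article's own code) of the two asymmetric uses named above, in Go: RSA-OAEP wraps a short session key so that only the private-key holder can recover it, and an ECDSA P-256 signature authenticates a payment instruction. The function names, the 2048-bit and P-256 parameters, and the sample key and instruction are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Key pairs: RSA-2048 for the recipient, ECDSA P-256 for the signer (assumed sizes).
func NewRecipientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func NewSignerKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// WrapKey encrypts a short session key to the recipient's public key (RSA-OAEP,
// SHA-256). A 2048-bit key accepts at most 190 bytes of input.
func WrapKey(pub *rsa.PublicKey, sessionKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
}

// UnwrapKey recovers the session key; only the private key holder can do this.
func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Sign returns an ECDSA signature over the SHA-256 digest of instr.
func Sign(priv *ecdsa.PrivateKey, instr []byte) ([]byte, error) {
	d := sha256.Sum256(instr)
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// Verify needs only the signer's public key; any change to instr fails.
func Verify(pub *ecdsa.PublicKey, instr, sig []byte) bool {
	d := sha256.Sum256(instr)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	bank, _ := NewRecipientKey()
	signer, _ := NewSignerKey()
	session := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key
	wrapped, _ := WrapKey(&bank.PublicKey, session)
	got, err := UnwrapKey(bank, wrapped)
	fmt.Println("unwrapped:", err == nil && string(got) == string(session))
	instr := []byte("PAY 1500.00 INR TO ACCT-0001") // constructed sample
	sig, _ := Sign(signer, instr)
	fmt.Println("genuine:", Verify(&signer.PublicKey, instr, sig))
	fmt.Println("altered:", Verify(&signer.PublicKey, []byte("PAY 9500.00 INR TO ACCT-0001"), sig))
}
```

The 190-byte input limit is why public-key encryption normally carries a symmetric key rather than the transaction data itself, with the bulk data protected by the faster symmetric method.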

CONCLUSION

In today’s digital age where cyberthreats are ever-present, encryption stands as a fundamental pillar of security in the banking sector. It is high time India enacted a new banking law specifically on encryption, considering that currently there is none. As cybercriminals adopt more advanced methods, often backed by artificial intelligence, the need to adopt robust and legally backed encryption systems becomes more crucial. Encryption protects our data from unauthorized access. Encryption ensures that the information transmitted from the sender to the receiver is not altered by malicious means.

Indian laws, particularly the Information Technology Act, 2000 and the RBI Guidelines emphasize the importance of encryption in ensuring security of digital infrastructure. However, this is insufficient considering the evolving cyberthreats that demand that encryption be not just a technical security tool, but a legal tool integrated into the banking laws of India and into every banking operation. Technology continues to evolve, and the law should evolve along with it to ensure that it is regulated, and cybersecurity threats are curbed.

REFERENCES

  1. The Information Technology (Certifying Authorities) Rules, 2000.
  2. The Information Technology Act, 2000, No. 21, Acts of Parliament, 2000 (India).
  3. Lexology, https://www.lexology.com/library/detail.aspx?g=af33ffb9-66b8-4d04-a9ff0c5a4668a5fd#:~:text=Anyway%2C%20India%20does%20not%20have%20dedicated%20provisions%20of,encryption%20that%20can%20be%20used%20in%20securing%20transactions (last visited July 11, 2025).
  4. Reserve Bank of India, https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=414 (last visited July 11, 2025).
  5. Cert-In.Org.In, https://www.cert-in.org.in/PDF/Digital_Threat_Report_2024.pdf (last visited July 12, 2025).
  6. CNBCTV, https://www.cnbctv18.com/india/banks-liable-for-unauthorised-transactions-supreme-court-directs-sbi-to-refund-customer-19535551.html (last visited July 12, 2025).
  7. Annie Badman and Matthew Kosinski, What is Symmetric Encryption?, IBM (July 12, 2025, 12:35 PM), https://www.ibm.com/think/topics/symmetric-encryption.
  8. Edward Robin, How Do Banks Encrypt Data? New Softwares (July 12, 2025, 1:08 PM), https://www.newsoftwares.net/blog/how-do-banks-encrypt-data/.

[1] Information Technology (Certifying Authorities) Rules, 2000.

[2] The Information Technology Act, 2000, §84 A, No. 21, Acts of Parliament, 2000 (India).

[3] Lexology, https://www.lexology.com/library/detail.aspx?g=af33ffb9-66b8-4d04-a9ff0c5a4668a5fd#:~:text=Anyway%2C%20India%20does%20not%20have%20dedicated%20provisions%20of,encryption%20that%20can%20be%20used%20in%20securing%20transactions (last visited July 11, 2025).

[4] Reserve Bank of India, https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=414 (last visited July 11, 2025).

[5] Ibid.

[6] Cert-In.Org.In, https://www.cert-in.org.in/PDF/Digital_Threat_Report_2024.pdf (last visited July 12, 2025).

[7] Ibid.

[8] CNBC TV, https://www.cnbctv18.com/india/banks-liable-for-unauthorised-transactions-supreme-court-directs-sbi-to-refund-customer-19535551.html (last visited July 12, 2025).

[9] Annie Badman and Matthew Kosinski, What is Symmetric Encryption? IBM (July 12, 2025. 12:35 PM), https://www.ibm.com/think/topics/symmetric-encryption.

[10] Edward Robin, How Do Banks Encrypt Data? New Softwares (July 12, 2025, 1:08 PM), https://www.newsoftwares.net/blog/how-do-banks-encrypt-data/.

Disclaimer: The materials provided herein are intended solely for informational purposes. Accessing or using the site or the materials does not establish an attorney-client relationship. The information presented on this site is not to be construed as legal or professional advice, and it should not be relied upon for such purposes or used as a substitute for advice from a licensed attorney in your state. Additionally, the viewpoint presented by the author is personal.

