The Practice And Procedure Guidelines Used To Prepare And Maintain Financial Records: Fill & Download for Free

Imagine a city with a few people and a few firms. These firms tend to keep to themselves and contribute their part towards the city’s economy.Due to low number of firms in the city, these firms often find the need to conduct business with each other.Would you engage in business if you didn’t understand or couldn’t comprehend the other party’s financial figures?Maybe you record sales and update your cash account balance when it occurs and not when you are actually paid. Maybe the other firm, records the sales but updates the accounts receivables and sales and not the cash account.When different accounting practices are used, all the firms in the economy use different tools. This results in vague understanding and confuses all external parties involved.In such a situation, it becomes exceedingly difficult to analyze profitability and risks of the firm.This is where IFRS comes in.IFRS standardizes all accounting practices, rules and regulations. Concerned parties across the world are able to analyze financial statements because now, they are prepared using a standard guideline and procedure.But why should the firms or the investors trust IFRS and their standards?Well, it is because IFRS brings in 3 priceless benefits. They are :Transparency: This helps investors make more informed decisions. Transparency encourages comparability as well.Accountability: IFRS standards bridges the information gap between the external and internal parties of a firm. This helps in maintaining high standards of accountability.Efficiency: IFRS improves efficiency. Companies follow IFRS standards because it's widely accepted and trusted. This further helps in lowering financial reporting costs.This in turn enables investors, stockholders, and various other parties of a firm to understand the financial statements and reports and make important risky decisions accordingly.International Financial Reporting Standards standardizes all accounting practices and brings all rules, regulations, and methods under one umbrella.IFRS provides crystal clear understandability of a firms financial statement.

HARSHAD MEHTA SCAM :This was one of the best engineered financial scam the country has witnessed.To understand the complete story :It requires the complete understanding of the whole mechanism, plotted very cleverly by a broker.A basic knowledge is required to understand the financial terms used ahead in order to catch the whole scenario.It is a long read. Go on and comprehend. It is indeed a very interesting story where there were faults in the system itself.I found this report from one of the projects by the students of IIMA. Here is the simplified version to read so that even a layman can grasp and correlate the chain of events happening around in the plot.The term "Securities Scam" refers to a diversion of funds to the tune of over Rs. 3500 crores from the banking system to various stockbrokers in a series of transactions (primarily in Government securities) during the period April 1991 to May 1992.The scam has for several months become a permanent feature of the front pages of the newspapers. Despite the massive media coverage of the scam, most readers found it hard to understand it particularly when they were confronted with difficult terms and acronyms like ready forward, double ready forward, SGL, PDO, BR, PMS etc.In April 1992, the first press report appeared indicating that there was a shortfall inthe Government Securities held by the State Bank of India. In a little over a month, investigations revealed that this was just the tip of an iceberg which came to be called the securities scam, involving misappropriation of funds to the tune of over Rs. 3500 crores ( about $ 1.2 billion). In an ever expanding ambit, the scam has engulfed top executives of large nationalised banks, foreign banks and financial institutions, brokers, bureaucrats and politicians. The functioning of the money market and the stock market has been thrown in disarray. The scam has generated such immense public interest that it has become a permanent feature on the front pages of newspapers.The scam was in essence a diversion of funds from the banking system (in particular the inter-bank market in government securities) to brokers for financing their operations in the stock market.A clear understanding of the government securities market and the stock (corporate securities) markets is a prerequisite for understanding the scam. A brief comparative description of these two markets is as follows:It is quite clear therefore that there were enormous profits to be had for anybody who could find a way of breaching the artificial wall separating the two markets and arbitrage between them. That in essence was what the scam was all about.To understand the motivation of different players involved in such diversion, it is necessary to examine the changes in the economic environment that preceded the discovery of the scam, and how these changes were affecting the the principal players in both markets.1. LIBERALISATION OF THE ECONOMY .After assuming office in June 1991, the new government accelerated the process of economic liberalisation under the auspices of the International Monetary Fund (IMF).The opening up of the Indian economy as a result of these measures promised an unprecedented growth and prosperity for the private corporate sector as new sectors of the economy were being allowed private participation and various administrative impediments were being removed. Anticipating the good tidings for the private sector, the stock market started booming - the Bombay Stock Exchange Sensitive Index (SENSEX) rose from around 1000 in February 1991 to a peak of 4500 in March 1992 just before the scam came to light. This meant an enormous increase in the scale of finance required by operators in the stock market. Heavy margins imposed by the Bombay Stock Exchange on settlement trading added to the funds requirement.At the same time, the new free market philosophy confronted the public sector with new challenges. There was immense pressure on the public sector to perform - to perform in financial terms. The nationalised banks too were under the same pressure to improve their bottom line. The proposed increase in capital adequacy requirement (mandated by the Narasimham Committee report) added to the pressure on the banks.Another innovation in the banking sector in the period preceding the scam was the Portfolio Management Scheme (PMS).PMS was simply a deposit which was not subject to interest rate ceilings or to reserve requirements. The scheme was designed to permit deployment of large amounts of surplus cash available with several public sector undertakings (PSUs) particularly in the oil sector. A large part of this surplus cash resulted from borrowings in the international markets (by PSUs, at the instance of the government) to bolster the country's precarious foreign exchange reserves.An intense competition developed among the banks for these funds as they were unfettered by reserve requirements.To compete for PMS funds from the PSUs as well as to enhance their own profitability, banks were forced to look for higher returns. This was happening at the same time when there was a growing need for funds in the informal money market to finance stock market operations at very high rates of interest. The time was therefore most appropriate for somebody to find innovative ways of diverting funds from the banking system to the stock market. Brokers who were operating in both the markets were ideally placed to do this, and thus the scam was born.2. THE READY FORWARD DEAL :(Don’t worry about the complex terms, read and understand , it’s simple.)The crucial mechanism through which the scam was effected was the ready forward (RF) deal.The RF is in essence a secured short term (typically 15 day) loan from one bank to another bank. The lending is done against government securities, exactly the way a pawnbroker lends against jewellery or other valuables.In form, however, the RF is not a loan at all. The borrowing bank (Bank 2) actually sells the securities to the lending bank (Bank 1) and buys them back at the end of the period of the loan at (typically) a slightly higher price. The price difference represents the interest on the loanThe RF in India serves two main purposes:• Like repo markets around the world the RF deals provide much needed liquidity to the government securities markets.• The RF deals are an important tool in the hands of the banks to manage their Statutory Liquidity Ratio (SLR) requirements. Banks in India were required to maintain 38.5% of their Demand and Time Liabilities (DTL) in government securities and certain approved securities which are collectively known as SLR securities.RF helps in managing this requirement in two ways :A bank which has a temporary surge in DTL may not want to buy SLR securities outright and then sell them when the DTL comes back to normal. Instead it can do an RF deal whereby it effectively borrows the securities from a bank which has surplus SLR securities. An RF in SLR securities can thus be seen either as lending of money or as borrowing of securities.An RF deal is not legally a loan. The amount borrowed by a bank under RF is not regarded as a part of the bank's liabilities. Therefore it is not a part of its DTL, and does not attract the SLR requirement. Had the bank borrowed outright, it would have had to maintain 38.5% of the borrowing in SLR securities.The Mechanics of the Scam As explained above, a ready forward deal is, in substance, a secured loan from one bank to another. To make the scam possible, the RF had to undergo a complete metamorphosis: it had to become an unsecured loan to a broker. How was this transformation brought about? The three crucial steps to effect the metamorphosis were:• The settlement process in the government securities market became broker intermediated, that is, delivery and payments started getting routed through a broker instead of being made directly between the transacting banks.• The broker through whom the payment passed on its way from one bank to another found a way of crediting the money into his account though the account payee cheque was drawn in favour of a bank.• While the above two steps transformed an RF deal from a loan to a bank into a loan to a broker, it would still be a secured loan. However, the brokers soon found a way of persuading the lending bank to dispense with security for the loan or to accept worthless security.Now elaboration on each of these steps is required , in order to clearly understand the modus operandi used in the scam.3. SETTLEMENT PROCESSThe normal settlement process in government securities is that the transacting banks make payments and deliver the securities directly to each other.The broker's only function is to bring the buyer and seller together and help them negotiate the terms, for which he earns a commission from both the parties. He does not handle either the cash or the securities.During the scam, however, the banks or at least some banks adopted an alternative settlement process which was similar to the process used for settling transactions in the stock market.In this settlement process, deliveries of securities and payments are made through the broker. That is, the seller hands over the securities to the broker who passes them on to the buyer, while the buyer gives the cheque to the broker who then makes the payment to the seller. In this settlement process, the buyer and the seller may not even know whom they have traded with, both being known only to the broker.There were two important reasons why the broker intermediated settlement began to be used in the government securities markets:The brokers instead of merely bringing buyers and sellers together started taking positions in the market. In other words, they started trading on their own account, and in a sense became market makers in some securities thereby imparting greater liquidity to the markets.When a bank wanted to conceal the fact that it was doing an RF deal, the broker came in handy. The broker provided contract notes for this purpose with fictitious counterparties, but arranged for the actual settlement to take place with the correct counterparty.4. ACCOUNT PAYEE CHEQUESA broker intermediated settlement allowed the broker to lay his hands on the cheque as it went from one bank to another through him.The hurdle now was to find a way of crediting the cheque to his account though it was drawn in favour of a bank and was crossed account payee.As it happens, it is purely a matter of banking custom, that an account payee cheque is paid only to the payee mentioned on the cheque.In fact, exceptions were being made to this norm, well before the scam came to light. Privileged (corporate) customers were routinely allowed to credit account payee cheques in favour of a bank into their own accounts to avoid clearing delays, thereby reducing the interest lost on the amount.Normally, if a customer obtains a cheque in his own favour and deposits it into his own account, it may take a day or two for the cheque to be cleared and for the funds to become available to the customer. At 15% interest, the interest loss on a clearing delay of two days for a Rs. 100 crore cheque is about Rs. 8 lacs.On the other hand, when banks make payments to each other by writing cheques on their account with the RBI, these cheques are cleared on the same day.The practice which thus emerged was that a customer would obtain a cheque drawn on the RBI favouring not himself but his bank. The bank would get the money and credit his account the same day. This was the practice which the brokers in the money market exploited to their benefit.5. DISPENSING WITH THE SECURITY.The brokers thus found a way of getting hold of the cheques as they went from one bank to another and crediting the amounts to their accounts.This effectively transformed an RF Into a loan to a broker rather than to a bank. But this, by itself, would not have led to the scam because the RF after all is a secured loan, and a secured loan to a broker is still secured. What was necessary now was to find a way of eliminating the security itself!Three routes adopted for this purpose were:Some banks (or rather their officials) were persuaded to part with cheques without actually receiving securities in return. A simple explanation of this is that the officials concerned were bribed and/or negligent. A more intriguing possibility is that the banks' senior/top management were aware of this and turned a Nelson's eye to it to benefit from higher returns the brokers could offer by diverting the funds to the stock market. One must recognise that as long as the scam lasted, the banks benefited from such an arrangement. The management of banks might have been sorely tempted to adopt this route to higher profitability.The second route was to replace the actual securities by a worthless piece of paper - a fake Bank Receipt (BR). This is discussed in greater detail in the next section.The third method was simply to forge the securities themselves. In many cases, PSU bonds were represented only by allotment letters rather than certificates on security paper. And it is easier to forge an allotment letter for Rs. 100 crores worth of securities than it is to forge a 100 rupee note! Outright forgery of this kind however accounted for only a very small part of the total funds misappropriated.6. BANK RECEIPTIn an RF deal, as we have discussed it so far, the borrowing bank delivers the actual securities to the lender and takes them back on repayment of the loan. In practice, however, this is not usually done. Instead, the borrower gives a Bank Receipt (BR) which serves three functions:The BR confirms the sale of securities.It acts as a receipt for the money received by the selling bank. Hence the name - bank receipt.It promises to deliver the securities to the buyer. It also states that in the meantime the seller holds the securities in trust for the buyer.In short, a BR is something like an IOU (I owe you securities!), and the use of the BR de facto converts an RF deal into an unsecured loan. The lending bank no longer has the securities; it has only the borrower's assurance that the borrower has the securities which can/will be delivered if/when the need arises.Advantages of using BRs. There were several reasons why BRs came to be used in lieu of the actual securities:BRs were very convenient for RF deals because delivery was not needed. BRs could simply be cancelled and returned when the deals were reversed.In case of PSU bonds, actual delivery was almost impossible because of a variety of reasons, such as non-existence of certificates, or a single certificate for investment of several hundreds of crores of rupees.In case of government securities, the RBI had issued a directive that BRs should not be used. The reason was that, for these securities, the RBI, through its Public Debt Office (PDO), acts as the custodian. Physical securities are never issued, and the holding of these securities is represented by book entries at the PDO.The ledger in which the PDO maintains these accounts is called the Subsidiary General Ledger (SGL), and these securities are referred to as SGL securities.When a holder of these securities sells them and wishes to transfer them to the buyer, he fills up an SGL transfer form and gives it to the buyer.This SGL form can be compared to a cheque: the buyer deposits it into his SGL account at the PDO, and the PDO makes a book entry reducing the holding of the seller and increasing that of the buyer. Because of this facility, the RBI does not permit use of BRs for these securities. Had the PDO functioned efficiently and carried out its bookkeeping without delays, RBI would have been justified in not permitting use of BRs for government securities.Unfortunately, the PDO was very inefficient and laggardly in its functioning. This was a very serious matter because, like a cheque, an SGL form can also bounce if the seller does not have sufficient holding of securities in his SGL account. The buyer needs to be informed about this promptly; else, he may resell the same securities by issuing his own SGL forms in the belief that he has sufficient balance in his account. The inefficiency of the PDO made the SGL form an inconvenient and unreliable instrument, and banks preferred to use BRs even for the SGL securities, in violation of the RBI's directiveBRs Issued without Backing of Securities As stated earlier, a BR is supposed to imply that the issuer actually has the securities and holds them in trust for the buyer. But in reality the issuer may not have the securities at all. There are two reasons why a bank may issue a BR which is not backed by actual securities:A bank may short sell securities, that is, it sells securities it does not have. This would be done if the bank thinks that the prices of these securities would decrease. Since this would be an outright sale (not an RF!), the bank issues a BR. When the securities do fall in value, the bank buys them at lower prices and discharges the BR by delivering the securities sold. Short selling in some form is an integral part of most bond markets in the world. It can be argued that some amount of short selling subject to some degree of regulation is a desirable feature of a bond market. In our opinion, an outright sale using a BR which is not backed by securities is not harmful per se though it violates the RBI guidelines.The second reason is that the bank may simply want an unsecured loan. It may then do an RF deal issuing a "fake" BR which is a BR without any securities to back them. The lending bank would be under a mistaken impression that it is making a secured loan when it is actually advancing an unsecured loan. Obviously, lenders should have taken measures to protect themselves from such a possibility. This aspect will be examined later when we discuss the banks' control system in general and counterparty limits in particular.During the scam, the brokers perfected the art of using fake BRs to obtain unsecured loans from the banking system. They persuaded some small and little known banks - the Bank of Karad (BOK) and the Metropolitan Cooperative Bank (MCB) - to issue BRs as and when required. These BRs could then be used to do RF deals with other banks. The cheques in favour of BOK were, of course, credited into the brokers' accounts. In effect, several large banks made huge unsecured loans to the BOK/MCB which in turn made the money available to the brokers.7. CONTROL SYSTEMSThe scam was made possible by a complete breakdown of the control system both within the commercial banks as well as the control system of the RBI itself. We shall examine these control systems to understand how these failed to function effectively and what lessons can be learnt to prevent failure of control systems in the future. The internal control system of the commercial banks involves the following features:Separation of Functions: The different aspects of securities transactions of a bank, namely dealing, custody and accounting are carried out by different persons. Dealing refers to the decision about which transactions are to be entered into with which parties. Custody involves receiving and delivering securities/substitute instruments and cheques for the transactions done. Accounting involves maintenance of the investment account of the bank and its reconciliation with the SGL account of the bank maintained by the PDO of the RBI. Closely related to separation of functions is the notion of double custody. Just as the currency chests in the banks are under double custody where two people have to collaborate to open it, the securities too are usually under double custody. The assumption underlying double custody is that two individuals are unlikely to have a criminal intent at the same time!Counterparty Limits: The moment an RF deal is done on the basis of a BR rather than actual securities, the lending bank has to contend with the possibility that the BR received may not be backed by any/adequate securities. In effect, therefore, it may be making an unsecured loan, and it must do the RF only if it is prepared to make an unsecured loan. This requires assessing the creditworthiness of the borrower and assigning him a "credit limit" up to which the bank is prepared to lend. Technically, this is known as a counterparty limit. Strictly, a counterparty limit is required even if an RF is done against actual securities because the securities may decline in value and the RF may end up becoming only partly secured though it was fully secured to begin with.Most of the foreign banks with the exception of the Standard Chartered Bank had very strict counterparty limits and were thus protected from lending too much against fake BRs. For a bank like the Bank of Karad, a reasonable counterparty limit may have been Rs. 50 lacs so that an RF for several hundred crores would be flatly refused. The Standard Chartered Bank either did not have or did not adhere to such limits and agreed to do these RFs.These simple control mechanisms were not being operated by the PDO.What is more surprising is that even when discrepancies were discovered, such as when some SGL forms sent to the PDO bounced because of inadequate inventory of securities in the seller's account, the intimation regarding the inadequacy of securities was communicated to the buyer leisurely, may be through a letter by ordinary post, which could take days to reach. In the mean time, if the buyer sells the same securities on the strength of the SGL sent to the PDO, it could start an ever expanding chain of bounced SGLs! It appears that the PDO was not particularly perturbed by such possibilities.The RBI is expected to carry out site inspections and other audits of the investment accounts and procedures of the banks. These were not quite comprehensive and even when some irregularities were detected, the RBI did not act decisively against the erring banks.8. WINDOW DRESSING THE BALANCE SHEETS.Most banks carry investments in their books at their cost of acquisition and do not mark it down to market. This creates serious distortions during a period when, as shown in the preceding section, the prices of securities are falling.If one assumes that prices of government securities fell by about 5% over the last year, then on an aggregate holding of these securities by the banking system of Rs. 70,000 crores, the paper loss of the banks would be Rs. 3,500 crores. A 10% fall in the prices of PSU bonds would imply a further paper loss of about Rs. 800 crores to the banks (based on the assessment that banks hold about Rs. 8000 crores worth of PSU bonds).Under the current system of accounting, these losses are recognized only when the securities are sold. This means that a bank would be reluctant to sell these securities and show the loss in its books. It was in this context that the banks and the brokers resorted to innovative methods of window dressing the bank balance sheet.The basic idea is as follows:The bank sells the securities trading at a discount to a broker at face value or at a price which is much higher than the prevailing market prices. The broker incurs a huge loss in this transaction as he will have to resell the securities to some other bank at market prices.The bank then buys some other securities from the same broker at prices well above market prices. The broker therefore makes a huge profit in the second transaction which compensates him for the loss incurred in transaction (a).Thus, the net result of the two transactions is that neither the bank nor the broker make any profit or loss. Then why would these transactions be done? The reason is that while the profit earned through transaction(a) would improve the bottom line (profit) for the bank, the loss suffered by the bank in transaction(b) would not be reflected in its profit and loss account at all. The securities bought would simply appear in the bank's balance sheet at inflated values!It is a most ingenious way of creating paper profits. As far the broker is concerned, the price in transaction (a) can be as high as the bank wants so long as he gets a correspondingly higher price in transaction (b).What the scam investigations have revealed is that window dressing of this kind was rampant. Instances have been recorded of the same broker selling the same security on the same day to different banks at vastly different prices.This makes it very difficult to fathom the motives for a single transaction in isolation from other transactions done by a bank.Unless one can put together the entire series of transactions, it is impossible to know whether the banks or the brokers have been the net gainers through all the manipulative transactions. It is conceivable that some brokers were willing to absorb a part of the losses as a quid pro quo for other "services" which the banks provided them.It is interesting to note that even the pure RF deal involves an element of window dressing.The lending bank shows the interest received as an income in its profit and loss account.But the borrowing bank does not show the interest paid as an expense, because it simply carries the investment in its books at the higher repurchase price.It is, in fact, quite likely that the enormous increases in the profits that some of the banks reported in 1992 over the previous year, can at least in part be explained by use of such "creative" accounting practices.Where has all the money gone?It is becoming increasingly clear that despite the intensive efforts by several investigating agencies, it would be impossible to trace all the money swindled from the banks. At this stage we can only conjecture about where the money has gone and what part of the misappropriated amount would be recovered. Based on the result of investigations and reporting so far, the following appear to be the possibilities:A large amount of the money was perhaps invested in shares. However, since the share prices have dropped steeply from the peak they reached towards end of March 1992, the important question is what are the shares worth today? Till February 1992, the Bombay Sensitive Index was below 2000; thereafter, it rose sharply to peak at 4500 by end of March 1992. In the aftermath of the scam it fell to about 2500 before recovering to around 3000 by August 1992. Going by newspaper reports, it appears likely that the bulk of Harshad Mehta's purchases were made at low prices, so that the average cost of his portfolio corresponds to an index well below 2500 or perhaps even below 2000. Therefore, Mehta's claim that he can clear all his dues if he were allowed to do so cannot be dismissed without a serious consideration. Whether these shares are in fact traceable is another question.It is well known that while Harshad Mehta was the "big bull" in the stock market, there was an equally powerful "bear cartel", represented by Hiten Dalal, A.D. Narottam and others, operating in the market with money cheated out of the banks.Since the stock prices rose steeply during the period of the scam, it is likely that a considerable part of the money swindled by this group would have been spent on financing the losses in the stock markets.It is rumoured that a part of the money was sent out of India through the havala racket, converted into dollars/pounds, and brought back as India Development Bonds. These bonds are redeemable in dollars/pounds and the holders cannot be asked to disclose the source of their holdings. Thus, this money is beyond the reach of any of the investigating agencies.A part of the money must have been spent as bribes and kickbacks to the various accomplices in the banks and possibly in the bureaucracy and in the political system.As stated earlier, a part of the money might have been used to finance the losses taken by the brokers to window-dress various banks' balance sheets. In other words, part of the money that went out of the banking system came back to it. In sum, it appears that only a small fraction of the funds swindled is recoverable.This sort of chain to chain connection laid out as a master plan for the “Big Bull” to cheat and manipulative the stock prices with loads of money acquired with fraudulent activities for fulfilling his own pockets and his filthy intentions.“Kaam karne ki pehli shart imaandari hoti hai” ,But these big bulls were just stupid and did not have either the brain nor any morals to understand the basics.

The Information Technology Act, 2000 came into force on 17.10.2000 vide G.S.R No. 788(E) dated 17.10.2000 and for the first time, a legal definition of “Computer”, “Data”, “electronic record”, “Information” et al were provided. The said Act gave a legal recognition to the electronic records and digital signatures and in Chapter IX thereof provided for penalty and adjudication. Section 43 of the Act interalia provided that in case of unauthorised access, download or copying or damage to data etc, the person responsible shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person affected.Apart from civil liability provided under Section 43, Chapter XI (Sections 63 to 78) of the Act of 2000 provided for criminal liability in cases of Tampering, Hacking, publishing or transmitting obscene material, misrepresentation etc. Apart from the same, Section 72 of the Act provided for penalty in case of breach of confidentiality and privacy and laid that in case any person who has secured access to any electronic record, Data or information, discloses the same to any other person without obtaining the consent of the person concerned, he shall be punished with imprisonment upto two years or with fine upto Rupees one lakh or with both.However, the provisions of the Information Technology Act, 2000 were not adequate and the need for more stringent data protection measures were felt, the Information Technology (Amendment) Act, 2008 was enacted which came into force on 27.10.2009. The said Amendment Act brought in the concepts like cyber security in the statute book and widened the scope of digital signatures by replacing the words “electronic signature”. The amendment act also provided for secure electronic signatures and enjoined the central government to prescribe security procedures and practices for securing electronic records and signatures (Sections 15-16) The amendment Act also removed the cap of Rupees One Crore as earlier provided under Section 43 for damage to computer and computer systems and for unauthorised downloading/ copying of data. The said Amendment Act also introduced Section 43A which provides for compensation to be paid in case a body corporate fails to protect the data. Section 46 of the Act prescribes that the person affected has to approach the adjudicating officer appointed under Section 46 of the Act in case the claim for injury or damage does not exceed Rupees Five crores and the civil court in case, the claim exceeds Rupees Five crores. The amendment act also brought/ introduced several new provisions which provide for offenses such as identity theft, receiving stolen computer resource/ device, cheating, violation of privacy, cyber terrorism, pornography (Section 66A-F & 67A-C). The amendment act also brought in provisions directing intermediaries to protect the data/information and penalty has been prescribed for disclosure of information of information in breach of lawful contract (Section 72A)With the enactment of the Amendment Act of 2008, India for the first time got statutory provisions dealing with data protection. However, as the ingredients of “sensitive personal data and information” as well as the “reasonable security practices and procedures” were yet to be prescribed by the Central Government, the Ministry of Communications and Information Technology vide Notification No. GSR 313 (E) dated 11th April 2011 made the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information ) Rules, 2011 (the said rules). Rule 3 of the said rules defines personal sensitive data or information and provides that the same may include information relating to password, financial information such as bank account or credit card details, health condition, medical records etc. Rule 4 enjoins every body corporate which receives or deals with information to provide a privacy policy. Rule 5 prescribes that every body corporate shall obtain consent in writing from the provider of the sensitive information regarding purpose of usage before collection of such information and such body corporate will not collect such information unless it is collected for a lawful purpose connected with the function or activity of such body corporate and collection of such information or data is necessary and once such data is collected, it shall not be retained for a period longer than what is required. Rule 6 provides that disclosure of the information to any third party shall require prior permission from the provider unless such disclosure has been agreed to in the contract between the body corporate and the provider or where the disclosure is necessary for compliance of a legal obligation. The Body corporate has been barred to publish sensitive information and the third parties receiving such information have been barred to disclose it further. Rule 7 lays down that the body corporate may transfer such information to any other body corporate or person in India or outside, that ensure the same level of data protection and such transfer will be allowed only if it is necessary for performance of lawful contract between the body corporate and provider of information or where the provider has consented for data transfer. Rule 8 of the said rules further provide reasonable security practises and procedures and lays down that international standard IS/ISO/IEC 27001 on “Information Technology- Security Techniques- Information Security Management System- requirements “ would be one such standard.The Ministry of Communication and Information Technology further issued a press note dated 24th August 2011 and clarified that the said rules are applicable to the body corporate or any person located within India. The press note further provides that any body corporate providing services relating to collection or handling of sensitive personal data or information under contractual obligation with any other legal entity located within India or outside is not subject to requirements of Rules 5 &6 as mentioned hereinabove. A body corporate providing services to the provider of information under a contractual obligation directly with them however has to comply with Rules 5 &6. The said press note also clarifies that privacy policy mentioned in Rule 4 relates to the body corporate and is not with respect to any particular obligation under the contract. The press note at the end provides that the consent mentioned in Rule 5 includes consent given by any mode of electronic communication.Data Protection relates to issues relating to the collection, storage, accuracy and use of data provided by net users in the use of the World Wide Web. Visitors to any website want their privacy rights to be respected when they engage in e-Commerce. It is part of the confidence-creating role that successful e-Commerce businesses have to convey to the consumer. If industry doesn't make sure it's guarding the privacy of the data it collects, it will be the responsibility of the government and it's their obligation to enact legislation.Any transaction between two or more parties involves an exchange of essential information between the parties. Technological developments have enabled transactions by electronic means. Any such information/data collected by the parties should be used only for the specific purposes for which they were collected. The need arose, to create rights for those who have their data stored and create responsibilities for those who collect, store and process such data. The law relating to the creation of such rights and responsibilities may be referred to as ‘data protection’ law.The world’s first computer specific statute was enacted in the form of a Data Protection Act, in the German state of Hesse, in 1970.The misuse of records under the Nazi regime had raised concerns among the public about the use of computers to store and process large amounts of personal data.The Data Protection Act sought to heal such memories of misuse of information. A different rationale for the introduction of data protection legislation can be seen in the case of Sweden which introduced the first national statute in 1973.Here, data protection was seen as fitting naturally into a two hundred year old system of freedom of information with the concept of subject access (such a right allows an individual to find out what information is held about him) being identified as one of the most important aspects of the legislation.In 1995, the European Union adopted its Directive (95/46/EC) of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, the Directive), establishing a detailed privacy regulatory structure. The Directive is specific on the requirements for the transfer of data. It sets down the principles regarding the transfer of data to third countries and states that personal data of EU nationals cannot be sent to countries that do not meet the EU “adequacy” standards with respect to privacy.In order to meet the EU “adequacy” standards, US developed a ‘Safe Harbour’ framework, according to which the US Department of Commerce would maintain a list of US companies that have self-certified to the safe harbor framework. An EU organization can ensure that it is sending information to a U.S. organization participating in the safe harbor by viewing the public list of safe harbor organizations posted on the official website.Data protection has emerged as an important reaction to the development of information technology. In India data protection is covered under the Information Technology Act, 2000 (hereinafter, the Act). The Act defines ‘data’ as, “‘data’ means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer”. Protection of such data and privacy are covered under specific provisions in the Act. In the recent past, the need for data protection laws has been felt to cater to various needs. The following analyses the position of data protection law with respect to some of the needs.Data Protection Law In Respect of Information Technology Enabled Services (ITES)India started liberalizing its economy in the 1990’s and since then a huge upsurge in the IT business process outsourcing may be witnessed. Financial, educational, legal, marketing, healthcare, telecommunication, banking etc are only some of the services being outsourced into India. This upsurge of outsourcing of ITES into India in the recent past may be attributed to the large English-speaking unemployed populace, cheap labour, enterprising and hardworking nature of the people etc. Statistics have shown that the outsourcing industry is one of the biggest sources of employment. In a span of four years, the number of people working in call centers in the country supporting international industries has risen from 42,000 to 3,50,000. Exports were worth $5.2 billion in 2004-2005 and are expected to grow over 40% this fiscal year. US is currently the biggest investor in Indian ITES, taking advantage of cheap labour costs. Statistics indicate that software engineers with two-years experience in India are being paid about 1/5th of an equivalent US employee.Concerns about adequacy of lawBPO FraudsWith globalization and increasing BPO industry in India, protection of data warrants legislation. There are reasons for this. Every individual consumer of the BPO Industry would expect different levels of privacy from the employees who handle personal data. But there have been situations in the recent past where employees or systems have given away the personal information of customers to third parties without prior consent. So other countries providing BPO business to India expect the Indian government and BPO organizations to take measures for data protection. Countries with data protection law have guidelines that call for data protection law in the country with whom they are transacting.For instance, in, the European Union countries according to the latest guidelines, they will cease to part with data, which are considered the subject matter of protection to any third country unless such other country has a similar law on data protection. One of the essential features of any data protection law would be to prevent the flow of data to non-complying countries and such a provision when implemented may result in a loss of "Data Processing" business to some of the Indian companies.In the recent past, concerns have been raised both within the country as well as by customers abroad regarding the adequacy of data protection and privacy laws in the country. A few incidents have questioned the Indian data protection and privacy standards and have left the outsourcing industry embarrassed. In June 2005, ‘The Sun’ newspaper claimed that one of its journalists bought personal details including passwords, addresses and passport data from a Delhi IT worker for £4.25 each. Earlier BPO frauds in India include New York-based Citibank accounts being looted from a BPO in Pune and a call-center employee in Bangalore peddling credit card information to fraudsters who stole US$398,000 from British bank accounts.UK's Channel 4 TV station ran broadcast footage of a sting operation exposing middlemen hawking the financial data of 200,000 UK citizens. The documentary has prompted Britain's Information Commissioner's Office to examine the security of personal financial data at Indian call centers.In the absence of data protection laws, the kind of work that would be outsourced to India in the future would be limited. The effect of this can be very well seen in the health-care BPO business, which is estimated to be worth close to $45 billion. Lack of data protection laws have left Indian BPO outfits still stagnating in the lower end of the value chain, doing work like billing, insurance claims processing and of course transcription. Besides healthcare, players in the retail financial sector are also affected. Financial offshoring from banks is limited because of statutory compliance requirements and data privacy laws protecting sensitive financial information in accounts. In the Human Resource (HR) domain, there are many restrictions on sharing of personal information. In the medical domain, patient history needs to be protected. In credit card transactions, identity theft could be an issue and needs to be protected. Companies in the banking, financial services and insurance (BFSI) sector and healthcare have excluded applications/processes which use sensitive information from their portfolio for offshoring till they are comfortable about the data protection laws prevalent in the supplier country.Since there is lack of data protection laws in India, Indian BPO outfits are trying to deal with the issue by attempting to adhere to major US and European regulations. MNCs have to comply with foreign Regulations so that they don’t lose on their international partners. There are problems involved in this. Efforts by individual companies may not count for much if companies rule out India as a BPO destination in the first place in the absence of data protection law.Today, the largest portion of BPO work coming to India is low-end call centre and data processing work. If India has to exploit the full potential of the outsourcing opportunity, then we have to move up the value chain. Outsourced work in Intellectual Property Rights (IPR)-intensive areas such as clinical research, engineering design and legal research is the way ahead for Indian BPO companies. The move up the value chain cannot happen without stringent laws. Further, weak laws would act as deterrents for FDI, global business and the establishment of research and development parks in the pharmaceutical industry.Looking to the above scenario, we can say that for India to achieve heights in BPO industry stringent laws for data protection and intellectual property rights have to be made. . Thus, a law on data protection on India must address the following Constitutional issues on a "priority basis" before any statutory enactment procedure is set into motion:(1) Privacy rights of interested persons in real space and cyber space.(2) Mandates of freedom of information U/A 19 (1) (a).(3) Mandates of right to know of people at large U/A 21.Once the data protection rules are enforced in India, companies outsourcing to India are unlikely to dismantle the systems they have in place straightaway, and move data more freely to India. Hence ,the need for data protection laws would win over the confidence of international business partners; protect abuse of information; protection of privacy and personal rights of individuals would be ensured; there would be more FDI inflows, global business and the establishment of research and development parks in the pharmaceutical industry & impetus to the sector of e-Commerce at national and international levels would be provided.Data protection law in India (Present status):-Data Protection law in India is included in the Act under specific provisions. Both civil and criminal liabilities are imposed for violation of data protection.(1) Section 43 deals with penalties for damage to computer, computer system etc.(2) Section 65 deals with tampering with computer source documents.(3) Section 66 deals with hacking with computer system.(4) Section 72 deals with penalty for breach of confidentiality and privacy. Call centers can be included in the definition of ‘intermediary’and a ‘network service provider’ and can be penalized under this section.These developments have put the Indian government under pressure to enact more stringent data protection laws in the country in order to protect the lucrative Indian outsourcing industry. In order to use IT as a tool for socio-economic development, employment generation and to consolidate India’s position as a major player in the IT sector,amendments to the IT Act, 2000 have been approved by the cabinet and are due to be tabled in the winter session of the Parliament.Proposed amendments:-The amendments relate to the following[22]:(i) Proposal at Sec. 43 (2) related to handling of sensitive personal data or information with reasonable security practices and procedures.(ii) Gradation of severity of computer related offences under Section 66, committed dishonestly or fraudulently and punishment thereof.(iii) Proposed additional Section 72 (2) for breach of confidentiality with intent to cause injury to a subscriber.It is hoped that these amendments will strengthen the law to suffice the need.Data Protection Laws In Order To Invite ‘Data Controllers’.There has been a strong opinion that if India strengthens its data protection law, it can attract multi-national corporations to India. India can be home to such corporations than a mere supplier of services.In fact, there is an argument that the EU’s data protection law is sufficient to protect the privacy of its people and thus lack of strong protection under Indian law is not a hindrance to the outsourcing industry. To enumerate, consider a company established in EU (called the ‘data controller’) and the supplier of call center services (‘data processor’) in India. If the data processor makes any mistake in the processing of personal data or there are instances of data theft, then the data controller in the EU can be made liable for the consequences. The Indian data processor is not in control of personal data and can only process data under the instructions of the data controller. Thus if a person in EU wants to exercise rights of access and retrieve personal data, the data controller has to retrieve it from the data processor, irrespective of where the data processor is located. Thus a strong data protection law is needed not only to reinforce the image of the Indian outsourcing industry but also to invite multi-national corporations to establish their corporate offices here.Data Protection And TelemarketingIndia is faced with a new phenomenon-telemarketing. This is facilitated, to a large extent, by the widespread use of mobile telephones. Telemarketing executives, now said to be available for as low as US $70 per month, process information about individuals for direct marketing. This interrupts the peace of an individual and conduct of work. There is a violation of privacy caused by such calls who, on behalf of banks, mobile phone companies, financial institutions etc. offer various schemes. The right to privacy has been read into Article 21, Constitution of India, but this has not afforded enough protection. A PIL against several banks and mobile phone service providers is pending before the Supreme Court alleging inter alia that the right to privacy has been infringed.The EC Directive confers certain rights on the people and this includes the right to prevent processing for direct marketing. Thus, a data controller is required not to process information about individuals for direct marketing if an individual asks them not to. So individuals have the right to stop unwanted marketing offers. It would be highly beneficial that data protection law in India also includes such a right to prevent unsolicited marketing offers and protect the privacy of the people.Data Protection With Regard To Governance And PeopleThe Preamble to the Act specifies that, the IT Act 2000, inter alia, will facilitate electronic filing of documents with the Government agencies. It seeks to promote efficient delivery of Government services by means of reliable electronic records. Stringent data protection laws will thus help the Government to protect the interests of its people.Data protection law is necessary to provide protection to the privacy rights of people and to hold cyber criminals responsible for their wrongful acts. Data protection law is not about keeping personal information secret. It is about creating a trusted framework for collection, exchange and use of personal data in commercial and governmental contexts. It is to permit and facilitate the commercial and governmental use of personal data.The Data Security Council of India (DSCI) and Department of Information Technology(DIT) must also rejuvenate its efforts in this regard on the similar lines. However, the best solution can come from good legislative provisions along with suitable public and employee awareness. It is high time that we must pay attention to Data Security in India. Cyber Security in India is missing and the same requires rejuvenation. When even PMO's cyber security is compromised for many months we must at least now wake up. Data breaches and cyber crimes in India cannot be reduced until we make strong cyber laws. We cannot do so by mere declaring a cat as a tiger. Cyber law of India must also be supported by sound cyber security and effective cyber forensics.Indian companies in the IT and BPO sectors handle and have access to all kinds of sensitive and personal data of individuals across the world, including their credit card details, financial information and even their medical history. These Companies store confidential data and information in electronic form and this could be vulnerable in the hands of their employees. It is often misused by unsurplous elements among them. There have been instances of security breaches and data leakages in high profile Indian companies. The recent incidents of data thefts in the BPO industry have raised concerns about data privacy.There is no express legislation in India dealing with data protection. Although the Personal Data Protection Bill was introduced in Parliament in 2006, it is yet to see the light of day. The bill seems to proceed on the general framework of the European Union Data Privacy Directive, 1996. It follows a comprehensive model with the bill aiming to govern the collection, processing and distribution of personal data. It is important to note that the applicability of the bill is limited to ‘personal data’ as defined in Clause 2 of the bill.The bill applies both to government as well as private enterprises engaged in data functions. There is a provision for the appointment of, “Data Controllers”, who have general superintendence and adjudicatory jurisdiction over subjects covered by the bill. It also provides that penal sanctions may be imposed on offenders in addition to compensation for damages to victims.The stringency of data protection law, whether the prevailing law will suffice such needs, whether the proposed amendments are a welcome measure, whether India needs a separate legislation for data protection etc are questions which require an in-depth analysis of the prevailing circumstances and a comparative study with laws of other countries. There is no consensus among the experts regarding these issues. These issues are not in the purview of this write-up. But there can be no doubt about the importance of data protection law in the contemporary IT scenario and are not disputable.