LAW RELATING TO E-BANKING (DATA PROTECTION)

UNIVERSITY OF IRINGA
[Formerly Tumaini University-Iringa University College]
FACULTY OF LAW

COMPULSORY RESEARCH PAPER SUBMITTED IN THE REQUIREMENT FOR THE AWARD OF LL.B DEGREE OF THE UNIVERSITY OF IRINGA

TOPIC: LAW RELATING TO E-BANKING IN TANZANIA, AN ANALYTICAL OVERVIEW OF DATA PROTECTION IN E-BANKING

BY: RESEARCHERS MAYONGA NGUHECHA & SHEPO M. JOHN

SUPERVISOR: Prof. CHATURVEDI SAURABH

July, 2014


CERTIFICATION

We certify that this research paper titled “Law relating to E-banking in Tanzania, an Analytical overview of data protection”, which is done at University of Iringa for the partial fulfillment of the requirements for the award of degree Bachelor of Laws (LL.B), is recorded as independent research work carried out by Mayonga Nguhecha & Shepo M. John under my supervision and guidance. This research paper has not been submitted for award at any other place or degree or other similar academic activity.

I wish the researchers a fruitful future and success in life.

Certified and signed on 12th day of July, 2014 at Iringa (Tanzania).

………………………………

Prof. CHATURVEDI SAURABH,
SUPERVISOR

DECLARATION

We, Mayonga Nguhecha & Shepo M. John, do hereby declare and attest that this research paper titled “Law relating to E-banking in Tanzania, an Analytical overview of data protection in e-banking” is our original work for The University of Iringa and it has not ever been presented to any other University for similar or other degree award. Nevertheless, this is not a copy or manipulation of any report.

Dated ………..day of……………2014

………………………………

MAYONGA NGUHECHA

………………………………

SHEPO M. JOHN

COPYRIGHT

All rights reserved. Beyond single copy use, no part of this work may be reproduced, stored in any retrieval system or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or any information storage, or otherwise, without prior written permission of the author and/or the Faculty of Law, University of Iringa.

© University of Iringa, 2014

All rights reserved.

ACKNOWLEDGEMENT

First and foremost, our sincere thanks and gratitude go to our Almighty God, unmoved mover, who protected us and gave us power, vision and strength up to this stage of compiling this research. We confess that he has been with us ever since we started the journey of our studies until now.

We are greatly beholden to a number of people whose advice, encouragement, moral and material support contributed to the preparation and completion of this research. However, it is not possible to list all of them here; we will mention only a few. In the first instance, we extend our heartfelt appreciation to our beloved parents for their material and financial support to pursue the Bachelor of Law degree [LL.B]. We thank them for all the support they gave us as their beloved sons in the entire journey of our studies. We also express our sincere gratitude and thanks to our supervisor Chaturvedi, Saurabh, whose efforts, commitment, dedication, guidance and criticism made our task possible. His knowledge and accumulated experience have been a great asset for us, not only for this research but also for our career. Special thanks go to our dearest instructor Mr. Lwijiso Ndelwa and the Dean of the Faculty of Law, University of Iringa, Mr. Renatus Mgongo, who provided us with a package of fruitful advice and moral support which made this research successful. We appreciate the help given by them; may God help them in their activities and bless them in their entire life. Uncountable thanks go to our fellow colleagues of LL.B at University of Iringa for the productive assistance to enrich our report.

DEDICATION

This work is dedicated to our family, that is Mayonga Nguhecha’s family as well as Shepo M John’s family, from which we have learnt that working hard is virtue.

ABSTRACT

The purpose of this research is to examine the legal and practical aspects of data protection in electronic banking in Tanzania, such as ATM, mobile banking and internet banking. It addresses key issues such as the legal protection of data in e-banking, legal barriers to electronic banking data protection in Tanzania, and the admissibility of electronic banking evidence.

The researchers further examine the law regulating banking business as far as the legal protection of data in electronic banking is concerned. The paper also discusses the nature and obligations of the banker-customer relationship in electronic banking.

Furthermore, the researchers show a number of challenges and risks associated with electronic banking data protection, such as operational risk, security risk and legal risk.

Lastly, the researchers look at the legal practice of data protection in electronic banking in other jurisdictions and the solutions to adopt.

In conclusion, the researchers recommend the enactment of an efficient and responsive legal framework to address the above legal issues, with a view to enhancing customer confidence, which will ultimately contribute to building trust in e-banking transactions.

ABBREVIATIONS

ATM Automated Teller Machines
CAP Chapter
CCTV Closed-Circuit Television
CEB Corporate Electronic Banking
CHATS Clearing House Automated Transfer System
CRDB Cooperative Rural Development Bank
E- Electronic
EAC East Africa Community
EDI Electronic Data Interchange
EFT Electronic Funds Transfer
EFTPOS Electronic Funds Transfer at Point of Sale
EU European Union
ICT Information and Communication Technology
IP Internet Protocol
NBC National Bank of Commerce
NMB National Micro-finance Bank
PC-banking Personal Computer banking
PINs Personal Identification Numbers
R.E. Revised Edition
RENTAS Real-time Electronic Transfer of Funds and Securities System
SWIFT Society for Worldwide Interbank Financial Telecommunications
TPB Tanzania Postal Bank
UK United Kingdom
UNCITRAL United Nations Commission on International Trade Law
USA United States of America
USD United States Dollar

LIST OF STATUTES

The Constitution of United Republic of Tanzania, 1977 (as amended from time to time)
The Banking and Financial Institutions Act, Act No. 5 of 2006
Bank of Tanzania Act, Act No. 4 of 2006
The Law of Contract Act [Cap 345 R.E 2002]
The Electronic and Postal Communication Act, No 3 of 2010
The Tanzania Bill of Exchange Act [Cap 215 R.E 2002]
The Penal Code [Cap 16 R.E 2002]
The Sale of Goods Act [Cap 214 R.E 2002]
Written Laws Miscellaneous Amendment Act, No. 15 of 2007
Information Technology Act, 2008 (India)
Electronic Communication Act, 2000 (U.K)
The Banking and Financial Institution Act, 1989 (Malaysia)
The Computer Fraud and Abuse Act, 1986 (US)
Computer Crime Act, 1997 (Malaysia)

LIST OF CASES

Abercrombie and Kent (T) Ltd v. Stanbic Bank Ltd [1995-1998] 2 E.A 1
Barker v. Wilson (1914) 19 Comm. Cas. 256; 111 L.T. 43
Greenwood v. Martins Bank Ltd (1932) 1 K.B 371 at p. 381
Joachim v Swiss Bank of Corporation [1921] 3 KB 110
Ladbroke & Co. vs. Todd (1914) 19 Comm. Cas. 256; 111 L.T. 43
National Banks of Commerce v. Milo Construction Co. Ltd and Two others, Commercial Case No. 293 of 2002 (unreported)
National Bank of Commerce v. Said Ally Yakut (1989) T.L.R. 119
Tournier v National Provincial and Union Bank of England [1924] 1 KB 461
Trust Bank Tanzania Ltd v. Le-Marsh Enterprises Ltd and Others, (2000) Commercial Case No. 4 in the High Court of Tanzania (Commercial Division) at Dar es Salaam (Unreported)
United Dominions Trust Ltd vs Kirkwood [1966] 2 Q.B 431
Williams and Glyn’s Bank Ltd v. Barnes, (1981) Unreported
Woods v. Martins Bank & Another [1959] 1 Q.B. 55

TABLE OF CONTENTS

CERTIFICATION
DECLARATION
COPYRIGHT
ACKNOWLEDGEMENT
DEDICATION
ABSTRACT
ABBREVIATIONS
LIST OF STATUTES
LIST OF CASES

CHAPTER ONE
THEORETICAL FRAMEWORK
1.1 Background of the problem
1.2 Statement of the problem
1.3 Objective of the study
1.3.1 General objective
1.3.2 Specific objective
1.4 Significance of the Study
1.5 Hypothesis
1.6 Research methodology
1.6.1 Documentary review
1.7 Literature review
1.7.1 Local Literature
1.7.2 Foreign Literature

CHAPTER TWO
AN OVERVIEW OF ELECTRONIC BANKING IN TANZANIA
2.1 Meaning of E-banking
2.2 Forms of E-banking
2.2.1 Consumer Electronic Banking
2.2.2 Corporate E-banking
2.2.3 Interbank e-banking
2.3 Advantages of e-banking
2.4 Disadvantages of e-banking
2.5 Banker customer relationship
2.5.1 Who is a Banker?
2.5.2 Who is a Customer?
2.5.3 Nature of Legal Relationship between Banker and Customer.
2.5.4 Duties and Rights
2.5.5 Duties of Customers to the bank.
2.6 The risks associated with e-banking
2.6.1 Operational risk
2.6.2 Security risk
2.6.3 Legal /Compliance Risk

CHAPTER THREE:
DATA PROTECTION IN ELECTRONIC BANKING
3.0 Introduction
3.1 Data protection
3.1.1 Data traceability glossary
3.2 Principle of data protection
3.3 A comparative assessment of e-banking data protection; Tanzania and other jurisdiction laws
3.3.1 Legal aspect of e-banking data protection in Tanzania
3.3.2 Judicial approach toward electronic banking data protection in Tanzania
3.3.3 Legal barrier of e- banking data protection in Tanzania
3.3.4 Solution regarding to E-banking Data Protection in Tanzania.
3.3.5 Position Electronic E-Banking data protection in India
3.3.6 Position Electronic banking data protection in UK
3.3.7 Relevance of Model Laws in Electronic Banking
3.3.8 Position of the European Union Data Protection Directive 95/46/EC of 1995

CHAPTER FOUR
CONCLUSION AND RECOMMENDATIONS
4.0 Conclusion
4.1 Recommendations
4.1.1 The Law Reform Commission of Tanzania
4.1.2 The Parliament
4.1.3 Banking Institutions

BIBLIOGRAPHY

CHAPTER ONE

THEORETICAL FRAMEWORK

1.1 Background of the problem

Banking activities in Tanzania can be traced back to the 1900s. Banking practices are a result of the colonialists, who introduced banks for the purpose of facilitating their economies in Tanzania and East Africa at large, and the earliest banks were a product of the German regime in Tanganyika. In 1905 the Deutsch Ostafrikanische Bank was established in Dar es Salaam, and in 1911 the Handelsbank für Ostafrika was established in Tanga.[1] A great deal of banking regulation was made by the British regime in Tanzania in the 1919s; apart from introducing more banks than those held by the Germans, it enacted a number of laws to regulate banking activities in Tanzania.

After independence, banks carried colonial banking legacies; the Arusha Declaration of 1967 nationalized all the privately owned banks. In the 1980s the Government took deliberate efforts to reform the economy. The intention was to eliminate controls and introduce a market-based economy. Pursuant to this goal, in 1988 a report on the inquiry into monetary and banking systems in Tanzania by the Nyirabu Commission was delivered.[2] Its contribution to banking development is substantial; it is the cause of the various laws on banking business, such as the Banking and Financial Institution Act, 1991.

Despite its remarkable contribution, the latter did not point out a thing on electronic banking. In recent years, the Tanzanian banking sector has made noteworthy progress in the development of ICT by introducing a banking service known as e-banking. Banks like CRDB, NMB, NBC and TPB have invested significantly in ICT by introducing different forms of electronic banking to facilitate electronic cash movement. New services are originating, such as mobile banking, internet banking and others. This is to say that with electronic banking it is even easier for a holding bank to control its subsidiary bank located at a distance, as a result of technological advancement.[3] In Tanzania electronic banking is in its early stages, though a great response of use is witnessed. The adoption of Automated Teller Machines (ATM) by various banks and financial institutions is a matter of pride; the adoption of mobile banking by various communication companies such as Tigo, Vodacom and Airtel gears habits for deposits and quick transfers of money or payments via electronic payment services. The adoption of electronic banking by banks such as CRDB, NMB and NBC evidently indicates the role played by electronic banking in the country.

However, while electronic banking is taking place, the law has been slow in protecting customers in electronic banking. In addition, our laws have not incorporated tools for effecting electronic transactions. The existing laws facilitate paper-based transactions, which apparently are not applicable to the technological changes that are currently taking place in Tanzania. The main statutes that govern the banking industry in Tanzania are the Bank of Tanzania Act,[4] the Banking and Financial Institutions Act,[5] the Bills of Exchange Act,[6] the Law of Contract Act[7] and the Electronic and Postal Communication Act.[8] In all these laws there is no single provision that caters for the use of electronic banking in Tanzania, despite the fact that they were enacted during the era of electronic banking (2006).

[1] C.S. Binamungu & G.S. Ngwilimi (2006). Regulation of Banking Business in Tanzania. Mzumbe Book Project, Morogoro-Tanzania, pg 39.
[2] Bank of Tanzania (2011): Tanzania Mainland’s 50 years of Independence; A review of the role and functions of the Bank of Tanzania (1961-2011).
[3] R. Mecky. The aspect of Electronic banking in Tanzania; A new phenomena. Retrieved on 5th April, 2014 from http://meckyrobert.blogspot.com/2011/08/aspects-of-electronic-banking-in.html.
[4] Bank of Tanzania Act of 2006
[5] Banking and Financial Institutions Act 2006
[6] The Bills of Exchange Act 2006
[7] The Law of Contract Act Cap 335 R.E 2002
[8] Electronic and Postal Communication Act 2010

However, there have been a number of attempts to address a few issues on e-banking. This can be seen in the case of Trust Bank Tanzania Limited v. Le Marsh,[9] in which the definition of a bankers’ book was extended to include computer-generated evidence in the form of print-outs. The Judge correctly noted that “the law must keep abreast of technological changes as they affect the way of doing business”. Other attempts include amendment of the Evidence Act, 1967, which gives partial recognition to electronic evidence; promulgation of guidelines for regulation of e-banking by the Bank of Tanzania, as an apparent measure to fill the legal vacuum; and regulation of e-banking through the law of contract, which governs standard form agreements. Further, it will be argued that the operation of banking through an electronic medium should be accompanied by an adequate and effective legal framework.

[9] Commercial Civil Case No. 4 of 2000 (Unreported).

1.2 Statement of the problem

Despite the significant contribution of Information Communication Technology to the banking sector, its development in the banking sector has been accompanied by a number of problems which are increasingly causing substantial financial losses to consumers. These problems include the increasing incidence of fraud and theft resulting from unauthorized access to customers’ money kept in financial institutions, and inability to access and effect transfer of funds due to technical flaws and errors. Other problems are: loss of various rights, like the right to stop payment (countermand); confidentiality and privacy of information; admissibility of electronic evidence; authorization and authentication of customers’ instructions; and, lastly, lack of consumer protection and dispute resolution mechanisms. As a reaction to these problems, banks are using general terms and conditions to shift all liabilities to consumers.

The lack of a fully operational legal and regulatory framework jeopardizes the security of consumers who use e-banking and causes financial loss, particularly in EFT and other electronic services that involve money, like ATMs, mobile banking, internet purchase of goods and other payments such as LUKU. The legal gap that exists in the banking laws provides loopholes for offenders to commit offences and also puts users at risk. Apart from the effort made by the government to amend the Evidence Act to recognize electronic evidence, consumer protection is still in a dilemma due to the absence of specific legislation governing electronic banking in Tanzania. It is vital for Tanzania to have a sufficient and comprehensive legal framework on information and data protection laws relating to electronic banking.

1.3 Objective of the study

1.3.1 General objective

The general objective of this study is to explore the legal basis of e-banking in Tanzania, particularly on data protection. The study seeks to establish whether there is a strong legal basis for data protection in electronic banking.

1.3.2 Specific objective

The specific objectives of the study are:

(a) To examine whether the current legal framework governing banking business protects consumers transacting banking business in electronic form.
(b) To identify the data protection techniques and provisions adopted by banks and financial institutions.
(c) To identify the legal provisions on data protection in electronic banking.
(d) To determine the extent to which the current legal framework on banking business addresses the problems and challenges facing consumers in using e-banking.
(e) To propose a suitable legal framework that adequately responds to the technological changes, with a view to addressing the problems facing electronic banking systems and consumer protection in electronic transactions.

1.4 Significance of the Study

With regard to the above problems and considering the nature of the research topic, this study is important and significant in a number of ways:

- The research will help future researchers, who can use it as a literature review in conducting research on the same subject matter.
- The study will help the researchers and other students to increase and expand their knowledge of electronic banking, specifically of the law governing it.
- The research will explain in detail the challenges brought by the advancement of ICT in the banking sector.
- It will act as a base for the government when formulating policy and law relating to electronic banking.
- The findings and recommendations of this study will establish the argument that, without establishing a legal basis for e-banking in Tanzania, customers will face risks of suffering financial losses without legal protection at the instance of banks that are capable of shifting liabilities to consumers.

1.5 Hypothesis

In this study the following hypotheses will be tested:

- Tanzanian law does not have enough data protection provisions for e-banking.
- The lack of a legal framework for e-banking in Tanzania poses risks to customers in respect of protection and security of transactions.

1.6 Research methodology

1.6.1 Documentary review

There are various sources which will be used to obtain these types of data, which are either published or unpublished. In this regard, the researcher will collect and analyze secondary data from books, statutes, case law, journals, newspapers, official government reports and other published and unpublished materials, as well as information available on the internet that is relevant or suitable in the context of the problem under study. These data will enable the researcher to provide a firm theoretical background to the study. The researcher will use the Iringa University library and an online library to search for materials.

1.7 Literature review

There are a number of textbooks, journals and articles which address the legal and practical aspects of electronic banking, but in Tanzania few studies have yet been undertaken which address the legal and practical aspects of e-banking. The reason is that e-banking is still a new technology which is growing in many developing countries, including Tanzania. The studies on this subject written by internal and external authors will assist in discovering the impact of ICT on the banking service and in formulating principles as well as solutions to the problems facing consumer transactions in electronic banking. Our literature review is divided into sub

1.7.1 Local Literature

This section discusses local literature in relation to electronic banking in Tanzania, such as Mollel A and Lukumay Z, Godfrey N. Dimoso, Mambi, A. J, Bwana J, and the Basle Committee on Banking Supervision.

Mollel, A. and Lukumay, Z.[10] have strongly addressed E-transactions and the law of evidence in Tanzania, and have argued that the current legal system does not adequately address the impact of ICT on the rules of evidence in Tanzania. The authors also state that the banking sector has made remarkable progress in the development of ICT by introducing E-banking, but that despite such progress it poses legal challenges concerning the protection of customers in E-banking within the country, because Tanzania does not yet have cyber laws that govern ICT.

Godfrey N. Dimoso[11] states that there is no doubt that E-banking is a growing practice around the world. Obviously, for developing countries, Tanzania included, it is a desirable advancement that should not be impeded. However, E-banking poses several risks which require appropriate and adequate safeguards on the business. It is against this background that most of the developing countries have realized the need for review of the legal framework, which is still largely based on the more traditional physical form of reference. He observes that in Tanzania it is fair to say that E-banking is still in its infancy and the progress so far has been somewhat appreciable, albeit at a slow pace. Currently, banks and non-banks (mobile phone companies) have started to provide E-banking services. However, the question remains to what extent our legal framework has responded to the ongoing migration from traditional banking to internet-based banking.

Mambi, A. J.[12] writes extensively on the legal challenges posed by the ICT revolution in Tanzania as regards E-banking. He addresses the lack of legal certainty on the challenges posed by ICT development to E-banking in the EAC region, particularly Tanzania, whereby E-banking may expose a customer to legal risks on questions of cyber-crime and the related E-transaction barriers to achieving E-commerce development. In Tanzania the laws do not address online transactions or E-payment; they therefore provide a loophole for the occurrence of cyber-crime, owing to the legal challenges imposed by ICT development in the country, and thus the present legal system favours off-line transactions.

[10] (2008) Electronic Transactions and the Law of Evidence in Tanzania, pp. 5-12
[11] Director of Legal Services, Azania Bank Ltd., (2008) Legal Framework: Regulatory challenges for effective E-Banking
[12] Mambi A. J., (2010) ICT Law Book: A Source Book for Information and Communication Technologies & Cyber Law in Tanzania & East African Community; Publisher African Books Collective, pp. 120-132

Bwana, J.[13] has addressed the implementation brought by ICT development in E-banking in Tanzania. The risks that customers of E-banking encounter are imposed by legal challenges in ICT development, as a result of an inappropriate legal framework to address the associated problems. The author states that the relationship that exists between banks and customers in E-banking in Tanzania is purely on a contractual basis. However, the new features of E-banking bring legal challenges that subject customers to security risks; therefore, the need for a piece of legislation to govern this specific area of E-banking is skyrocketing in the country.

The Basle Committee on Banking Supervision[14] addresses matters relating to E-banking and E-money activities: the rights and obligations of customers in such transactions are not protected by legal principles, which imposes legal challenges on the legality of the transactions involved in E-banking. However, the application of some consumer protection rules to E-banking and E-money activities in some countries is not clear, due to the lack of a piece of legislation that specifically addresses the legal challenges posed by the ICT revolution in the banking sector. Legal risks arise in the use of ICT development in banking business due to the lack of legislation, rules, regulations or prescribed practices addressing the legal rights and obligations of parties to a transaction, these not being well established under the legal system of the country concerned.

[13] Bwana (2003) pp. 1-10
[14] “Risk management for electronic banking and electronic money activities”. Retrieved on 29th April, 2014 from http://www.bis.org/publ/bcbs35.pgf

Mollel, A.15 shows that electronic transactions are replacing the old and traditional methods of transacting in all walks of life. However, the full-fledged application of ICT for development in most of these countries is seriously hindered by the lack of a comprehensive legal and regulatory framework for the subject. The author points out that these challenges revolve around the integrity, authenticity and security of electronic records.

1.7.2 Foreign Literature

The foreign literature discusses in detail the concept of electronic banking. However, it does not address the Tanzanian legal position, though it helps to develop some of the principles which can be applied in Tanzania.

Lloyd, J.16 states that E-banking facilitates the growth of E-commerce because it brings convenience to consumers of E-commerce through the use of EFT; being able to pay for products through E-banking enhances consumer confidence in E-commerce. In the UK there is a piece of enacted legislation, known as the Consumer Credit Act,17 which addresses the legal challenges brought by the development of ICT in the banking sector and also provides protection to consumers of E-banking. The author states that a customer in E-banking can be protected in those countries which offer legal protection through enacted legislation, that is, where the country has a piece of legislation protecting customers of E-banking.

15 (1996), "The legal and regulatory framework for ICT in developing countries: Case study of ICT and the law of evidence in Tanzania" Retrieved at 29th April, 2014 from http://cs.joensuu.fi/ipid2008/abstracts/Mollel Andrew_ICT4D PAPER.pdf

16 Lloyd, J. (2000) Information Technology Law, 5th Edn; USA: Oxford Press pp. 506-507

17 1947

However, the author does not address the legal challenges brought by the ICT revolution in EFT across borders, or the solutions to these problems in international trade.

Schaechter, A.18 provides a general overview of issues in E-banking. He says that there are two other important sources of legal risk to consumers. First, there can be uncertainty about which legislation applies to E-banking transactions: the legislation of the jurisdiction in which the virtual bank is licensed, or that of the jurisdiction in which the services are offered. This is especially true when E-banking has a cross-border nature, where different legislations might conflict with each other. Secondly, as a consequence of this, the enforcement of certain emerging areas of law is also uncertain, for example laws related to E-contracts and digital signatures. This leads to violations of customers’ protection laws, including data collection and privacy, and regulations for soliciting could be important issues. In other words, the author is of the view that customers can only be protected clearly by a system of law.

Bainbridge, D. I.19 addresses the vulnerability of some computer systems to criminal activities and considers the computer as an unwitting accomplice. He notes that a computer system might be used to detect information which assists the criminal in the commission of crime. He also shows that the greatest threat of fraud comes from within an organization, and that employees are responsible for a great deal of ICT fraud or attempted ICT fraud, ranging from small amounts of money to very large sums indeed. The paramount issues discussed, which constitute the offence of ICT fraud under the UK Fraud Act20 and are to be tackled, include: dishonestly transferring

18 Schaechter, A. (2002). Issues in electronic banking: An overview. Retrieved at 29th April, 2014 from http://www.imf.org/external/pubs/ft/.../2002/pdf06.pdf

19 Bainbridge, D. I., (2008), Introduction to Information Technology Law, 6th Edn, Pearson Education Ltd, England p. 422

20 2006

funds electronically, phishing, using bogus websites to obtain personal details such as bank

account details, spyware, and dishonest use of telecoms and information society

CHAPTER TWO

AN OVERVIEW OF ELECTRONIC BANKING IN TANZANIA

2.1 Meaning of E-banking

E-banking has been defined by a number of authors. This indicates that there is no common agreement on the definition of E-banking. Electronic banking, also known as electronic funds transfer (EFT), is simply the use of electronic means to transfer funds directly from one account to another, rather than by cheque or cash.21 The concept was initially associated with the use of Automated Teller Machines across the globe; with the growth of technology and new inventions, electronic banking now caters for a number of forums used for either purchase transactions or deposits as part of banks’ dealings; these include the use of computer and electronic technology as a substitute for cheques and other paper transactions.

Basel Committee22 defines e-banking as the provision of retail and small value banking products and services through electronic channels. Such products and services can include deposit-taking, lending, account management, the provision of financial advice, electronic bill payment, and the provision of other electronic payment products and services such as electronic money.

Some studies define electronic banking to mean 24-hour access to cash through an automated teller machine (ATM) or Direct Deposit of paychecks into checking or savings accounts.23 Electronic fund transfer (EFT) uses computer and electronic technology in place of checks and other paper transactions. EFTs are initiated through devices like cards or codes that let you, or those you authorize, access your account. Many financial institutions use ATM or debit cards

21 Federal Commission for Consumers: Electronic Banking: retrieved on 13th May 2014 from www.ftc.gov/bcp/edu/pubs/consumer/credit/cre14

22 Basle Committee on Banking supervision

23 Federal Trade Commission Electronic Banking. Retrieved on 13th May 2014 from https://www.consumer.ftc.gov

and Personal Identification Numbers (PINs). Electronic banking can be described as the "umbrella" term; it is used interchangeably when people refer to one or more forms or components of e-banking such as: virtual banking, on-line banking, cyber-banking, net banking, interactive-banking, web-banking, phone-banking, PC-banking, and remote electronic banking.24

The Bank of Tanzania25 equates e-banking with schemes of electronic payment. It defines electronic payment schemes as any electronic instrument, device or system used for the purposes of facilitating payment transfers through internet and/or wireless communication networks, and by use of service delivery products such as electronic cards, electronic payment transfer systems, mobile banking, internet banking, automated teller machines, points of sale terminals, payment switches and any other type of electronic payment transfer system.

From the above definitions, e-banking can be defined as the process by which a bank’s customers may access their accounts in order to perform banking transactions or obtain financial information using a variety of electronic distribution channels, the common ones being the Internet, telephones, mobile phones, points of sale, personal computers and ATMs, without visiting brick-and-mortar institutions. Electronic fund transfer can be used to: have your paycheck deposited directly into your bank or credit union checking account; withdraw money from your checking account from an ATM with a personal identification number (PIN), at your convenience, day or night; instruct your bank or credit union to automatically pay certain monthly bills from your account, such as your auto loan or your mortgage payment; have the bank or credit union transfer funds each month from your checking account to your mutual fund account; have your government social security benefits check or your tax refund deposited directly into your checking account; use a smart card with a prepaid amount of money embedded

24 http://www.aboulola.com/E-Banking.pdf

25 The Bank of Tanzania, "Electronic Payment Schemes and Products Guidelines," May 2007

in it for use instead of cash at a pay phone, expressway road toll, or on college campuses at the library's photocopy machine or bookstores; and use your computer and personal finance software to coordinate your total personal financial management process, integrating data and activities related to your income, spending, saving, investing, recordkeeping, bill-paying and taxes, along with basic financial analysis and decision making.

2.2 Forms of E-banking

E-banking exists in a variety of forms, which can be divided into various groups: consumer electronic banking, corporate electronic banking, interbank electronic banking products and plastic cards.

2.2.1 Consumer Electronic Banking

This includes Automated Teller Machine (ATM), EFTPOS, Telephone, Mobile Banking, Internet Banking, and Home/Office Banking.

(a) Automated Teller Machine

An ATM may be considered a branch of a bank, as it contains some of the main banking functions. Large routine transactions are performed with minimal staff intervention. Further, the machine is designed to operate 24 hours a day. There are savings in staff costs and other overheads like rentals of branch premises. In addition to being cost effective, it is a prerequisite for staying in business. Banks have realized the benefit of entering into agreements to share each other’s ATMs, instead of competing with each other to capture the ATM market. The ATMs of the various banks are connected to a switch network which communicates with the banks’ host.26 Typical ATM services include the following: statement ordering, balance enquiries, cheque

26 Aspect of electronic banking retrieved at 17th May, 2014 from www.ibbm.org.my/pdf/DP02%20Chapter%20on%20EFT.pdf

ordering, instructions for transfer between the cardholder’s accounts, and depositing cash and other payments. There are some services which are connected to ATMs by agreement between the bank and the service-issuing company, for example energy recharge services (LUKU Services), 24 and phone recharge services using ATMs.

(b) Electronic Funds Transfer at Point of Sale (EFTPOS)

Electronic Fund Transfer at the Point of Sale is a payment method that enables a cardholder to pay for goods or services by using a debit card. The debit card is passed through a terminal that reads the details of the cardholder’s account imprinted on the card’s magnetic strip. The retailer then enters the amount to be paid and the cardholder confirms the transaction by entering his PIN. The retailer’s bank account is immediately credited with the amount and the cardholder’s account is debited by the same amount.27

(c) Mobile Banking

Mobile banking refers to the use of a smart phone or other cellular device to perform online banking tasks while away from your home computer, such as monitoring account balances, transferring funds between accounts, bill payment and locating an ATM. For example, in Tanzania there are several mobile phone companies, such as Tigo, Zantel, Airtel and Vodacom, that have introduced electronic fund transfers as a simplified banking system. Mobile payments give the financial services industry a huge opportunity to tap the market for the provision of convenient payment services. This is due to the fact that the mobile phone has the advantages of freedom, functionality, convenience and ease of use.28

27 Urio, A.M.A, Aspects of Banking & Micro Finance Law

28 Loudon, C.K. & Traver, G.K., op. cit., p. 313.

(d) Home Banking

Home banking is a service that enables a bank client to handle his accounts from a computer in a place selected in advance, at home or in the office. The main features of home banking systems are the high level of security, comfort, simplicity of use, openness of the system, wide communication possibilities, networking, definition of users and their rights, automated data transmission and the option to define a combined signature specimen.29 A home banking system usually consists of two parts: a bank computer program and a program on the client’s computer. The bank program works as a communication server. It receives calls from clients, verifies their identity, receives data from them, authenticates digital signatures, generates digital receipts and sends data to clients.30

(e) Internet Banking

Internet banking is conducted by completing bank transactions by directly accessing the bank through the Internet. Nowadays, Internet banking customers can access many different services online, which keeps physical banks effectively open even after office hours. This means that offline banking is becoming online banking even while physical banks are closed (outside office hours), so customers do not need to go to the banks or call them any more unless there is an issue that cannot be handled online.31

29 Chavanova. A form of electronic banking. Retrieved from www.nbs.sk/_img/Documents/BIATEC/BIA06_06/22_25pg 3

30 ibid

31 Retrieved from http://www.myclear.org.my/corporations/rentas/ at 17th May, 2014

2.2.2 Corporate E-banking

Corporate Electronic Banking (CEB) is a secure internet-based service that provides corporate clients with access to online banking.32 It provides the following services: speed in payment processing; access to critical account information for decision making; access to information such as daily exchange rates for several currencies, including major trading currencies; access to reports of all transactions processed by clients through the platform; availability of audit trail information for all user activities; and processing of several payments in one bulk remittance transaction.

(a) Financial EDI

Electronic Data Interchange (EDI) is the process of exchanging information electronically. EDI enables companies to transmit routine business data such as invoices, product orders, and remittances electronically. The purpose of EDI is to speed up the flow of dollars and data.33 EDI is an electronic bridge between banks and customers. It carries detailed trading data alongside payment information. Traditional paper-intensive communication is no longer cost effective or efficient.

(b) Netting arrangement

Netting arrangements are an example of electronic data interchange. To illustrate, if Company A

buys goods or services from Company B at a cost of RM1 million whereas B buys goods or

services from A that cost RM2 million, then the net flow is RM1 million from B to A. In a

32 http://www.ecobank.com/corporate.

33 Chavanova. A form of electronic banking. Retrieved from www.nbs.sk/_img/Documents/BIATEC/BIA06_06/22_25.pdpg 3

netting arrangement, the parties involved make net settlements only at the end of the day – credits and debits are summarized for the day to generate a single ledger entry.34

2.2.3 Interbank e-banking

Electronic funds transfers between banks are facilitated by two systems, RENTAS and SWIFT. The Real-time Electronic Transfer of Funds and Securities System (RENTAS) provides multi-currency real-time gross settlement of interbank fund transfers, multi-currency debt securities settlement, depository services for scripless debt securities, and MYR/USD Payment versus Payment (PvP) settlement via USD CHATS (Clearing House Automated Transfer System) for its members.35 The SWIFT network enables users to transmit international payments, statements and other transactions associated with international finance to fellow users. Created initially by banks for banks, the network is now available to approved categories of non-bank institutions, which currently include securities brokers and dealers, clearing and depository institutions and recognized exchanges for securities.

2.3 Advantages of e-banking

In traditional banking the customer has to visit the bank in person to perform various banking operations such as account enquiries, funds transfers and cash withdrawals. Nowadays, due to the advancement of ICT in the banking sector, customers can perform various banking operations anywhere. E-banking therefore provides a number of advantages for both banks and customers; these advantages include, but are not limited to:

34 Aspect of electronic banking retrieved at 17th May, 2014 from www.ibbm.org.my/pdf/DP02%20Chapter%20on%20EFT.pdf.pg 6

35 Retrieved from http://www.myclear.org.my/corporations/rentas/ at 17th May, 2014

E-banking offers customers more convenience than they could get from a traditional bank: an individual or customer is not bound by ‘banker’s hours’. Time is not wasted when you have work to do, because you can do your office’s banking without leaving the office. No matter where you are or what time it is, you can easily manage your money.

Electronic banking reduces the workload on banks and enables banks to improve customer services; the latter has served as a relief to bankers in providing services to their customers. For example, in traditional banking a number of staff are required to meet customers’ expected demands, but in electronic banking fewer bank tellers are needed, since transactions are carried out via mobile phones, the internet and ATMs.

E-banking helps banks to cut operating costs because they do not need human operators to keep the bank services functioning; all this can be done through electronic media.

Internet banking is also environmentally friendly. Electronic transmissions require no paper, reduce vehicle traffic and are virtually pollution-free. They also eliminate the need for buildings and office equipment.36

One’s electronic banking account provides room to view the cheques that one has written in a month. With this access it is easier to catch fraudulent activity in one’s account before much damage is caused to the funds in the account.

36 Koskosas I. The pros and cons of internet banking: a short review pg 7

2.4 Disadvantages of e-banking

Despite its benefits, e-banking, like any other thing in life, has its own drawbacks. One concerns the customer-banker relationship. Customary banking allows the creation of a personal touch between a bank and its clients. A personal touch with a bank manager, for example, can enable the manager to change the terms of your account, since he/she has some discretion in case of any change in personal circumstances. This can include the reversal of an undeserved service charge.37

A customer needs access to a computer with an internet connection, which signifies that access to a customer’s account is solely dependent on computer-based technology in the case of e-banking.38 It is subject to the dependability of other computers and web servers, which means that if these are faulty, a customer cannot have access to his/her account; it also means that a customer has to know how to use a computer before he/she can carry out a transaction.39

Customers are obliged to memorise their PIN and are required not to carry it in a wallet or purse or to write it on the ATM card. Never write your PIN on the outside of a deposit slip, an envelope, or on a postcard. Take your ATM receipt after completing a transaction. Reconcile all ATM receipts with bank statements as soon as possible; this is due to the associated risks of e-banking. There is a group of people, consisting of illiterate and older ones, who do not want to follow the technological trend and do not want to learn how to make use of it. They would prefer the traditional way of banking.40

37 http://bankingandsavings.com

38 See a discussion forum at http://www.answerbag.com/g_view/369986.

39 See also Emilian, P., op. cit., p. 3.

40 See Khan, S., op. cit., p. 80.

Another drawback is that governmental policies that guide e-banking operations across international borders are not efficient.41 Another disadvantage is that an electronic bank carries along with it a number of risks, which are examined in this work. The use of e-banking poses legal challenges that threaten the growth of its use and of the number of customers. E-fraud: the use of e-banking technologies raises the main legal issue, which revolves around the applicability of paper-based criminal law to punish offenders who use electronic payment systems to steal customers’ money from their accounts.42 An even more controversial legal issue in relation to fraud in e-banking, according to White,43 is how the losses arising from flaws in electronic payment systems would be distributed between a consumer and a financial institution. Another issue, in the event of a dispute, is how a consumer will prove that he or she did not authorize a certain fraudulent transaction.44 The burden of proof seems to be on the one who avers.

2.5 Banker customer relationship

The relationship of banker and customer is at the very core of banking law. It is through this relationship that banking business is achieved. The researchers are interested here in exploring three main issues: (a) when or how this relationship arises, (b) the nature of the relationship, and (c) the duties and rights of each party thereto.

41 See Sulla, E., op. cit., p. 43.

42 Lukumay, Z. (2012), Electronic banking; its legal Basis in Tanzania. LAP LAMBERT Academic Publishing GmbH & Co KG, Germany, p. 36

43 See White P.F., op. cit., p. 28.

44 Ibid

2.5.1 Who is a Banker?

According to the case of United Dominions Trust Ltd vs. Kirkwood,45 a bank is defined as an organization which accepts money from, and maintains and honours cheques for, customers and maintains current accounts or accounts of a similar nature.

The Bank of Tanzania Act46 and the Banking and Financial Institutions Act47 both define the term "bank". The term bank is defined under section 3 of the Bank of Tanzania Act as an entity that is engaged in banking business.48 The definition is not static, as it always depends on current practice. The organization should have acquired the reputation of being a bank within the financial community.

2.5.2 Who is a Customer?

In the ordinary course of business a customer is anyone who makes contact with the business in question. This is not the case in banking law, where the question of who is a customer is given a qualified meaning. A customer may mean a person who has entered into a contract with a bank for a current account to be opened in his name.49 There are two qualifications of a customer in the context of banking law. The first revolves around the question of the existence of an account. In the case of Ladbroke & Co. vs. Todd,50 it was held that a person becomes a customer

45 (1966) 2 QB 431; 2 W.L.R 1083; 1 All ER 968.

46 Act No. 4 of 2006

47 Act No. 5 of 2006

48 Banking business is defined under the Act as "The business for receiving funds from the general public through the acceptance of deposits payable upon demand or after a fixed period or after notice, or any similar operation through the frequent sale or placement of bonds, certificates, notes or other securities, and to use such funds, in whole or in part, for loans or investments for the account of and the risk of the person doing such business."

49 Urio, A.M.A, Aspects of Banking & Micro Finance Law, p.3

50 (1914) 19 Comm. Cas. 256; 111 L.T. 43

of a bank when he goes to the bank with money or a cheque and the bank accepts the money or

cheque and is prepared to open an account in the name of that person.

The second concerns the provision of advisory services by the bank to the person in question. A person who receives professional advice from a bank, for example on investment and financial matters, is also regarded as a customer for banking purposes, and a bank can be sued for professional negligence if it provides prejudicial advice. In the case of Woods vs. Martins Bank and Another,51 it was held that a bank which gave investment advice to someone who did not have an account had the same contractual duty of care as if that person had held an account with the bank. It will be seen that whether a person becomes a customer of a bank or not depends on the nature of the transaction involved and also on whether the relationship is contractual. It is also important to note that the term customer signifies a relationship in which duration is not of the essence.

2.5.3 Nature of Legal Relationship between Banker and Customer.

During the last century since the Joachimson case, the judges have more and more tended to turn

to the general principles of contract law for the solution of the banking problems that come

before them. The result is that a large part of the banker-customer relationship rests on the

foundation of contract law principles, and the nature of the relationship thereof may therefore be

described as one of contract.

2.5.4 Duties and Rights.

The following are the duties of the bank to its customers;

(a) To receive the customer’s cash and cheques and other instruments for collection.

51 (1956) 1 QB 53

(b) To give reasonable notice before closing a credit account.

(c) To honour the words of its authorised officials.

(d) To pay the customer’s cheques, or allow him to withdraw cash to the extent of his

balance on receipt of a proper written authority during banking hours at the account

holding branch, or at another bank or branch subject to suitable arrangements.

Once a customer is assured that a cheque deposited by him is cleared, he has no more duties. Drawings by him are regarded as in accordance with the law. In the case of the National Bank of Commerce v. Saidi Ally Yakut52 it was observed that a collecting bank owes a duty of care to its customers in that it should conduct its activities with care and circumspection. The court held that there was a need for banks to display vigilance when handling their customers’ financial matters.

In this case, a customer was allowed to withdraw money from his account on the strength of the word of the bank manager that his bank account had been cleared. It has also been held that, as a general rule, a collecting bank is bound to use reasonable skill, care and diligence in presenting and securing payment of cheques entrusted to it for collection and placing the proceeds to the customer’s account, and in taking such other steps as may be proper to secure the customer’s interests.

Should the banker represent to the customer, either expressly or by conduct, that he might treat

the money as his own, or negligently fails to discharge his duty to the customer, as to change his

52 (1989) T.L.R. 199 (HC)

position and act to his detriment, the banker will not be permitted to recover money paid under a

mistake.53

(e) To inform the customer if his signature has been forged on a cheque or other instruments.

(f) To issue bank statements to its customers.

(g) To exercise a duty of reasonable skill and care in carrying out its customer’s instructions. The bank must not pay cheques which the bank knows, or should know, are drawn for an illegal purpose. If the bank pays such cheques it will be liable to refund the money, as such a payment is a breach of trust.

(h) To exercise a duty of secrecy regarding the customers’ affairs (not to divulge information). The bank has a duty of secrecy, for example not to divulge information to third parties regarding the account of the customer. The case of Tournier v. National Provincial and Union Bank of England54 rules that the bank must maintain the duty of secrecy regarding the customer’s account. The case, however, sets out exceptions in which the bank may be ordered to disclose information about its customers’ accounts. They include:

(i) Where the bank is compelled by law to divulge information (by law or by court),

(ii) Where there is public duty of disclosure. This applies in cases of commission of serious

crimes, large scale fraud; drug trafficking, terrorism or money laundering,

(iii) If the bank sues, it must state the amount owing by the customer; and

(iv) Where there is authority of the customer to disclose.

53 Silayo v. CRDB (1996) Ltd [2002] I EA 288 (CAT)

54 (1924) 1 KB 461

2.5.5 Duties of Customers to the bank.

The customer has several duties to the bank, namely:55

(a) To exercise reasonable care in drawing cheques or other mandates so as not to mislead the banker or to facilitate fraud.

(b) To advise the bank immediately when his cheque book is stolen.

(c) To advise the bank immediately if he discovers that his signature has been forged on the cheque. This was addressed in the case of Greenwood v. Martins Bank,56 and in Tanzania forgery was discussed in Abercrombie and Kent (T) Ltd v. Stanbic Bank Ltd,57 where the court held that a banker who encashes a cheque forged by a customer’s employee is liable to the customer for having paid without authority or instruction, in the same way that the banker becomes liable where, though the signatures are proper, a person other than the payee is paid instead. In both situations there is no authority to pay, and the banker can only succeed where it is shown that the customer, in the course of making the cheque, left out the figures, which facilitated the forgery.

(d) To pay reasonable charges for the work involved in handling the account, and to pay charges set out in the agreement, such as for an ATM card.

(e) To repay an overdraft on demand. In the case of Williams and Glyn’s Bank Ltd v. Barnes,58 it was held that when money is lent on overdraft by the bank, and there is no agreed date for repayment and no special terms which could imply that repayment is not due on demand, then the overdraft is repayable on demand.

55 Urio Alphonce, M. A., et al, (2011); Aspects of Banking and Micro Finance Law, 1st Edn, Moshi Tanzania at p.7

56 (1932) 1 K.B 371 at p. 381

57 [1995-1998] 2 EA 1

58 (1981) Unreported.

2.6 The risks associated with e-banking.

The growth of electronic banking has created a new basis with regard to the degree of exposure to risk, and consequently the need not only for a differentiated regulatory framework but also for monitoring mechanisms to be formed. These risks include:

2.6.1 Operational risk

Operations risk arises from fraud, processing errors, system disruptions, or other unanticipated events resulting in the institution’s inability to deliver products or services. This risk exists in each product and service offered. The level of transaction risk is affected by the structure of the institution’s processing environment, including the types of services offered and the complexity of the processes and supporting technology.59

In most instances, e-banking activities will increase the complexity of the institution’s activities and the quantity of its operations risk, especially if the institution is offering innovative services that have not been standardized. Since customers expect e-banking services to be available 24 hours a day, 7 days a week, financial institutions should ensure their e-banking infrastructures contain sufficient capacity and redundancy to ensure reliable service availability.60

2.6.2 Security risk

Security risk arises on account of unauthorized access to a bank’s critical information stores, such as the accounting system, risk management system, portfolio management system, and others. A breach of security could result in direct financial loss to the bank. For example, hackers operating via the Internet could access, retrieve and use confidential customer information and also can

59 Ibid, P. 165

60 Ibid, P. 165

implant viruses.61 This may result in loss of data, theft of or tampering with customer information, the disabling of a significant portion of the bank’s internal computer system (thus denying service), and the cost of repair. Other related risks are loss of reputation, infringement of customers’ privacy and its legal implications. Thus, access control is of paramount importance. Controlling access to banks’ systems has become more complex in the Internet environment, which is a public domain: attempts at unauthorized access could emanate from any source and from anywhere in the world, with or without criminal intent.62 Attackers could be hackers, unscrupulous vendors, disgruntled employees or even pure thrill seekers.

In addition to external attacks, banks are exposed to security risk from internal sources, for example employee fraud. Employees, being familiar with different systems and their weaknesses, become potential security threats in a loosely controlled environment. They can manage to acquire the authentication data in order to access customer accounts, causing losses to the bank.63

Unless specifically protected, all data or information transferred over the Internet can be monitored or read by unauthorized persons. There are programs such as ‘sniffers’ which can be set up at web servers or other critical locations to collect data like account numbers, passwords, and account and credit card numbers. Data privacy and confidentiality issues are relevant even when data is not being transferred over the net.64

61 Virender S., Solanki (2012), International Journal of Marketing, Financial Services & Management Research, Vol. 1 Issue 9, September 2012, retrieved on 11th July, 2014 from http://indianresearchjournals.com/pdf/IJMFSMR/2012/September/13.pdf, P. 167

62 Ibid

63 Ibid

64 Ibid

The identity of the person making a request for a service or a transaction as a customer is crucial to the legal validity of a transaction and is a source of risk to a bank. A computer connected to the Internet is identified by its IP (Internet Protocol) address. There are methods available to make one computer pass as another, commonly known as IP spoofing. Likewise, user identity can be misrepresented. Hence, authentication control is an essential security step in any e-banking system.65

2.6.3 Legal /Compliance Risk

Legal risk is the risk of non-compliance with legal or regulatory requirements. The legal risks are directly related to electronic banking and they increase as its use is extended. Legal risk is related to the protection of customers’ personal data. Misuse by bank personnel or by malicious external intruders can expose a bank to serious legal risks.66

It is possible that intruders acquire access to the databases of the banks and use the data of customers in order to commit fraud. In this case a legal risk is created by the improper or uncertified use of customers’ data. The legal risks to which financial institutions will be exposed from the use of electronic banking are expected to increase because of the uncertainty that characterizes the wider legal framework and the specific lawful regulations of transactions through an open electronic network such as the internet.67

The uncertainty with regard to the validity of transactions, the protection of personal data, the involuntary exposure of consumers to foreign jurisdiction, tax evasion, the laundering of money, electronic fraud, and also the legal responsibility in case a system collapses, increase the exposure to legal and regulatory risks.68

65 Virender S., Solanki (2012), International Journal of Marketing, Financial Services & Management Research, Vol. 1 Issue 9, September 2012, retrieved on 11th July, 2014 from http://indianresearchjournals.com/pdf/IJMFSMR/2012/September/13.pdf, P. 167

66 Ibid, P. 169

67 Ibid, P. 169

In the European Union, a regulatory framework has been developed that is concerned with questions such as electronic (digital) signatures, the distance rendering of financial services, as well as the Directive on electronic commerce.69

68 Virender S., Solanki (2012), International Journal of Marketing, Financial Services & Management Research, Vol. 1 Issue 9, September 2012, retrieved on 11th July, 2014 from http://indianresearchjournals.com/pdf/IJMFSMR/2012/September/13.pdf, P. 167

69 Ibid, p. 170

CHAPTER THREE:

DATA PROTECTION IN ELECTRONIC BANKING

3.0 Introduction

The issue of data protection on the Internet raises new international legal challenges. With the development of e-commerce, an increased need developed to exchange personal information. Personal data is used by corporations to make decisions, expand services and market new products. Personal data is collected when one subscribes to a website, registers for Internet banking or purchases a product.70

In electronic banking, personal information is normally kept by banks using databases, which are centralized collections of data for use by business applications. Customers’ information kept in these databases should be properly managed and kept secured against unauthorized modification, destruction, or disclosure of sensitive information leading to possible financial losses. It is imperative that banks maintain the integrity of customers’ transactions, in view of the fact that information held by banks about their customers and their transactions may change hands several times. The use of open communication channels like the Internet makes it impossible for banks to retain information solely within their own computer networks, let alone a single jurisdiction.

3.1 Data protection

Personal data is defined as any information relating to an individual, whether it relates to his/her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, individual posts on social networking websites, medical information, or a computer’s IP address. Data protection uses techniques such as file locking and record locking, database shadowing, and disk mirroring to ensure the availability, confidentiality and integrity of the data.71

70 Retrieved from http://www.dekock.co.za/data-protection-in-south-africa/ on 14th July, 2014

There are six basic essential ingredients that must be protected in matters of personal data in e-banking. These include:

1. NOTICE: An individual has the right to know that the collection of personal data will exist. The personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.”72

2. CHOICE: An individual has the right to choose not to have the personal data collected.

3. USE: An individual has the right to know how personal data will be used and to restrict its use. Personal data may only be used for “legitimate processing” as described by the Directive details.

4. SECURITY: An individual has the right to know the extent to which the personal data will be protected. Organizations must “implement appropriate technical and organizational measures to protect personal data.” The measures must be “appropriate to the risks represented by the processing and the nature of the data to be protected.”

5. CORRECTION: An individual has the right to challenge the accuracy of the data and to provide corrected information. Personal data collected and maintained by organizations must be up to date, and reasonable steps must be taken to ensure that inaccurate or incomplete data is corrected.

6. ENFORCEMENT: An individual has the right to seek legal relief through appropriate channels to protect privacy.

71 http://www.businessdictionary.com/definition/data-protection.html#ixzz2fPvqw77I, retrieved on 14th July 2014.

72 Rebecca Herold, European Union (EU) Data Protection Directive of 1995 Frequently Asked Questions; the article was published in the Computer Security Institute (www.gocsi.com) May 2002 issue of the Alert newsletter. Retrieved on 11th July, 2013.

3.1.1 Data traceability glossary73

Identifiable data: data including information in patient records such as names, addresses, dates

of birth. There are also aspects of health data that could become identifiable when they relate to a

diagnosis of a rare disease or when combined with other data. Identifiable data are needed when

future contact is established with the participant, for example to contact them to take part in a

study, or to link information across different data sets.

Pseudonymised (or key-coded) data: these cannot directly identify an individual, but are provided with an identifier that enables the patients’ identity to be re-connected to the data by reference to separate databases containing the identifiers and identifiable data. Pseudonymised data can often, but not always, be used in place of identifiable data.

Anonymised data: these data cannot be connected to the original patient record. Anonymised

data are suitable when no contact is needed with the participant or where the data do not need to

be linked to any other data sources.
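The three categories in the glossary above, applied to bank customer records, as an added example (not code from this paper or its sources). The HMAC-based coding, the field names and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (not real customers): identifiable data.
CUSTOMERS = [
    {"name": "A. Mushi", "account": "0151000001", "dob": "1984-03-12",
     "branch": "Iringa", "balance": 1200000},
    {"name": "B. Komba", "account": "0151000002", "dob": "1986-11-02",
     "branch": "Iringa", "balance": 450000},
    {"name": "C. Lema", "account": "0151000003", "dob": "1951-07-30",
     "branch": "Mafinga", "balance": 98000},
]
# A second constructed data set that refers to the same accounts.
TRANSACTIONS = [
    {"account": "0151000001", "channel": "mobile", "amount": 50000},
    {"account": "0151000003", "channel": "atm", "amount": 20000},
]

DIRECT_IDENTIFIERS = ("name", "account", "dob")


def pseudonym(key: bytes, account: str) -> str:
    """Keyed code for one account; it cannot be recomputed without the key."""
    return hmac.new(key, account.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Split records into key-coded rows and a key table to be stored separately."""
    coded, key_table = [], {}
    for rec in records:
        code = pseudonym(key, rec["account"])
        key_table[code] = {f: rec[f] for f in DIRECT_IDENTIFIERS if f in rec}
        row = {f: v for f, v in rec.items() if f not in DIRECT_IDENTIFIERS}
        row["pid"] = code
        coded.append(row)
    return coded, key_table


def reidentify(coded_row, key_table):
    """Re-connect a key-coded row to the person; requires the separate key table."""
    return key_table.get(coded_row["pid"])


def anonymise(records):
    """Drop identifiers, keep no code, and generalise date of birth to a decade."""
    return [
        {"birth_decade": rec["dob"][:3] + "0s",
         "branch": rec["branch"],
         "balance": rec["balance"]}
        for rec in records
    ]


def risky_groups(rows, quasi_identifiers, k=2):
    """Attribute combinations shared by fewer than k rows.

    Such rows may become identifiable again when combined with other data,
    which is the caveat the glossary raises for rare attributes.
    """
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    return sorted(combo for combo, n in counts.items() if n < k)


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # kept apart from the coded data
    coded, key_table = pseudonymise(CUSTOMERS, key)
    coded_tx, _ = pseudonymise(TRANSACTIONS, key)
    print("key-coded customers:", coded)
    print("key-coded transactions (same pid links the data sets):", coded_tx)
    print("re-identified with key table:", reidentify(coded[0], key_table))
    anon = anonymise(CUSTOMERS)
    print("anonymised:", anon)
    print("groups smaller than k=2:", risky_groups(anon, ("birth_decade", "branch")))
```

The key and the key table must be held by a different custodian from the coded rows; anyone holding both has identifiable data again.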

3.2 Principle of data protection

Data protection has general principles. These general principles ought to define expectations and responsibilities for data subjects and regulators.74 These include:

1. Legitimacy, which defines when personal data processing is acceptable (accessibility).

2. Purpose restriction, which ensures that personal data is only processed for the purposes for which it was collected, barring further consent from the data subject. A person is required to be clear about the purposes for which personal data are held, in order to ensure that the data are processed in a way that is compatible with the original purpose. For example, a doctor discloses his patient list to his uncle, who owns a tourist company which offers special holiday deals to patients needing healing. Disclosing the information for this purpose would be irreconcilable with the purposes for which it was obtained.

73 FEAM Statement on the Data Protection Regulation, June 2012

74 Neil Robinson et al (2009), Review of the European Data Protection Directive, RAND Corporation. Pp.50.

3. Security and confidentiality, specifically by requiring the data controller to take appropriate technical and organizational measures. This means suitable security to avoid personal data being unintentionally or deliberately compromised. It is necessary to design and organize the protection to fit the nature of the personal data held and the harm that may result from a security breach. It is also worthwhile to be clear about how information security is guaranteed, with the right physical and technical security and with reliable personnel prepared to respond to any breach of security quickly and effectively.

4. Adequate, relevant and not excessive. Data taken must not exceed the purpose of the transfer. Reasonable steps must be taken to ensure the accuracy of any personal data obtained; to ensure that the source of any personal data is clear; to carefully consider any challenges to the accuracy of information; and to consider whether it is necessary to update the information. For example, a journalist builds up a profile of a particular public figure. This includes information derived from rumours circulating on the internet that the individual was once arrested on suspicion of dangerous driving. If the journalist records that the individual was arrested, without qualifying this, he or she is asserting this as an accurate fact. However, if it is clear that the journalist is recording rumours, the record is accurate; the journalist is not asserting that the individual was arrested for this offence.75

5. Transparency: appropriate levels of transparency are provided to data subjects.

6. Data subject participation, ensuring that the data subjects can exercise their rights effectively (the right to retain information), such as to review the length of time personal data are kept; to consider the purpose of holding the information in deciding whether (and for how long) to retain it; to securely delete information that is no longer needed for this purpose; and to update, archive or securely delete information if it goes out of date. For example, images from a CCTV system installed to prevent fraud at an ATM may need to be retained for several weeks, since a suspicious transaction may not come to light until the victim gets their bank statement.

7. Accountability: those processing personal data would be held accountable for their actions according to the Outcomes.

8. Authorization of data transfer and protection, with the consent of the owner or of a recognized legal authority if necessary. This transfer of information is not the same as the mere passage of information through a country. The principle is relevant only if the information moves to a country, rather than merely passing through it en route to its destination.

75 Information Commissioner’s Office, The Guide to Data Protection, retrieved from www.ico.org.uk/.../Data_Protection/.../The_Guideto_Data_Protection...- on ept 2013.

3.3 A comparative assessment of e-banking data protection; Tanzania and other jurisdictions

3.3.1 Legal aspect of e-banking data protection in Tanzania

Protection of public data and private data is most important. It permits individuals to decide the manner and extent to which information concerning them should be shared with others. While ICT has stormed Tanzania and citizens are deploying ICT in everyday life, the framework for privacy protection in these emerging technologies is not known, but this does not mean that the right to privacy is not recognized in Tanzania.

The Constitution of the United Republic of Tanzania76 contains provisions relating to data protection. Article 16(1) of the Constitution states, inter alia, that every person is entitled to respect and protection of his person, the privacy of his own person, his family and of his matrimonial life, and respect and protection of his residence and private communications. Article 16(2) further cements the need to enact law that protects and guarantees the right to privacy: for the purpose of preserving the person’s right in accordance with this article, the state authority shall lay down legal procedures regarding the circumstances, manner and extent to which the right to privacy…may be encroached upon without prejudice to the provisions of this article.

The Electronic and Postal Communication Act77 also imposes a duty of confidentiality: employees must keep licensee information confidential and should not disclose it to the public or to any other person unless there is an order of the court to do so for security purposes or the information is needed by the court as evidence. It further states that “no person shall disclose the content of information of any customer received in accordance with the provisions of this Act, except where such person is authorized by any other written law”.78

The Act further provides that any person who secures unauthorized access to a computer, or intentionally or knowingly causes loss or damage to the public or any person, destroys, deletes or alters any information in the computer resources, or diminishes its value or utility or affects it injuriously by any means, commits an offence and on conviction shall be liable to a fine of not less than five hundred thousand Tanzanian shillings or to imprisonment for a term not exceeding three months or to both.

76 The Constitution of the United Republic of Tanzania of 1977 (as amended from time to time)

77 Section 98 of the Electronic and Postal Communication Act 2010

78 Section 98(2) of the Electronic and Postal Communication Act 2010

The Banking and Financial Institutions Act79 provides for fidelity and secrecy regarding customers’ financial information. Section 48 of the Act80 provides, inter alia, that every bank or financial institution shall observe, except as otherwise required by law, the practices and usages customary among bankers, and in particular, shall not divulge any information relating to its customers.

Further, the amendment of the Evidence Act,81 the National Science and Technology Policy,82 the Tanzania Development Vision (2025)83 and the bills drafted by the Law Reform Commission are initiatives of the government of Tanzania to address data protection in line with ICT. The Cyber Law Reforms Commission in Tanzania aims at:

(a) Restricting further opportunities for e-crimes,

(b) Establishing a legal framework aligned with Tanzania Constitution provisions and the legislative and regulatory environment, and consistent with regional and global best practices,

(c) Ensuring that Tanzania does not become a haven of cyber-crime.

The amendment of the Evidence Act recognizes electronic evidence.

79 Banking and Financial Institution Act

80 ibid

81 Written Laws Miscellaneous Amendment Act, No. 15 of 2007

82 Of 1996

83 Of 1998

3.3.2 Judicial approach toward electronic banking data protection in Tanzania

There are few attempts which address the issues of e-banking. This can be seen in the case of Trust Bank Tanzania Limited v. Le Marsh84 in which the definition of a bankers’ book was extended to include computer-generated evidence in the form of print-outs. The Judge correctly noted that “the law must keep abreast of technological changes as they affect the way of doing business.”

The leading case in Tanzania to extend the definition in a paper-based statute to cover printed electronic records is the Trust Bank Tanzania Ltd case.85 In this case Nsekela J.86 (as he then was), adopting the views of the English Judge in the Barker’s case,280 extended the definition of bank records to include computer print-outs. He noted further that “the law must keep abreast of technological changes as they affect the way of doing business”. On the role of the courts, Nsekela J. was of the view that “the court should not be ignorant of modern business methods and shut its eyes to the mysteries of the computer….”

National Bank of Commerce v. Milo Construction Co. Ltd and two others87 was a case involving a claim for recovery of an amount of money alleged to have arisen out of an overdraft facility; it was alleged that the plaintiff defaulted on repayment of the said facility. Two statements were tendered in court. One was the processed easy bank computer program and the other was the processed inflexible banking computer program. The court found discrepancies between the two statements, as some entries were not reflected in one of the statements. The Plaintiff did not adduce sufficient explanation of the discrepancies. The court therefore found that the plaintiff had failed to prove the exact amount the first Defendant borrowed from the Plaintiff.

84 Commercial Civil Case No. 4 of 2000 (Unreported).

85 Supra note 168, p.13

86 Justice Nsekela is currently a judge of the Court of Appeal of Tanzania

87 Commercial Case No. 293 of 2002 (Unreported)

The analysis of this case reveals that the Plaintiff had bank-produced statements generated by

two different computer programs. The later program did not have features similar to the earlier

one. Unfortunately, the Bank failed to lead expert evidence to clear the discrepancies noted. The

court was therefore justified in rejecting the claim in absence of sufficient explanations regarding

the operation of the two computer programs. One would expect the bank to make use of the

software programmers who created the two computer programs. Perhaps it is an opportune

moment for the courts to make use of forensic experts, who would assist it in analyzing

computer-related evidence.

Though data protection is recognized in our laws, it is uncertain under the existing laws whether the same protection is accorded to customers transacting banking business in electronic form. There is no specific provision relating to data protection in e-banking.

3.3.3 Legal barrier of e-banking data protection in Tanzania

Legal barriers in electronic banking in Tanzania are a result of the unsupportive nature of the current legal framework. It is stated that in Tanzania there is no law which deals directly with electronic banking data protection for customers.88

It is provided that the laws which regulate banking in Tanzania do not accommodate online transactions or payment in cyberspace; rather, they accommodate off-line transactions only. The reason is that the laws embrace the traditional mandatory requirements of writing and manuscript signature, which do not cater for e-banking at all.

88 Mweteni (2011) p 45

It is demonstrated that the Banking and Financial Institution Act,89 under section 5, has features that do not recognize online application for a licence, due to the mandatory requirement that applications must be in writing and signed manually, as opposed to data messages and digital signatures.90

This shows that this law is concerned with paper-based transactions only. In fact this law was enacted in 2006, during the era of e-banking, but it appears that this law was and is aimed at regulating paper-based banking business. It is evident that the definitions of key words and phrases in this statute include terms like “bank”, “entity” and “financial institution”; on the contrary, “e-banking” is not even mentioned in this law.91 Actually, the Act only regulates cash and cheque payment systems operated in a paper-based form in a physical branch of a bank.92

The fact that this statute makes no reference to e-banking and e-banking data protection casts doubt on whether the current legal framework governing banking business addresses the legal issues posed by e-banking, and therefore shows that this law does not afford legal protection of e-banking data to customers of e-banking.

In Tanzania, even the Bills of Exchange Act93 puts mandatory requirements of writing and signature for an instrument to be accepted as a bill of exchange order.94 Therefore it also does not provide for e-banking data protection in Tanzania. The bill of exchange is defined as,

“An unconditional order in writing, addressed by one person to another, signed by the person giving it….”

An endorsement in order to be a negotiation must comply with the following conditions, namely: (a) it must be written on the bill itself and be signed by the endorser, and the simple signature of the endorser on the bill, without additional words, is sufficient. Therefore, the Act covers bills of exchange in document form only; thus e-signature as a form of data in e-banking is not covered, hence customers of e-banking are not protected in the aspects of data.95

89 Act No. 5/2006

90 Mambi (2010) pp 128-130

91 Banking and Financial Institution Act No. 5/2006

92 As per section 5 of the Banking and Financial Institutions Act, 2006 (Act No. 5)

93 1999

94 Sections 3(2), 23 and 32(1) of the Bill of Exchange Act, 1999

3.3.4 Solution regarding to E-banking Data Protection in Tanzania.

A bank’s liability would arise out of the contract, as there is no statute to the point of e-banking; thus the Law of Contract Act96 will govern breach of a contractual term. When liability is contractual it means that the bank is, by virtue of the contract, under obligation to keep customers’ data secret. If transactions are being done on an open network such as the internet, then in case of a security breach an ISP may be liable in addition to the bank. The viability of sectoral legislation on data protection in e-banking should be gauged. Tanzania can take a cue from nations which have favored ad hoc enactment of sectoral laws over omnibus legislation.

3.3.5 Position of electronic banking data protection in India

In the Indian context, the right to privacy is a constitutional right, and online privacy protection is provided in the Information Technology Act, 200897 as well as in other scattered statutes, such as SEBI’s regulation for privacy protection through companies and RBI’s Guidelines to protect online privacy in the electronic banking system.

Under the Information Technology Act, 2008 there are provisions such as Section 43, which provides for penalty and compensation for damage to computer, computer system. Section 43-A provides, inter alia, that where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, not exceeding five crore rupees, to the person so affected; generally, it provides compensation for failure to protect data. Section 44 provides a penalty for failure to furnish information, return. Section 66-E provides punishment for violation of privacy; it states, inter alia, that whoever intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both. Sections 67, 67A, 67B and some other sections directly and indirectly promote protection of data and privacy in electronic transactions.

95 CYBER LAWS WORKSHOP FOR EAC, 24-28 April 2006, Kampala. The Status of Cyber Laws in Tanzania by ADAM MAMBI. Retrieved on 11th July, 2014 from http://www.tanzaniagateway.org/docs/EAC_CyberlawStatusinTanzania_Mambi.ppt

96 Cap 345 RE 2002

97 Information Technology Act, 2008

3.3.6 Position of electronic banking data protection in UK

In UK, failure to undertake identification of new customers properly can create an array of risks for the bank. Under the Data Protection Act,98 an erring bank may face an action for damages if it fails to “maintain adequate security precautions in respect of the data”. Essentially, a legal duty is imposed upon the banks to use reasonable care and skill in disseminating information to persons who access the bank’s networks either on the internet or through an ATM card.

A similar wording is found under the UK Computer Misuse Act of 1990.99 It provides:

(1) A person is guilty of an offence if (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured; (b) the access he intends to secure, or to enable to be secured, is unauthorized; and (c) he knows at the time when he causes the computer to perform the function that that is the case.

(2) The intent a person has to have to commit an offence under this section need not be directed at any particular program or data; a program or data of any particular kind; or a program or data held in any particular computer.

(3) A person guilty of an offence under this section shall be liable (a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both; (b) on summary conviction in Scotland, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum or to both; (c) on conviction on indictment, to imprisonment for a term not exceeding ten years or to a fine or to both.100

98 1998

99 This piece of legislation can be accessed at http://www.legislation.gov.uk/ukpga/1990/18/section/3.

100 See also similar wording in the Computer Misuse Act of Singapore, retrieved from http://unpan1.un.org/intradoc/groups/public/documents/apcity/unpan002107 on 11th July 2014

Failure of the bank to undertake identification of new customers properly can create an array of risks for the bank. Under the Data Protection Act,101 an erring bank may face an action for damages if it fails to “maintain adequate security precautions in respect of the data.” Essentially, a legal duty is thrust upon the banks to use reasonable care and skill in disseminating information to persons who access the bank’s networks either on the internet or through an ATM card.

This position of the law was once given judicial interpretation where the views of the Judge were well applied to the Act. This was in the English case of Barker v. Wilson,102 where it was stated that “The Bankers’ Books Evidence Act103 was enacted with the practice of bankers in 1879 in mind. It must be construed in 1980 in relation to the practice of bankers, as we now understand it. So construing the definition of “bankers’ books” and the phrase “an entry in a banker’s book”, it seems to me that clearly both phrases are apt to include any form of permanent record kept by the bank of transactions relating to the bank’s business made by any of the methods which modern technology makes available…”

The case initiated a revolutionary move in English evidence practice where, for the first time, the court recognized the changes brought about by information and communication technologies (modern technologies) in proving bankers’ books on data protection.

3.3.7 Relevance of Model Laws in Electronic Banking

Articles 6, 7, 8 and 9 of the UNCITRAL Model Law and the Commonwealth Model Law provide for functional equivalence: where the law requires a signature of a person, that requirement is met in relation to a data message if an electronic signature is used that is as reliable as was appropriate for the purpose for which the data message was generated or communicated, in the light of all the circumstances, including any relevant agreement. It is believed that these Model Laws will assist states in reforming and enhancing their legislation that is based on paper methods, and in coming up with uniform laws that allow the use of alternatives to paper-based methods of transactions, communication and storage of information at national and international level.104

101 Of 1998

102 [1980] 2 All E.R. 80 at page 82

103 1879 [of England]

The leading piece of legislation at the international level is the UNCITRAL Model Law on Electronic Signatures. Article 6(1) of the Model Law provides that “where the law requires a signature of a person, that requirement is met in relation to a data message if an electronic signature is used that is as reliable as was appropriate for the purpose for which the data message was generated or communicated, in the light of all the circumstances, including any relevant agreement.”105

The Model Law defines electronic signatures as “data in electronic form in, affixed to or logically associated with, a data message, which may be used to identify the signatory in relation to the data message and to indicate the signatory’s approval of the information contained in the data message.”106 The Model Law defines “certificate” as “a data message or other record confirming the link between a signatory and signature creation data”.107 The data message is defined as “information generated, sent, received or stored by electronic, optical or similar means including, but not limited to, electronic data interchange (EDI), electronic mail, telegram, telex or telecopy”.108

104 Mambi, (2010) p.132

105 UNCITRAL Model Law on Electronic Signatures

106 Ibid, Article 1

107 Ibid

On reliability and security of electronic signatures, the Model Law provides that an electronic signature is considered to be reliable if, first, the signature creation data are, within the context in which they are used, linked to the signatory and to no other person. Second, the signature creation data were, at the time of signing, under the control of the signatory and of no other person. Third, any alteration to the electronic signature, made after the time of signing, is detectable. Last, any alteration made to the information to which the signature relates, after the time of signing, is detectable. The purpose of these requirements is to assure integrity of the electronic records.

The analysis of these statutes demonstrates two important aspects. Firstly, an electronic signature is not to be denied admissibility as evidence in legal proceedings solely on the ground that it is in an electronic form. Secondly, electronic signatures enjoy the same legal status as paper-based signatures.

3.3.8 Position of the European Union Data Protection Directive 95/46/EC of 1995

The European Union Data Protection Directive 95/46/EC of 1995 requires that “Member States shall protect the fundamental rights and freedoms of natural persons and in particular their right to privacy with respect to the processing of personal data.”109

The directive requires that E.U. member states (countries) protect the privacy of personal

information that is processed using equipment in the member state, whether the processing is

done by government agencies, businesses, or other organizations. “Personal data” includes, but is not limited to, name, address, phone numbers, email addresses, ethnicity, religion, gender, sexual orientation, birthdates, employment, and financial account numbers. The responsibility for compliance with the directive rests with the “controller,” which is the person, group of people, public authority, agency, or other body that determines the purposes and means of processing personal data.

108 Ibid

109 http://www.cdt.org/privacy/eudirective/EU_Directive_.html, Chapter 1.

E.U. member states have implemented this directive to varying degrees. It is beyond the scope of

this paper to outline the differences and status of their implementations; the information is

available from each country. Organizations and businesses using equipment in member states to

process personal data are concerned about compliance with the directive and its derivative laws.

Most are equally concerned about data protection for the purposes of maintaining business

integrity and brand value.

Only encryption can protect data itself. Encryption protects personal or other data by rendering it

unreadable to unauthorized users who do not have the key. The Ponemon Institute found that

enterprises that implement a strategic approach to encryption experience fewer data breaches and

that most of them seek a single solution for encryption to implement their data protection

strategy.110

As the leader in encryption solutions for enterprise data protection, PGP Corporation offers a

platform-based solution that addresses the needs for compliance and brand protection.

110 The Ponemon Institute, 2008 Annual Study: U.K. Enterprise Encryption Trends, April 2008, and 2008 Annual Study: German Enterprise Encryption Trends, May 2008. Retrieved from http://www.pgp.com/downloads/research_reports/ponemon_reg_direct.html on 11th July 2014.

Essential highlights from the E.C. Directive which provides for data protection

Directive 95/46/EC requires organizations to protect the integrity of personal data and take steps to prevent unauthorized access to it. The following are some of the requirements:

• Member States must implement appropriate technical and organizational measures to protect

personal data against accidental or unlawful destruction or accidental loss, alteration,

unauthorized disclosure or access, in particular where the processing involves the transmission of

data over a network, and against all other unlawful forms of processing. Such measures shall

ensure a level of security appropriate to the risks represented by the processing and the nature of

the data to be protected.

• Sending personal information from a member state to a non-member country is legal only with

the consent of those persons whose data is sent. Furthermore, the data may only be sent to

countries with similar laws protecting personal information.

• Individuals have the right to give their consent for the use and storage of personal information,

and to revoke consent at any time.

• Penalties for violating member states’ directive implementations include fines and criminal liability for business owners or executives, data controllers, and employees who report to them.

Currently Tanzania lacks an effective legal regime on data protection in all aspects of e-banking, e-contracts and the internet compared to other jurisdictions. The absence of a comprehensive data protection law exposes data subjects to threats to the enjoyment of the right to privacy. There is a need to adopt various laws to regulate electronic banking. A good reflection can be made on the USA and UK laws, which set examples of new laws to be considered for enactment in Tanzania for the purpose of facilitating easy implementation of electronic banking. To mention but a few, these include the Electronic Funds Transfer Act (USA); the Data Protection Act (UK); the Computer Fraud and Abuse Act (USA); and the Consumer Protection Act (UK).


CHAPTER FOUR

CONCLUSION AND RECOMMENDATIONS

4.0 Conclusion

The main purpose of this study is to make an analytical overview of data protection in electronic banking in Tanzania. The study has shown that Tanzania has little or no legal framework that protects personal information or data in e-banking. This is a wide gap in view of the fact that e-banking, and e-commerce in general, involves a global market that relies heavily on the movement of data across international boundaries. Despite the fact that the Banking and Financial Institutions Act provides for fidelity and secrecy of customers’ financial information, it is uncertain whether the same protection extends to customers transacting banking business in electronic form.

The lack of a strong basis in electronic banking has exposed banks as well as customers to huge financial losses in view of the increasing incidents of unauthorized transactions and other flaws in the use of ICT in the banking business. Apart from financial losses, financial institutions also face the problems of loss of data, theft of or tampering with customer information, and the disabling of a significant portion of a financial institution’s internal computer systems due to the activities of hackers. It would appear that these problems will continue to exist despite efforts to minimize them. It is argued in this study that the flow of data affecting bankers and customers in electronic banking will only be reduced when all the relevant stakeholders (lawyers, technical personnel and the society at large) have taken the matter more seriously.

Most of our laws regulating the banking industry do not respond to the issue of electronic banking, which calls for further reform, as most of the laws protect customers in offline business only. It is true that in Tanzania there are no specific provisions that provide for data protection in electronic banking. Therefore there is a need to make reference to international, regional and other jurisdictions’ instruments such as the UNCITRAL Model Law on E-Commerce, the UNCITRAL Model Law on E-Signatures, the EU Conventions on E-Commerce, the US EFT Act, the Malaysia EFT Act, the Malaysia Code of Conduct and many others in order to have a strong legal framework for e-banking.

Currently the Law Reform Commission has drafted three bills that address the issue of electronic transactions and communications. These bills are the Electronic Transactions and Communications Bill,111 the Computer Crime and Cybercrime Bill112 and the Data Protection and Privacy Bill,113 which among other things provide for data protection. Some of these provisions include, but are not limited to, the following:

Clause 6 (2)114 provides to the effect that a data controller shall not collect personal information by unlawful means; or by means that, in the circumstances, are unauthorized; or intrude to an unreasonable extent upon the privacy of the data subject concerned. Clause 10 of the same Bill115 provides for the limits on the data controller’s disclosure of personal information.

Apart from the Data Protection Bill, there is the Computer Crime and Cyber Crime Bill, which contains provisions relating to data protection.

Clause 8 of the Computer Crime and Cyber Crime Bill provides, inter alia, that a person who intentionally, without lawful excuse or justification, damages or deteriorates computer data, deletes computer data, alters computer data, or denies access to computer data commits an offence.

Generally, in order to respond to new technology there is a need to enact specific laws to cover these crucial areas, which have a high impact on economic development in Tanzania and East Africa in general. There is also a need to amend certain laws such as the Law of Contract Act,116 the Bills of Exchange Act,117 the Sale of Goods Act118 and the Banking and Financial Institutions Act119 to respond to electronic commerce and technological advancement.

111 Bill of 2013

112 Ibid

113 Ibid

114 Data Protection and Privacy Bill, 2013.

115 Ibid

4.1 Recommendations

Our study has shown that Tanzania needs specific provisions and laws which will protect data in electronic banking. Tanzania, through the Law Reform Commission, has tried to respond to the issue of electronic banking by drafting some bills on electronic transactions that cater for the issue of data protection in electronic banking. In the light of these findings and observations we recommend as follows.

4.1.1 The Law Reform Commission of Tanzania

It is our recommendation that the Law Reform Commission of Tanzania and the Ministry of Justice and Constitutional Affairs should present the drafted bills on electronic transactions to the Parliament to be discussed. Such legislation would be most significant in responding to the problem relating to data protection in electronic banking.

4.1.2 The Parliament

Once the bills are presented, the Parliament should timely discuss them and enact sound

legislation to that effect. It is recommended that the parliament should put provisions that compel

banks to employ a secured electronic payment system in accordance with accepted international

standards to protect customers. For example, the use of additional secured methods of authentication like retina, thumbprints and other biometric technologies should be employed to prevent security breaches.

116 Cap 315 R.E 2002

117 Cap 215 R.E 2002

118 Cap 214 R.E 2002

119 Act No.5/2006

4.1.3 Banking Institutions

It is our recommendation that in designing e-banking systems to be used by consumers, legal principles such as those relating to mandate, mistake and confidentiality, together with customer data protection, be kept in mind. Further, in order for electronic funds transfers involving huge amounts of money to be successful, there must in most cases be an involvement of employees of the bank. It is recommended that the Bank of Tanzania should devise a mechanism for dealing with this vice in order to assure the security of customers’ money and their data. Furthermore, e-banking should raise the issue of banks’ compliance with legal requirements such as secrecy of customers’ accounts and data protection.


BIBLIOGRAPHY

Primary sources

Statute(s)

The Constitution of United Republic of Tanzania, 1977 (as amended from time to time)

The Banking and Financial Institutions Act, Act No.5 of 2006

Bank of Tanzania Act, Act No. 4 of 2006

The Law of Contract Act [Cap 345 R.E 2002]

The Electronic and Postal Communication Act, No 3 of 2010

The Tanzania bill of exchange Act [Cap 215 R.E 2002]

The Penal Code [Cap 16 R.E 2002]

The Sale of Goods Act [Cap 214 R.E 2002]

Written Laws Miscellaneous Amendment Act, No.15 of 2007

Information Technology Act, 2008 India

Electronic Communication Act, 2000 (U.K).

The Banking and Financial Institution Act,1989, (Malaysia.)

The Computer Fraud and Abuse Act, 1986(US)

Computer Crime Act, 1997 (Malaysia)

Case(s)

Abercrombie and Kent (T) Ltd v. Stanbic Bank Ltd [1995-1998] 2E.A 1

Barker v. Wilson (1914) 19 Comm. Cas. 256; 111 L.T. 43

Greenwood v. Martins Bank Ltd (1932) 1 K.B 371 at p.381

Joachimson v Swiss Bank Corporation [1921] 3 KB 110

Ladbroke & Co. vs. Todd (1914) 19 Comm. Cas. 256; 111 L.T. 43

National Banks of Commerce v. Milo Construction Co. Ltd and Two others Commercial case No. 293 of 2002 (unreported)

National Bank of Commerce v. Said Ally Yakut (1989) T.L.R. 119

Tournier v National Provincial and Union Bank of England [1924] 1 KB 461

Trust Bank Tanzania Ltd v. Le-Marsh Enterprises Ltd and Others, (2000) Commercial Case No.4

in the High Court of Tanzania (Commercial Division) at Dar es salaam, (Unreported)

United Dominions Trust Ltd Vs Kirkwood [1966]2 Q.B 431

Williams and Glyn’s Bank Ltd v. Barnes, (1981) Unreported

Woods v. Martins Bank & Another [1959] 1 Q.B. 55

Secondary sources

Books

Binamungu, C.S. & Ngwilimi, G.S. (2006). Regulation of Banking Business in Tanzania. Mzumbe Book Project. Morogoro-Tanzania.

Mambi, A.J. (2010). A Source Book for Information and Communication Technologies and Cyber Law in Tanzania and East Africa Community. Mkuki & Nyota Publishers. Dar-es-Salaam.

Mollel, A., & Lukumay, Z. (2008). Electronic transactions and the law of evidence in Tanzania. Iringa: Peramiho Printing Press.

Agarwal, R., Sharma, P. and Sherry, A. M. (2003), E banking for comprehensive E Democracy:

An Indian Discernment, Journal of Internet Banking and Commerce, Vol. 8, No. 1, June, 2003.

Lloyds, J. (2008). Information technology law, 5th ed, United States of America: Oxford

University Press


Internet sources:

www.ibimapublishing.com/journals/CIBIMA/CIMIMA/html.

www.ftc.gov/bcp/edu/pubs/consumer/credit/cre14

http://unpan1.un.org/intradoc/groups/public/documents/apcity/unpan

http://www.pgp.com/downloads/research_reports/ponemon_reg_direct.html

http://www.businessdictionary.com/definition/data-protection.html.

http://www.dekock.co.za/data-protection-in-south-africa