UNIVERSITY OF IRINGA
[Formerly Tumaini University-Iringa University College]
FACULTY OF LAW
COMPULSORY RESEARCH PAPER SUBMITTED IN THE REQUIREMENT FOR
THE AWARD OF LL.B DEGREE OF THE UNIVERSITY OF IRINGA
TOPIC: LAW RELATING TO E-BANKING IN TANZANIA, AN ANALYTICAL
OVERVIEW OF DATA PROTECTION IN E-BANKING
BY:
RESEARCHERS MAYONGA NGUHECHA
&
SHEPO M. JOHN
SUPERVISOR: Prof. CHATURVEDI SAURABH
July, 2014
CERTIFICATION
We certify that this research paper titled "Law relating to E-banking in Tanzania, an Analytical
overview of data protection", which was done at the University of Iringa in partial fulfillment of
the requirements for the award of the degree of Bachelor of Laws (LL.B), is recorded as independent
research work carried out by Mayonga Nguhecha & Shepo M. John under my supervision and
guidance. This research paper has not been submitted for award at any other place or degree or
other similar academic activity.
I wish the researchers a fruitful future and success in life.
Certified and signed on 12th day of July, 2014 at Iringa (Tanzania).
………………………………
Prof. CHATURVEDI SAURABH,
SUPERVISOR
DECLARATION
We, Mayonga Nguhecha & Shepo M. John, do hereby declare and attest that this research paper
titled "Law relating to E-banking in Tanzania, an Analytical overview of data protection in
e-banking" is our original work for The University of Iringa and it has not ever been presented to
any other University for similar or other degree award. Nevertheless, this is not a copy or
manipulation of any report.
Dated ………..day of……………2014
………………………………
MAYONGA NGUHECHA
………………………………
SHEPO M. JOHN
COPYRIGHT
All rights reserved. Beyond single copy use, no part of this work may be reproduced, stored in any
retrieval system or transmitted in any form or by any means, electronically or mechanically,
including photocopying, recording or by any information storage or otherwise, without prior
written permission of the author and/or the Faculty of Law, University of Iringa.
© University of Iringa, 2014
All rights reserved.
ACKNOWLEDGEMENT
First and foremost, our sincere thanks and gratitude go to our Almighty God, unmoved mover,
who protected us and gave us power, vision and strength up to this stage of compiling this research.
We confess that He has been with us ever since we started the journey of our studies until now.
We are greatly beholden to a number of people whose advice, encouragement, moral and
material support contributed to the preparation and completion of this research. However, it is
not possible to list all of them here; we will mention only a few. In the first instance, we extend
our heartfelt appreciation to our beloved parents for their material and financial support to pursue
the Bachelor of Laws degree [LL.B]. We thank them for all the support they gave us as their beloved
sons in the entire journey of our studies. We also express our sincere gratitude and thanks to our
supervisor Chaturvedi, Saurabh, whose efforts, commitment, dedication, guidance and
criticism made our task possible. His knowledge and accumulated experience have been a great asset
for us, not only for this research but also for our careers. Special thanks go to our dearest
instructor Mr. Lwijiso Ndelwa and the Dean of the Faculty of Law, University of Iringa, Mr. Renatus
Mgongo, who provided us with a package of fruitful advice and moral support which made this
research successful. We appreciate the help given by them; may God help them in their
activities and bless them in their entire lives. Uncountable thanks go to our fellow colleagues of
LL.B at the University of Iringa for the productive assistance to enrich our report.
DEDICATION
This work is dedicated to our families, that is Mayonga Nguhecha's family as well as Shepo M.
John's family, from which we have learnt that working hard is a virtue.
ABSTRACT
The purpose of this research is to examine the legal and practical aspects of data protection in
electronic banking in Tanzania, such as ATM, mobile banking and internet banking. It addresses
key issues such as legal protection of data in e-banking, legal barriers to electronic banking
data protection in Tanzania, and the admissibility of electronic banking evidence.
The researchers further examine the law regulating banking business as far as legal protection of
data in electronic banking is concerned. The paper also discusses the nature and obligations of the
banker-customer relationship in electronic banking.
Furthermore, the researchers show a number of challenges/risks associated with electronic
banking data protection, such as operational risk, security risk and legal risk.
Lastly, the researchers look at legal practices of data protection in electronic banking in
other jurisdictions and the solutions to adopt.
In conclusion, the researchers recommend the enactment of an efficient and responsive legal
framework to address the above legal issues with a view to enhancing customer confidence,
which will ultimately contribute to building trust in e-banking transactions.
ABBREVIATIONS
ATM Automated Teller Machines
CAP Chapter
CCTV Closed-Circuit Television
CEB Corporate Electronic Banking
CHATS Clearing House Automated Transfer System
CRDB Cooperative Rural Development Bank
E- Electronic
EAC East Africa Community
EDI Electronic Data Interchange
EFT Electronic funds transfer
EFTPOS Electronic Funds Transfer at Point of Sale
EU European Union
ICT Information and Communication Technology
IP Internet Protocol
NBC National Bank of Commerce
NMB National Micro-finance Bank
PC-banking Personal Computer banking
PINs Personal Identification Numbers
R.E. Revised Edition
RENTAS Real-time Electronic Transfer of Funds and Securities System
SWIFT Society for Worldwide Interbank Financial Telecommunications
TPB Tanzania Postal Bank
UK United Kingdom
UNCITRAL United Nations Commission on International Trade Law
USA United States of America
USD United States Dollar
LIST OF STATUTES
The Constitution of United Republic of Tanzania, 1977 (as amended from time to time)
The Banking and Financial Institutions Act, Act No. 5 of 2006
Bank of Tanzania Act, Act No. 4 of 2006
The Law of Contract Act [Cap 345 R.E 2002]
The Electronic and Postal Communication Act, No. 3 of 2010
The Tanzania Bills of Exchange Act [Cap 215 R.E 2002]
The Penal Code [Cap 16 R.E 2002]
The Sale of Goods Act [Cap 214 R.E 2002]
Written Laws Miscellaneous Amendment Act, No. 15 of 2007
Information Technology Act, 2008 (India)
Electronic Communication Act, 2000 (U.K.)
The Banking and Financial Institution Act, 1989 (Malaysia)
The Computer Fraud and Abuse Act, 1986 (US)
Computer Crime Act, 1997 (Malaysia)
LIST OF CASES
Abercrombie and Kent (T) Ltd v. Stanbic Bank Ltd [1995-1998] 2 E.A 1
Barker v. Wilson (1914) 19 Comm. Cas. 256; 111 L.T. 43
Greenwood v. Martins Bank Ltd (1932) 1 K.B 371 at p. 381
Joachim v Swiss Bank of Corporation [1921] 3 KB 110
Ladbroke & Co. vs. Todd (1914) 19 Comm. Cas. 256; 111 L.T. 43
National Banks of Commerce v. Milo Construction Co. Ltd and Two others, Commercial Case
No. 293 of 2002 (Unreported)
National Bank of Commerce v. Said Ally Yakut (1989) T.L.R. 119
Tournier v National Provincial and Union Bank of England [1924] 1 KB 461
Trust Bank Tanzania Ltd v. Le-Marsh Enterprises Ltd and Others, (2000) Commercial Case No. 4
in the High Court of Tanzania (Commercial Division) at Dar es Salaam (Unreported)
United Dominions Trust Ltd vs. Kirkwood [1966] 2 Q.B 431
Williams and Glyn's Bank Ltd v. Barnes (1981) Unreported
Woods v. Martins Bank & Another [1959] 1 Q.B. 55
TABLE OF CONTENT
CERTIFICATION
DECLARATION
COPYRIGHT
ACKNOWLEDGEMENT
DEDICATION
ABSTRACT
ABBREVIATIONS
LIST OF STATUTES
LIST OF CASES
CHAPTER ONE
THEORETICAL FRAME WORK
1.1 Background of the problem
1.2 Statement of the problem
1.3 Objective of the study
1.3.1 General objective
1.3.2 Specific objective
1.4 Significance of the Study
1.5 Hypothesis
1.6 Research methodology
1.6.1 Documentary review
1.7 Literature review
1.7.1 Local Literature
1.7.2 Foreign Literature
CHAPTER TWO
AN OVERVIEW OF ELECTRONIC BANKING IN TANZANIA
2.1 Meaning of E-banking
2.2 Forms of E-banking
2.2.1 Consumer Electronic Banking
2.2.2 Corporate E-banking
2.2.3 Interbank e-banking
2.3 Advantages of e-banking
2.4 Disadvantages of e-banking
2.5 Banker customer relationship
2.5.1 Who is a Banker?
2.5.2 Who is a Customer?
2.5.3 Nature of Legal Relationship between Banker and Customer
2.5.4 Duties and Rights
2.5.5 Duties of Customers to the bank
2.6 The risks associated with e-banking
2.6.1 Operational risk
2.6.2 Security risk
2.6.3 Legal/Compliance Risk
CHAPTER THREE
DATA PROTECTION IN ELECTRONIC BANKING
3.0 Introduction
3.1 Data protection
3.1.1 Data traceability glossary
3.2 Principle of data protection
3.3 A comparative assessment of e-banking data protection; Tanzania and other jurisdiction laws
3.3.1 Legal aspect of e-banking data protection in Tanzania
3.3.2 Judicial approach toward electronic banking data protection in Tanzania
3.3.3 Legal barrier of e-banking data protection in Tanzania
3.3.4 Solution regarding to E-banking Data Protection in Tanzania
3.3.5 Position Electronic E-Banking data protection in India
3.3.6 Position Electronic banking data protection in UK
3.3.7 Relevance of Model Laws in Electronic Banking
3.3.8 Position of the European Union Data Protection Directive 95/46/EC of 1995
CHAPTER FOUR
CONCLUSION AND RECOMMENDATIONS
4.0 Conclusion
4.1 Recommendations
4.1.1 The Law Reform Commission of Tanzania
4.1.2 The Parliament
4.1.3 Banking Institutions
BIBLIOGRAPHY
CHAPTER ONE
THEORETICAL FRAME WORK
1.1 Background of the problem
Banking activities in Tanzania can be traced back to the 1900s. Banking practices are a result of
the colonialists, who introduced banks for the purpose of facilitating their economies in Tanzania
and East Africa at large; the earliest banks were a product of the German regime in
Tanganyika. In 1905 the Deutsch-Ostafrikanische Bank was established in Dar es Salaam, and in
1911 the Handelsbank für Ostafrika was established in Tanga.[1] A great deal of banking regulation
was made by the British regime in 1919s in Tanzania which, apart from introducing more banks than
the ones held by the Germans, enacted a number of laws to regulate banking activities in Tanzania.
After independence, banks carried colonial banking legacies; the Arusha Declaration of 1967
nationalized all the privately owned banks. In the 1980s the Government took deliberate efforts to
reform the economy. The intention was to eliminate controls and introduce a market-based
economy. Pursuant to this goal, in 1988 a report on the inquiry into monetary and banking
systems in Tanzania by the Nyirabu Commission was delivered.[2] Its contribution to
banking development is substantial; it is the cause of the various laws on banking business such
as the Banking and Financial Institution Act, 1991.
Despite its remarkable contribution, the latter did not point out a thing on electronic banking. In
recent years, the Tanzanian banking sector has made noteworthy progress in the development of ICT by
introducing a banking service known as E-banking. Banks like CRDB, NMB, NBC and TPB have
invested significantly in ICT by introducing different forms of electronic banking to facilitate
electronic cash movement. New services are originating, such as mobile banking, internet
banking and others. This is to say that with electronic banking it is even easier for a holding bank to
control its subsidiary bank located at a distance, as a result of technological advancement.[3] In
Tanzania electronic banking is in its early stages, though a great response of use is witnessed.
[1] C.S. Binamungu & G.S. Ngwilimi (2006). Regulation of Banking Business in Tanzania. Mzumbe Book
Project, Morogoro-Tanzania, pg 39.
[2] Bank of Tanzania (2011): Tanzania Mainland's 50 years of Independence; A review of the role and functions of the
Bank of Tanzania (1961-2011).
The adoption of Automated Teller Machines (ATM) by various banks and financial institutions
is a matter of pride; the adoption of mobile banking by various communication companies such as Tigo,
Vodacom and Airtel gears habits for deposits and quick transfers of money or payments via
electronic payment services. The adoption of electronic banking by banks such as CRDB,
NMB, and NBC evidently indicates the role played by electronic banking in the country.
However, while electronic banking is taking place, the law has been slow in protecting customers
in electronic banking. In addition, our laws have not incorporated tools for effecting electronic
transactions. The existing laws facilitate paper-based transactions, which apparently are not
applicable to the technological changes that are currently taking place in Tanzania. The main statutes
that govern the banking industry in Tanzania are the Bank of Tanzania Act,[4] the Banking and Financial
Institutions Act,[5] the Bills of Exchange Act,[6] the Law of Contract Act[7] and the Electronic and
Postal Communication Act.[8] In all these laws there is no single provision that caters for the use of
electronic banking in Tanzania, despite the fact that they were enacted during the era of
electronic banking (2006).
[3] R. Mecky. The aspect of Electronic banking in Tanzania; A new phenomena. Retrieved on 5th April, 2014 from
http://meckyrobert.blogspot.com/2011/08/aspects-of-electronic-banking-in.html.
[4] Bank of Tanzania Act of 2006
[5] Banking and Financial Institutions Act 2006
[6] The Bills of Exchange Act 2006
[7] The Law of Contract Act Cap 335 R.E 2002
[8] Electronic and Postal Communication Act 2010
However, there have been a number of attempts which address a few issues on e-banking. This can be
seen in the case of Trust Bank Tanzania Limited v. Le Marsh,[9] in which the definition of a
bankers' book was extended to include computer-generated evidence in the form of print-outs.
The Judge correctly noted that "the law must keep abreast of technological changes as they affect
the way of doing business." Other attempts include the amendment of the Evidence Act, 1967, which
gives partial recognition to electronic evidence; the promulgation of guidelines for regulation of
e-banking by the Bank of Tanzania, as an apparent measure to fill the legal vacuum; and regulation
of e-banking through the law of contract, which governs standard form agreements. Further, it
will be argued that the operation of banking through an electronic medium should be accompanied by
an adequate and effective legal framework.
1.2 Statement of the problem
Despite the significant contribution of Information Communication Technology in the banking
sector, its development there has been
accompanied by a number of problems which are increasingly causing substantial financial
losses to consumers. These problems include the increasing incidence of fraud and theft
resulting from unauthorized access to customers' money kept in financial institutions, and inability to
access and effect transfer of funds due to technical flaws and errors. Other problems are: loss of
various rights like the right to stop payment (countermand); confidentiality and privacy of
information; admissibility of electronic evidence; authorization and authentication of customers'
instructions; and, lastly, lack of consumer protection and dispute resolution mechanisms. As a
reaction to these problems, banks are using general terms and conditions to shift all liabilities to
consumers.
[9] Commercial Civil Case No. 4 of 2000 (Unreported).
Lack of a fully operational legal and regulatory framework jeopardizes the security of consumers
who use E-banking and causes financial loss, particularly in EFT and other electronic services that
involve monies, like ATMs, mobile banking, internet purchase of goods and other payments such
as LUKU. The legal gap that exists in banking laws provides loopholes for offenders to commit
offences and also puts users at risk. Apart from the effort made by the government to
amend the Evidence Act to recognize electronic evidence, consumer protection is still in a
dilemma due to the absence of specific legislation governing electronic banking in Tanzania.
It is vital for Tanzania to have a sufficient and comprehensive legal framework on
information and data protection laws relating to electronic banking.
1.3 Objective of the study
1.3.1 General objective
The general objective of this study is to explore the legal basis of e-banking in Tanzania,
particularly on data protection. The study seeks to establish whether there is a strong legal basis
for data protection in electronic banking.
1.3.2 Specific objective
The specific objectives of the study are:
(a) To examine whether the current legal framework governing banking business protects
consumers transacting banking business in electronic form.
(b) To identify data protection techniques and provisions adopted by banks and financial
institutions.
(c) To identify the legal provisions on data protection in electronic banking.
(d) To determine the extent to which the current legal framework on banking business
addresses the problems/challenges facing consumers in using e-banking.
(e) To propose a suitable legal framework that adequately responds to the technological
changes, with a view to addressing problems facing the electronic banking systems
and consumer protection in electronic transactions.
1.4 Significance of the Study
With regard to the above problems and considering the nature of the research topic, this study is
important and significant in a number of ways:
- The research will help future researchers, who can use it as a literature review in conducting
research on the same subject matter.
- The study will help the researchers and other students to increase and expand their knowledge of
electronic banking, specifically the law governing it.
- The research will explain in detail the challenges brought by the advancement of ICT in the
banking sector.
- It will act as a base for the government when formulating policy and law relating to electronic
banking.
- The findings and recommendations of this study will establish the argument that without
establishing a legal basis for e-banking in Tanzania, customers will face risks of suffering
financial losses without legal protection at the instance of banks that are capable of
shifting liabilities to consumers.
1.5 Hypothesis
In this study the following hypotheses will be tested:
- That Tanzanian law does not have enough data protection provisions in E-banking.
- That the lack of a legal framework for e-banking in Tanzania poses risks to customers in
respect of protection and security of transactions.
1.6 Research methodology
1.6.1 Documentary review
There are various sources which will be used to obtain these types of data, which are either
published or unpublished. In this regard, the researchers will collect and analyze secondary data
from books, statutes, case law, journals, newspapers, official government reports and other
published and unpublished materials, as well as information available on the internet that is
relevant or suitable in the context of the problem under study. These data will enable the
researchers to provide a firm theoretical background to the study. The researchers will use the Iringa
University library and online libraries to search for materials.
1.7 Literature review
There are a number of textbooks, journals, and articles which address the legal and practical
aspects of electronic banking, but in Tanzania few studies have yet been undertaken
which address the legal and practical aspects of e-banking. The reason is that e-banking is still a
new technology which is growing in many developing countries, including Tanzania. The studies
on this subject written by internal and external authors will assist in discovering the impact of ICT
on banking services and in formulating principles as well as solutions to problems facing consumer
transactions in electronic banking. Our literature review is divided into sub
1.7.1 Local Literature
This section discusses local literature in relation to electronic banking in Tanzania, such as
Mollel A and Lukumay Z, Godfrey N. Dimoso, Mambi, A. J, Bwana J, and the Basle Committee on
Banking Supervision.
Mollel, A and Lukumay, Z[10] have addressed strongly E-transactions and the law of evidence
in Tanzania, and have also discussed that the current legal system does not adequately address
the impact of ICT on rules of evidence in Tanzania. The authors have also addressed that the
banking sector has made remarkable progress in the development of ICT by introducing E-banking,
but despite such progress it poses legal challenges concerning the protection of customers in
E-banking within the country, because Tanzania has yet to have cyber laws that govern
ICT.
Godfrey N. Dimoso[11] addresses that there is no doubt that E-banking is a growing practice around
the world. Obviously, for the developing countries, Tanzania included, it is a desirable
advancement that should not be impeded. However, E-banking poses several risks which
require appropriate and adequate safeguards on the business. It is on this background that most of
the developing countries have realized the need for review of the legal framework, which is still
largely based on the more traditional physical form of reference. In Tanzania, he addressed that it
is fair to say that E-banking is still in its infancy and the progress so far has been somewhat
appreciable, albeit at a slow pace. Currently, banks and non-banks (mobile phone companies)
have started to provide E-banking services. However, the question remains to what extent
our legal framework has responded to the on-going migration from traditional banking to
internet-based banking.
Mambi, A. J.[12] addresses extensively the legal challenges posed by the ICT revolution in Tanzania
as regards E-banking. He addresses the lack of legal certainty on challenges posed by ICT
development to E-banking in the region of the EAC, particularly Tanzania, whereby E-banking may
expose a customer to legal risks on the question of cyber-crimes and the related E-transactions
barrier to achieving E-commerce development. In Tanzania the laws do not address online
transactions or E-payment; therefore, they provide a loophole for the occurrence of cyber-crime due
to legal challenges imposed by ICT development in the country. Thus the present legal system
favours off-line transactions.
[10] (2008) Electronic Transactions and the Law of Evidence in Tanzania, pp. 5-12
[11] Director of Legal Services, Azania Bank Ltd., (2008) Legal Framework: Regulatory challenges for effective
E-Banking
[12] Mambi A. J., (2010) ICT Law Book: A Source Book for Information and Communication Technologies & Cyber
Law in Tanzania & East African Community; Publisher African Books Collective, pp. 120-132
Bwana, J.[13] has addressed the implementation brought by ICT development in E-banking in
Tanzania. The risks that customers of E-banking encounter are imposed by legal challenges in
ICT development, as a result of an inappropriate legal framework to address the associated
problems. The author addresses that the relationship that exists between banks and
customers in E-banking in Tanzania is purely on a contractual basis. However, the new features
that E-banking embarks on bring legal challenges that subject customers to security risks;
therefore, the need for a piece of legislation to govern this specific area of E-banking is
skyrocketing in the country.
The Basle Committee on Banking Supervision[14] addresses matters relating to E-banking and
E-money activities: the rights and obligations of customers in such transactions are not protected by
legal principles, which imposes legal challenges on the legality of the transactions involved in
E-banking. However, matters involving the application of some consumer protection rules to
E-banking and E-money activities in some countries are not clear, due to the lack of a piece of legislation
that specifically addresses the legal challenges posed by the ICT revolution in the banking sector. Legal risks
arise in the use of ICT development in banking business due to the lack of legislation, rules,
regulations, or prescribed practices which address the legal rights and obligations of parties to
a transaction, these not being well established under the legal system of the country concerned.
[13] Bwana (2003) pp. 1-10
[14] "Risk management for electronic banking and electronic money activities". Retrieved at 29th April, 2014 from
http://www.bis.org/publ/bcbs35.pgf
Mollel, A.[15] The author shows that electronic transactions are replacing the old and traditional
methods of transacting in all walks of life. However, the full-fledged application of ICT for
development in most of these countries is seriously hindered by the lack of a comprehensive legal and
regulatory framework for the subject. The author points out that these challenges revolve around
the integrity, authenticity and security of electronic records.
1.7.2 Foreign Literature
The foreign literature discusses in detail the concept of electronic banking. However, it does not
address the Tanzanian legal position, but it helps to develop some of the principles which can be
applied in Tanzania.
Lloyd, J.[16] addresses that E-banking facilitates the growth of E-commerce, because it
brings convenience to consumers of E-commerce through the use of EFT; the fact that they are able to pay
for products through E-banking enhances consumer confidence in E-commerce. In the UK there
is a piece of legislation which addresses the legal challenges brought by the development of ICT in the
banking business sector and also provides protection to consumers of E-banking, an
enacted piece of legislation known as the Consumer Credit Act.[17] The author addresses that a customer in
E-banking can be protected in those countries which offer legal protection through an enacted piece
of legislation protecting customers of E-banking.
However, the author does not address the legal challenges brought by ICT revolutions in EFT
across the border and the solutions to the problems in international trade.
[15] (1996), "The legal and regulatory framework for ICT in developing countries: Case study of ICT and the law of
evidence in Tanzania". Retrieved at 29th April, 2014 from http://cs.joensuu.fi/ipid2008/abstracts/Mollel
Andrew_ICT4D PAPER.pdf
[16] Lloyd, J. (2000) Information Technology Law, 5th Edn; USA: Oxford Press, pp. 506-507
[17] 1947
Schaechter, A.18 provides a general overview of issues in E-banking. He says that there are two other important sources of legal risk to consumers. First, there can be uncertainty about which legislation applies to E-banking transactions: the legislation of the jurisdiction in which the virtual bank is licensed or that of the jurisdiction in which the services are offered. This is especially true when E-banking has a cross-border nature, where different legislations might conflict with each other. Secondly, as a consequence of this, enforcement of certain emerging areas of law is also uncertain, for example laws related to E-contracts and digital signatures. This leads to violations of customer protection laws, including those on data collection and privacy, and regulations for soliciting could be important issues. In other words, the author is of the view that customers can only be protected clearly by a system of law.
Bainbridge, D. I.19 addresses the vulnerability of some computer systems to criminal activities and considers the computer as an unwitting accomplice. He notes that a computer system might be used to detect information which assists the criminal in the commission of crime. He also shows that the greatest threat of fraud comes from within an organization, and that employees are responsible for a great deal of ICT fraud or attempted ICT fraud, ranging from small amounts of money to very large sums indeed. The most important issues discussed as constituting the offence of ICT fraud under the UK Fraud Act20 include: dishonestly transferring funds electronically, phishing, using bogus websites to obtain personal details such as bank account details, spyware, and dishonest use of telecoms and information society
18 Schaechter, A. (2002). Issues in electronic banking: An overview. Retrieved at 29th April, 2014 from http://www.imf.org/external/pubs/ft/.../2002/pdf06.pdf
19 Bainbridge, D. I., (2008), Introduction to Information Technology Law, 6th Edn, Pearson Education Ltd, England p. 422
20 2006
CHAPTER TWO
AN OVERVIEW OF ELECTRONIC BANKING IN TANZANIA
2.1 Meaning of E-banking
E-banking has been defined by a number of authors, which indicates that there is no common agreement on its definition. Electronic banking, also known as electronic funds transfer (EFT), is simply the use of electronic means to transfer funds directly from one account to another, rather than by cheque or cash.21 The concept had initially been associated with the use of Automated Teller Machines across the globe; with the growth of technology and new inventions, electronic banking now caters for a number of forums used for purchase transactions or deposits as part of banks’ dealings, including the use of computer and electronic technology as a substitute for cheques and other paper transactions.
The Basel Committee22 defines e-banking as the provision of retail and small value banking products and services through electronic channels. Such products and services can include deposit-taking, lending, account management, the provision of financial advice, electronic bill payment, and the provision of other electronic payment products and services such as electronic money.
Some studies define electronic banking to mean 24-hour access to cash through an automated teller machine (ATM) or Direct Deposit of paychecks into checking or savings accounts.23 Electronic fund transfer (EFT) uses computer and electronic technology in place of checks and other paper transactions. EFTs are initiated through devices like cards or codes that let you, or those you authorize, access your account. Many financial institutions use ATM or debit cards and Personal Identification Numbers (PINs). Electronic banking can be described as an “umbrella” term; it is used interchangeably when people refer to one or more forms or components of e-banking such as virtual banking, on-line banking, cyber-banking, net banking, interactive-banking, web-banking, phone-banking, PC-banking, and remote electronic banking.24
21 Federal Commission for Consumers: Electronic Banking: retrieved on 13th May 2014 from www.ftc.gov/bcp/edu/pubs/consumer/credit/cre14
22 Basle Committee on Banking supervision
23 Federal Trade Commission Electronic Banking. Retrieved on 13th May 2014 from https://www.consumer.ftc.gov
The Bank of Tanzania25 equates e-banking with schemes of electronic payment. It defines electronic payment schemes as any electronic instrument, device or system used for the purposes of facilitating payment transfers through internet and/or wireless communication networks, and by use of service delivery products such as electronic cards, electronic payment transfer systems, mobile banking, internet banking, automated teller machines, points of sale terminals, payment switches and any other type of electronic payment transfer system.
From the above definitions, e-banking can be defined as the process by which a bank’s customers may access their accounts in order to perform banking transactions or obtain financial information using a variety of electronic distribution channels, the common ones being the Internet, telephones, mobile phones, points of sale, personal computers and ATMs, without visiting brick-and-mortar institutions. Electronic fund transfer can be used to: have your paycheck deposited directly into your bank or credit union checking account; withdraw money from your checking account from an ATM with a personal identification number (PIN), at your convenience, day or night; instruct your bank or credit union to automatically pay certain monthly bills from your account, such as your auto loan or your mortgage payment; have the bank or credit union transfer funds each month from your checking account to your mutual fund account; have your government social security benefits check or your tax refund deposited directly into your checking account; use a smart card with a prepaid amount of money embedded in it for use instead of cash at a pay phone, expressway road toll, or on college campuses at the library's photocopy machine or bookstores; and use your computer and personal finance software to coordinate your total personal financial management process, integrating data and activities related to your income, spending, saving, investing, recordkeeping, bill-paying and taxes, along with basic financial analysis and decision making.
24 http://www.aboulola.com/E-Banking.pdf
25 The Bank of Tanzania, “Electronic Payment Schemes and Products Guidelines,” May 2007
2.2 Forms of E-banking
E-banking exists in a variety of forms, which can be divided into various groups: consumer electronic banking, corporate electronic banking, interbank electronic banking products and plastic cards.
2.2.1 Consumer Electronic Banking
This includes Automated Teller Machines (ATMs), EFTPOS, Telephone, Mobile Banking, Internet Banking, and Home/Office Banking.
(a) Automated Teller Machine
An ATM may be considered a branch of a bank, as it performs some of the main banking functions. Large routine transactions are performed with minimal staff intervention. Further, the machine is designed to operate 24 hours. There are savings in staff costs and other overheads like rentals of branch premises. In addition to being cost effective, it is a prerequisite for staying in business. Banks have realized the benefit of entering into agreements to share each other’s ATMs, instead of competing with each other to capture the ATM market. The ATMs of the various banks are connected to a switch network which communicates with the banks’ host.26 Typical ATM services include the following: statement ordering, balance enquiries, cheque ordering, instructions for transfer between the cardholder’s accounts, and depositing cash and other payments. There are some services which are connected to ATMs by agreement between the bank and the service issuing company, for example energy recharge services (LUKU Services), 24 and phone recharge services using ATMs.
26 Aspect of electronic banking retrieved at 17th May, 2014 from www.ibbm.org.my/pdf/DP02%20Chapter%20on%20EFT.pdf
(b) Electronic Funds Transfer at Point of Sale (EFTPOS)
Electronic Fund Transfer at the Point of Sale is a payment method that enables a cardholder to pay for goods or services by using a debit card. The debit card is passed through a terminal that reads the details of the cardholder’s account imprinted on the card’s magnetic strip. The retailer then enters the amount to be paid and the cardholder confirms the transaction by entering his PIN. The retailer’s bank account is immediately credited with the amount and the cardholder’s account is debited by the same amount.27
(c) Mobile Banking
Mobile banking refers to the use of a smart phone or other cellular device to perform online banking tasks while away from your home computer, such as monitoring account balances, transferring funds between accounts, bill payment and locating an ATM. For example, in Tanzania there are several mobile phone companies such as Tigo, Zantel, Airtel and Vodacom that have introduced electronic fund transfers as a simplified banking system. Mobile payments give the financial services industry a huge opportunity to tap the market for the provision of convenient payment services. This is due to the fact that the mobile phone has the advantages of freedom, functionality, convenience and ease of use.28
27 Urio, A.M.A, Aspects of Banking & Micro Finance Law
28 Loudon, C.K. & Traver, G.K., op.cit., p. 313.
(d) Home Banking
Home banking is a service that enables a bank client to handle his accounts from a computer at a place selected in advance, at home or in the office. The main features of home banking systems are the high level of security, comfort, simplicity of use, openness of the system, wide communication possibilities, networking, definition of users and their rights, automated data transmission and the option to define a combined signature specimen.29 A home banking system usually consists of two parts: a bank computer program and a program in the client’s computer. The bank program works as a communication server. It receives calls from clients, verifies their identity, receives data from them, authenticates digital signatures, generates digital receipts and sends data to clients.30
(e) Internet Banking
Internet banking is conducted by completing bank transactions by directly accessing the bank through the Internet. Nowadays, Internet banking customers can access many different services online, which in effect keeps banks open even after office hours. Offline banking becomes online banking while physical banks are closed (outside office hours), so customers do not need to go to the banks or call them any more unless there is an issue that cannot be handled online.31
29 Chavanova. A form of electronic banking. Retrieved from www.nbs.sk/_img/Documents/BIATEC/BIA06_06/22_25pg 3
30 ibid
31 Retrieved from http://www.myclear.org.my/corporations/rentas/ at 17th May, 2014
2.2.2 Corporate E-banking
Corporate Electronic Banking (CEB) is a secure internet-based service that provides corporate clients with access to online banking.32 It provides the following services: speed in payment processing; access to critical account information for decision making; access to information such as daily exchange rates for several currencies including major trading currencies; access to reports of all transactions processed by clients through the platform; availability of audit trail information of all user activities; and processing of several payments in one bulk remittance transaction.
(a) Financial EDI
Electronic Data Interchange (EDI) is the process of exchanging information electronically. EDI enables companies to transmit routine business data such as invoices, product orders, and remittances electronically. The purpose of EDI is to speed up the flow of dollars and data.33 EDI is an electronic bridge between banks and customers. It carries detailed trading data alongside payment information. Traditional paper-intensive communication is no longer cost effective or efficient.
(b) Netting arrangement
Netting arrangements are an example of electronic data interchange. To illustrate, if Company A buys goods or services from Company B at a cost of RM1 million whereas B buys goods or services from A that cost RM2 million, then the net flow is RM1 million from B to A. In a netting arrangement, the parties involved make net settlements only at the end of the day – credits and debits are summarized for the day to generate a single ledger entry.34
32 http://www.ecobank.com/corporate.
33 Chavanova. A form of electronic banking. Retrieved from www.nbs.sk/_img/Documents/BIATEC/BIA06_06/22_25.pdpg 3
2.2.3 Interbank e-banking
Electronic funds transfers between banks are facilitated by two systems, RENTAS and SWIFT. The Real-time Electronic Transfer of Funds and Securities System (RENTAS) provides multi-currency real-time gross settlement of interbank fund transfers, multi-currency debt securities settlement, depository services for scripless debt securities, and MYR/USD Payment versus Payment (PvP) settlement via USD CHATS (Clearing House Automated Transfer System) for its members.35 The SWIFT network enables users to transmit international payments, statements and other transactions associated with international finance to fellow users. Created initially by banks for banks, the network is now available to approved categories of non-bank institutions, which currently include securities brokers and dealers, clearing and depository institutions and recognized exchanges for securities.
2.3 Advantages of e-banking
In traditional banking the customer has to visit the bank in person to perform various banking operations such as account enquiry, funds transfer and cash withdrawal. Nowadays, owing to the advancement of ICT in the banking sector, customers can perform various banking operations anywhere. E-banking therefore provides a number of advantages for both banks and customers. These advantages include, but are not limited to, the following:
34 Aspect of electronic banking retrieved at 17th May, 2014 from www.ibbm.org.my/pdf/DP02%20Chapter%20on%20EFT.pdf, pg 6
35 Retrieved from http://www.myclear.org.my/corporations/rentas/ at 17th May, 2014
E-banking offers customers more convenience than they could get from a traditional bank: a customer is not bound by ‘banker’s hours’. Time is not wasted when you have work to do, because you can do your office’s banking without leaving the office. No matter where you are or what time it is, you can easily manage your money.
Electronic banking reduces the workload on banks and enables banks to improve customer services, which has served as a relief to bankers in providing services to their customers. For example, in traditional banking a large staff is required to meet customers’ expected demands, but in electronic banking fewer bank tellers are needed, as transactions are carried out via mobile phones, the internet and ATMs.
E-banking helps banks to cut operating costs because they do not need human operators to keep the bank services functioning; all of this can be done through electronic media.
Internet banking is also environmentally friendly. Electronic transmissions require no paper, reduce vehicle traffic and are virtually pollution-free. They also eliminate the need for buildings and office equipment.36
One’s electronic banking account provides a way to view the cheques that one has written in a month. With this access it is easier to catch fraudulent activity in one’s account before much damage is caused to the funds in the account.
36 Koskosas I. The pros and cons of internet banking: a short review pg 7
2.4 Disadvantages of e-banking
Despite its benefits, e-banking, like any other thing in life, has its own drawbacks. One concerns the customer-banker relationship. Customary banking allows the creation of a personal touch between a bank and its clients. A personal touch with a bank manager, for example, can enable the manager to change terms on your account, since he/she has some discretion in case of any change in personal circumstances. This can include reversal of an undeserved service charge.37
A customer needs access to a computer connected to the internet, which signifies that access to a customer’s account is solely dependent on computer-based technology in the case of e-banking.38 It is subject to the dependability of other computers and web servers, which means that if these are faulty, a customer cannot have access to his/her account; it also means that a customer has to know how to use a computer before he/she can carry out a transaction.39
Customers are obliged to memorise their PIN and are required not to carry the PIN in the wallet or purse or to write it on the ATM card. Never write your PIN on the outside of a deposit slip, an envelope, or on a postcard. Take your ATM receipt after completing a transaction. Reconcile all ATM receipts with bank statements as soon as possible; this is due to the associated risks of e-banking. There is a group of people, consisting of illiterate and older people, who do not want to follow the technological trend and do not want to learn how to make use of it. They would prefer the traditional way of banking.40
37 http://bankingandsavings.com
38 See a discussion forum at http://www.answerbag.com/g_view/369986.
39 See also Emilian, P., op.cit., p. 3.
40 See Khan, S., op.cit., p.80.
Another drawback is that governmental policies that guide e-banking operations across international borders are not efficient.41 Another disadvantage is that electronic banking carries with it a number of risks, which are examined in this work. The use of e-banking poses legal challenges that threaten the growth of its use and of the number of customers. E-fraud: the use of e-banking technologies raises the main legal issue, which revolves around the applicability of the paper-based criminal law to punish offenders who use electronic payment systems to steal customers’ money from their accounts.42 An even more controversial legal issue in relation to fraud in e-banking, according to White,43 is how the losses arising from flaws in electronic payment systems would be distributed between a consumer and a financial institution. Another issue, in the event of a dispute, is how a consumer will prove that he or she did not authorize a certain fraudulent transaction.44 The burden of proof seems to be on the one who avers.
2.5 Banker customer relationship
The relationship of banker and customer is at the very core of banking law. It is through this relationship that banking business is achieved. The researchers are interested here in exploring three main issues: (a) when or how this relationship arises, (b) the nature of the relationship, and (c) the duties and rights of each party thereto.
41 See Sulla, E., op.cit., p. 43.
42 Lukumay, Z. (2012), Electronic banking; its legal Basis in Tanzania. LAP LAMBERT Academic Publishing GmbH & Co KG, Germany p.36
43 See White P.F., op.cit., p. 28.
44 Ibid
2.5.1 Who is a Banker?
According to the case of United Dominions Trust Ltd vs. Kirkwood,45 a bank is defined as an organization which accepts money from, and maintains and honours cheques for, customers and maintains current accounts or accounts of a similar nature.
The Bank of Tanzania Act46 and the Banking and Financial Institutions Act47 both define the term “bank”. The term bank is defined under section 3 of the Bank of Tanzania Act as an entity that is engaged in banking business.48 The definition is not static, as it will always depend on current practice. The organization should have acquired the reputation of being a bank within the financial community.
2.5.2 Who is a Customer?
In the ordinary course of business a customer is anyone who makes contact with the business in question. This is not the case in banking law, where the term customer is given a qualified meaning. A customer may be a person who has entered into a contract with a bank for a current account to be opened in his name.49 There are two qualifications of a customer in the context of banking law. The first revolves around the question of the existence of an account. In the case of Ladbroke & Co. vs. Todd,50 it was held that a person becomes a customer of a bank when he goes to the bank with money or a cheque and the bank accepts the money or cheque and is prepared to open an account in the name of that person.
45 (1966) 2 QB 431; 2 W.L.R 1083; 1 All ER 968.
46 Act No. 4 of 2006
47 Act No. 5 of 2006
48 Banking business is defined under the Act as “The business for receiving funds from the general public through the acceptance of deposits payable upon demand or after a fixed period or after notice, or any similar operation through the frequent sale or placement of bonds, certificates, notes or other securities, and to use such funds, in whole or in part, for loans or investments for the account of and the risk of the person doing such business.”
49 Urio, A.M.A, Aspects of Banking & Micro Finance Law, p.3
50 (1914) 19 Comm. Cas. 256; 111 L.T. 43
The second concerns the provision of advisory services by the bank to the person in question. A person who receives professional advice from a bank, for example on investment and financial matters, is also regarded as a customer for banking purposes, and a bank can be sued for professional negligence if it provides prejudicial advice. In the case of Woods vs. Martins Bank and Another,51 it was held that a bank which gave investment advice to someone who did not have an account had the same contractual duty of care as if that person had held an account with the bank. It will be seen that whether a person becomes a customer of a bank or not depends on the nature of the transaction involved and also on whether the relationship is contractual. It is also important to note that the term customer signifies a relationship in which duration is not of the essence.
2.5.3 Nature of Legal Relationship between Banker and Customer.
During the last century since the Joachimson case, the judges have more and more tended to turn
to the general principles of contract law for the solution of the banking problems that come
before them. The result is that a large part of the banker-customer relationship rests on the
foundation of contract law principles, and the nature of the relationship thereof may therefore be
described as one of contract.
2.5.4 Duties and Rights.
The following are the duties of the bank to its customers:
(a) To receive the customer’s cash and cheques and other instruments for collection.
(b) To give reasonable notice before closing a credit account.
(c) To honour the words of its authorised officials.
(d) To pay the customer’s cheques, or allow him to withdraw cash to the extent of his balance on receipt of a proper written authority during banking hours at the account holding branch, or at another bank or branch subject to suitable arrangements.
51 (1956) 1 QB 53
Once a customer is assured that a cheque deposited by him is cleared, he has no more duties. Drawings by him are regarded as in accordance with the law. In the case of the National Bank of Commerce v. Saidi Ally Yakut52 it was observed that a collecting bank owes a duty of care to its customers in that it should conduct its activities with care and circumspection. The court held that there was a need for banks to display vigilance when handling their customers’ financial matters.
In this case, a customer was allowed to withdraw money from his account on the strength of the word of the bank manager that his bank account had been cleared. It has also been held that, as a general rule, a collecting bank is bound to use reasonable skill, care and diligence in presenting and securing payment of cheques entrusted to it for collection and placing the proceeds to the customer’s account, and in taking such other steps as may be proper to secure the customer’s interests.
Should the banker represent to the customer, either expressly or by conduct, that he might treat the money as his own, or negligently fail to discharge his duty to the customer, so as to cause him to change his position and act to his detriment, the banker will not be permitted to recover money paid under a mistake.53
52 (1989) T.L.R. 199 (HC)
(e) To inform the customer if his signature has been forged on a cheque or other instruments.
(f) To issue bank statements to its customers.
(g) To exercise a duty of reasonable skill and care in carrying out its customer’s instructions. The bank must not pay cheques which the bank knows, or should know, are drawn for an illegal purpose. If the bank pays such cheques it will be liable to refund the money, as such a payment is a breach of trust.
(h) To exercise a duty of secrecy regarding the customer’s affairs (not to divulge information). The bank has a duty of secrecy, for example not to divulge information to third parties regarding the account of the customer. The case of Tournier v. National Provincial and Union Bank of England54 rules that the bank must maintain the duty of secrecy regarding the customer’s account. The case however sets out exceptions in which the bank may be ordered to disclose information about its customer’s account. They include:
(i) Where the bank is compelled by law to divulge information (by law or by court),
(ii) Where there is a public duty of disclosure. This applies in cases of commission of serious crimes, large scale fraud, drug trafficking, terrorism or money laundering,
(iii) If the bank sues, it must state the amount owing by the customer; and
(iv) Where there is authority of the customer to disclose.
53 Silayo v. CRDB (1996) Ltd [2002] I EA 288 (CAT)
54 (1924) 1 KB 461
2.5.5 Duties of Customers to the bank.
The customer has several duties to the bank, namely:55
(a) To exercise reasonable care in drawing cheques or other mandates so as not to mislead the banker or to facilitate fraud.
(b) To advise the bank immediately when his cheque book is stolen.
(c) To advise the bank immediately if he discovers that his signature has been forged on the cheque. Forgery was discussed in the case of Greenwood v. Martins Bank56 and, in Tanzania, in Abercrombie and Kent (T) Ltd v. Stanbic Bank Ltd,57 where the court held that a banker who encashes a cheque forged by a customer’s employee is liable to the customer for having paid without authority or instruction, in the same way as the banker becomes liable where, though the signatures are proper, a person other than the payee is paid instead. In both situations there is no authority to pay, and the banker can only succeed where it is shown that the customer, in the course of making the cheque, left out the figures, which facilitated the forgery.
(d) To pay reasonable charges for the work involved in handling the account, and to pay charges set out in the agreement, such as those for an ATM card.
(e) To repay an overdraft on demand. In the case of Williams and Glyn’s Bank Ltd v. Barnes,58 it was held that when money is lent on overdraft by the bank, and there is no agreed date for repayment and no special terms which could imply that repayment is not due on demand, then the overdraft is repayable on demand.
55 Urio Alphonce, M. A., et al, (2011); Aspects of Banking and Micro Finance Law, 1st Edn, Moshi Tanzania at p.7
56 (1932) 1 K.B 371 at p. 381
57 [1995-1998] 2 EA 1
58 (1981) Unreported.
2.6 The risks associated with e-banking.
The growth of electronic banking has created a new basis with regard to the degree of exposure to risk, and consequently the need not only for a differentiated regulatory framework but also for monitoring mechanisms to be formed. These risks include:
2.6.1 Operational risk
Operations risk arises from fraud, processing errors, system disruptions, or other unanticipated events resulting in the institution’s inability to deliver products or services. This risk exists in each product and service offered. The level of transaction risk is affected by the structure of the institution’s processing environment, including the types of services offered and the complexity of the processes and supporting technology.59
In most instances, e-banking activities will increase the complexity of the institution’s activities and the quantity of its operations risk, especially if the institution is offering innovative services that have not been standardized. Since customers expect e-banking services to be available 24 hours a day, 7 days a week, financial institutions should ensure their e-banking infrastructures contain sufficient capacity and redundancy to ensure reliable service availability.60
2.6.2 Security risk
Security risk arises on account of unauthorized access to a bank’s critical information stores such as the accounting system, risk management system, portfolio management system, and others. A breach of security could result in direct financial loss to the bank. For example, hackers operating via the Internet could access, retrieve and use confidential customer information and could also implant viruses.61 This may result in loss of data, theft of or tampering with customer information, the disabling of a significant portion of the bank’s internal computer system, thus denying service, and the cost of repair. Other related risks are loss of reputation and infringement of customers’ privacy with its legal implications. Thus, access control is of paramount importance. Controlling access to banks’ systems has become more complex in the Internet environment, which is a public domain, and attempts at unauthorized access could emanate from any source and from anywhere in the world, with or without criminal intent.62 Attackers could be hackers, unscrupulous vendors, disgruntled employees or even pure thrill seekers.
59 Ibid, P. 165
60 Ibid, P. 165
In addition to external attacks, banks are exposed to security risk from internal sources, for example employee fraud. Employees, being familiar with different systems and their weaknesses, become potential security threats in a loosely controlled environment. They can manage to acquire the authentication data in order to access customer accounts, causing losses to the bank.63
Unless specifically protected, all data or information transferred over the Internet can be monitored or read by unauthorized persons. There are programs such as ‘sniffers’ which can be set up at web servers or other critical locations to collect data like account numbers, passwords, and account and credit card numbers. Data privacy and confidentiality issues are relevant even when data is not being transferred over the net.64
61 Virender S., Solanki, (2012), International Journal of Marketing, Financial Services & Management Research, Vol.1 Issue 9, September 2012, at 11th July, 2014 from http://indianresearchjournals.com/pdf/IJMFSMR/2012/September/13.pdf P. 167
62 Ibid
63 Ibid
64 Ibid
The identity of the person making a request for a service or a transaction as a customer is crucial to the legal validity of a transaction and is a source of risk to a bank. A computer connected to the Internet is identified by its IP (Internet Protocol) address. There are methods available to make one computer masquerade as another, commonly known as IP spoofing. Likewise, user identity can be misrepresented. Hence, authentication control is an essential security step in any e-banking system.65
2.6.3 Legal/Compliance Risk
Legal risk is the risk of non-compliance with legal or regulatory requirements. Legal risks are
directly related to electronic banking and they increase as its use is extended. Legal risk
is related to the protection of customers' personal data. Misuse by bank personnel or
by malicious external intruders can expose a bank to serious legal risks.66
It is possible that intruders acquire access to the databases of banks and use the data of
customers in order to commit fraud. In this case a legal risk is created by the bad or
unauthorized use of customers' data. The legal risks to which financial institutions will be
exposed from the use of electronic banking are expected to increase because of the uncertainty
that characterizes the wider legal framework and the specific legal regulation of transactions
through an open electronic network such as the internet.67
The uncertainty with regard to the validity of transactions, the protection of personal data, the
involuntary exposure of consumers to foreign jurisdiction, tax evasion, the laundering of
money, electronic fraud and also the legal responsibility in case a system collapses, increase
the exposure to legal and regulatory risks.68
65 Virender S., Solanki, (2012), International Journal of Marketing, Financial Services & Management Research,
Vol.1 Issue 9, September 2012, retrieved on 11th July, 2014 from
http://indianresearchjournals.com/pdf/IJMFSMR/2012/September/13.pdf P. 167
66 Ibid, P. 169
67 Ibid, P. 169
Within the European Union, a regulatory framework has been developed that is concerned with
questions such as electronic (digital) signatures and the distance provision of financial services,
as well as the Directive on electronic commerce.69
68 Virender S., Solanki, (2012), International Journal of Marketing, Financial Services & Management Research,
Vol.1 Issue 9, September 2012, retrieved on 11th July, 2014 from
http://indianresearchjournals.com/pdf/IJMFSMR/2012/September/13.pdf P. 167
69 Ibid, p. 170
CHAPTER THREE:
DATA PROTECTION IN ELECTRONIC BANKING
3.0 Introduction
The issue of data protection on the Internet raises new international legal challenges. With the
development of e-commerce, an increased need developed to exchange personal information.
Personal data is used by corporations to make decisions, expand services and market new
products. Personal data is collected when one subscribes to a website, registers for Internet
banking or purchases a product.70
In electronic banking, personal information is normally kept by banks using databases, which are
centralized collections of data for use by business applications. Customers' information kept in
these databases should be properly managed and kept secure against unauthorized modification,
destruction, or disclosure of sensitive information leading to possible financial losses. It is
imperative that banks maintain the integrity of customers' transactions in view of the fact
that information held by banks about their customers and their transactions can change hands
several times. The use of open communication channels like the Internet makes
it impossible for banks to retain information solely within their own computer networks, let
alone a single jurisdiction.
3.1 Data protection
Personal data is defined as any information relating to an individual, whether it relates to his/her
private, professional or public life. It can be anything from a name, a photo, an email address,
bank details, individual posts on social networking websites, medical information, or a computer's
IP address. Data protection uses techniques such as file locking and record locking, database
shadowing, and disk mirroring, to ensure the availability, confidentiality and integrity of the
data.71
70 Retrieved from http://www.dekock.co.za/data-protection-in-south-africa/ on 14th July, 2014
There are six basic essential ingredients that must be protected in matters of personal data in
e-banking. These include:
1. NOTICE: An individual has the right to know that the collection of personal data will exist.
The personal data must be "collected for specified, explicit and legitimate purposes and not
further processed in a way incompatible with those purposes".72
2. CHOICE: An individual has the right to choose not to have the personal data collected.
3. USE: An individual has the right to know how personal data will be used and to restrict its
use. Personal data may only be used for "legitimate processing" as described by the Directive
details.
4. SECURITY: An individual has the right to know the extent to which the personal data will be
protected. Organizations must "implement appropriate technical and organizational measures to
protect personal data". The measures must be "appropriate to the risks represented by the
processing and the nature of the data to be protected."
5. CORRECTION: An individual has the right to challenge the accuracy of the data and to
provide corrected information. Personal data collected and maintained by organizations must be up
to date, and reasonable steps must be taken to ensure that inaccurate or incomplete data is corrected.
6. ENFORCEMENT: An individual has the right to seek legal relief through appropriate
channels to protect privacy.
71 http://www.businessdictionary.com/definition/data-protection.html#ixzz2fPvqw77I - retrieved on 14th July 2014.
72 European Union (EU) Data Protection Directive of 1995 Frequently Asked Questions, Rebecca Herold; the article
was published in the Computer Security Institute (www.gocsi.com) May 2002 issue of the Alert newsletter.
Retrieved on 11th July, 2013.
3.1.1 Data traceability glossary73
Identifiable data: data including information in patient records such as names, addresses, dates
of birth. There are also aspects of health data that could become identifiable when they relate to a
diagnosis of a rare disease or when combined with other data. Identifiable data are needed when
future contact is established with the participant, for example to contact them to take part in a
study, or to link information across different data sets.
Pseudonymised (or key-coded) data: these cannot directly identify an individual, but are
provided with an identifier that enables the patients' identity to be re-connected to the data by
reference to separate databases containing the identifiers and identifiable data. Pseudonymised
data can often – but not always - be used in place of identifiable data.
Anonymised data: these data cannot be connected to the original patient record. Anonymised
data are suitable when no contact is needed with the participant or where the data do not need to
be linked to any other data sources.
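The three categories in the glossary above can be illustrated with a short sketch, added here as an example and not part of the original paper or of the FEAM statement. It applies the distinction to constructed bank customer records; the field names, the keyed-hash pseudonym and the balance banding are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample records (identifiable data); not real customers.
CUSTOMERS = [
    {"name": "Asha Example", "account": "0150-000111", "dob": "1984-03-12", "balance": 1250000},
    {"name": "Juma Sample", "account": "0150-000222", "dob": "1991-11-30", "balance": 84000},
]

# Fields that identify a person directly (assumed for this example).
DIRECT_IDENTIFIERS = ("name", "account", "dob")


def pseudonymise(records, secret_key):
    """Key-code the records and return (coded_records, key_table).

    coded_records carry a pseudonym in place of the direct identifiers.
    key_table maps pseudonym -> identifiable data; it is the "separate
    database" of the glossary and must be stored apart from coded_records,
    under stricter access control.
    """
    coded, key_table = [], {}
    for rec in records:
        # Keyed hash: without secret_key the pseudonym cannot be recomputed
        # by hashing guessed account numbers.
        digest = hmac.new(secret_key, rec["account"].encode(), hashlib.sha256)
        pid = digest.hexdigest()[:16]
        key_table[pid] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        coded.append({"pid": pid, "balance": rec["balance"]})
    return coded, key_table


def reidentify(coded_record, key_table):
    """Re-connect a coded record to the person; requires the key table."""
    return key_table[coded_record["pid"]]


def anonymise(records, band=1_000_000):
    """Drop every identifier and keep no key, so no link back exists.

    Balances are coarsened into bands so that an unusual exact value does
    not single a person out when combined with other data.
    """
    return [{"balance_band": (rec["balance"] // band) * band} for rec in records]


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: a managed secret in practice
    coded, table = pseudonymise(CUSTOMERS, key)
    print("pseudonymised:", coded)
    print("re-identified:", reidentify(coded[0], table)["name"])
    print("anonymised:", anonymise(CUSTOMERS))
```

Whoever holds only the coded records cannot name a customer; whoever holds both the coded records and the key table can, which is why the two are kept apart.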
3.2 Principle of data protection
Data protection has general principles. These General Principles ought to define expectations and
responsibilities for data subjects and regulators.74 These include:
1. Legitimacy, which defines when personal data processing is acceptable (accessibility).
2. Purpose restriction, ensuring that personal data is only processed for the purposes for
which it was collected, barring further consent from the data subject. A person is required to be
clear in relation to the purposes for which personal data are held in order to ensure that the data
are processed in a way that is compatible with the original purpose. For example, a doctor
discloses his patient list to his uncle, who owns a tourist company which offers special
holiday deals to patients needing healing. Disclosing the information for this purpose would be
irreconcilable with the purposes for which it was obtained.
73 FEAM Statement on the Data Protection Regulation, June 2012
74 Neil Robinson et al (2009), Review of the European Data Protection Directive, RAND Corporation. Pp.50.
3. Security and confidentiality, specifically by requiring the data controller to take appropriate
technical and organizational measures. This means suitable security to avoid personal data being
unintentionally or deliberately compromised. It is necessary to design and organise the
protection to suit the nature of the personal data held and the harm that may result
from a security breach. It is also worthwhile to be clear about who guarantees information
security, and to have the right physical and technical security and reliable personnel prepared
to act in response to any breach of security quickly and successfully.
4. Adequate, relevant and not excessive. Data taken must not exceed the purpose of the
transfer. It is necessary to take reasonable steps to ensure the accuracy of any personal data
obtained; to ensure that the source of any personal data is clear; to carefully consider any
challenges to the accuracy of information; and to consider whether it is necessary to update the
information. For example, a journalist builds up a profile of a particular public figure. This
includes information derived from rumours circulating on the internet that the individual was once
arrested on suspicion of dangerous driving. If the journalist records that the individual was
arrested, without qualifying this, he or she is asserting this as an accurate fact. However, if it
is clear that the journalist is recording rumours, the record is accurate – the journalist is not
asserting that the individual was arrested for this offence.75
75 Information Commissioner's Office, The Guide to Data Protection, retrieved from
www.ico.org.uk/.../Data_Protection/.../The_Guideto_Data_Protection...- on ept 2013.
5. Transparency, ensuring that appropriate levels of transparency are provided to data subjects.
6. Data subject participation, ensuring that data subjects can exercise their rights effectively
(the right to retain information), such as to review the length of time personal data are kept; to
consider the purpose of holding the information in deciding whether (and for how long) to retain
it; to securely delete information that is no longer needed for this purpose; and to update,
archive or securely delete information if it goes out of date. For example, images from a CCTV
system installed to prevent fraud at an ATM machine may need to be retained for several weeks,
since a suspicious transaction may not come to light until the victim gets their bank statement.
7. Accountability, so that those processing personal data are held accountable for their
actions according to the Outcomes.
8. Authorization of data transfer and protection, that is, transfer with the consent of the owner,
or of a recognized legal authority if necessary. This transfer of information is not the same as
the transit of information through a country. This principle is only relevant if the
information moves to a country, rather than merely passing through it en route to its destination.
3.3 A comparative assessment of e-banking data protection; Tanzania and other jurisdiction
3.3.1 Legal aspect of e-banking data protection in Tanzania
Protection of public data and private data is most important. It permits individuals to decide the
manner and extent to which information concerning them should be shared with others. While
ICT has stormed Tanzania and citizens are deploying ICT in everyday life, the framework for
privacy protection in these emerging technologies is not known, but this does not mean that the
right to privacy is not recognized in Tanzania.
The Constitution of the United Republic of Tanzania76 contains a provision relating to
data protection. Article 16(1) of the Constitution states, inter alia, that every person is
entitled to respect and protection of his person, the privacy of his own
person, his family and of his matrimonial life and respect and protection of his residence and
private communications. Article 16(2) further cements the need to enact law that
protects and guarantees the right to privacy: for the purpose of preserving the person's right in
accordance with this article, the state authority shall lay down legal procedures regarding the
circumstances, manner and extent to which the right to privacy…may be encroached upon
without prejudice to the provisions of this article.
The Electronic and Postal Communication Act77 also provides for a duty of confidentiality: an
employee or any member of staff must keep the licensee's information confidential and
should not disclose the information to the public or to any other person, unless there is an
order of the court to do so for security purposes or the information is needed by the court as
evidence. It further states that "no person shall disclose the content of information of any
customer received in accordance with the provisions of this Act, except where such person is
authorized by any other written law".78
The Act further provides that any person who secures unauthorized access to a computer or
intentionally or knowingly causes loss or damage to the public or any person, or destroys,
deletes or alters any information in the computer resources or diminishes its value or utility or
affects it injuriously by any means, commits an offence and on conviction shall be liable to a fine
not less than five hundred thousand Tanzanian shillings or to imprisonment for a term not
exceeding three months or to both.
76 The constitution of the United Republic of Tanzania of 1977 (as amended time to time)
77 Section 98 of the Electronic and Postal Communication Act 2010
78 Section 98(2) of the Electronic and Postal Communication Act 2010
The Banking and Financial Institutions Act79 provides for fidelity and secrecy regarding customers'
financial information. Section 48 of the Act80 provides, inter alia, that every bank or financial
institution shall observe, except as otherwise required by law, the practices and usages
customary among bankers, and in particular, shall not divulge any information relating to its
customers.
Further, the amendment of the Evidence Act,81 the National Science and Technology Policy,82 the
Tanzania Development Vision (2025)83 and the bills drafted by the Law Reform Commission are
initiatives of the government of Tanzania to address data protection in line with ICT.
The Cyber Law Reforms Commission in Tanzania aims at addressing:
(a) Restricting further opportunities for e-crimes,
(b) Establishing a legal framework aligned with Tanzania Constitution provisions and the
legislative and regulatory environment, and consistent with regional and global best practices,
(c) Ensuring that Tanzania does not become a haven of cyber-crime.
The amendment of the Evidence Act recognizes electronic evidence.
79 Banking and Financial Institution Act
80 ibid
81 Written Laws Miscellaneous Amendment Act, No. 15 of 2007
82 Of 1996
83 Of 1998
3.3.2 Judicial approach toward electronic banking data protection in Tanzania
There have been few attempts to address the issues of e-banking. One can be seen in the
case of Trust Bank Tanzania Limited v. Le Marsh84 in which the definition of a bankers' book
was extended to include computer generated evidence in the form of print-outs. The Judge
correctly noted that "the law must keep abreast of technological changes as they affect the way
of doing business."
The leading case in Tanzania to extend the definition in a paper-based statute to cover
printed electronic records is the Trust Bank Tanzania Ltd case.85 In this case Nsekela J.86 (as he
then was), adopting the views of the English Judge in the Barker's case,280 extended the definition
of bank records to include computer print-outs. He noted further that "the law must keep abreast of
technological changes as they affect the way of doing business". On the role of the courts,
Nsekela J. was of the view that "the court should not be ignorant of modern business methods
and shut its eyes to the mysteries of the computer…."
National Bank of Commerce v. Milo Construction Co. Ltd and two others87 was a
case involving a claim for recovery of an amount of money alleged to have arisen out of an
overdraft facility; it was alleged that the plaintiff defaulted repayment of the said facility. Two
statements were tendered in court. One was processed by the easy bank computer program and the
other was processed by the inflexible banking computer program. The court found discrepancies
between the two statements as some entries were not reflected in one of the statements. The
Plaintiff did not adduce sufficient explanation of the discrepancies. The court therefore found
that the plaintiff had failed to prove the exact amount the first Defendant borrowed from the
Plaintiff.
84 Commercial Civil Case No. 4 of 2000 (Unreported).
85 Supra note 168, p.13
86 Justice Nsekela is currently a judge of the Court of Appeal of Tanzania
87 Commercial Case No. 293 of 2002 (Unreported)
The analysis of this case reveals that the Plaintiff had bank-produced statements generated by
two different computer programs. The later program did not have features similar to the earlier
one. Unfortunately, the Bank failed to lead expert evidence to clear the discrepancies noted. The
court was therefore justified in rejecting the claim in absence of sufficient explanations regarding
the operation of the two computer programs. One would expect the bank to make use of the
software programmers who created the two computer programs. Perhaps it is an opportune
moment for the courts to make use of forensic experts, who would assist it in analyzing
computer-related evidence.
Though data protection is recognized in our laws, it is uncertain under the existing laws
whether the same protection is accorded to customers transacting banking business in electronic
form. There is no specific provision relating to data protection in e-banking.
3.3.3 Legal barrier of e-banking data protection in Tanzania
Legal barriers in electronic banking in Tanzania are a result of the unsupportive nature of the
current legal framework. It is stated that in Tanzania there is no law which deals directly with
electronic banking data protection for customers.88
It is provided that the laws which regulate banking in Tanzania do not accommodate online
transactions or payment in cyberspace; rather, they accommodate off-line transactions only. The
reason is that the laws embrace the traditional mandatory requirements of writing and
manuscript signature, which do not cater for e-banking at all.
88 Mweteni (2011) p 45
It is demonstrated that the Banking and Financial Institution Act89 under section 5 has features
that do not recognize online application for a licence, due to the mandatory requirement that
applications must be in writing and signed manually, as opposed to data messages and digital
signatures.90
This proves the fact that this law is concerned with paper based transactions only. In fact this
law was enacted during the era of e-banking, in 2006, but it appears that this law is aimed at
regulating paper based banking business. It is evident that the definitions of key words and
phrases in this statute include terms like "bank", "entity" and "financial institution"; on the
contrary, "e-banking" is not even mentioned in this law.91 Actually,
the Act only regulates cash and cheque payment systems operated in a paper based form in a
physical branch of a bank.92
The fact that this statute makes no reference to e-banking and e-banking data protection casts
doubt on whether the current legal framework governing banking business addresses the legal issues
posed by e-banking, and therefore proves that this law does not afford legal protection of
e-banking data to customers of e-banking.
In Tanzania, even the Bills of Exchange Act93 puts mandatory requirements of writing and
signature for an instrument to be accepted as a bill of exchange order.94 Therefore it also does
not provide for e-banking data protection in Tanzania. The Bill of Exchange is defined as,
"An unconditional order in writing, addressed by one person to another, signed by the
person giving it…."
89 Act No. 5/2006
90 Mambi (2010) pp 128-130
91 Banking and Financial Institution Act No. 5/2006
92 As per section 5 of the Banking and Financial Institutions Act, 2006 (Act No. 5)
93 1999
94 Sections 3(2), 23 and 32(1) of the Bill of Exchange Act, 1999
An endorsement in order to be a negotiation must comply with the following conditions, namely-
(a) it must be written on the bill itself and be signed by the endorser and the simple signature of
the endorser on the bill, without additional words, is sufficient. Therefore, the Act covers bills
of exchange in document form only; thus e-signature as a form of data in e-banking is not covered,
hence customers of e-banking are not protected in the aspects of data.95
3.3.4 Solution regarding E-banking Data Protection in Tanzania
A bank's liability would arise out of the contract, as there is no statute on the point of
e-banking; thus the Law of Contract Act96 will govern breach of a contractual term. When liability
is contractual it means that the bank is, by virtue of the contract, under obligation to keep
customers' data secret. If transactions are being done on an open network such as the internet
then, in case of a security breach, an ISP may be liable in addition to the bank. The viability of
sectoral legislation on data protection in e-banking should be gauged. Tanzania can take a cue from
nations which have favored ad hoc enactment of sectoral laws over omnibus legislation.
3.3.5 Position of Electronic Banking data protection in India
In the Indian context the right to privacy is a constitutional right, and online privacy protection
is provided in the Information Technology Act, 200897 as well as in other scattered statutes like
SEBI's regulation for privacy protection through companies and RBI's Guidelines to protect online
privacy in the electronic banking system.
95 CYBER LAWS WORKSHOP FOR EAC, 24-28 April 2006, Kampala. The Status of Cyber Laws in Tanzania by
ADAM MAMBI. Retrieved on 11th July, 2014 from
http://www.tanzaniagateway.org/docs/EAC_CyberlawStatusinTanzania_Mambi.ppt
96 Cap 345 RE 2002
97 Information Technology Act, 2008
Under the Information Technology Act, 2008 there are provisions such as Section 43, which
provides for penalty and compensation for damage to a computer or computer system. Section 43-A
provides, inter alia, that where a body corporate, possessing, dealing or handling any sensitive
personal data or information in a computer resource which it owns, controls or operates, is
negligent in implementing and maintaining reasonable security practices and procedures and
thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable
to pay damages by way of compensation, not exceeding five crore rupees, to the person so
affected; generally, it provides compensation for failure to protect data. Section 44 provides a
penalty for failure to furnish information, return. Section 66-E provides punishment for violation
of privacy; it states, inter alia, that whoever, intentionally or knowingly captures, publishes or
transmits the image of a private area of any person without his or her consent, under circumstances
violating the privacy of that person, shall be punished with imprisonment which may extend to three
years or with fine not exceeding two lakh rupees, or with both. Sections 67, 67A, 67B and some other
sections directly and indirectly promote protection of data and privacy in electronic
transactions.
3.3.6 Position of Electronic banking data protection in UK
In the UK, failure to undertake identification of new customers properly can create an array of
risks for the bank. Under the Data Protection Act,98 an erring bank may face an action for damages
if it fails to "maintain adequate security precautions in respect of the data". Essentially, a
legal duty is imposed upon the banks to use reasonable care and skill in disseminating information
to persons who access the bank's networks either on the internet or through an ATM card.
98 1998
A similar wording is found under the UK Computer Misuse Act of 1990.99 It provides under
section (1): A person is guilty of an offence if
(a) he causes a computer to perform any function with intent to secure access to any
program or data held in any computer, or to enable any such access to be secured; (b) the
access he intends to secure, or to enable to be secured, is unauthorized; and (c) he knows
at the time when he causes the computer to perform the function that that is the case.
(2) The intent a person has to have to commit an offence under this section need not be
directed at any particular program or data; a program or data of any particular kind; or a
program or data held in any particular computer.
(3) A person guilty of an offence under this section shall be liable (a) on summary conviction
in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine
not exceeding the statutory maximum or to both; (b) on summary conviction in Scotland,
to imprisonment for a term not exceeding six months or to a fine not exceeding the
statutory maximum or to both; (c) on conviction on indictment, to imprisonment for a
term not exceeding ten years or to a fine or to both.100
99 This piece of legislation can be accessed at http://www.legislation.gov.uk/ukpga/1990/18/section/3.
100 See also similar wording in the Computer Misuse Act of Singapore, retrieved from
http://unpan1.un.org/intradoc/groups/public/documents/apcity/unpan002107 on 11th July 2014
Failure of the bank to undertake identification of new customers properly can create an array of
risks for the bank. Under the Data Protection Act,101 an erring bank may face an action for
damages if it fails to "maintain adequate security precautions in respect of the data." Essentially,
a legal duty is thrust upon the banks to use reasonable care and skill in disseminating information
to persons who access the bank's networks either on the internet or through an ATM card.
This position of the law was once given judicial interpretation where the views of the Judge were
well applied to the Act. This was in the English case of Barker v. Wilson,102 where it was stated
that "The Bankers' Books Evidence Act103 was enacted with the practice of bankers in 1879 in mind.
It must be construed in 1980 in relation to the practice of bankers, as we now understand it. So
construing the definition of "bankers' books" and the phrase "an entry in a banker's book", it
seems to me that clearly both phrases are apt to include any form of permanent record kept by the
bank of transactions relating to the bank's business made by any of the methods which modern
technology makes available…"
The case initiated a revolutionary move in English evidence practice where, for the first time,
the court recognized the changes brought about by information and communication technologies
(modern technologies) in proving bankers' books on data protection.
3.3.7 Relevance of Model Laws in Electronic Banking
Articles 6, 7, 8 and 9 of the UNCITRAL Model Law and the Commonwealth Model Law
provide for functional equivalence; thus, where the law requires a signature of a person, that
requirement is met in relation to a data message if an electronic signature is used that is as
reliable as was appropriate for the purpose for which the data message was generated or
communicated, in light of all the circumstances, including any relevant agreement. It is believed
that these Model Laws will assist states in reforming and enhancing their legislation that is based
on paper methods and in coming up with uniform laws that allow the use of alternatives to paper
based methods of transactions, communication and storage of information at national and
international level.104
101 Of 1998
102 [1980] 2 All E.R. 80 at page 82
103 1879 [of England]
The leading piece of legislation at the international level is the UNCITRAL Model Law on
Electronic Signatures. Article 6(1) of the Model Law provides that "where the law
requires a signature of a person, that requirement is met in relation to a data message if an
electronic signature is used that is as reliable as was appropriate for the purpose for which the
data message was generated or communicated, in the light of all the circumstances, including any
relevant agreement."105
The Model Law defines electronic signatures as "data in electronic form in, affixed to or logically
associated with, a data message, which may be used to identify the signatory in relation to the
data message and to indicate the signatory's approval of the information contained in the data
message."106 The Model Law defines "certificate" as "a data message or other record confirming
the link between a signatory and signature creation data".107 The data message is defined as
"information generated, sent, received or stored by electronic, optical or similar means including,
but not limited to, electronic data interchange (EDI), electronic mail, telegram, telex or
telecopy".108
104 Mambi, (2010) p.132
105 UNCITRAL Model Law on Electronic Signatures
106 Ibid, Article 1
107 Ibid
On reliability and security of electronic signatures, the Model Law provides that an electronic
signature is considered to be reliable if, first, the signature creation data are, within the
context in which they are used, linked to the signatory and to no other person. Second, the
signature creation data were, at the time of signing, under the control of the signatory and of no
other person. Third, any alteration to the electronic signature, made after the time of signing, is
detectable. Last, any alteration made to the signed information after the time of signing is
detectable. The purpose of these requirements is to assure the integrity of the electronic records.
The analysis of these statutes demonstrates two important aspects. Firstly, an electronic signature
is not to be denied admissibility as evidence in legal proceedings solely on the ground that it is in
an electronic form. Secondly, those electronic signatures enjoy the same legal status as the paper-
based signatures.
3.3.8 Position of the European Union Data Protection Directive 95/46/EC of 1995
The European Union Data Protection Directive 95/46/EC of 1995 requires that "Member States
shall protect the fundamental rights and freedoms of natural persons and in particular their right
to privacy with respect to the processing of personal data."109
The directive requires that E.U. member states (countries) protect the privacy of personal
information that is processed using equipment in the member state, whether the processing is
done by government agencies, businesses, or other organizations. "Personal data" includes, but is
not limited to, name, address, phone numbers, email addresses, ethnicity, religion, gender, sexual
orientation, birthdates, employment, and financial account numbers. The responsibility for
compliance with the directive rests with the "controller," which is the person, group of people,
public authority, agency, or other body that determines the purposes and means of processing
personal data.
108 Ibid
109 http://www.cdt.org/privacy/eudirective/EU_Directive_.html, Chapter 1.
E.U. member states have implemented this directive to varying degrees. It is beyond the scope of
this paper to outline the differences and status of their implementations; the information is
available from each country. Organizations and businesses using equipment in member states to
process personal data are concerned about compliance with the directive and its derivative laws.
Most are equally concerned about data protection for the purposes of maintaining business
integrity and brand value.
Only encryption can protect data itself. Encryption protects personal or other data by rendering it
unreadable to unauthorized users who do not have the key. The Ponemon Institute found that
enterprises that implement a strategic approach to encryption experience fewer data breaches and
that most of them seek a single solution for encryption to implement their data protection
strategy.110
As the leader in encryption solutions for enterprise data protection, PGP Corporation offers a
platform-based solution that addresses the needs for compliance and brand protection.
110 The Ponemon Institute, 2008 Annual Study: U.K. Enterprise Encryption Trends, April 2008, and 2008 Annual
Study: German Enterprise Encryption Trends, May 2008. Retrieved from
http://www.pgp.com/downloads/research_reports/ponemon_reg_direct.html on 11th July 2014.
Essential highlights from the E.C. Directive which provides for data protection
Directive 95/46/EC requires organizations to protect the integrity of personal data and take steps
to prevent unauthorized access to it. The following are some of the requirements:
• Member States must implement appropriate technical and organizational measures to protect
personal data against accidental or unlawful destruction or accidental loss, alteration,
unauthorized disclosure or access, in particular where the processing involves the transmission of
data over a network, and against all other unlawful forms of processing. Such measures shall
ensure a level of security appropriate to the risks represented by the processing and the nature of
the data to be protected.
• Sending personal information from a member state to a non-member country is legal only with
the consent of those persons whose data is sent. Furthermore, the data may only be sent to
countries with similar laws protecting personal information.
• Individuals have the right to give their consent for the use and storage of personal information,
and to revoke consent at any time.
• Penalties for violating member states' directive implementations include fines and criminal
liability for business owners or executives, data controllers, and employees who report to them.
Currently Tanzania lacks an effective legal regime on data protection in all aspects of e-banking,
e-contracts and the internet compared to other jurisdictions. The absence of a comprehensive data
protection law exposes subjects to threats to the enjoyment of the right of privacy. There is a need
to adopt various laws to regulate electronic banking. A good reflection can be made on the USA and
UK laws, which set examples of the new laws to be considered for enactment in Tanzania for the
purpose of facilitating easy implementation of electronic banking. To mention but a few, these
include the Electronic Funds Transfer Act (USA); Data Protection Act (UK); Computer Fraud and
Abuse Act (USA); Consumer Protection Act (UK).
CHAPTER FOUR
CONCLUSION AND RECOMMENDATIONS
4.0 Conclusion
The main purpose of this study is to make an analytical overview of data protection in electronic
banking in Tanzania. The study has shown that Tanzania has little or no legal
framework that protects personal information or data in e-banking. This is a wide gap in view of
the fact that e-banking and e-commerce in general involve a global market that relies much on
the movement of data across international boundaries. Despite the fact that the Banking and
Financial Institutions Act provides for fidelity and secrecy of customers' financial information,
it is uncertain whether the same protection extends to customers transacting banking
business in electronic form.
Lack of a strong basis in electronic banking has exposed banks as well as customers to huge financial
losses in view of the increasing incidents of unauthorized transactions and other flaws in the use
of ICT in the banking business. Apart from financial losses, financial institutions also face the
problems of loss of data, theft of or tampering with customer information, and disabling of a significant
portion of a financial institution's internal computer systems due to the activities of hackers. It
would appear that these problems will continue to exist despite efforts to minimize them. It is argued
in this study that the flow of data affecting bankers and customers in electronic banking will only be
reduced when all the relevant stakeholders (lawyers, technical personnel and the society at large)
have taken the matter more seriously.
Most of our laws regulating the banking industry do not respond to the issue of electronic
banking, calling for further reform, as most of the laws protect customers in offline business only. It
is true that in Tanzania there are no specific provisions on data protection in electronic
banking. Therefore there is a need to make reference to international, regional and other
jurisdictions, such as the UNCITRAL Model Law on E-Commerce, UNCITRAL Model Law on E-
Signatures, EU Conventions on E-Commerce, the US EFT Act, Malaysia EFT Act, Malaysia
Code of Conduct and many others, in order to have a strong legal framework for e-banking.
Currently the Law Reform Commission has drafted three bills that address the issue of electronic
transactions and communications. These bills are the Electronic Transactions and Communications
Bill,111 the Computer Crime and Cybercrime Bill,112 and the Data Protection and Privacy Bill,113
which among other things provide for data protection. Some of these provisions include, but are not
limited to, the following.
Clause 6(2) of the Bill114 provides to the effect that a data controller shall not collect personal
information by unlawful means; or by means that, in the circumstances, are unauthorized; or
intrude to an unreasonable extent upon the privacy of the data subject concerned. Also, Clause 10
of the Bill115 provides for the limits on the data controller's disclosure of personal information.
Apart from the data protection Bill, there is the Computer Crime and Cyber Crime Bill, which contains
provisions relating to data protection.
Clause 8 of the Computer Crime and Cyber Crime Bill provides, inter alia, that a person who
intentionally, without lawful excuse or justification, damages or deteriorates computer data, deletes
computer data, alters computer data, or denies access to computer data commits an offence.
Generally, in order to respond to new technology, there is a need to enact specific laws to cover
these crucial areas that have a high impact on economic development in Tanzania and East
Africa in general. There is also a need to amend certain laws such as the Law of Contract
Act,116 the Bills of Exchange Act,117 the Sale of Goods Act118 and the Banking and Financial
Institutions Act119 to respond to electronic commerce and technological advancement.
111 Bill of 2013
112 Ibid
113 Ibid
114 Data Protection and Privacy Bill, 2013.
115 Ibid
4.1 Recommendations
Our study has shown that Tanzania needs specific provisions and laws which
will ensure data protection in electronic banking. Tanzania, through the Law Reform Commission,
has tried to respond to the issue of electronic banking by drafting some bills on electronic
transactions that cater for the issue of data protection in electronic banking. In the light of these
findings and observations we recommend as follows.
4.1.1 The Law Reform Commission of Tanzania
It is our recommendation that the Law Reform Commission of Tanzania and the Ministry of
Justice and Constitutional Affairs should present the drafted bills on electronic transactions to the
Parliament to be discussed. Such legislation would be most significant in responding to the problem
relating to data protection in electronic banking.
4.1.2 The Parliament
Once the bills are presented, the Parliament should discuss them in a timely manner and enact sound
legislation to that effect. It is recommended that the Parliament should put in place provisions that compel
banks to employ a secured electronic payment system in accordance with accepted international
standards to protect customers. For example, additional secured methods of
authentication like retina, thumbprints and other biometric technologies should be employed to
prevent security breaches.
116 Cap 315 R.E 2002
117 Cap 215 R.E 2002
118 Cap 214 R.E 2002
119 Act No.5/2006
4.1.3 Banking Institutions
It is our recommendation that in designing e-banking systems to be used by consumers, legal
principles such as those relating to mandate, mistake and confidentiality, together with customer
data protection, be kept in mind. Further, in order for electronic funds transfers involving huge
amounts of money to be successful, there must in most cases be an involvement of employees of
the bank. It is recommended that the Bank of Tanzania should devise a mechanism for dealing
with this vice in order to assure the security of customers' money and their data. Furthermore, e-
banking should raise the issue of banks complying with legal requirements like secrecy of
customers' accounts and data protection.
BIBLIOGRAPHY
Primary sources
Statute(s)
The Constitution of United Republic of Tanzania, 1977 (as amended from time to time)
The Banking and Financial Institutions Act, Act No.5 of 2006
Bank of Tanzania Act, Act No. 4 of 2006
The Law of Contract Act [Cap 345 R.E 2002]
The Electronic and Postal Communication Act, No 3 of 2010
The Tanzania bill of exchange Act [Cap 215 R.E 2002]
The Penal Code [Cap 16 R.E 2002]
The Sale of Goods Act [Cap 214 R.E 2002]
Written Laws Miscellaneous Amendment Act, No.15 of 2007
Information Technology Act, 2008 India
Electronic Communication Act, 2000 (U.K).
The Banking and Financial Institution Act, 1989 (Malaysia)
The Computer Fraud and Abuse Act, 1986 (US)
Computer Crime Act, 1997 (Malaysia)
Case(s)
Abercrombie and Kent (T) Ltd v. Stanbic Bank Ltd [1995-1998] 2E.A 1
Barker v. Wilson (1914) 19 Comm. Cas. 256; 111 L.T. 43
Greenwood v. Martins Bank Ltd (1932) 1 K.B 371 at p.381
Joachim v Swiss Bank of Corporation [1921] 3 KB 110
Ladbroke & Co. vs. Todd (1914) 19 Comm. Cas. 256; 111 L.T. 43
National Banks of Commerce v. Milo Construction Co. Ltd and Two others Commercial case
No. 293 of 2002 (unreported)
National Bank of Commerce v. Said Ally Yakut (1989) T.L.R. 119
Tournier v National Provincial and Union Bank of England [1924] 1 KB 461
Trust Bank Tanzania Ltd v. Le-Marsh Enterprises Ltd and Others, (2000) Commercial Case No.4
in the High Court of Tanzania (Commercial Division) at Dar es salaam, (Unreported)
United Dominions Trust Ltd Vs Kirkwood [1966]2 Q.B 431
Williams and Glyn's Bank Ltd v. Barnes, (1981) Unreported
Woods v. Martins Bank & Another [1959] 1 Q.B. 55
Secondary sources
Books
Binamungu, C.S. & Ngwilimi, G.S. (2006). Regulation of Banking Business in Tanzania. Mzumbe
Book Project. Morogoro-Tanzania.
Mambi, A.J. (2010). A Source Book for Information and Communication Technologies and
Cyber Law in Tanzania and East Africa Community. Mkuki & Nyota Publishers. Dar-es-Salaam.
Mollel, A., & Lukumay, Z. (2008). Electronic transactions and the law of evidence in
Tanzania. Iringa: Peramiho Printing Press.
Agarwal, R., Sharma, P. and Sherry, A. M. (2003), E banking for comprehensive E Democracy:
An Indian Discernment, Journal of Internet Banking and Commerce, Vol. 8, No. 1, June, 2003.
Lloyds, J. (2008). Information technology law, 5th ed. United States of America: Oxford
University Press.
Internet sources:
www.ibimapublishing.com/journals/CIBIMA/CIMIMA/html.
www.ftc.gov/bcp/edu/pubs/consumer/credit/cre14
http://unpan1.un.org/intradoc/groups/public/documents/apcity/unpan
http://www.pgp.com/downloads/research_reports/ponemon_reg_direct.html
http://www.businessdictionary.com/definition/data-protection.html.
http://www.dekock.co.za/data-protection-in-south-africa