Author: Jhanvi Rajput
To the Point
This article critically analyses how India’s traditional banker–customer confidentiality doctrine, inspired by the famous Swiss banking secrecy model, is being challenged by rising global transparency obligations under the OECD Common Reporting Standard (CRS), Foreign Account Tax Compliance Act (FATCA), and Financial Action Task Force (FATF) standards. Simultaneously, India’s Digital Personal Data Protection Act, 2023 (DPDP Act) asserts national control over cross-border data transfers. This creates a clear tension: should banks guard secrecy or share data globally? This paper argues India must resolve this conflict through clear statutory harmonization to uphold constitutional privacy rights under Article 21, comply with international obligations, and maintain banking stability.
Use of Legal Jargon
Key legal terms:
Fiduciary duty of secrecy
Cross-border data flow
Automatic Exchange of Information (AEOI)
Data fiduciary
Predicate offence (AML)
Proportionality doctrine
Data localization
Mutual Legal Assistance Treaty (MLAT)
Egmont Group
Intergovernmental Agreement (IGA)
The Proof
Key Legal Provisions
Banking Regulation Act, 1949 — While the Act does not codify secrecy directly, Sections 44–45 imply confidentiality in inspection and amalgamation contexts (Banking Regulation Act, 1949, Ss. 44–45., n.d.)
Common Law Duty — Tournier v National Provincial and Union Bank of England (1924) 1 KB 461 laid down that banks owe an implied duty of confidentiality, subject to four exceptions (Tournier v National Provincial and Union Bank of England (1924) 1 KB 461., n.d.)
RBI Master Circular on Customer Service (2022) — Reaffirms a bank’s obligation to protect customer information except when disclosure is legally mandated (RBI Master Circular on Customer Service, 2022., n.d.)
Income Tax Act, 1961 — Sections 131, 133, 138 authorize tax officers to call for bank records (Income Tax Act, 1961, Ss. 131, 133, 138., n.d.)
Prevention of Money Laundering Act, 2002 — Sections 12–13 compel banks to report suspicious transactions to FIU-IND (Prevention of Money Laundering Act, 2002, Ss. 12–13., n.d.)
OECD Common Reporting Standard (CRS) — India joined in 2015, committing to AEOI of non-resident accounts (OECD CRS, 2014; India Finance Ministry Notification (2015)., n.d.)
FATCA IGA (2015) — Binds Indian banks to disclose US persons’ accounts to the US IRS or risk a 30% withholding tax (India-US FATCA Intergovernmental Agreement (2015)., n.d.)
Digital Personal Data Protection Act, 2023 — Section 16 restricts cross-border personal data transfers unless specifically permitted by the Union Government (Digital Personal Data Protection Act, 2023, S. 16., n.d.)
K.S. Puttaswamy v Union of India (2017) 10 SCC 1 — Affirmed the fundamental right to privacy, including informational privacy (K.S. Puttaswamy v Union of India (2017) 10 SCC 1., n.d.)
Abstract
The banker’s fiduciary duty of secrecy is under increasing strain from global transparency imperatives. CRS, FATCA, and FATF’s AML obligations require banks to exchange client data globally, eroding traditional secrecy. Meanwhile, the DPDP Act, 2023 seeks to assert India’s data sovereignty by restricting cross-border flows. The judiciary has recognised a fundamental right to privacy but balanced it with legitimate state interests under the proportionality doctrine. This paper argues India urgently needs statutory clarity that aligns secrecy with global obligations, ensures constitutional compliance, and offers banks a workable framework to avoid conflicting liabilities.
CASE LAWS
Tournier v National Provincial and Union Bank of England (1924) 1 KB 461
Key Points:
This landmark English case is the foundation for the modern doctrine of banking confidentiality. Mr. Tournier sued his bank for disclosing to his employer that he was cashing cheques at a bookmaker’s shop, which damaged his reputation and led to loss of employment.
Legal Principle Laid Down:
The Court of Appeal held that a banker is under an implied contractual duty to keep customer information confidential but recognized four well-defined exceptions:
Disclosure under compulsion of law (e.g., statutory obligations to disclose for tax or criminal investigations)
Duty to the public to disclose (where public interest overrides private secrecy)
Disclosure in the banker’s own interest (e.g., suing the customer or defending a claim)
Disclosure with customer consent (express or implied)
Relevance to India:
Indian banks still follow this principle because Indian law retains common law traditions unless replaced by statute. The RBI’s Master Circulars and various guidelines reflect Tournier’s framework, making it highly relevant when balancing secrecy with statutory duties.
Ram Jethmalani v Union of India (2011) 8 SCC 1
Key Points:
This public interest litigation arose when senior advocate Ram Jethmalani and others petitioned the Supreme Court seeking disclosure of names of Indians holding illicit bank accounts abroad (mainly in Liechtenstein).
Legal Findings:
The Supreme Court ruled that citizens have a right to know whether the government is taking action against black money hoarders. However, it also:
Recognised that mere suspicion is not enough; due process must be followed.
Emphasised the balance between transparency in governance and the right to privacy.
Held that indiscriminate publication of names without verification violates Article 21 rights.
Relevance:
This case is central when analysing how banking secrecy must yield to legitimate public interests, but only through proportionate and lawful means. It’s a direct precedent for the proportionality test in financial data disclosure.
K.S. Puttaswamy v Union of India (2017) 10 SCC 1
Key Points:
Known as the Privacy Judgment, this nine-judge bench decision declared the right to privacy a fundamental right under Article 21 of the Constitution.
Key Doctrines:
Privacy includes informational privacy, which covers personal financial data.
Any restriction on privacy must satisfy three tests: legality (by valid law), necessity (legitimate state aim), and proportionality (least intrusive means).
Overruled prior inconsistent precedents (e.g., MP Sharma and Kharak Singh).
Relevance:
Puttaswamy transformed India’s privacy regime. When banks transfer or disclose customer data — especially cross-border — they must ensure that the legal regime is clear, necessary, and proportionate. The judgment underpins how DPDP Act compliance will be interpreted constitutionally.
Girish Ramchandra Deshpande v CIC (2013) 1 SCC 212
Key Points:
In this case, the petitioner sought access to personal financial details of a government employee under the Right to Information Act, 2005.
Supreme Court Ruling:
Held that an individual’s personal income tax returns, assets, and bank details are ‘personal information’ under Section 8(1)(j) RTI Act.
Such information cannot be disclosed unless a larger public interest justifies it.
The Court reinforced that personal financial privacy is a facet of informational privacy.
Relevance:
This case is regularly cited in banking law contexts to show that financial details attract strong privacy protection unless there’s a compelling legal or public interest ground to override it — echoing Tournier’s first exception.
Global Trust Bank Ltd. v Commissioner of Income Tax (1998) 230 ITR 774 (Madras High Court)
Key Points:
In this case, the Income Tax Department summoned banking records during an investigation. The bank resisted, citing customer confidentiality.
High Court Holding:
Affirmed that statutory powers under the Income Tax Act to inspect books and demand information override the banker’s fiduciary duty of secrecy.
Recognised the ‘compulsion of law’ exception from Tournier applies fully in India.
Reinforced that banks must comply with statutory disclosure duties to avoid obstructing tax investigations.
Relevance:
This case shows how Indian courts reconcile banking secrecy with tax enforcement. It remains an important precedent for banks when deciding whether they can lawfully withhold information from tax authorities.
Conclusion
India’s banking secrecy doctrine, inherited from common law principles such as the Tournier rule, remains a foundational pillar of trust in banker–customer relationships. However, in the modern era of transnational money flows, tax avoidance crackdowns, and digital data proliferation, this secrecy is neither absolute nor archaic; it has become a qualified obligation, constantly balanced against compelling public interests. Statutes like the Income Tax Act, 1961, the Prevention of Money Laundering Act, 2002 (PMLA), and India’s binding commitments under frameworks like the OECD Common Reporting Standard (CRS) and FATCA mandate automatic exchange of financial information with foreign jurisdictions. These legal regimes carve deep, well-recognized exceptions into the once-sacrosanct secrecy rule, compelling banks to share client data with domestic regulators and international partners. The new Digital Personal Data Protection Act, 2023 (DPDP) adds a further layer of legal complexity. While its stated goal is to protect citizens’ informational privacy, it also restricts cross-border data transfers unless the Central Government explicitly approves them. This can clash directly with India’s international tax and anti-money laundering commitments, creating a legal grey zone that banks must navigate at the risk of facing privacy litigation on one hand or sanctions for non-compliance on the other.
In this precarious climate, banks become reluctant rule-interpreters, exposed to criminal or civil penalties for wrong calls. Moreover, customers are left uncertain whether their sensitive financial data can be disclosed abroad and under what safeguards. To resolve this, India’s legal architecture needs urgent recalibration. It must craft a balanced, harmonized framework that secures legitimate national interests while upholding global obligations and constitutional guarantees. Specifically, lawmakers and regulators should:
Amend the DPDP Act: The law should contain clear statutory carve-outs explicitly permitting cross-border data transfers required for compliance with India’s CRS, FATCA, and FATF obligations. Without these carve-outs, banks are forced to choose between domestic data sovereignty rules and treaty compliance, risking breach of either.
Clarify RBI Guidelines: The Reserve Bank of India must issue updated, binding circulars detailing the circumstances under which banks must disclose client data. This clarity will protect bankers from potential litigation by disgruntled customers claiming breach of fiduciary duty, provided the disclosure aligns with clear statutory or regulatory authority.
Codify Proportionality Protocols: In line with the Supreme Court’s ruling in Puttaswamy and Ram Jethmalani, any intrusion into customer privacy must pass the proportionality test: it should be legally sanctioned, necessary for a legitimate aim (like preventing tax evasion or terror financing), and must use the least intrusive means possible. Statutes and rules should expressly codify this test to guide both regulators and financial institutions.
Provide Statutory Indemnity: Banks that comply in good faith with statutory or treaty obligations to disclose customer information should enjoy statutory immunity from civil suits for breach of confidentiality. This will prevent an honest bank from being caught in costly litigation for simply obeying the law.
Establish Judicial Oversight: Cross-border transfers of sensitive banking data, especially to jurisdictions with weak privacy safeguards, should be subject to judicial or quasi-judicial oversight. For example, a framework could be developed for the government to maintain and periodically review a “white list” of countries that meet India’s privacy and security standards for financial data sharing.
In the absence of such clear statutory guidance, banks are left to interpret conflicting obligations on their own, which invites regulatory arbitrage, inconsistent compliance, and potential erosion of customer trust. Worse, it may expose India to international censure for non-compliance with global transparency norms while simultaneously failing to fully protect its citizens’ constitutional right to privacy.
Therefore, a robust legal and regulatory roadmap synchronizing secrecy, privacy, and transparency is the only way forward. This is essential not only for safeguarding India’s status as a responsible participant in the global financial system but also for protecting the sanctity of its constitutional guarantees in the digital age.
FAQs
Q1: If banking secrecy is so qualified, can a customer sue the bank for disclosing data under CRS?
Not if the disclosure is lawful. Disclosures under CRS, FATCA, PMLA or tax laws are mandatory statutory exceptions. But if a bank discloses beyond these limits, a breach of fiduciary duty can arise.
Q2: Does the DPDP Act block all financial data exports?
No. Section 16 allows the government to specify conditions for cross-border transfers. Banks must watch for future notifications clarifying exemptions for CRS, FATCA, or FATF compliance.
Q3: What is the role of proportionality in secrecy disputes?
As per Puttaswamy and Ram Jethmalani, any restriction on privacy (including banking secrecy) must be legal, necessary, and proportionate to a legitimate aim like preventing tax evasion (Ram Jethmalani v Union of India (2011) 8 SCC 1., n.d.).
Bibliography
Banking Regulation Act, 1949, Ss. 44–45. (n.d.).
Digital Personal Data Protection Act, 2023, S. 16. (n.d.).
Girish Ramchandra Deshpande v CIC (2013) 1 SCC 212. (n.d.).
Income Tax Act, 1961, Ss. 131, 133, 138. (n.d.).
India-US FATCA Intergovernmental Agreement (2015). (n.d.).
K.S. Puttaswamy v Union of India (2017) 10 SCC 1. (n.d.).
OECD CRS, 2014; India Finance Ministry Notification (2015). (n.d.).
Prevention of Money Laundering Act, 2002, Ss. 12–13. (n.d.).
Ram Jethmalani v Union of India (2011) 8 SCC 1. (n.d.).
RBI Master Circular on Customer Service, 2022. (n.d.).
Tournier v National Provincial and Union Bank of England (1924) 1 KB 461. (n.d.).
