Saturday, 14 June 2008

Who should be liable for online fraud?

With a UK Parliamentary Report on Personal Internet Security released last August lambasting banks and ISPs for not doing enough to protect consumers from online fraud, it appears that banks are shirking their responsibilities when it comes to compensating victims of fraud.

According to an article in The Guardian newspaper, a minor amendment to the Banking Code introduced in March provides a loophole for banks to refuse compensation to victims of fraud if the anti-virus software on their computer is not up to date. The Guardian reports that the 2005 Banking Code contains a section (12.9), which advises customers to use "up-to-date antivirus and spyware and a personal firewall".

However, a new section (12.13) has since been added, which reportedly states that, "Unless you [the bank] have acted fraudulently or without reasonable care, you will not be liable for losses caused by someone else which take place through your online banking service." Security experts have interpreted this to mean that banks will be able to shift liability for online fraud to the consumer.

"The new provisions to the Banking Code, which mean that banks may now pass responsibility for card fraud to affected customers if they don't have AV software or firewalls, raise an interesting debate - should banks be able to transfer liability so easily, and how policeable will this be?" asks Holly Marshall, business development manager, UK Financial Services, Unisys.

"A balance of responsibility is needed between banks and consumers. Banks need to take a key role in educating consumers about these new guidelines to ensure they are fully aware of exactly what they are now liable for, but consumers need to take some responsibility too.

"Customers need to be proactive in learning about the guidelines and securing their personal computers to ensure all their dealings on the internet are protected adequately. Government and technology organisations have a role too - to advise and consult with banks on how best to implement and publicise the new provisions without degrading the customer experience."

Marshall has a valid point. Exactly how "policeable" is this new addition to the Banking Code going to be? Are banks going to go out and seize the computers of consumers that are victims of online fraud to check that their anti-virus and spyware is up to date, which is reportedly what banks in New Zealand have the power to do? It seems unlikely given the bad press and consumer backlash that they are likely to suffer as a result of doing just that.

"The technology required to check every single online banking customer's AV settings, whilst available, would be expensive, invasive and in a way a piecemeal response to the problem of fraud," says Marshall. "Fraud doesn’t just come from unprotected computers. Insider fraud, bin raiding, and card skimming are equally as prevalent. How would the banks correctly attribute the instance of fraud with the correct cause?"

The new section within the Banking Code sounds like it has been added by lawyers as a safety net for banks that, let's face it, don't want to be paying out millions in consumer compensation. But it does reignite an interesting debate about responsibility for fraud. Instead of adopting an accusatory tone towards customers that are victims of fraud, banks need to work more closely with their customers on educating them about the potential risks, what to look out for, and how to make their online banking experiences safer.

At the same time, banks need to be more transparent about what levels of security they have deployed to protect online banking applications. They cannot expect consumers to be forthcoming about how well their desktop PC is protected if they are not willing to disclose steps they have taken as well.

Posted by Anita Hawser
