ASIC (the Australian companies regulator) is commencing a review of the EFT Code of Conduct – the code that governs the way banks and other deposit takers interact with their customers when they are using electronic means to communicate with their customers. This includes such areas as internet banking and the use of credit and debit cards – but only where they are being used by consumers, not businesses. Bank / business interactions are currently effectively unregulated, but, in practice, for small businesses the banks follow the Code for the most part.
The scope of the review is, from the media release:
- liability issues arising from the growth and growing sophistication of Internet fraud;
- regulation of alternative payment facilities;
- coverage issues, including whether the protections of the Code should extend to small business as well as consumer account holders;
- obligations around mistaken payments;
- administrative arrangements associated with the EFT Code, including compliance monitoring and ASIC’s role as Code administrator; and
- other more specific issues raised by stakeholders in preliminary consultations.
The big one is obviously the first. The issue is: who pays when a fraudster manages to clean out your account? At present, it is the bank that pays – and then passes the costs on to its customers and shareholders. In practice, what this means is that those of us who do not fall victim to internet fraud pay for those who do. Is this right and fair?
There are many ways that a fraudster can get sufficient access to your account to get at the funds – ranging from phishing attacks to man-in-the-middle and keylogging, to name just a few. Many of these methods can be defeated by either or both of the bank and the customer taking reasonable precautions. Running good anti-virus software, a robust firewall and not clicking on links in emails give reasonable surety that you, as a consumer, have done all that can be done from your end.
There are also several steps the bank can take – ensuring strong security on the bank’s systems, interfaces on the websites designed to defeat the most common forms of attack and reminding their customers to take the appropriate steps to protect themselves, to name a few.
Fraud is, however, a fact of life. A sufficiently determined fraudster will always be able to get around these, given enough time and effort (and resources). Even before the internet (remember back then?) bank fraud still happened. Cheques were forged, bank books stolen, fraudulent applications made. The liability on these always came down, in the end, to whose fault it was – if the bank accepted a cheque with a forged signature, the bank paid. If the customer signed blank cheques that got used for fraud, the customer paid.
This basic principle worked well for centuries. The current Code, however, violates that principle – it does not matter if the customer uses a computer that is riddled with spyware to click on a link in an email to a site that is unencrypted and has spelling mistakes all over it to put in their username and password in plain text. The bank is automatically at fault, just because it runs a web site.
Where the bank is clearly (or even partially) at fault – dumping customers’ records in a normal rubbish bin out the back door for example, I can understand the bank paying. Customers carelessly giving away their details, however, is to me a different question.
The problem is, of course, what happens when an unsophisticated consumer gets fleeced of their life savings? For the bank to say “too bad, so sad, now go away” would probably be a customer relations disaster to put it mildly. Perhaps the best way to deal with this would be increased education of the customers – a session on how to use the web site as a compulsory bit of opening an account, for example, combined with an insurance scheme.
The insurers could offer different levels of excess, maximum cover and premium, while also helping on the education front. If the premium varied depending on the security of the bank’s website and other procedures, then having a secure website would be a positive selling point for new customers, and banks relying on plain two-factor authentication would be penalised through their customers. The incentives all round would be better and the industry may then really have to consider its web strategy.
Extending the Code to cover small businesses is an interesting idea. The question is, where do you draw the line? Different banks have different criteria for “small” business banking. The Basel accords have further criteria and other regulators have other ideas. When a business earns over a certain threshold of revenue, do they automatically lose all regulated protection as they are now big enough to have an IT support department? Do they need regulated protection and the additional costs that this always entails?
We will be following this process quite closely. Any move to reduce consumer protection can be expected to be very fie