Banking and Financial Services Insights

30 May 2005

Managing legal risks of online fraud

By Mark Sneddon, David Kreltszheim and Stuart Gregory.

Key Points:
Banking customers affected by online fraud will have their claims regulated by the EFT Code of Conduct where the account affected was of a non-business nature. Otherwise general law principles will apply so as to apportion loss and blame.

The Australian Bankers' Association has estimated recently that online fraud costs the banking industry $25 million per annum. So it is not surprising that banks are at the forefront in combating online fraud, including the adoption of dual-layer authentication processes. This usually means that to access their accounts, customers need their nominated password as well as a second, single-use password which is generated by an electronic token or sent to a customer's mobile telephone. This is a response to two of the most common varieties of online fraud - phishing (where a fraudster impersonates a bank online and tricks a customer into providing their banking details and passwords to the fraudster) and Trojans (where viruses are used to install software on a customer's computer to record their passwords and transmit them to the fraudster).

But there is no foolproof solution to online fraud. In some cases, the second layer of authentication may also be compromised (for example, where a fraudster gains access to a customer's mobile telephone). Furthermore, IT experts have noted that dual layer authentication is ineffective against fraudsters using recent software to effect fraudulent transactions while a customer is logged on. As the risk of fraud cannot be eliminated, the risk needs to be allocated between banks and their customers. In Australia, the EFT Code of Conduct will regulate liability allocation for non-business customers and financial institutions who have subscribed to the Code, but otherwise contract and duties of care in tort will be relevant.

The Joe Lopez case

The issue of risk allocation is being played out in the US courts already. According to US newspaper reports, a businessman called Joe Lopez is suing the Bank of America after a fraudster stole $90,000 from his account, the fraudster apparently using a password obtained by a keystroke-logger Trojan program which was let into his system by the "Coreflood" virus. Mr Lopez has claimed that the bank was aware of the Coreflood virus but that it failed to warn him to protect himself against it. The case has yet to be heard.

The Lopez case may turn on factual arguments such as whether Mr Lopez would actually have acted on a warning from the bank, but it raises legal issues regarding a bank's potential liability in such cases which may arise closer to home in the future. These include the liability of bankers generally for unauthorised transactions, and the extent of the duty imposed on them to ensure that their customers take adequate security precautions.

Another key issue is whether Mr Lopez was guilty of contributory negligence by not running adequate virus checking software. Lopez says he did run such software but IT commentators say that if he had been running up-to-date versions of popular programmes like Norton Anti-Virus they would have detected and blocked Coreflood.

How would the facts in the Lopez case be dealt with in Australia?

Liability for unauthorised transactions

In Australia, under the EFT Code which applies to "consumer" electronic banking, a customer's liability is usually limited to a maximum of $150 if their PIN or password has been breached, and they did not contribute to the breach. But the customer may be liable for the full extent of the loss if they have shown "extreme carelessness" in failing to protect their PIN or access code.

The EFT Code defines "extreme carelessness" as "a degree of carelessness with the security of the [access] codes which greatly exceeds what would normally be considered careless behaviour." The Code suggests that recording passwords in an obvious manner in a diary would be an example of extreme carelessness. The dangers of phishing are reasonably well known and banks give their customers repeated warnings not to respond to email invitations to "update" or "verify" their banking details. On 8 March 2005 the Australian Bankers' Association launched a three-week education campaign alerting customers to the need to protect the security of their online accounts. But it seems doubtful that honestly and mistakenly providing a password to a fake website is "extreme carelessness" as opposed to, at most, "carelessness".

Among the consumer population the dangers of Trojans are less well known than phishing and it is much more difficult to show that the average consumer home computer user (maybe running Windows 98) acted "with extreme carelessness in failing to protect the security of all the [access] codes" simply by not running a virus checker or not updating it regularly.

Where the EFT Code does not apply, for example because an account has been designed and established for business use, the risk allocation between a bank and its customers will depend on the terms of the contract between the bank and its customers and on duties of care in tort. Most contracts with business customers are likely to impose obligations on customers to take reasonable security precautions against viruses, such as running a regularly updated virus checker. Under such contracts, Mr Lopez as a business customer would probably lose his case if he did not use a standard virus checker that would have blocked Coreflood.

A duty to warn?

A related question is whether a bank is obliged to warn customers about risks to their online information. Like Mr Lopez, a customer who has been defrauded may allege that the bank should have warned them to take precautions against fraud. There is no clear answer to this. While Australian courts have not considered the specific issue, the general rule is that a person does not owe anyone else a duty to protect them from a third party's criminal behaviour. The situation is different if there is a special relationship between the parties, especially if there is a pattern of recurrent criminal behaviour. A special relationship may arise if one party relies or depends on the other, such as an employer and employee or a teacher and student. In some circumstances it may exist between a banker and a customer. It may arise, for example, if the bank is aware that the customer is relying on it to advise him or her of security precautions. There is certainly a pattern of recurrent criminal behaviour by fraudsters targeting online banking customers.

Even if there is a duty to warn of risks generally, most banks in Australia appear to have discharged that duty by the general warnings they give upon log-on to Internet banking. But if a new virus or fraud arises which warrants a more specific warning, the argument about failure to warn will need to be considered afresh.

Conclusions

The law is, as ever, evolving in this area. Naturally, preventing fraud is the preferred outcome for both banker and customer. To minimise exposure in case of attack, bankers should ensure that they inform their customers fully of the risks of online fraud and how to prevent it, but also make it clear that customers should not rely solely on the bank to warn of risks and how to manage them.

For further information, please contact David Kreltszheim and Stuart Gregory.

Mark Sneddon
Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this bulletin. Persons listed may not be admitted in all states or territories.