
Liability Issues when Banking Transaction Fraud Occurs

Just yesterday I had a very interesting telephone conversation with someone concerning liability issues when banking transaction-related fraud occurs. If a bank customer’s savings account is drained by a fraudster, who is liable, the customer or the bank?

This issue is by no means new. You might recall the incident that occurred in 2005 in which an owner of a small business, Joe Lopez, found that funds had been transferred from his company’s Bank of America account without his authorization. He reported what had occurred to the bank, which launched an investigation that showed that a keystroke logging program had been installed on Lopez’s PC. The perpetrators gained remote access to this PC, copied the stolen information, and used it to make money transfers to a bank in Latvia that ultimately ended up in their hands. Informing Lopez that the fraud was due to Lopez’s failure to secure his computing system rather than the bank’s failure to provide suitable security, the bank initially refused to replenish the stolen funds. Lopez disagreed. The press picked up the story, making it look as if Lopez had been victimized by a gigantic, customer-indifferent bank. Fearing public relations damage, the Bank of America reversed its position and compensated Lopez for the money he had lost.
In common law countries such as the U.S. and U.K., laws do not really have much meaning or impact until they have been tested in legal cases. To the best of my knowledge, very few rulings in which banking customers have sued banks for transaction fraud have occurred in the U.S. If this is true, then my musings concerning this issue are purely speculative. Still, the principle of due diligence is very firmly established in civil cases in which a party is sued for failure to warn of reasonable harm. This principle is bound to apply to future banking transaction fraud cases. Consider how due diligence would apply to both the plaintiff and the defendant in such cases:
• Plaintiff—Reasonable precautionary measures would include choosing a strong password and changing it frequently; running anti-malware software, updating it whenever updates become available, and using it to scan for and eradicate malware; installing operating system, browser, and application patches whenever they become available; using an account that does not have superuser privileges whenever non-system-administrator tasks are being performed; assigning file, directory, and share permissions that at a minimum do not allow unknown users to write to or modify content; capturing a sufficient amount of audit information and inspecting it daily; making frequent backups; and more.
• Defendant—Reasonable precautionary measures would include requiring strong authentication (ideally, two-factor authentication); providing strong encryption for all customer-to-business transactions; verifying that all customer-to-business applications work as intended and have not been maliciously altered; capturing a sufficient amount of audit information; making frequent backups; flagging and temporarily suspending suspicious transactions; and more.
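The last bank-side measure, flagging and temporarily suspending suspicious transactions, can be illustrated with a small rule engine. The block below is an added example written for this post; it is not code from the post or from any bank. The rules, thresholds, account identifiers and transfer records are constructed assumptions, modelled loosely on the pattern in the incident described above (an unfamiliar foreign beneficiary suddenly receiving transfers far above an account's normal amounts).

```python
"""Rule-based transaction flagging (added example; rules and data are assumptions)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Transfer:
    account: str        # originating customer account
    dest_country: str   # ISO country code of the beneficiary bank
    dest_account: str   # beneficiary identifier
    amount: float
    when: datetime


# Constructed history: an established account that has only ever paid domestic payees.
HISTORY = [
    Transfer("ACCT-1", "US", "US-PAYROLL-01", 4200.00, datetime(2005, 3, 1)),
    Transfer("ACCT-1", "US", "US-SUPPLIER-07", 1850.50, datetime(2005, 3, 8)),
    Transfer("ACCT-1", "US", "US-PAYROLL-01", 4200.00, datetime(2005, 3, 15)),
]

# Constructed new batch: one routine payment followed by two transfers to a
# never-seen foreign beneficiary, minutes apart and far above the usual amounts.
NEW = [
    Transfer("ACCT-1", "US", "US-PAYROLL-01", 4200.00, datetime(2005, 4, 1, 9, 0)),
    Transfer("ACCT-1", "LV", "LV-UNKNOWN-99", 90000.00, datetime(2005, 4, 1, 9, 5)),
    Transfer("ACCT-1", "LV", "LV-UNKNOWN-99", 15000.00, datetime(2005, 4, 1, 9, 7)),
]

AMOUNT_MULTIPLIER = 3.0                   # assumed: flag if > 3x the largest prior transfer
VELOCITY_WINDOW = timedelta(minutes=30)   # assumed: burst window
VELOCITY_LIMIT = 2                        # assumed: prior attempts in window before flagging


def score_transfer(t, baseline, attempts):
    """Return the list of reasons a transfer looks suspicious.

    baseline: transfers the bank has already released (establishes normal behaviour).
    attempts: every transfer seen so far, released or not (used for velocity).
    """
    reasons = []
    prior = [h for h in baseline if h.account == t.account]
    if t.dest_country not in {h.dest_country for h in prior}:
        reasons.append("new destination country")
    if t.dest_account not in {h.dest_account for h in prior}:
        reasons.append("new beneficiary")
    max_prior = max((h.amount for h in prior), default=0.0)
    if prior and t.amount > AMOUNT_MULTIPLIER * max_prior:
        reasons.append("amount exceeds historical maximum")
    recent = [a for a in attempts
              if a.account == t.account and t.when - VELOCITY_WINDOW <= a.when <= t.when]
    if len(recent) >= VELOCITY_LIMIT:
        reasons.append("transfer velocity")
    return reasons


def review_batch(new, history):
    """Process transfers in time order and decide: released, hold (one reason)
    or suspended (two or more reasons, pending customer confirmation).

    Only released transfers join the baseline, so a suspended transfer cannot
    make its beneficiary look 'known' to the next one; every attempt counts
    toward velocity regardless of outcome.
    """
    baseline = list(history)
    attempts = []
    decisions = []
    for t in sorted(new, key=lambda x: x.when):
        reasons = score_transfer(t, baseline, attempts)
        if len(reasons) >= 2:
            status = "suspended"
        elif reasons:
            status = "hold"
        else:
            status = "released"
            baseline.append(t)
        attempts.append(t)
        decisions.append((t.dest_account, t.amount, status, reasons))
    return decisions


if __name__ == "__main__":
    for dest, amount, status, reasons in review_batch(NEW, HISTORY):
        print(f"{dest:16} {amount:>10.2f} {status:10} {', '.join(reasons)}")
```

Run as a script it prints the routine payroll transfer as released and both foreign transfers as suspended; the second foreign transfer also trips the velocity rule because the earlier attempt, although suspended, still counts toward the burst window. In practice the thresholds would be tuned per customer segment and the "suspended" outcome would trigger an out-of-band confirmation with the customer rather than a silent block.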
After considering all the security control measures likely to be classified as due diligence measures from both a customer and a banking point of view, it would be almost impossible to successfully argue in a court of law that a user (the plaintiff) has practiced due diligence in bank transaction security. User security practices are generally abysmal, as shown by many studies that have indicated that somewhere around 25 percent (or possibly higher) of users’ machines are infected by malware such as rootkits, keystroke logging Trojans and spyware, and bots. Banks are generally better at practicing what might be construed as due diligence in customer banking transactions, with one glaring exception—in the U.S., password-based authentication is often the rule in customer banking transactions. U.S. banks (with the largest ones generally an exception) are afraid to tighten security for fear that customers will be inconvenienced and will thus move their bank accounts elsewhere. Still, if I were on a jury in a civil case in which a customer had been defrauded in a banking transaction, I would be inclined to side with the defendant (the bank).
Should and will banks do more to protect themselves against transaction fraud-related lawsuits? Should they create customer agreements that spell out customer security responsibilities, just as employees of organizations so often have to read and sign a statement of acceptable computer use, and require customers to sign these agreements? My prediction is that banks in the long run will. Why? With computer crime and fraud escalating so dramatically, banks need a greater level of legal protection. Additionally, with previous court rulings siding with fast food restaurant customers who claimed they were painfully and irreparably injured because they were served a cup of coffee that scalded their mouths, honestly, what choice do banks really have?
