Journal of Information, Law and Technology
Who Carries The Risk Of Fraud?
Nicholas Bohm, Solicitor
Ian Brown, University College, London
Brian Gladman, Information Security Consultant
The authors gratefully acknowledge the help they have received from
Ross Anderson, Richard Clayton, Gilead Cooper, Alex Hamilton and Peter Landrock
in comments on earlier drafts.
Foundation for Information Policy Research
This is a refereed article published on: 31 October 2000
Citation: Bohm et al, 'Electronic Commerce: Who Carries the Risk of Fraud?', 2000 (3) The Journal of Information, Law and Technology (JILT).
Banks must prove the authenticity of their customers' handwritten instructions if challenged, but for telephone and online banking some banks are adopting terms which could make customers liable for transactions they have not authorised. Neither the security technology available to customers, nor the security techniques that ordinary customers can be expected to use, are adequate to protect customers from this risk of liability, and the terms in question are arguably unfair.
Keywords: Banking, Fraud, Internet, Non-repudiation, Online terms, Security, Technology
Much debate about the risk of fraud in electronic commerce takes place without any clear understanding about who bears the corresponding risk in conventional commercial transactions. This paper examines risk in the banking transactions which underpin much of commerce, whether electronic or conventional. We compare traditional transactions such as payments by cheque or credit card with the use of newer remote voice and data systems. We then analyse who bears the risk of fraud, and explore measures used or needed to reduce it. We argue that the approach taken by banks is unfair to their customers in some cases, fails to encourage the development of adequate security measures, and prevents the banking system from playing its proper part in the development of electronic commerce in the United Kingdom. Our analysis is based on English law except where otherwise stated: the law of other jurisdictions may not be the same.
Electronic commerce includes electronic transactions between commercial and industrial companies, often using structured data, and not necessarily involving payments. Although the analysis in this paper can be applied to electronic commerce of that kind, we are concerned primarily with the other two main kinds of electronic commerce: electronic shopping with credit and debit cards, and online banking.
2: Forged cheques
If your bank debits your account with payment of a cheque that you did not sign, it has no authority for the debit it has applied and must credit your account with the amount charged. The quality of the forgery and care taken by the bank are irrelevant: a cheque is a bill of exchange, and under section 24 of the Bills of Exchange Act 1882:
‘where a signature on a bill is forged ... , the forged ... signature is wholly inoperative, and no right to retain the bill or to give a discharge therefor or to enforce payment thereof against any party thereto can be acquired through or under that signature, unless the party against whom it is sought to retain or enforce payment of the bill is precluded from setting up the forgery ...’.
The Bills of Exchange Act 1882 did not introduce new law. It codified the contemporary common law, and reflected the more general rule which still prevails in English law. This rule is that if someone wishes to enforce a document against you on the basis that you are bound by it because you signed it, and if you deny that you signed it, then it is for them to prove that the signature it bears was made or authorised by you, and not for you to prove that it was not. (The reference in section 24 to a party being ‘precluded from setting up the forgery’ is a reference to circumstances where someone who did not in fact make a signature is nevertheless bound by it under the doctrine of estoppel. An example is a case where a customer fails to protest that his signature has been forged on a cheque because it was forged by a member of his family: he will not be allowed to reject a later cheque where his signature has been forged by the same person, as his conduct has led the bank to believe that the signature is genuine.)
Banks might wish to offer current account services on the basis that they would take reasonable care to verify their customers’ signatures, but that the customer would carry the risk of clever forgeries. In some legal systems that alternative rule may apply, but in England and Wales it is precluded by the plain terms of section 24 of the Bills of Exchange Act.
An obvious advantage of the existing rule is that the bank can decide for itself (at its own risk) what level of care to apply to signature verification. Items of small value will not usually be checked at all, but unusual or very large items may be checked not only by careful inspection of the signature and comparison with a specimen card, but also by alternative means such as a telephone call to the customer.
If the bank rejects a cheque presented for payment by the forger, nobody suffers an unfair loss. But if the forged cheque is presented by a merchant who has accepted it from the forger in exchange for goods or services, the merchant suffers the loss despite having had no means of attempting to verify the genuineness of the signature. For many years, merchants either accepted that risk or declined to take cheques. Cheque fraud led more and more merchants to refuse to take cheques, which annoyed bank customers and cut into the banks’ fee income. The banks therefore introduced the use of cheque guarantee cards covering cheques up to a modest limit (£50 when introduced in 1965 and now more usually £100 or £250). The effect was to transfer the risk of small forgeries from the merchant to the bank: the banks could be seen as delegating to the merchant the signature verification process (using the signature on the card for comparison) in relation to smaller amounts (where they might themselves already apply little or no care to verification checks).
Although the rule that the bank bears the risk of forgery is plain, it does not follow that customers can easily reject any debit to their account based on a cheque simply by claiming that it is a forgery. Although some forgeries are crude enough to be obvious to anyone, others are considerably more skilful. If the bank produces a cheque bearing a signature which even on close inspection is indistinguishable from the customer’s signature, perhaps supported by the evidence of a professional document examiner, then the customer cannot expect to succeed by mere unsupported denial. The customer will in effect have to rebut the evidence produced by the bank, and may in some cases be unsuccessful in doing so even though the signature is indeed a forgery.
To make this point does not amount to exposing some fundamental flaw in procedures that rely on signatures: it merely shows, as is evident to common sense, that those procedures are not perfect. Controlled trials show that professional document examiners misattribute 6.5% of documents while untrained persons of comparable educational attainment perform much worse with a mismatch rate of 38.3% (Kam 1997, Kam 1998). Indeed, examiners assert that forged signatures are almost always easy to distinguish from genuine ones on close examination, however convincing they may be on casual inspection (Harrison 1958).
Forensic examination is not limited to naked eye examination of the image of the signature. It may be enlarged, examined using optical, electron and ion microscopes, and subjected to a variety of chemical analyses. These may detect retouching or even identify the manufacturer and batch number of the ink. But genuine conflicts of experts do still occur, and the sources of error in the document examining art are a continuing topic of research and dispute within that profession. A recent study suggests that examiners’ mistakes are largely psychological; people are liable to see what they want to, and even experts may subconsciously select specimens of handwriting from a criminal suspect which match a given handwriting sample (Beck 1995).
It is worth noting that no prospective forger occupies a privileged position: anyone with access to specimens of a customer’s signature is well placed to produce a forgery. The bank will always have such specimens, but signatures are not secret: even where a customer uses a distinctive signature for cheques, any recipient of a cheque will thereby obtain a specimen. This proposition does not hold for other cases considered below.
Because banks cannot practicably examine all signatures closely enough to detect forgeries which may nevertheless be evident on close examination, and because a minority of forgeries are so good that they cannot be detected at all, we conclude that they run real risks (and indeed incur real costs) from forgery of cheques and other written instructions. Acceptance of these risks and costs has not proved a major impediment to UK current account banking as a business. We suggest that this conclusion should be used as a point of comparison for the acceptability of the corresponding risks in other forms of banking and payment transactions discussed below.