We began by examining how the risk of cheque forgery is shared as between bank and customer, and proceeded to show that in card transactions a limited part of the corresponding risk is carried by the customer, with the balance being carried by either the bank or the merchant, depending on whether the customer is present in the transaction. We now apply the same analysis to banking transactions carried out through a cash dispenser (often called an ‘ATM’, from ‘Automated Teller Machine’), by telephone or by electronic access to the banking system (either by dialling directly into the bank’s system, usually called ‘PC banking’, or through a web page or other form of access over the Internet, called ‘Internet banking’).
The cost to a bank of carrying out a transaction varies very greatly, depending on how the customer gives the necessary instructions. This is shown in the following table, which is based on a 1996 Booz-Allen & Hamilton survey of North American financial institutions with Web sites, quoted in The Emerging Digital Economy published in 1998 by the U.S. Department of Commerce:
Transaction channel          Cost per transaction
Automated Teller Machine     $0.27
PC banking                   $0.015
Internet banking             $0.01
The trend of these figures is unsurprising, although their relative disparity is nevertheless striking, and may well have increased since 1996. They help to explain the prevalence of telephone banking and foreshadow the probable growth in online banking (by which we mean both PC banking and Internet banking). There are signs that market pressures are causing the banks to share with their customers at least some of the cost savings involved, as evidenced by the higher interest rates available on some accounts which are accessible only by online electronic means. But neither consumers nor the media have yet paid much attention to the changes in the allocation of fraud risks between bank and customer which have in some cases accompanied the shift to telephone and online banking, with their different procedures for authorising transactions.
In the case of a cheque, the signature is the primary means of verifying that the transaction is authorised by the customer. In the case of a card transaction where the customer is present, signature has a less important rôle, and may be thought to have become secondary to possession of the card. In the case of cash dispensers and telephone and online banking, however, conventional signatures play no part at all, and there is no merchant to take the risk because the transaction is directly between the customer and the bank. The banks have responded with the introduction of alternative security procedures and a different approach to the allocation of risks between themselves and their customers.
Cash dispensers are typically operated by cards authenticated by a four digit personal identification number (‘PIN’). A card and its related PIN are sent to the customer by post on separate occasions. The customer can usually alter the number to one of choice. The banks adopt a variety of technical and procedural methods to limit the number of bank staff who can obtain undetected access to a customer’s PIN; but in order for the bank’s system to respond correctly to the customer’s use of the PIN in a dispenser, it must in principle be able to distinguish a correct PIN from an incorrect one, and so the bank must know the PIN or some value derived from it.
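As an added illustration of the point just made (this is constructed example code, not anything from the paper or from any bank’s system), the bank can store a keyed value derived from the PIN rather than the PIN itself, verify each entry against it, and let the customer change the PIN without the clear PIN ever being held. It assumes HMAC-SHA256 under a bank-held key, an account number as context, and a three-attempt limit; all names and values are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed example: the bank keeps only a keyed derivation of the PIN.
# A keyed MAC is used rather than a plain hash because a four-digit PIN has
# only 10,000 possible values, so an unkeyed hash of it would protect nothing.
PIN_LENGTH = 4
MAX_ATTEMPTS = 3                          # assumed limit before the card is blocked
BANK_PIN_KEY = secrets.token_bytes(32)    # assumption: held in the bank's HSM in practice


def derive_pin_value(account_number: str, pin: str, key: bytes = BANK_PIN_KEY) -> bytes:
    """Return the value the bank stores: HMAC over account number and PIN."""
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        raise ValueError("PIN must be exactly four digits")
    return hmac.new(key, f"{account_number}:{pin}".encode(), hashlib.sha256).digest()


class PinRecord:
    """The bank's record for one card: derived value plus a failed-attempt counter."""

    def __init__(self, account_number: str, initial_pin: str):
        self.account_number = account_number
        self.stored = derive_pin_value(account_number, initial_pin)
        self.failed_attempts = 0
        self.blocked = False

    def verify(self, candidate: str) -> bool:
        """Check a PIN entered at a dispenser; block the card after repeated failures."""
        if self.blocked:
            return False
        try:
            ok = hmac.compare_digest(self.stored, derive_pin_value(self.account_number, candidate))
        except ValueError:                 # malformed entry counts as a failed attempt
            ok = False
        if ok:
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.blocked = True
        return False

    def change_pin(self, current_pin: str, new_pin: str) -> bool:
        """Let the customer choose a new PIN; only the derived value is replaced."""
        if not self.verify(current_pin):
            return False
        self.stored = derive_pin_value(self.account_number, new_pin)
        return True
```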
Although different banks’ terms vary in their details, the general rule for the use of cards in cash dispensers is the same as the rule for card transactions when the customer is present, namely that the customer is responsible for:
all transactions carried out by the use of the card with the customer’s authority; and
all other (i.e. fraudulent) transactions carried out by the use of the card, up to a limit of £50.
This limited liability for fraudulent transactions ceases when the customer informs the bank that the card has been lost or stolen. These rules reflect the provisions of the Consumer Credit Act 1974 relating to credit cards, and also the policy of The Banking Code adopted in its current form in September 2000 by the British Bankers’ Association, the Building Societies’ Association and the Association of Payment Clearing Services.
However, the limitation of the customer’s liability for fraudulent transactions to £50 typically does not apply where the customer has been ‘grossly negligent’. This expression does not have a standard legal meaning, and is defined in the banks’ individual terms. The wider the definition, the more easily the customer can lose the benefit of the £50 limit. Cases where the customer will be regarded as grossly negligent are normally defined as including:
failing to take all available steps to keep the card and the PIN safe at all times;
writing the PIN on the card or anything usually kept with it;
not destroying the PIN notification receipt;
Interestingly, the latest revision of The Banking Code is in some respects less favourable to the customer than its immediate predecessor published in 1998. It omits the words ‘without disguising it’, so as to prohibit any writing down of a PIN or other security information, a prohibition rendered impracticable by some bank procedures described below. And the expression ‘gross negligence’ has been replaced by ‘without reasonable care’, which could have the effect of making it easier for the bank to blame the customer for a third party’s fraud. It would be unfortunate if banks began making similar revisions to their terms. But the new revision is helpful in acknowledging for the first time that where a customer’s card details are used fraudulently but where the card has not been lost or stolen, the customer is not liable for any part of the loss arising from the misuse.
The liability régime for cash machines looks very similar to the régime for card transactions where the cardholder is present, but the risks are rather different. The reason is that fraudulent use of a customer’s card in a card transaction where the cardholder is present depends on the card having ceased to be in the cardholder’s possession, a circumstance which the cardholder can in principle discover and use to terminate risk exposure by notifying the bank. Fraudulent cash dispenser withdrawals which appear to have used the cardholder’s card (and cannot be distinguished by the bank from genuine transactions) can be made despite the fact that the card has at all times remained in the cardholder’s possession without the cardholder having any reason to notify the bank of its loss.
Such withdrawals are possible because the genuineness of the transaction at the cash dispenser can be verified only by technical means, and the implementation of technical methods of verification has often been flawed by technical and procedural weaknesses. These weaknesses have been discussed in some detail by Ross Anderson of Cambridge University Computer Laboratory in Why Cryptosystems Fail and Liability and Computer Security: Nine Principles (Anderson 1993, Anderson 1994).
The unwillingness of the banks to admit the existence of technical weaknesses (including the possibility of a card itself being forged) has the practical effect of depriving the customer of the benefit of the £50 limit. The banks have tended to take the view that all disputed transactions except those which formed part of a series later acknowledged as fraudulent (e.g. after the arrest of a criminal) must have been carried out with the card and PIN issued to the customer, and so must have been due either to fraudulent collusion or to gross negligence.
In an otherwise unreported case described in Liability and Computer Security: Nine Principles a bank customer, who happened to be a police constable, complained about phantom ATM withdrawals from his account and demanded a refund of the amounts he claimed were wrongly debited to his account. The bank denied that anyone other than he could have made the withdrawals, and he was charged with making fraudulent claims for a refund. He was subsequently tried and convicted of attempted fraud despite evidence that the bank’s accounting system did not meet acceptable security standards in either design or operation. During the trial it emerged that the bank had no security management or quality assurance functions and that the software operating the bank’s ATM system was routinely changed as often as twice a week with no independent checking or auditing of such changes or their effect. No proper efforts appeared to have been made by the bank to investigate these or other alleged phantom withdrawals.
The police constable customer was suspended as a result of the conviction. He was later reinstated after the conviction was overturned on appeal when the bank refused to provide the defence team with evidence about the operation of their computer systems. Although he was eventually cleared of any wrongdoing, the trauma was obviously severe. This case shows that even where the risks of fraud appear to be carried by the banks, they will sometimes seek to transfer the risk to their customer, with serious consequences for the customer involved.
The sums at risk in cases of fraudulent withdrawal are constrained by the limits placed on the customer’s individual withdrawal transactions and daily total withdrawals, which has helped to reduce the sums at stake in disputes of this kind. This may be one of the reasons why the appropriateness of the underlying liability régime itself seems to have remained unquestioned. The basis of the régime is considered in greater detail below, following an examination of the treatment of telephone and online banking.