By ‘telephone banking’ we mean a service which the customer can use to give instructions and get information by speaking to bank staff by telephone. (We deal separately with services accessible through the telephone network using a computer.)
In one sense, telephone banking is as old as the widespread use of the telephone: some banks have always been willing to accept instructions by telephone from trusted customers well known to them, as part of their ordinary branch banking service. By a gradual process, customers came to be asked ‘security questions’ designed to elicit knowledge likely to be possessed only by the customer, as a means of verifying that the telephone caller was the customer and not an imposter. The content of such questions would be derived from the customer information in the bank’s possession, and their scope would not be subject to prior agreement. A customer might be asked the date when the account had been opened, or the customer’s previous address or telephone number, or spouse’s second forename, for example. As a further check, banks might also return the customer’s call to a telephone number already known to the bank to belong to the customer.
With the introduction of telephone banking as a distinct service not tied to a relationship between the customer and an ordinary branch of the bank, practice crystallised into technical and procedural mechanisms, and a distinct liability régime. Customer and bank now usually agree at the outset of the relationship a small category of ‘security information’ to be used to verify the customer’s authority to give telephone instructions. This will usually include a password chosen by the customer.
The attraction of modern telephone banking to the bank is that it saves the cost of maintaining a branch. One of the attractions to the customer is the availability of the service twenty-four hours a day. The inevitable result is that the customer will rarely if ever be known to the individual member of the bank staff who takes the customer’s call. Security procedures cannot be based on personal knowledge or derived by common sense from a general body of customer information. Instead, the bank’s system may select the security information to be used to verify the session from the previously agreed items provided by the customer, and prompt the staff member with the appropriate questions and the answers to be treated as correct. So the customer may be asked to provide the third, sixth and seventh characters from the agreed password, followed by the make of the customer’s first car.
These procedures are designed to ensure that most bank staff do not know more than a fragmentary part of the customer’s security information, and have something in common with the procedures designed to preserve the secrecy of a customer’s PIN for a cash dispenser card. The bank taken as a whole must nevertheless know the customer’s security information in order to use it for verification.
The procedure for limiting the spread of knowledge of the customer’s security information within the bank has the inevitable side effect of encouraging the customer to write that information down. Even people who can remember their password reliably will find difficulty in supplying specific characters chosen at random from its sequence; and an effort to avoid using publicly available information (like a mother’s maiden name, found in birth certificates available to all) can lead to the use of esoteric information liable to be forgotten.
Also, while it limits the opportunity for fraud by bank staff who deal with customers, it may not eliminate the possibility entirely since there will be situations where a customer may wish to deal with a particular member of the bank’s staff for a series of telephone transactions. This is a natural human desire on the part of a customer, and banks may not wish to frustrate it. But it means that the opportunity then exists for a particular staff member to accumulate a full set of security information for the customer, which could be used to impersonate the customer. Customers are given no information about how this risk is managed.
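The partial-password procedure described above, and the accumulation risk it leaves open when one staff member handles a series of calls, can be modelled in a few lines. This is an added illustration, not code from any bank or from the original text; the password, the memorable question and the exposure ledger are constructed assumptions. It shows why the bank as a whole must hold the full password, how little any single prompt reveals, and one check a bank could run to detect when a single agent has seen the whole of it.

```python
import random
from dataclasses import dataclass


@dataclass
class Challenge:
    positions: tuple   # 1-based password positions the caller is asked for
    expected: tuple    # characters the staff member is told to accept
    question: str      # memorable question, e.g. make of first car
    answer: str        # answer the staff member is told to accept


class TelephoneBankingVerifier:
    """Constructed model of the partial-password scheme.

    The bank must store the full password to pick arbitrary positions from
    it, but each staff prompt exposes only a few characters. The `seen`
    ledger records which positions each agent has been shown, so the bank
    can detect an agent who has accumulated the whole password over time.
    """

    def __init__(self, password, memorable, per_call=3, rng=None):
        self.password = password          # assumed stored recoverably
        self.memorable = memorable        # {question: accepted answer}
        self.per_call = per_call
        self.rng = rng or random.Random()
        self.seen = {}                    # agent id -> set of positions shown

    def challenge(self, agent_id):
        """Build the prompt shown to the staff member taking the call."""
        positions = tuple(sorted(
            self.rng.sample(range(1, len(self.password) + 1), self.per_call)))
        expected = tuple(self.password[p - 1] for p in positions)
        question = self.rng.choice(sorted(self.memorable))
        self.seen.setdefault(agent_id, set()).update(positions)
        return Challenge(positions, expected, question, self.memorable[question])

    def verify(self, ch, given_chars, given_answer):
        """True only if both the requested characters and the answer match."""
        return (tuple(given_chars) == ch.expected
                and given_answer.strip().lower() == ch.answer.lower())

    def agent_exposure(self, agent_id):
        """Fraction of the password one agent has accumulated across calls."""
        return len(self.seen.get(agent_id, ())) / len(self.password)

    def fully_exposed_agents(self):
        """Agents who have now been shown every position: a rotation trigger."""
        return [a for a, s in self.seen.items() if len(s) == len(self.password)]
```

Routing a customer's repeated calls to the same agent drives that agent's exposure towards 1.0, which is the situation the text warns of; a bank can use the ledger to rotate agents or prompt a password change before that point.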
Just as technical and procedural security mechanisms have become formalised on the arrival of telephone banking as a distinct service, so risk allocation has been documented. The terms currently in use tend to cover both telephone banking and online banking where access is provided by computer (whose special characteristics are discussed below). Two distinct trends are emerging.
Some banks are using terms closely based on those used for card transactions, so that the customer is bound by fraudulent instructions but liability is limited to £50. Among those adopting this approach are the Co-operative Bank and Lloyds TSB. (The terms of the ‘first-e’ service of the Banque d’Escompte do not make it clear that the customer is bound by fraudulent instructions, but in any event the customer is said to be insured against loss from such instructions, so its service may be considered to fall into the same group.) The terms of the ‘marbles’ service of HFC Bank are of particular interest in limiting the customer’s liability to £50 generally, but reducing that limit to zero where fraudulent use occurs over the Internet (so that in this case the bank carries the whole of the risk). The telephone and online terms of First Direct, the telephone banking division of HSBC Bank, provide in clear terms for the bank to carry the whole of the risk of fraudulent use unless the bank can prove that the customer acted fraudulently or with gross negligence (not defined) or failed to observe the required precautions against disclosure of security information. The terms of the Woolwich online service limit the customer’s liability for fraudulent use to £50, but among the cases where this limit does not apply is the case where the customer has failed to comply with the terms. One of the terms is that the customer must not keep a written record of the security information used to authenticate transactions. We comment below on the customer’s dilemma in the face of such provisions.
But other banks provide for the customer to be bound by fraudulent instructions, and provide no limit on the resulting liability. Among those in this group are Prudential Banking plc, the Halifax and the Bank of Scotland. (The banks named are mentioned purely by way of example; and it should be made clear that a customer’s liability exposure always ceases once the bank is notified of a compromise of the password or other security information.)
A typical unlimited liability approach is found in the published Banking General Terms and Conditions of the Egg service provided by Prudential Banking plc, which are commendable for their lucid and straightforward language. Condition 3 deals with security, and the material terms are as follows (with emphasis added to terms relevant for risk allocation):
3.1 We may establish security procedures with you either by post, telephone or Internet (when available). You must keep your security details and password secret. If you make written records of any security details or password, you must disguise them so that they cannot easily be understood by anyone else.
3.2 You must tell us as soon as possible if:
you think that someone else knows your security details or password;
you have forgotten your security details or password;
you think that someone else (other than a joint account holder or authorised person) is trying to use your account.
Until you tell us, you will be responsible for any instruction in writing or by telephone or Internet which we receive and act on, even if it was not given by you. Normally we will pay back into your account the amount of any payments we make after you have told us. But, if we can show that you have acted fraudulently or have been grossly negligent or have not kept your security details and password secret you will be responsible for all payments we make and all losses on your account. We will have no other liability to you.
We will do all that we reasonably can to prevent unauthorised access to our Internet banking service and make sure that it is secure.
3.8 You will tell us as soon as you can if you find any failure, delay or error in our Internet banking service, especially in the sending or receiving of instructions. Our records of your Internet instructions will be conclusive unless there is a clear mistake.

Condition 5, dealing with ‘taking money out of your accounts’, is also relevant (it is again shown with emphasis added to the risk allocation language):
5.1 We can make payments and account transfers on instructions you give us:
by using any card we have provided on your account;
on documents you or an authorised person have signed (but not copies or facsimiles);
by telephone and Internet (when available), subject to our withdrawal limits, as long as we have checked your identity from the security information and passwords and even if the order was given by someone else using your security information and passwords.

Like the cash dispenser liability régime, this looks rather similar to the card transaction régime. But once again the balance of risk has shifted towards the customer. The most striking difference is that there is no £50 limit. As is clear from Egg clause 3.2, the customer’s whole available balance (up to the amount of any applicable withdrawal limits) is at risk. And the customer’s protection rests wholly on the secrecy of the security information, without any physical indication (such as loss of a card) to alert the customer to any compromise of the secrecy.