July 19, 2007

NZ banks under fire over online fraud liability

The New Zealand Bankers’ Association has taken a harder line than its Australian counterparts in assigning responsibility for online banking fraud losses.

We’ve discussed the challenges of obtaining consistency on this issue before. Since then, however, the New Zealand Bankers’ Association has released its revised code of banking practice, which differs significantly from that proposed by the ABA.

The contrast between the two has the conspiracy theorists wondering if Australian banks are using their New Zealand-based customers as guinea pigs.

Under the new code, New Zealanders may be liable if they have “used a computer or device that does not have appropriate protective software and operating system installed and up to date.” This includes keeping virus scanning, firewall, anti-spyware and anti-spam software up to date.

The code states: “Your computer or device is not part of our system therefore we cannot control, and are not responsible for, its security.”

The extension of the code to give banks the right to access a customer’s PC to verify that they have taken steps to protect it has privacy advocates concerned. There is also the inconvenience caused to customers who can no longer access online banking from work or any other PC over which they do not have control. These issues are leading some in New Zealand to predict a reduction in the number of customers using online banking.

Perhaps the most solid argument against similar moves by ASIC (which regulates the EFT Code in Australia) is AusCERT’s submission to the EFT Code review.

AusCERT argues that while there are some minimum security counter-measures all PC users should take, they will not eliminate the risk entirely and therefore “it is not appropriate to expect account users to bear 100 per cent of the loss of unauthorised transactions.”

It also points out that the growth in zero-day and near zero-day exploits means that a user’s computer may still be successfully compromised even when protective measures are taken.

AusCERT argues the only effective method to protect against malware attacks is chip and PIN technology, similar to that being deployed by Barclays Bank in the UK.

Rather than shift liability to customers, AusCERT says the small number of customers who are repeat victims of malware and phishing attacks due to perceived negligence or user ignorance should simply be denied access to the online channel.

We’ll be discussing this and other cybercrime issues at our upcoming Cyberwars forum being held in Sydney on August 16.


Filed Under: The Better Banking Blog
