Case Notes
Internet banking – unauthorised transactions – fraud – customer identification – transaction limits – compensation for inconvenience
Mr and Mrs J had several accounts which they registered with bank A for internet banking. When logging on to internet banking after an absence of eight days in late 2004 they discovered that a number of unauthorised internet banking transactions totalling about $18,000 had been charged to their accounts.
They advised the bank immediately. It then froze the accounts to ensure that no further transactions could be made. Further checking by the bank and Mr and Mrs J showed that each of the transactions had been separately credited to two accounts with other banks. The banks’ investigations showed that all the account login access had originated through an overseas ISP (internet service provider). Because several days had elapsed, the transactions had been cleared through the other banks and could not be reversed.
The bank refunded the total value of all the transactions to Mr and Mrs J within three days, but did not accept their claim for costs and compensation for inconvenience.
However, Mr and Mrs J considered that the bank’s security procedures for online internet banking were inadequate, and notified me of their complaint. Their view was that:
- the bank’s method for verifying electronic transactions and enabling account access did not comply with current banking industry best practice; and
- the pattern of transactions was so unusual that the bank should have identified them as probably fraudulent, and should have either stopped them or contacted the customer.
Mr J said that the bank should have provided better verification than relying solely on an account identification number and a password. I requested the bank to provide its report about the transactions, and the bank advised that, in its view, some “key logging” software must have been placed on the customer’s computer, which had then recorded the login and password details and had transmitted this information back to the fraudster. It is likely that the computer had been infected by a “Trojan” virus.
In order to determine current good banking practice in this regard, I surveyed ten banks in March 2005 to find out what customers are told about transaction limits for third party transfers initiated through an internet banking service, as well as banks’ methods for verifying customer account access and steps taken to check for unusual or likely fraudulent transactions.
The responses showed that each bank had a different approach to dealing with transaction limits (for payments to third parties via internet banking) and consequently what customers were told about any facility to enable such payments.
It was clear from the survey that the use of two-factor identification (with or without transaction limits) was not common practice in late 2004, although some banks had recently introduced it. In my report to Mr and Mrs J and the bank I noted that, while it was probably becoming good banking practice to offer at least a level of security for internet banking consistent with the two-factor systems, I could not conclude that it was a requirement of good banking practice in 2004.
I noted in my report to Mr and Mrs J and the bank that in these particular circumstances the bank had a contractual obligation to reimburse the amount of the unauthorised transactions and that it had fulfilled that obligation promptly, without the need for Mr and Mrs J to take the matter further through the complaints process.
I also noted that the contract does not require the bank to compensate its customers for costs or non-monetary loss resulting from unauthorised transactions, and that while Mr and Mrs J had undoubtedly suffered a good deal of distress and had incurred some costs as a result of the unauthorised transactions, the cause of the loss and distress was the fraudulent activity itself, rather than any action taken (or not taken) by the bank.
I advised Mr and Mrs H that I could not uphold their claim for compensation for inconvenience and distress. They have accepted that, and were aware that the bank by then had a two-factor identification system in place which would probably have prevented the fraud. However, they still considered that the bank should have implemented a better identification system sooner.
