Online banking & customer liability

July 30, 2007 at 8:51 pm

I hope the New Zealand banks have a master plan because, on the face of it, what they are planning to do just doesn’t add up.

It all started with a new Code of Banking Practice (pdf, 724 KB) introduced on 1st July. Section 8 of the Code now makes Internet Banking customers liable if:

  • “you have used a computer or device that does not have appropriate protective software and operating system installed and up to date;
  • you have failed to take reasonable steps to ensure that the protective systems such as virus scanning, firewall, anti-spyware, operating system and anti-spam software on your computer are up to date;”

It gets better:

  • The customer is liable up to the balance that would have been available for withdrawal from the account(s), including any Credit Facility,… in other words up to the overdraft limit of the account, and
  • The bank has the “right to request access to your computer or device in order to verify that you have taken all reasonable steps to protect your computer”

By any measure this is extraordinary. Just what does “up to date” mean? If I’m running Windows XP and not Vista, am I liable? What if the protective software is up to date but not running? How exactly does the bank plan to access my computer? What if the problem was a security issue on the bank’s side? Liability up to my overdraft limit? Surely not.

None of this makes sense.

It doesn’t make business sense. Online banking has generally been good for both banks (reduced costs) and customers (increased convenience). Why kill the golden goose?

It doesn’t make operational sense. The chief executive of the Bankers Association himself said, “In the context of the overall banking system and all other types of fraud that occur, the amount is small.” What’s the problem then?

It doesn’t make security sense. As Bruce Schneier once put it, “As long as the banks are not responsible for financial losses from fraudulent transactions over the Internet, banks have no incentive to improve security. But if banks are held responsible for these transactions, you can bet that they won’t allow such shoddy security.”

In their defence, the banks have said they plan PC inspections in rare circumstances, the Code is only a “framework”, and they will continue to reimburse customers on a “case-by-case” basis.

Yeah, right.

Ironically, the Australian parents of the Big 4 NZ banks have no plans to do the same. So, why the special attention on Kiwi customers?

Entry filed under: Aus, authentication, NZ, security, strategy.

2 Comments

  • […] Towards this end, the Report recommends introducing the principle of vendor liability for negligence by the IT industry. It also calls for the establishment of the principle that banks be held liable for losses incurred as a result of electronic fraud. This is diametrically opposite to what is unfortunately happening in New Zealand as noted in a previous post. […]

  • […] anti-spyware, operating system and anti-spam software” was not up to date. At that time, I said that none of this makes business, operational, or technical sense for the […]
