The Bankers’ Association has rewritten its Code of Practice, removing controversial provisions allowing banks to inspect their customers’ computers in cases of online fraud.
The move is expected to boost customer confidence that losses from online fraud will be covered by the banks.
In June last year, the association wrote new provisions into the code to allow inspections to determine whether customers had effective protection against malware.
The requirement, and others placing restrictions on the customer, provoked a reaction that led to discussions between the Bankers’ Association, Computerworld, the Dominion Post, InternetNZ and consumer organisations, and to the subsequent withdrawal and rewriting of the code.
The new code retains the head clause stating that the banks will reimburse the customer “if you incur a direct loss that is due to a security breach of our Internet Banking system as a result of our failure to take reasonable care and is not caused or contributed to by you.”
The conditions outlined for not reimbursing losses have, however, been significantly loosened.
A provision that would have protected banks from liability if the customer had “used a computer or device that does not have appropriate protective software and operating system installed and up-to-date” has been replaced by a clause stating that the customer must “know or believe” the device does not have “reasonably up to date” software [our emphasis].
The code reflects the current minimum standards agreed on by the banks, says association head Alan Yates. Individual banks are free to set more liberal standards in their own terms and conditions and to use these as a competitive weapon, he says.
In the aftermath of criticism of last year’s version of the code, Westpac in particular made marketing capital out of promising not to apply the conditions strictly and to reimburse customers for any failure that did not involve deliberate collusion in fraud.
A customer who believes he or she has still been treated unfairly in a case of loss through internet banking can take advantage of the dispute resolution procedures that all banks have, says association spokesman John Bishop. If still dissatisfied, they are free to take the question to the Banking Ombudsman, who will apply the terms of the code, or, as a last resort, to take the bank to court.
“That would be a very drastic step” but it is available, says Yates. It’s not a matter of the bank’s word being worth more than the customer’s.
Critics still ask whether the head clause in the new code should say it all, and whether the more detailed clauses are either redundant or an attempt to water down the banks’ commitment. Points of detail have also been raised, such as whether security systems merely need to be installed or are required to be running at the time of an incident.
Clearly a customer would not be liable for loss if, for example, an automatic software update turned off the security screening without their knowledge, Yates says, but if the customer had deliberately turned security off to speed up processing, then it would probably be fair to expect them to pay, even though the conditions do not strictly say that.
The older code disclaimed bank liability if the customer had stored internet banking passwords even in a secure cache of the kind provided by a number of security software vendors. Under the new code’s terms, passwords may be stored “in a secure facility acceptable to your bank”.
Customer responsibility for protecting passwords and deflecting malware extends to “not opening attachments or running software from untrusted or unknown sources”, but the banks can be expected to be reasonable in applying such a condition, Yates says.