Computerworld

UK online banking rules similar to ill-fated NZ code

Revised New Zealand banking code awaiting sign-off

The British Bankers' Association has developed a new banking code requiring online banking customers to prove they are not "acting without reasonable care".

The new UK voluntary Banking Code appears similar to one released in New Zealand last year, which later had to be withdrawn and reconsidered after Computerworld reported it allowed banks to inspect users' computers before accepting liability for online banking fraud. As such, the code effectively shifted the goalposts for liability in cases of loss.

Alan Yates, the CEO of the New Zealand Bankers' Association, says work on revising the local code is "progressing". "We haven't got sign-off for the latest changes," he says. He says the Bankers' Association has been consulting on the changes and is awaiting sign-off from its council before releasing the latest version of the code.

Now UK web users who fail to keep their antivirus and anti-spyware software up to date may find themselves unable to recoup losses which occur via their online banking accounts, Computerworld UK reports.

"The new code, specifically sections 12.9 and 12.11, places the onus on customers to take reasonable care and make sure that their antivirus and anti-spyware software are up to date," said Yuval Ben-Itzhak, chief technology officer at security firm Finjan.

"If not, customers might be held responsible for losses on their online banking account," he adds. According to Ben-Itzhak, this could potentially include banks rejecting online fraud claims upfront.

Last year the New Zealand Bankers' Association released its ill-fated Code of Practice which said liability for any loss resulting from unauthorised internet banking transactions rests with the customer if they have “used a computer or device that does not have appropriate protective software and operating system installed and up-to-date, [or] failed to take reasonable steps to ensure that the protective systems, such as virus scanning, firewall, antispyware, operating system and anti-spam software on [the] computer, are up-to-date.”

"We reserve the right to request access to your computer or device in order to verify that you have taken all reasonable steps to protect your computer or device and safeguard your secure information in accordance with this code," the code added.

“If you refuse our request for access then we may refuse your claim.”

Once the code was reported in Computerworld, and later in other media, Westpac NZ and National Bank moved to reassure customers they would not be held liable for online banking fraud, effectively distancing themselves from the new code.

The local banks also received little support for the code from their Australian parent companies when put on the spot by Aussie media. Westpac offered a guarantee customers would not be left out of pocket in the event of online fraud while National Bank quickly followed, reassuring customers its online banking terms exceed the “minimum standards” of the new code. National Bank’s managing director of retail banking, Craig Sims, said in a statement the bank would "work with [customers] on a case by case basis to ensure they are not out of pocket.” Sims said permission for inspections could still be sought in “very rare circumstances” to understand how the loss was incurred. “But this will not determine whether we compensate the customer,” he said, reiterating that security is a shared responsibility for banks and their customers.