News 

Banks currently bear the cost of online banking and card fraud, but experts predict the changes will give financial institutions a get-out-of-jail card when customers seek recompense.

"The new banking code allows the banks to further dump the cost of their problems onto customers," said Steven Murdoch, a banking security expert at Cambridge University. "It would be one more option for them to select from."

Online banking fraud totalled £22.6 million, according to UK payments association Apacs, while card-not-present fraud, which includes internet, phone and mail order purchases cost £290 million.

The banking code has always advised customers to use up-to-date anti-virus and firewall software, but a subtle change to the document now includes the warning that: "If you act without reasonable care, and this causes losses, you may be responsible for them."

The problem for customers is that it could be almost impossible to prove how fraudsters got their information. It could be from card skimming or rifling through the banks' own bins, as well as from a consumer's computer.

"This is a similar scenario as the current situation with Chip and PIN; it is effectively the customer who has to show they have not been negligent in order to be refunded for fraudulent transactions," Murdoch told Shopper. "In both cases, it is nearly impossible for a customer to prove their innocence. This is why the House of Lords recommended

ADVERTISEMENT

that customers be protected by law, not a voluntary code."

The banking authorities have played down the changes, but refused to deny the potential for withholding payments.

"The code has always included that people should look after personal data, it's just been made a little clearer," Brian Capon, a spokesperson for the British Bankers' Association, informed Shopper. "People are reading more into it than necessary. Banks would be reasonable and this is not intended as a get-out clause, provided you have done everything reasonable to keep your computer safe."

However, security experts are not so sure that banks won't at some point lose patience with the escalating bill for fraud online.

"The banks are taking a lot of financial damage on these issues and so the crime ultimately is against the bank," Danny Harrison, ID theft manager at security firm CPP, told Shopper earlier this year. "At what point are they going to say 'we won't pay'?"

Another concern raised by critics of the code, which came quietly into effect on March 31st 2008, is how it will be policed and whether the onus is on the banks or the customer to prove they had taken reasonable precautions. And what are reasonable precautions?

"Banks aren't going to go around in jack boots seizing computers, but they might be able to tell by the type of hack whether common up-to-date software could have prevented the problem," said Capon. "If you never update your anti-virus and it's five years out of date then that's different from updating once a week."

The irony of the situation is that much of the security that the banking industry insists is vital is actually of little help in stopping fraud.

"The advice included in the banking code is also not particularly helpful," said Murdoch. "Even up to date anti-virus software misses 80 per cent of malware and firewalls are almost completely ineffective at stopping the types of malware used to commit fraud."

The first test case should make interesting reading.