Consumer advocates to fight NZ Banking code

Internet advocacy group InternetNZ and the NZ Consumers' Institute have both come out swinging over the New Zealand Bankers Association's (NZBA) decision to allow victims of Internet banking fraud to be potentially held liable for losses.

Representatives from both institutions have met with the NZBA to voice their concerns about the new Banking Code of Practice, which essentially makes Internet banking users liable for fraud-related losses.

"Given how the Code is worded currently, someone whose Internet banking details are stolen could find themselves liable for any money taken from their accounts before they notice the transactions," says Jordon Carter, deputy executive director for InternetNZ.

"Someone whose computer is running a non-current operating system (for example a home PC running Windows 2000) could also be deemed to have non-compliant software, and therefore held liable for any losses," he added.

The new Code, according to the Consumers' Institute's Marc Wendleborn, "places too much responsibility on customers, while banks avoid their own security responsibilities".

"Online banking customers should be nervous," he said. "Some will lose money."

The Code, passed without yielding to the Institute's repeated requests for more clarity on the liability issue, will be challenged on several fronts.

First, it raises issues around privacy -- as some clauses suggest that the banks retain the right to inspect a victim's computer. "And if you don't allow this then they could hold you liable for any losses," Carter said.

Wendleborn describes this approach as "heavy-handed".

"The legality of these regulations in regards to the (NZ) Consumer Guarantees Act and the (NZ) Fair Trading Act remains to be seen," he said.

The Code needs, Wendleborn said, to provide better definitions of what "up to date" security software means if it wishes to judge fraud victims based on their choice of software.

The vagaries of the Code as it stands are endless.

"What is up to date?" Wendleborn asked. "Are we talking a day, a week, a month? Will people have the right to sue Internet security software manufacturers to recoup their lost savings? What happens if you log on at work and lose savings because the company does not have the latest software? Can you sue your work? Will certain Internet security programs be approved by banks and others not?"

James Turner, security consultant at IBRS research, said that end-users shouldn't have to be security professionals.

"We shouldn't expect home users to be auditing their home computers for every application, checking the latest data on known vulnerabilities for each application, and taking the appropriate remedial action," he said.

During their recent discussions, the NZBA told the Consumers' Institute that the Code aims to "educate" consumers about the risks of online banking and the steps they could take to reduce those risks.

"We don't think this is the best way to achieve that," Wendleborn said. "We see a significant difference between educating people about Internet security and making them liable for Internet fraud."

Both InternetNZ and the Consumers' Institute are seeking changes to the Code. Carter is currently preparing some concrete suggestions for ways of improving the Code to "give a fairer balance between the responsibilities of bank customers and those of the banks themselves".

The Consumers' Institute wants the NZBA to clearly spell out the liability issue.

"We say that customers should only be liable for the things they can reasonably control," Wendleborn said.

Carter is hoping a vocal New Zealand public might force change.

"The banks are naturally concerned with their public reputation and if the public don't accept the Code as it is, then they would be wise to change it," Carter said. "We hope the banks will accept the sorts of changes that will ease the public concerns that have been raised by the Code as it stands today."

But Wendleborn predicts that it will take a few innocent users being stripped of their money before any major "public backlash" will ensue.

"The banks need to take responsibility for the security of their products," he said. "Banks provide a service. If they are not prepared to back the quality of that service, they shouldn’t be offering it."

These regulations effectively say "we're not liable unless we decide to be", he said. They give banks a convenient, "all-encompassing" out.

"The NZBA says the banks will consider issues on a case by case basis and will do what is reasonable. But reasonable to whom? This puts all the power in the hands of the banks to determine what is fair," Wendleborn said.

"We say it's not acceptable for banks to effectively tell customers that their money might be there today but, through no fault of their own, it may not be tomorrow."


Talkback 5 comments

  1. Right Anonymous -- 26/07/07

    This is rediculous. I back the bank on this. It doesn't matter HOW secure the bank makes their product. They could increase its security 100000 fold, however if some idiot manages to get their home computer infected with a trojan, that security implemented on the service provider's end doesn't mean dick. People need to grow up and at least start to take some responsibility when they continue to live an uneducated life from a technical perspective.

    1. Online banking security Grump -- 26/07/07

      Get real anonymous.
      It's "rediculous" to expect anyone to be able to keep their PC hack-proof when not one of the AV products available to date is capable of detecting more than 90% of the current crop of existing nasties at best.
      Perhaps it would help if they never go online, but then it makes online banking somewhat difficult, do you think?

  2. A bank customer's nightmare! Keith Styles -- 26/07/07

    If the NZ consumer's association, the legal fraternity and the public generally, don't come down heavily and quickly on the NZ Bankers, many consumers will be out of pocket without a doubt.

    Hackers, spammers and virus writers will have a field day with this piece of one-sided nonsense. The AVERAGE PC USER WHO HAS BEEN FORCED BY THE BANKS TO USE ONLINE BANKING, doesn't stand a chance and certainly doesn't have the skills to defend themselves against the malware and nasties lurking in every URL and email. The best security software is way beyond the reach of most users. The junk peddled by the marketing spin doctors employed by most antivirus software and malware companies is almost totally useless against the clever efforts of the thieves and robbers who haunt the Internet.

    Australian banks have a large holding in the NZ banks. I wouldn't trust the ABA as far as I could throw them.

    This nonsense will cross the Tasman as sure as night follows day, unless the NZ government steps in to protect the consumer against what can only be described as a cop out by the banks. They only have themselves to blame for the sorry state of the security they have failed to provide their customers. Good security is available, but the banks have taken the soft (cheap) option and provided no more than is necessary and in most cases it's sadly lacking.

    A PC is inherently unsafe. It was designed for convenience, not security. It's up to the banks to protect their customers with much better security measures and identity techniques than is provided at present. They've had more than enough time to deal with the problem of identity theft. It's been around for a very long time.
    I don't know what planet Mr. Anonymous is living on, it's certainly not the earth! PC skills may be sadly lacking, but the blame for that lies squarely with the governments and educators. Many schools still do not include basic PC skills in their curriculum and you want everyone to take responsibility for their lack of PC knowledge and online banking. Get real!

  3. What the ???? Anonymous -- 26/07/07

    It's unbelievable that the banks have forced their customers onto an online platform, saving the banks billions in dollars to have to process over the counter transactions. They should provide a basic amount of security, for their benefit, Data keys, Dongles, SMS two level authorisations etc etc. Try the Commonwealth Bank here in Australia, they ask for two questions and answers. Guess what, when you query something via the phone service they expect you to provide the same answers. Who else could be on the line, their efforts are a joke, and as a consequence they want to make the victim into the guilty party. Consumers stand up and revolt, after all we are the customer here, and they are meant to be a service provider. These are their tools not yours, the responsibility should lie with them.

  4. On line banking liability Anonymous -- 31/07/07

    Hi Anonymous, you led off this discussion here with comment RIGHT, backing the banks on this. We here in Romania could not let such a challenge go, we are surprised that you are so confident that we cannot trace back through your comments in this forum to your PC. I am sure you know how we do that :+) Anyway, you are infected now, free of charge. You will be able to spot it quickly I know and remove what we have put on (hint: check for rootkit) so you will be OK. But do not do any online banking until you do. Your large overdraft limit looks sooo tempting.
