Bank customers may cover cost of fraud under new UK proposals

Patrick Jenkins and Sam Jones

http://www.ft.com/intl/cms/s/0/e335211c-2105-11e6-aa98-db1e01fabc0c.html#axzz4A6ziUpN9

Bank customers could be forced to foot the bill for fraud on their accounts, under proposals being discussed by Britain’s lenders in conjunction with the UK government, the Bank of England and spymasters at GCHQ.

Under the plans, individuals or companies with lax online security could find themselves frozen out of banking services or even excluded from the system whereby banks compensate customers whose accounts are hacked.

Consumer groups immediately criticised the plans. Lindsay Cook, co-founder of consumer rights advocacy organisation Money Fight Club, said: “It’s going to be a tax on the less sophisticated, the old and the frail.”

Which? policy and campaigns director Alex Neill said consumers could find themselves locked out of online banking. “Banks should do more work looking at their own systems to see where the potential vulnerabilities are,” he added. “You can’t just say to people ‘oh, you go and figure it out’.”

At present, banks routinely cover the cost of fraud, regardless of blame. Any move to put the burden of fraud losses on to customers is likely to be highly contentious and would be a stark change from current norms in many western countries.

The authorities have become increasingly worried about the vulnerability of financial institutions to cyber attacks, whether from thieves, nation states or terrorists. Banks themselves are also concerned about mounting fraud losses.

Financial fraud losses across UK payment cards, remote banking and cheques totalled £755m last year, up by more than a quarter on the previous year, according to Financial Fraud Action UK, which collates data on the issue.

Some of the biggest increases came in areas linked to online financial services activity. The cost of internet banking fraud leapt 64 per cent to £134m in 2015, according to FFA.

GCHQ, the government’s electronic eavesdropping and cyber security agency, is pushing hard for banks and other private sector organisations to take a more “active” approach when it comes to cyber defence.

The agency believes that companies must do more to try and encourage their own customers to improve their cyber security standards. Customers using outdated software — sometimes riddled with vulnerabilities that hackers can exploit — are a weak link in the UK’s cyber defences, GCHQ officials have told banks. The agency believes it is up to companies to redress the problem, however, and has told the private sector it will not take responsibility for regulatory failings.

A government security official said GCHQ was being forceful in articulating its concerns to regulatory bodies like the Bank of England in order to try and push for tougher rules.

GCHQ declined to comment.

Adrian Leppard, former chief of City of London police, and now a director at cyber security consultancy Templar Executives, said: “It seems reasonable that customers should take the most basic steps to prevent crime and that banks should only have to recompense those who have done so. It is also a good step in encouraging a necessary culture shift that requires society to take such steps. At present there seems little motivation to do so if the banks will always [pay] out!”

Any changes to the system would take several years to implement, according to bankers, and would happen in three or four stages.

As a preliminary move, customers detected using an outdated browser or ineffective antivirus software, would be urged to upgrade. At a second stage, customers may be barred from all but the most basic online banking services.

Some participants in the talks believe a third stage should involve internet service providers barring customers altogether if they are known targets of so-called malware, or malicious software.

In the event that fraud is perpetrated on a customer with poor cyber security, a final step could involve the bank refusing to compensate any losses, according to people briefed on the plans.

Bankers are nervous of being seen to be penalise customers, given the sector’s tarnished reputation following the financial crisis and the multiple scandals that have emerged in its aftermath. Fraud experts said legislative change may be necessary to implement the proposals, unless banks can argue that lax security equates to “gross negligence”.

The proposals could also be politically sensitive, as they may prove more penal for less sophisticated, older customers.

Given the sensitivity, bankers are hoping that GCHQ and the government will push companies beyond the financial sector to engage in the initial stages of the exercise. If there is a general improvement in customers’ software security, it could obviate the need for more punitive sanctions.

Additional reporting by Naomi Rovnick