Liability for internet banking fraud in Ireland

Steven Murdoch at Light Blue Touchpaper notes that the UK banking code now includes wording to make the customer liable for losses attributable to them “acting without reasonable care”, where “reasonable care” bizarrely includes installing anti-virus software on their PCs.

The Register also picked up on this, as did Brian Krebs in the Washington Post, comparing it with the vastly superior customer protection offered by the US banks.

I was curious, so I went looking at the Irish situation. Needless to say, it’s not pretty.

I couldn’t find anything in the Irish Banking Federation’s Code Of Practice for Personal Customers, unfortunately. However, AIB’s terms and conditions for use of their Internet Banking product contain this:

5 Transactions on the Account:

5.1 The User authorises AIB to act upon any instruction to debit an Account received through AIB Phone & Internet Banking which has been transmitted using all or part of the Registration Number, PAC and/or any other authentication process which AIB may require to be used in connection with AIB Phone & Internet Banking (including but not limited to a Code Card) without requiring AIB to make any further authentication or enquiry, and all such debits shall constitute a liability of the User. Where the User’s Account is maintained in joint names the liability of the Account Holders shall be joint and several.

5.6 Entries in an Account in respect of Bill Payments, Fund Transfers and Top-Ups shall be prima facie evidence that the transfer or debit represented thereby has been duly authorised and shall be binding on AIB and the User unless and until proved to the contrary.

6 International Payments:

6.9 To the extent permitted by law, and notwithstanding anything to the contrary herein, AIB shall not be liable for, and shall be indemnified in full by the User against, any loss, damage or other liability that the User or AIB may suffer arising out of or in connection with the User’s use of the International Payment services (whether as the sender or receiver of an International Payment) unless such loss, damage or liability is caused by AIB’s fraud, wilful default or negligence. In no circumstances will AIB be liable for any increased costs or expenses, or for any loss of profit, business, contracts, revenues or anticipated savings or for any special, indirect or consequential damage of any nature whatever.

As far as I can tell, basically the AIB have no liability here at all — if a bad guy gets hold of your PIN code and account number, and empties your account, tough luck.

What about Bank of Ireland? It seems they agreed to refund phishing losses in an incident back in 2006. But their 365online Terms and Conditions now say this:

13 Indemnity

13.2 Without prejudice to the generality of Clause 13.1 above, the Bank shall have no liability whatsoever in respect of any loss suffered by the Customer as a result of their breach of Clause 4 [jm: Security/Authentication] by way of knowingly, negligently or recklessly disclosing the Security Devices or any of them.

So it’s all pretty bad news for Irish banking customers. It’s only a matter of time before Irish banks are targeted by a new banking trojan, and given that antivirus software has an 80% miss rate these days, even having an up-to-date AV scanner isn’t going to be much help.

My answer? Don’t do internet banking on Windows machines. Simple as that.


3 Comments

  1. Gavin
    Posted April 15, 2008 at 17:22 | Permalink

    I think if the bank has done everything one can reasonably expect to implement a secure system, then it’s not unfair to hold the customer liable.

    I mean if I don’t secure my house properly and it’s robbed, will an insurance company pay out? I wouldn’t have thought so.

    If there’s a fault in the security system, obviously that’s the bank’s liability.

    No?

  2. Posted April 22, 2008 at 15:55 | Permalink

    Internet banking fraud has been on the increase these days. I think in this case the security of the bank failed, so it’s the bank’s liability; they have to pay everything back to the customer.

  3. Posted April 23, 2008 at 14:49 | Permalink

    I agree with banks, bill here. Yes, your analogy of home insurance works, but internet banking is a different kettle of fish. If banks are using new technologies such as the internet to cut branch costs, they have to ensure customers know what they are dealing with.

    To use another analogy, if you were queuing up in a bank to deposit money, ready to use their services, and it was robbed, yes, you would be compensated. You are being targeted for using the bank’s service and many are unaware of the risk.

    My best advice is to use a reputable bank and as secure a computer as you can find when accessing your bank account details online.