The Consumers’ Institute has reached an impasse in its discussions with the New Zealand Bankers Association over the controversial new banking Code of Practice, which potentially makes internet banking customers liable for online fraud.
The Institute’s Marc Wendelborn says he expects a lot of appeals to the Banking Ombudsman and “case-by-case decisions” before rules are firmly established. He describes the current negotiating position between the Bankers Association and Consumers Institute as an “impasse”, but adds that the institute will continue to talk with the association.
Meanwhile, InternetNZ is preparing to propose amendments to the code. InternetNZ believes bankers will be reasonable in interpreting the new section in the Code of Practice, which allow them to hold customers liable for fraudulent transactions if their virus and spyware protection is not up to date.
“But we don’t believe the wording of the clause indicates that clearly enough,” says InternetNZ spokesman Jordan Carter.
The final form of Internet-NZ’s proposed rewording has not yet been settled, Carter says.
He says the provision, interpreted literally as it stands, is inequitable in that it imposes greater liability on the customer for internet banking fraud than for any other form of banking.
It’s unclear what “up-to-date” means in the context of malware protection, Carter says. Bankers could hold the user liable if the fraud was perpetrated using an exploit for which a patch had been released only a week before the incident.
There is also the question of what the code will consider to be a current operating system, he says. For example, will Windows XP users be potentially liable now that Windows Vista has been released?
“We think the wording is unclear and needs tightening up,” he says.
Wendelborn says his organisation also wants to see the liability of parties to the transaction more fully spelt out. “That was the aim from the beginning in drafting this code and we don’t think it’s been achieved,” he says. “This puts the decision on liability basically in the hands of the bank.”
Other potentially liable parties might include the provider of an unsatisfactory malware filter, Wendelborn says.
But he agrees that to be too specific about what protection and what operating systems should be used might impose unreasonable restrictions on the customer’s choice. Nevertheless, the Consumers’ Institute believes the banks can steer an acceptable course between these two extremes.
There are also privacy concerns attached to the banks claiming the right to investigate a customer’s computer to assure protection is adequate, he says. Legal conflict of the provision with the Consumer Guarantees Act and Fair Trading Act is another risk yet to be explored.
The Institute also believes there is still a lot banks can do to make their part of the system more secure, he says.
Alan Yates of the Bankers Association says it will consider the proposals put to it by InternetNZ and jointly by Computerworld and the Dominion Post. “I am consulting with the banks on it, of course. I can’t give a timeframe for that process to reach a conclusion, and in the meantime, I would prefer not to comment,” Yates says.