Who Carries the Risk of Fraud in Online and Internet Banking?

In conventional banking a cheque is valid only if the person purported to have signed it actually did so; it is invalid if that person did not sign it. If a signature is disputed, the burden therefore falls on the bank to prove that it is genuine, not on the customer to prove that it is forged.

But for many Internet bank accounts a transaction is presumed valid if it is authenticated with the account holder's security codes, even if the account holder did not in fact use them. In consequence, if these codes are used fraudulently the account holder is likely to be liable for the transaction. This places the risk of fraud on the customer, not on the bank.

Here are some current examples of terms and conditions that show this in practice.

1. Smile

Our no risk policy

We will repay you any money that is taken from your account due to:

a    any error by our staff or our systems

b    a computer crime which is not identified and stopped by our security system

We will not repay any money that is taken from your account due to circumstances beyond our control. This includes situations where you:

a    tell someone else your Customer Security Codes

b    forget to click on the exit icon when you end your banking session or if you leave your computer unattended

c    key information incorrectly

d    fail to let us know about any potential breach of security or problem

Note that the customer is liable if they fail to notify Smile of a security problem. Since customers will often not know that they have a problem until after the fraud has taken place, this places the risk with the customer in such situations.

2. Egg

Until you tell us, you will be responsible for any instruction in writing or by telephone or Internet which we receive and act on, even if it was not given by you.

This is clear enough: the risk lies with the customer, who is liable even when they did not give the instruction.

3. Bank of Scotland

The Customer acknowledges that the supply of the Secured Input when contacting the Bank via the Service is sufficient evidence for the Bank to assume that it is dealing with the Customer without the Bank being required to make any further enquiry or need to verify such authority or instruction and the Bank may act on such authority or instruction or purported authority accordingly.

In other words, the transaction is valid if it was made using the security codes, even if the account holder was not the one who used them.

4. Halifax

9. You will not be responsible for any transactions using your password or any of your additional security details after you have told us that they might be known or used by someone else.

This statement clearly implies that customers are liable for any fraudulent transactions that occur before they become aware of a security problem and inform the bank accordingly.

The Problem

The main problem arises when a customer's security codes have become known to someone else without the customer being aware of it. Since home PCs are not very secure, there are a number of ways such details can be stolen without the customer's knowledge, and the first they may know of a problem is when a statement shows that their account is empty. Many online bank accounts make the customer liable for transactions up to the point where the customer informs the bank of a problem, so the customer's liability for fraudulent use is limited only by the transactions that can be made on the account.

A related problem is that many accounts state that the customer is liable unless they have complied with security requirements such as not revealing passwords. If someone else obtains these details, any bank is certain to argue that the customer must have revealed them, which puts the customer in the position of having to prove that they did not do so in order to avoid liability for the fraudulent use.

In practice it will be almost impossible to distinguish between a customer who has been lax in protecting their security codes and one who has been careful but has had these details stolen because their PC was insecure. It seems inevitable that customers will have great difficulty getting banks to bear the cost of fraud in such situations.

From these examples it can be seen that many online bank accounts make customers liable for transactions even when these have been carried out fraudulently by someone else who has stolen and used their security codes. Customers will generally be fully liable for any fraudulent transactions that take place before they become aware of a problem.

In the worst case the customer is liable whatever the circumstances, that is, even if they can prove that fraud is involved. With some accounts customers may not be liable if they can prove a transaction is fraudulent, but it is then the customer and not the bank who carries the burden of proof.

In the move from conventional to Online and Internet banking, the risk arising from fraudulent transactions has hence frequently been shifted from banks to their customers.

The Full Report

Foundation for Information Policy Research (FIPR) report entitled “Electronic Commerce: Who Carries the Risk of Fraud?” by Nicholas Bohm, Solicitor, Ian Brown, University College London, and Brian Gladman, Information Security Consultant.

Also available in html format at: http://www.fipr.org/WhoCarriesRiskOfFraud.htm