Banks must protect you from cyber-crime wave

As more and more people bank online, so cyber criminals will redouble their efforts to get at your money, the banking ombudsman says.

Published Apr 14, 2013

Cyber crime, already a significant threat, has been described as a wave soon to become a tsunami, and the banks face the challenge of providing a secure platform that will counteract the activities of fraudsters, who seem always to be one step ahead of Joe Public.

These are the words of Advocate John Myburgh, the chairperson of the board of the Ombudsman for Banking Services, in his introduction to the ombudsman’s annual report for 2012.

The report, which was released this week, shows that internet banking fraud is on the increase.

As more and more consumers opt to bank online, the number of internet fraud cases increases every year. In 2009, only 45 cases of internet banking fraud were reported to the banking ombudsman. In 2010, there was a surge in such complaints, with 484 cases reported to the ombudsman’s office. The following year, 591 cases of internet banking fraud were reported.

Last year was no different, with complaints to the ombudsman’s office about online banking fraud increasing by three percent, constituting almost 20 percent of the cases handled by his office.

Ombudsman Clive Pillay says the increase last year was largely because of an eight-percent rise in the number of complaints relating to cellphone banking fraud, “which is a major sub-category of internet banking fraud cases”.

The ombudsman’s office closed 810 cases relating to internet banking fraud last year. Of these, 380 related to phishing, 266 to cellphone phishing, and 104 to phishing and a SIM card swap. There were 46 complaints about transfers to incorrect accounts, and 14 complaints in respect of the fees and charges for internet transactions.

Of all the internet banking fraud cases dealt with by the ombudsman, 460 – or 57 percent – were found in favour of the complainants, as opposed to 350 cases – or 43 percent – in favour of the banks. Similarly, in 2011, the ombudsman’s office found in favour of the complainants in most cases (64 percent) of internet banking fraud.

Explaining why most cases involving internet fraud went in favour of the complainants, Pillay says the banks have a responsibility “to provide safe, secure and reliable payment systems”. This is in terms of the Code of Banking Practice, to which all the banks subscribe. “This cannot be overstated,” he says.

To provide a safe, secure and reliable payment system, the banks need to be proactive in preventing fraud, Pillay says.

But you, as a customer, also have a responsibility when you bank. You may not be negligent or act without reasonable care.

Pillay reiterates the advice he issued in his 2011 annual report: never click on a link in an email that purports to come from a bank, never respond to an apparent internet banking-related email and never provide any information about your online banking details in response to a phone call.

Fraudsters are also using cellphone banking platforms to access accounts, and you must never disclose your personal information to anyone who calls you or sends you an SMS requesting your cellphone banking log-on, he says.

Pillay recovered R16.4 million from banks on behalf of consumers last year. (Amounts recovered do not always take the form of cash refunds; they include credits for applying the incorrect interest rate or fee.) The ombudsman’s report does not disclose how much money was awarded according to each category of complaint.

Pillay notes that although there was an increase in the total number of complaints to his office last year (4 450 compared with 3 684 in 2011), many of the complaints did not involve allegations of maladministration, and therefore no monetary awards could be made. “This led to a slight reduction in the number of monetary awards made,” he says.

The ombudsman’s office closed 4 145 cases last year and found mostly in favour of the banks. In 42 percent of cases, the office found in favour of the complainants.

Pillay says the percentage of decisions in favour of complainants dropped from 47 percent in 2011 to 42 percent because many of the complaints did not involve losses arising from maladministration by the banks, but rather complaints from debt-stressed consumers requesting relief from the banks. These requests for relief included extended repayment terms, a reduction in the interest rate and repayment suspension, he says.

Myburgh says that Treating Customers Fairly (TCF) is expected to come into full effect next year.

TCF is a consumer protection policy designed to address the problem of financial services providers possessing relevant information that you, the consumer, do not.

TCF will regulate the design of financial products, the marketing of products and the information provided to consumers, as well as aspects of financial advice, after-sales support and how companies address consumers’ complaints.

“We view the move [to TCF] as a good one, in that it means added protection for the consumer in the highly complex and sometimes confusing industry that is financial services,” Myburgh says.

BANKS SHOULD CHECK THAT ACCOUNTS ARE NOT OPENED TO DEFRAUD YOU

If your bank fails in its duty of care to you and you suffer a loss as a result of its negligence, it can be held liable, as the following case shows.

On April 26 last year, R200 000 was transferred illegally via internet banking from the current account of Mr X, held at Bank A, to three beneficiary accounts held at Bank B.

Mr X’s cellphone wasn’t working on the day that the online fraud occurred, so he could not receive SMS alerts notifying him of activity on his bank account. He discovered three days later that an illegal SIM swap had been carried out in his name. The SIM swap enabled the fraudsters to link the beneficiary accounts to Mr X’s account, by way of one-time passwords sent to his cellphone number via SMS.

Mr X, who denied having disclosed his confidential internet banking details to anyone at any stage, claimed a full refund from Bank B, which was unable to produce documentation, as required by the Financial Intelligence Centre Act (Fica), in respect of the beneficiary accounts used by the fraudsters.

Bank B rejected liability for a number of reasons. It said:

* Fica does not impose liability on delictual grounds on a bank for failure to obtain or keep Fica documentation. (The law of delict concerns the circumstances in which one person can claim compensation from another for harm that has been suffered.)

* Mr X was not one of its customers and therefore it had no contractual relationship with or obligation to him.

* The office of the Ombudsman for Banking Services is mandated to address only matters that arise as a result of the relationship between a customer and his or her bank, and therefore the office had no jurisdiction in this matter.

In response, Clive Pillay, the Ombudsman for Banking Services, said the verification procedure required by Fica is the yardstick when a bank opens an account for a new or an existing customer.

“The verification procedure ensures that an account is not opened for fraudulent purposes. If the account is opened for fraudulent purposes, the bank has a record of where to contact the account-holder,” Pillay says.

Although Bank B could not be held liable for Mr X’s loss in terms of Fica, it was indeed liable on delictual grounds, based on its neglect of a duty of care, he says.

In order to establish delictual liability in the event of a claim arising from a fraudulent transfer, the complainant must prove negligence (or fault) and wrongfulness, the ombudsman says.

If it is established that a bank had a duty to take reasonable care when opening an account, the bank may be liable for losses if it was found to be in breach of that duty, he says.

The ombudsman’s office quoted from the case of Energy Measurements (Pty) Ltd versus First National Bank of SA Ltd, where the court stated: “The opening of an account is a necessary prerequisite to obtain payment ... In the absence of an account which can serve as a conduit … it would be extremely difficult to obtain the proceeds of the theft thereof … A bank is free to either accept or decline the custom of a client, and in opening an account and making the bank’s facilities available to a customer, it creates a potential risk to the public … if that account is thereafter misused for fraudulent purposes … The decision whether an account should be opened provides the best opportunity to prevent fraud from being perpetrated. In view of the above, it is found that it would be reasonable to impose a duty of care on a bank when it receives and processes an application to open an account.”

Pillay concluded that the principles in case law, with reference to the duty of a collecting bank when it collects payment of a cheque on behalf of a customer, can similarly be applied in all cases where a bank account is opened to perpetrate fraud.

In a claim against a beneficiary bank, a complainant must be able to show that:

* The beneficiary bank received money on behalf of a customer who was not entitled to it, because it had been transferred by means of fraud;

* The bank neglected its duty to verify the identity of a customer when opening an account, in contravention of established law and legislation;

* As a result of the bank’s neglect, the complainant suffered a loss; and

* The claim for payment of the amount transferred constitutes proper compensation for the loss.

“We therefore insist that the bank is liable for payment of the complainant’s losses in the absence of proof that it conformed to its duty of care when it opened a beneficiary account,” the ombudsman says.

On the definition of a customer, Pillay says Bank B had quoted definitions in a vacuum or in a specific context, ignoring other relevant clauses in the ombudsman’s terms of reference suggesting that a complainant does not necessarily have to bring a complaint against his or her own bank. “A complainant includes a complainant from one bank with a claim against a third party bank,” he says.

In response to Bank B’s claim that the ombudsman’s office did not have jurisdiction, Pillay pointed the bank to his office’s terms of reference, which provide for sole discretion to “determine whether or not a complaint falls within his or her jurisdiction within these terms of reference”.

In his recommendation, Pillay says the dispute involved a novel aspect applicable only to the recipient bank, namely, that Fica does not impose a liability on delictual grounds. Since there is another bank involved, it was agreed between the ombudsman and the banks that the Fica question would be dealt with first. He recommended Bank B refund the customer R40 000. “The remaining R160 000 is a subject of a further investigation which covers both banks and which could result in the client being refunded further.”

WHAT DOES ‘DUTY OF CARE’ MEAN?

In a number of cases dealt with by the office of the Ombudsman for Banking Services last year, banks were found to have failed in their “duty of care” to their clients.

Broadly speaking, a duty of care is a requirement to act towards others with the caution and prudence that a reasonable person would. If a person or institution fails to meet this standard of care, they could be considered negligent, and you may be able to claim for any damages that result from their negligence.

Your bank has a statutory duty of care and a common law duty of care to you.

An example of a statutory duty of care is the requirement for banks to comply with the Financial Intelligence Centre Act, which compels them “to know” their customers. So, before allowing you to open an account, the bank must obtain a certified copy of your identity document and proof of where you live in the form of an original utility bill, and so on. If a bank opened an account and did not comply with any statutory requirements, it would have failed in its duty of care.

A common law duty of care is more difficult to define, because it depends on the circumstances of each case.

Ombudsman Clive Pillay explains how his office determines a common law duty of care: “We look at case law, where a judge has defined more or less a common law duty of care, and what a prudent banker would have and should have done. We also look at what is considered international best practice for a prudent banker, the codes of other banking ombudsmen and our code of banking practice.”

He reminds customers that the onus is always on the bank to prove that a client has submitted a fraudulent claim or has been deceitful or negligent. The client is not responsible for proving that he or she was not negligent. The bank must prove that the client acted fraudulently or negligently or without reasonable care. And even if the bank can prove that the client was negligent, the bank still has to prove that negligence on the part of the client resulted in the fraud.

The following two cases show how a bank’s failure to fulfil its duty of care compromised the security of clients.

* Rip-off on Gumtree. On relocating to Cape Town, the complainant found a place to live through Gumtree. She paid a holding fee of R1 500 into a bank account and, in terms of the lease agreement, R4 000 into another bank account. A further R5 000 was paid into a third account for the first month’s rent.

The complainant never received the keys to the property. All the funds had been withdrawn by the time she reported the matter to the banks.

She believed that the recipient banks could have recovered her money from the accounts and questioned whether they complied with their duty of care when opening the accounts.

The banks maintained that the client was a victim of a scam that was outside of their control.

While banks have no control over scams, one of the banks failed to open an account in accordance with its duty of care. The bank accepted the recommendation by the office of the banking ombudsman that it refund the complainant R1 500.

* Win some, lose some. The complainant was advised by email that he had won an international lottery and would have to pay administration fees to receive his winnings. He transferred R126 000 into various accounts with one bank and R39 000 into an account with another bank.

On realising it was a scam, he asked the banks to refund him.

During the ombudsman’s investigation, it was found that the accounts opened at the first bank were opened according to its duty of care and that all was above board. The bank could not have known that the account-holder was a fraudster.

The second bank, however, did not adhere to its duty of care when opening the account, and Pillay requested that it refund the client.

The lesson to be learnt in this case, the ombudsman says, is: don’t be too trusting. You can’t blame the bank for your falling victim to fraud and for transactions concluded with third parties. “On the other hand, scam or not, the banks must comply with their duty of care when opening a bank account to ensure that it is not opened for fraudulent purposes.”
