Lords calls for law to make UK banks liable for online fraud

Lords calls for law to make UK banks liable for online fraud

The UK's House of Lords is calling on the government to make banks legally responsible for losses incurred by customers through electronic fraud.

The House of Lords Science and Technology Committee follow-up report on Internet security, which was published today, says legislation is now needed because the current Banking Code does not offer people enough protection against losses arising from fraud.

By forcing banks to accept liability, they would be provided with an "incentive" to beef up their Internet banking security, says the report.

The committee expressed concern that banks often refuse to refund victims of online fraud when a password or PIN has been used, claiming that the customer must have been negligent or complicit.

This is compounded by the Financial Services Ombudsman and the courts failing to offer an adequate method of redress for victims whose banks refuse to cover losses.

Commenting on the governments refusal to make banks liable, Lord Sutherland of Houndwood, chairman of the committee, says "we are disappointed that they still will not accept that there should be legislation to establish the principle that banks should be liable for refunding the victims of online fraud".

The report again criticises regulations introduced last year, which make consumers report fraud to their bank rather than the police. Currently, police may refuse to accept a customer's assertion that a fraud had been committed if their bank does not support the claim.

"If you were robbed in the street you would expect the police to recognise it as a crime and try to catch the person responsible. If you are a victim of online fraud, you should be entitled to the same protection," says Lord Sutherland.

The committee does welcome the government's decision to review the reporting procedure, having initially rejected calls for change.

Personal data protection is also covered, with the report calling for the introduction of a data security breach notification law that would require public and private sector organisations to inform the public about losses of personal data as soon as they became aware of them.

This would provide an incentive to avoid losses while ensuring that if a breach did occur, people would get an early warning to help them cut risk.

Such a law would be similar to the Californian breach disclosure law that was introduced for financial data breaches by any company dealing with Californians in 2003. That law has been widely copied by many other states in the US. In January this year, California extended the law to cover security breaches involving personal medical data.

Says Lord Sutherland: "The catastrophic loss of data by HMRC in November 2007 seems to have concentrated minds on the importance of data protection both by government and the private sector."

The original August 2007 report slammed a "laissez-faire attitude" towards Internet security but was effectively ignored by the government, which made no commitment to accept any of the major recommendations.

The committee says the government has now taken on board some of its recommendations and is pleased moves are being made to introduce kite-marking of Web sites and a code of conduct for Internet service providers.

You can read the follow-up report here

The Committee's original report can be found here

The Government's response to the original report can be found here

Comments: (0)