Bank Negara must do more to ward off scams
BANKS should bear all phishing scam losses. Period.

Online banking solutions have made it more accessible and convenient for people to pay their bills, transfer money and check their transaction records, but it has also created new vulnerabilities, which sophisticated cybercriminals are quick to exploit.

Presently, all the losses fall on customers, as regulators and banks maintain the stance that it is the customers who were scammed.

Banks owe a standard of care to their customers. They have a general duty to protect client accounts, and that duty should extend to preventing or reducing the risk of their customers being duped by social engineering attacks such as phishing.

Banks may push the responsibility of SMS phishing attempts to customers whenever scammers succeed, but the reality is that they play a far greater role in protecting their customers’ funds.

Phishing attacks and SMS spoofs are just individual parts of a much bigger threat scape, with recent data breaches and the rise of ransomware pointing towards the need for banks to boost their cybersecurity strategies as a whole.

The recent spate of SMS phishing scams at some banks accentuates the need for banks to do more than just enhance infrastructure security measures.

Regulators are focusing on issuing warnings and educating the public on scams. While this is admirable, does it really reduce scam losses when cases seem to be on the rise?

Fraudsters behind scams hold or control bank accounts. Given this, banks are better placed than individuals to identify scams and take steps to protect against losses.

If banks had greater liability for scam losses, they would have a strong incentive to detect and prevent such losses. And given their systems and technology, banks are in a much better position to do this compared to individuals.

Bank Negara Malaysia (BNM), as the banking regulator, should shoulder the blame for such breaches.

It is its job to set the rules for the soundness and safety of the banking system and to make sure the banks enforce those rules. BNM is negligent in not passing the legislation that protects consumer accounts and in not enforcing security measures at the banks.

And banks are taking advantage of the current legislative and regulatory environment by not proactively securing business accounts.

That said, most banks still struggle to ensure the safety of customers’ assets, data and transactions despite more sophisticated security controls and intensified fraud mitigation efforts. Fraudsters will often find a new or different point of vulnerability when one area is addressed.

What measures have banks put in place to detect unauthorised, unusual activity involving a customer’s account? Did the banks act quickly enough?

BNM should introduce more stringent guidelines stipulating greater responsibility on the parts of banks to address phishing. It should study how to apportion liabilities of such fraudulent transactions between affected customers and financial institutions.

Given that banks claimed that their banking systems were not compromised, the natural question is whether systems outside of the bank need monitoring and what level of monitoring is appropriate.

Would this extend to policing the entire internet for fraudulent sites mimicking a bank’s websites and monitoring SMS systems? Would this also include monitoring customers’ devices? Would this “policing” function turn into a privacy nightmare?

Campaigns aside, BNM should consider enacting rules such as those in the UK’s Contingent Reimbursement Model (CRM) Code. Signatories to this code have committed to protect their customers with procedures to detect, prevent and respond to “authorised push payment” fraud (where someone tricks you into sending them money from your own account).

The Code provides that blameless people should be reimbursed for any losses through bank transfer fraud, provided the victim did not engage in “gross negligence”.

A recent review of the CRM Code found that average reimbursement rates have risen from around 20% to 45% and banks have invested more heavily in systems to help people spot when they may be making a payment to the wrong account.

In a joint submission to the Review of the Banking Code of Practice, consumer groups in the UK have called for a code commitment requiring banks to take reasonable steps to flag and stop a scam transaction.

In the absence of such a reform in Malaysia, consumers have few means of raising a complaint and pursuing redress against banks that have been recalcitrant in preventing scams, or that have failed to take reasonable steps to recover scam losses.

Banks can and should leverage digital technologies to make banking solutions more convenient and accessible for their customers, without always having to make the security trade-offs.

It is increasingly important to minimise mistaken payments through good system design, rather than relying on moves to get the money back afterwards. – September 9, 2022.

* FLK reads The Malaysian Insight.

* This is the opinion of the writer or publication and does not necessarily represent the views of The Malaysian Insight. Article may be edited for brevity and clarity.