As most banking transactions moved online, unfortunately we see a corresponding rise in innovative online scams. But banks have repeatedly assured us that they have put in place multiple layers of protection to prevent and seek out online scammers.
We are made to believe our life-savings and transactions are almost theft-proof. Even if scammed, there are adequate measures for recovery and compensation.
Yet many of us frequently go online not to do transactions but to ensure our money is still there. With online banking all our savings can be wiped out in an instant without a trace, and we won’t even know how it happened.
It was in such a moment that I checked my accounts in a locally-incorporated multinational bank (name withheld for the time being).
This time I was greeted with a revised set of terms and conditions (TCs), which I had to agree to before proceeding further. With our faith placed in our banking system and regulatory authorities, normally we would just click acceptance without reading the voluminous legal document.
Maybe I was bored, but I decided to read the Online Banking TCs this time and what a shock I had. I reproduce here excerpts of the TCs (edited for brevity but with paragraph numbers retained for clarity/reference).
To better appreciate the gravity of the TCs as you read, imagine the police advising you on how to keep your house safe from robbery, but when a theft occurs the police refuse to entertain your report, claiming it is your fault for not adhering to the advisory.
“Online and Mobile Banking Terms and Conditions
- Governing Terms and Conditions
(a) By accessing the Services, you are deemed to have accepted these Terms.
- Security Obligations
- You must keep each Identifier secret at all times. You are advised NOT TO:
(i) Write down the Identifier;
(ii) Use simple passwords, Security Device PIN and 6-Digit PIN which may be easy to guess such as birthdays, telephone numbers, dates of birth;
(iv) Record or store your Identifiers on any software or applications which automatically retains it (for example, any computer screen prompts or ‘save password’ feature or the like on an internet browser);
(v) Use the same Password, Security Device PIN and 6-Digit PIN without regularly changing it;
(vi) Use the same Passwords, Security Device PIN and the 6-Digit PIN with other internet sites or other mobile applications.
(j) To enhance security, we would advise against transacting online over a local area network (LAN), virtual private network (VPN) or any public internet access which may not be secure.
(l) You should install personal firewall and anti-virus software onto your computer(s) and mobile device(s) and have them updated regularly.
- Your liability
- You will be fully responsible for losses and consequences arising from or in connection with use of the Services (including, without limitation, the use of the Security Device/ Mobile Secure Key) if any of the following occurs: –
(ii) You have failed to take or carry out the precautionary security measures as advised by us to you; (Note: it is assumed that ‘precautionary security measures’ are defined as in item 4: Security Obligations)”
So, there you have it. Precautionary security measures have become security obligations and enforced as TCs to disclaim any liability on the part of the Bank.
Honestly, how many of us are not “in breach” of the security obligations outlined above? These are normally termed as advisory rather than having legal effect unless it is done willfully.
Furthermore, how does one define ‘simple’ in terms of the identifiers, or the frequency of changing these identifiers?
With mobile devices and payments made at the site of the product or service provider, how could one be sure that internet access is secure if we had to use third-party access? Operating software is automatically set to access the best available internet access.
Most software or applications now prompt us to save our identifiers online. We are not even sure if they get automatically saved if we refuse such prompts. Firewall and anti-virus software are updated automatically, rather than us prompting it manually.
When it comes to a legal claim or dispute, it seems even with these ambiguous advisories turned into TCs, the banks have the final say on how these are determined.
Usually, when a scam is discovered a client would report to the bank and the police. But I am sure on the part of the bank, it would investigate all possible breaches, including of course, the security obligations, and pin the blame on the client, even if that was not the cause of the breach.
What is the point of having multilayer protection to deter scams, when ultimately banks can deny liability based on these spurious security obligations? Aren’t these identifiers, which the clients are responsible for, only the first line of defence?
In any case, our country seems to be a super-magnet for online scammers and data leaks. I wouldn’t be surprised if all our personal identifiers are available all over, even if we take the precautionary measures.
Mind you, the above excerpts are only part of a 6-page document for online and mobile banking, in addition to a 38-page General Terms and Conditions covering all accounts, products and services. Rest assured, in almost every clause the Bank takes pains to absolve itself of any liability on its part.
Risks and returns are basic features of business. Deposits and lending are the core business of banking, which is almost risk free, but guarantees returns from interest rate markups. Yet, banks want to eliminate any risk or liability, transferring it to its very clients who are sustaining its business.
I wonder whether such a practice is universal worldwide, which this multinational bank should know, or whether it is exploiting the weak oversight of our regulatory institutions.
Has Bank Negara been consulted on, or is it monitoring, such TCs? Is this the industry practice for all banks in Malaysia? I am surprised that consumer and industry watchdogs haven’t raised this matter yet.
Banks should know that if this practice is prevalent, clients would switch their banking assets to safer alternatives free of scams. Eventually this may cause a run on the very deposits that banks depend on for their business and profits.
Ultimately, such practice will only embolden scammers, if the clients are faulted first for any scam, the case is closed, and no further investigations are taken by the bank or the regulatory or enforcement authorities on the real culprits.
Warning! After reading this, please don’t rush to check or transact your accounts in one go.
The Bank says “they are not liable for any loss or damage which you may suffer from any interruption or other failure in providing the Services, or in transmitting instructions or information relating to the Services, communication or providing notice(s) to you or in connecting with the Online Banking and/or Mobile Banking App; which is caused by any circumstances beyond our control”.