Traditionally, getting defrauded online meant getting your credit card number stolen, which you noticed through unauthorized charges on your statement. More troubling frauds are those which involve unauthorized access to a user’s online banking accounts, which can be used to empty entire bank balances before the users realize what has happened.
In the wake of several large-scale frauds that exposed the potential severity of the problem, the payment card industry codified responsibility for fraudulent credit card charges through legislation and self-regulation, with consumers reassured that they faced "zero liability" for fraudulent transactions. However, there is no similar standard for online bank accounts, and when a fraud occurs, banks and consumers are often left to determine liability on a case-by-case basis.
From 2009 to 2019, Canadian banks invested over $100B in cybersecurity. This undeniably prudent step has made the Canadian banking system amongst the most secure anywhere.[1] However, it has had the paradoxical effect of ensuring that a bank often has far better security than its customers. With so many individual customers accessing centralized bank systems, the "attack surface" of banking customers is also vastly larger than that of the bank itself. Why would a criminal bother hacking the bank when they can reach the same assets through its customers, with far less hassle?
The scenario is easy to imagine: a hacker gains remote access to a user's device, steals the legitimate login credentials, and uses them to empty the user's bank account. The account itself is never hacked, and there is no breach of bank security. It is as if the criminals simply stole the key to your house before emptying your safe: things are missing, but there is no sign of forced entry. Since the criminals have access to your device, it is possible that when the bank reviews the transactions, the request appears to have come from your own Internet Protocol (IP) address. This leads the bank to suspect that you were in fact the one who requested the transaction, meaning that no fraud occurred at all. Should the bank be responsible for reimbursing these amounts if there is no fault on its part and nothing to prove that the request was fraudulent?
Does the bank have any liability when its customer willingly (or unwittingly) gave their password to a bad actor? A recent CBC article highlighted this problem, including some recent cases.[2] Case law continues to develop as courts attempt to balance the duty of banks to detect and prevent fraud against their duty to execute client instructions in a timely manner. We published an article on this topic earlier this year, which can be found here.
It is easy to assume that there must be insurance somewhere against this kind of risk, but there is no ready-made solution that would apply. Banks carry broad Financial Institution bonds; however, the bond programs for major banks have deductibles large enough that they may only be triggered by the very largest of systemic frauds, far larger than what the average person would have in their bank account. Because the user often cannot prove the transactions were fraudulent, neither can the bank, and the bank would need to provide a proof of loss in order to support a bond claim. Even most modern social engineering coverage requires that a verifiably fraudulent request be transmitted to the bank, and it is generally designed to protect the accounts of each individual bank client. Cyber insurance offered to financial institutions generally covers the theft of data from the bank, but typically not the theft of money or the theft of data from a customer. The Canada Deposit Insurance Corporation (CDIC) will reimburse a consumer if an institution fails, but there is no coverage under CDIC for fraud losses.[3] Overall, there are limited places one can seek coverage for these losses.
This is a developing area that is sure to get more attention as the problem evolves, as cases work their way through the legal system, and as we get a clearer picture of the legal liability. In the meantime, basic cybersecurity measures like multifactor authentication and good password hygiene will continue to be the best ways for consumers to protect themselves from becoming a victim in the first place.
[1] Canadian Bankers Association, https://cba.ca/fast-facts-the-canadian-banking-system
[2] CBC News, https://www.cbc.ca/news/canada/toronto/bmo-customers-thousands-etransfer-fraud-1.6423576
[3] CDIC, https://www.cdic.ca/your-coverage/faqs/#information-q5