Many things have changed. Not the banks
Bank fraud has increasingly climbed up in detriment of bank clients and customers. Customers’ complaints evolve as fraudsters develop new and innovative scams. Scams are often based in manipulative techniques known as “social engineering” designed to cheat on people, leading them into parting with their cash or sharing confidential information. Clients often tell us that their credit or identity cards details were disclosed and used in a fraudulent way. In general, customers have no idea how scammers obtained so much of their personal data. In this aspect, banks’ monitoring duty is essential to prevent fraud. Banks put up a defensive barrier upon answering information requests from their victims-customers: if any customer disclosed sensitive information to scammers or authorized a transaction that turned out to be fraudulent, banks are released from liability. Scarce IT skills are not financial assets worthy of protection – by banks, at least.
I take care of you
Situation is about to change. There exists a bank liability towards its clients. Since they are institutions authorized to receive the savings of the public, banks are regulated and monitored by the State through a strict regulation regarding their IT security standards.
This liability is objective, even though when the provisions of the ordinary regime of the Civil Code are applied instead of the provisions of law 24.240. Within this framework, consumers can assert this liability as well as SMEs and companies.
Banks operate risky systems and must protect their users-customers, who delegate the treatment of sensitive personal data on them. In turn, banks are responsible for their security systems and the required duty of care.
I must know you
Besides the general duty of care, there is a special duty connected with the control of clients’ transactions in order to avoid incidents within a digital environment required to be monitored by each institution. Let’s see some situations incurred by banks:
– When the bank did not guarantee a complete record and traceability of the transactions performed through Electronic Channels within a safe environment for their generation, storage, transportation, custody and recovery.
– When the bank did not comply with the “know your customer” policy implemented by the Central Bank of the Argentine Republic (“BCRA”) that requires banks to take special steps aiming to “minimize risks” in case of suspicious situations for the entity. This must be proved but, in case of misfortune, the presumption is against them.
– When the bank did not follow the guidelines established by Communication “A” Nº 6878 of the BCRA governing entities’ responsibilities, whereby banks “shall adopt rules and procedures with the purpose to check if the movements of the customers’ accounts are in accordance with the activities declared by them”, evaluating many aspects of the transaction before making payment.
If I monitor, I can prevent
Many fraudulent schemes involve the use of banking services because, besides the disruption brought by cryptocurrencies, blockchain ad virtual wallets (such as Mercado Pago), most money transfers and trade must be made through banks’ IT platforms. Thus, banks and their employees are in a position to detect, block or report suspected fraud. If they fail to do so, they should be liable for lack of compliance.
It is implicit in the contract
We assume there is an implicit term in the agreement between banks and their clients and customers: the duty of care. For instance, if the bank has reasonable grounds to believe that a customer is being defrauded, it should refrain from executing an instruction given by the customer. In this line, if the bank suspects of a suspicious transaction, further investigation should be conducted. If banks fail to do so, we understand they incur liability in case of fraud. And customers shouldn’t be blamed for negligence or lack of experience upon providing personal data. Responsibility lies on banks regarding IT security systems, monitoring and control. To monitor and control an unusual customer’s activity is one of the several tools to prevent scams and fraud. “Focus should be on crime prevention, not only on the right to compensation”.
Conclusion
If the bank authorized an unusual transaction or through an unusual channel, then it failed to comply with the basis of the customer-bank relationship and is considered to have breached the duty of care. “Clients and customers should never be considered to be acquainted with IT skills and to be aware of the risks they have to face daily”.
Author: Martín Elizalde
Senior Consultant at Foresenics
