The bank was taken aback by the order of the IT secretary of Tamilnadu as the adjudicator under the Information Technology Act, when he directed the bank to pay Rs 12.85 lacs as the compensation to an Abu Dhabi based NRI for the loss suffered by him in a “Phishing Fraud” . (1)
“Phishing” is a security risk that many computer users are getting to be familiar. In this case the account holder received an email that appeared genuine, which asked him to provide the use rid and password for his internet banking account to avoid his account getting closed. He parted with these details and he lost about Rs 7,00,000 from his account.
The bank took a view that the loss is on account of the carelessness of the account holder and refused any compensation as they had advised all account holders not to part with their userid and password to anybody. How could he be so irresponsible and give away his password and then claim that the bank should compensate him? But the adjudicator did not agree to this point of view.
This is an interesting dilemma for all entities like banks and depositories that provide online service to their clients. Where does their liability end for the loss suffered by their clients? Under what circumstances will they continue to be liable even if the loss was the outcome of a failure by the account holder?
Similar issues have been there with respect to offline transactions too. For example the loss suffered by credit card holders on account of misuse of their card details or loss of money from the bank account by fraudulent instructions.
One of the accepted doctrines in legal theory is that the entity that is best equipped to manage the risk should be liable to the loss arising out of such risk. This doctrine has been followed not just in online transaction. It has been used in fixing liability in terms of workplace accidents, accidents in amusement park and and so on.
For many this may look very unfair. Shouldn’t the responsibility of the service provider end when it has put in place risk containment measures and warned the users about the potential risks? Why should it bear the brunt of a fraud when ingenious souls manage to find a way around the protective walls?
There are studies comparing the incidents of banking frauds between the countries that placed the primary responsibility on the service provider and on the customer. These studies showed that when the legal structure supported the above doctrine the extent of fraud was much less. The service providers continuously upgraded their risk containment systems as they could not hide behind “fine prints” in the forms that they make their clients sign and the disclaimers that they publish. They cannot limit their risk with firewalls and dematerialized zones in their data centers. They have no option but innovative in saving their clients from their own foolishness. They are forced to look for patterns, trends, exceptions, track locations from where the transaction originate, raise alert when exceptions occur and so on. But if still a client is faced with a loss, he is compensated unless they can prove the customer connivance or involvement. We can’t just declare “Caveat Emptor”.
Risk mangment therefore becomes a managerial decision, may be more than technical solutions. (Read on Digital Security – Business, People and Economics for some more thoughts on this)
Ref: (1) https://indialawnews.org/tag/human-rights/
"Customers don't expect you to be perfect. They do expect you to fix things when they go wrong." Donald Porter, British Airways
If you like this post, share it with your friends
“Phishing” is a security risk that many computer users are getting to be familiar. In this case the account holder received an email that appeared genuine, which asked him to provide the use rid and password for his internet banking account to avoid his account getting closed. He parted with these details and he lost about Rs 7,00,000 from his account.
The bank took a view that the loss is on account of the carelessness of the account holder and refused any compensation as they had advised all account holders not to part with their userid and password to anybody. How could he be so irresponsible and give away his password and then claim that the bank should compensate him? But the adjudicator did not agree to this point of view.
This is an interesting dilemma for all entities like banks and depositories that provide online service to their clients. Where does their liability end for the loss suffered by their clients? Under what circumstances will they continue to be liable even if the loss was the outcome of a failure by the account holder?
Similar issues have been there with respect to offline transactions too. For example the loss suffered by credit card holders on account of misuse of their card details or loss of money from the bank account by fraudulent instructions.
One of the accepted doctrines in legal theory is that the entity that is best equipped to manage the risk should be liable to the loss arising out of such risk. This doctrine has been followed not just in online transaction. It has been used in fixing liability in terms of workplace accidents, accidents in amusement park and and so on.
For many this may look very unfair. Shouldn’t the responsibility of the service provider end when it has put in place risk containment measures and warned the users about the potential risks? Why should it bear the brunt of a fraud when ingenious souls manage to find a way around the protective walls?
There are studies comparing the incidents of banking frauds between the countries that placed the primary responsibility on the service provider and on the customer. These studies showed that when the legal structure supported the above doctrine the extent of fraud was much less. The service providers continuously upgraded their risk containment systems as they could not hide behind “fine prints” in the forms that they make their clients sign and the disclaimers that they publish. They cannot limit their risk with firewalls and dematerialized zones in their data centers. They have no option but innovative in saving their clients from their own foolishness. They are forced to look for patterns, trends, exceptions, track locations from where the transaction originate, raise alert when exceptions occur and so on. But if still a client is faced with a loss, he is compensated unless they can prove the customer connivance or involvement. We can’t just declare “Caveat Emptor”.
Risk mangment therefore becomes a managerial decision, may be more than technical solutions. (Read on Digital Security – Business, People and Economics for some more thoughts on this)
Ref: (1) https://indialawnews.org/tag/human-rights/
"Customers don't expect you to be perfect. They do expect you to fix things when they go wrong." Donald Porter, British Airways
If you like this post, share it with your friends
