Sunday Star-Times

Scammers, banks and your rights

If you’ve been scammed, you might be surprised at the lack of sympathy from your bank. But that doesn’t have to be the end of it, writes Rob Stock.

The message from the Banking Ombudsman is clear: If you are a victim of credit card, or online banking fraud, and your bank won’t compensate you, then complain.

Banking Ombudsman Nicola Sladden warned in her annual report that banks were not always taking a consistent approach to deciding whether to compensate fraud victims, despite all the banks being covered by the Code of Banking Practice fraud guarantee.

The code says: ‘‘We’ll reimburse any of those fraud losses if you: weren’t dishonest or negligent, complied with our terms and conditions for electronic banking or card use, and, took reasonable steps to protect your banking.’’

But banks interpret words such as ‘‘reasonable’’ in different ways, and they do not have the automatic right to refuse compensation to customers who failed to comply with the letter of the terms and conditions.

Sladden asked one bank to change its terms and conditions as they were inconsistent with the code’s fraud pledge, though she did not name the bank.

ANZ even sets a subjective, not objective, standard of proof in its credit card terms and conditions, saying it is not liable to pay compensation when ‘‘we believe’’ the customer has been negligent, or dishonest, or failed to take reasonable steps to protect their banking. These cases provide occasional glimpses of banks’ unfair and inconsistent treatment of requests for compensation.

One case illustrated how a bank set an extremely high bar on ‘‘reasonable’’. It refused to compensate a woman for thefts made by her grandson, who watched as she entered her Pin in a shop.

The Banking Ombudsman found the unnamed bank was wrong to claim the woman had not taken reasonable steps to protect her Pin, saying: ‘‘the standard of care required in such circumstances is reasonable care, not extreme care or the use of every possible precaution’’.

Other complaints indicate banks were sometimes unwilling to accept liability when their failures had contributed to fraud losses.

One centred on a woman whose friend found out her phone banking password, called the bank and managed to get past security questions, using vague answers, and then changed the woman’s internet banking password to steal $5000.

The bank told her she had caused the loss by failing to keep her phone banking password safe.

The ombudsman told the bank it should compensate her.

It’s not publicly known how often banks reject appeals for compensation, and why, because no data is collected. Netsafe chief executive Martin Cocker says the rules should be applied consistently.

He says that if banks can pick and choose how they follow the rules, then there is a case for legislation. He is calling for a government agency which could gather data, and could inquire into issues such as fairness and consistency in banks’ fraud compensation decisions.

Every year, $20 million to $30m of scam losses are reported to Netsafe, Cocker says, but nobody really knows how much is lost.

Fraud expert Bronwyn Groot says there are some issues that do need investigation. One is the effectiveness of credit card ‘‘chargeback’’ systems. The Banking Ombudsman found in one case that the chargeback system had not even been tried to get one man his money back when he was charged by a streaming service but was unable to access any content.

The bank said he had authorised the transactions by entering his card details on the website, though as a goodwill gesture, it refunded the amount charged to his card.

The ombudsman found the bank failed to properly advise the man about the chargeback process, and that it could have required the merchant to provide evidence the man had authorised the transaction.

The bank agreed its service had been poor and offered $500 as compensation.

Banks monitor online banking and card activity looking for unusual activity, and tools like Kiwibank’s KeepSafe system go beyond relying solely on access number and password security.

But Groot believes there is a case for inquiring into how well banks and credit card providers are sharing information about scams, and blocking payments to suspected scammers’ bank accounts.

Changes are under way at the Banking Ombudsman scheme, which is independently reviewed every five years. The 2019 review recommended the ombudsman be given explicit powers to inquire into systemic issues within the banking system.

The Banking Ombudsman was also working to update its memorandum of understanding with the Financial Markets Authority (FMA), and set one up with the Reserve Bank, to work more closely with the two bank regulators.

Now Labour has secured a second term, the banking sector expects the Government to push ahead with its plans for fair conduct laws for banks and insurers, to be policed by the FMA and the Reserve Bank.

Westpac, Kiwibank and ANZ have all argued in court that the code is not part of their contracts with customers, though they have all set out information on fraud compensation in their terms and conditions, bringing that portion of it into their contractual arrangements with customers.

While banks have obligations to customers to help keep them safe, the onus is also on customers to take reasonable steps to protect their banking security.

Banks set out their expectations for customer security in their terms and conditions, and also through online guides to safe online shopping and cyber security.

These set out expectations around choosing safe Pin numbers and passwords and never writing them down. They also caution against the common responses by customers dealing with the multiple passwords and Pins required in the modern world.

In agreeing to have a credit card, or to use online banking, bank customers agree to these terms and conditions, though fraud victims who do not follow them to the letter may still get compensation, if they fight for it.

Sladden says each claim for fraud compensation turns on the facts of the case, ‘‘not simply what is the bank’s legal obligation’’.

The woman who fell victim to her own grandson would appear to have breached some banks’ terms and conditions.

BNZ’s credit card contract, for example, tells cardholders they must ‘‘not allow another person to see your Pin or passcode when you enter it into an ATM, eftpos terminal, computer, mobile phone or any other device’’.

But Sladden says the most common reasons banks will decline compensation are breaches of the terms and conditions, or negligence.

‘‘In order to conclude a customer has acted negligently, the bank must demonstrate that a reasonable person in that situation would have acted differently to how the customer acted,’’ says Sladden.

Simply falling for a romance scam, or being conned by a cold-caller does not automatically mean you have been negligent.

‘‘In a society as diverse as New Zealand, it is sometimes difficult to determine what is ‘reasonable’,’’ Sladden says.

‘‘We’ve been working with the industry to promote a consistent approach. We encourage banks to fully understand what the customer did, why they did it, and whether a reasonable person in that situation would have acted the same.’’

Research shows that with people facing a plethora of Pins and passwords many end up writing them down, or recording them in electronic notes on their laptops or mobile phones.

In one case the ombudsman dealt with, a man stored his banking password on his phone, but didn’t have a Pin lock on the device. The ombudsman found he had not taken reasonable care to safeguard his banking, and had to bear his own loss when a thief got hold of his phone and stole money from his accounts.

When it comes to compensation, victims of ‘‘push payments’’ have the hardest task.

‘‘These scams are where the customer makes the payment, having been deceived about the true recipient or purpose of the transfer as in romance, investment, and invoice scams,’’ Sladden says.

‘‘The fraud guarantee doesn’t apply to ‘push payment’ scams because the customer has authorised the payment,’’ she says.

But banks have a duty of care to customers, particularly the vulnerable.

One example was of a woman who was suckered into a ‘‘push payment’’ romance scam.

She instructed the bank to send a payment overseas, but then changed her mind and cancelled it, leading the bank to make a note about the possibility that the woman was the target of a fraudster.

The fake romancer was able to talk the woman round, and later she made four international transactions totalling $50,000.

When the bank refused to make any compensation, the woman complained to the Banking Ombudsman.

‘‘We found no evidence that the bank asked [the woman] about the nature and purpose of the transactions, thereby losing the opportunity to identify potential ‘red flags’, that is, indications of a possible scam,’’ Sladden says.

‘‘We recommended she and the bank share equally the losses from three of the four transactions,’’ she says.

The bank paid the woman $25,000.

Banking Ombudsman Nicola Sladden

We live in a world of myriad passwords but if you write them down, you’re at risk of fraud and a refusal of compensation from your bank.

Bronwyn Groot of the Commission for Financial Capability
