Financial Regulation: a preliminary consideration of the Government's proposals - Treasury Contents

Written evidence submitted by Stephen Mason and Nicholas Bohm



  1.  The contemporary use of electronic machines by banks is so widespread that it is difficult to imagine the banking system continuing to work at all if such machines were withdrawn. But reliance on electronic machines carries with it hidden risks. There is an important but neglected distinction between purely mechanical machines, such as the first machines produced in the nineteenth century to dispense cigarettes, etc, and modern machines that rely on software, such as cash dispensers ("ATMs"). Software has approximately five defects per 1,000 lines of code. Given that most machines that rely on software have millions of lines of code, most commercially produced software products will have thousands of undetected defects. This is why software vendors have to issue updates to software (quite apart from making improvements). Such updates are correctly described as "security updates", because some defects can be manipulated by a thief, for instance, for fraudulent purposes. Errors in the construction of purely mechanical machines are apt to make them fail in obvious ways; but software introduces such an enormous increase in complexity as to result in errors whose consequences are very hard to detect.[32]

  2.  The following is offered by way of example. A person authorized to enter a building may be issued with a token (often a plastic card with a magnetic stripe or a chip). To gain entry to the building, the user must swipe the card in a reader, insert the chip part into a reader, or press the card against the surface of a reader located on a wall or door. They may also be required to enter a code. Given this technology, it is taken for granted that the communications between the various items of software prove that (i) the card is physically present, and (ii) the person to whom the card was issued is the person who enters the building. This assumption can be corroborated by evidence that they used various machines (mainly computers) in the building for a number of hours before leaving. Whilst the evidence that the authorized user used a computer is not conclusive proof that the person was either physically in the building or used the machine, nevertheless there would be strong circumstantial evidence to indicate they were present in the building from the moment the card was swiped in the reader.

  3.  However, machines run by software and controlled by a bigger machine that is linked to all the machines in the building (controlling computers, readers on different doors, CCTV, air conditioning systems, etc) are also often linked to the internet. If the machine and the networked machines are linked to the internet, it is possible that a third person from another country (for instance) might gain access to the system remotely by taking advantage of defects in the system's software, and might manipulate the system to make it appear that a person has entered (or left) when they have not.

  4.  The point is this: the fact that the software on a reader adjacent to a door is recorded as having communicated with the software in the central computer to send a message that a particular card has been pressed or inserted into the reader, does not prove that (i) the person whose card it was issued to was in physical possession of the card, nor (ii) that the card was physically present against the card reader to cause the software to send the message to begin with.

  5.  Contemporary banking systems operate on the basis of an association of links (some of which are very flimsy) that the banks themselves use to assume that either (i) their customer, or (ii) another person with the authorization of the customer, is at the ATM or a computer terminal when undertaking an on-line transaction. A bank can never know if their customer is the actual person at the ATM or computer terminal. The bank assumes that the customer is at the ATM if (i) the software in their system communicates with the software linked to an ATM, (ii) a card is apparently physically present in the ATM, (iii) the software on the card communicates with the software in the ATM in an attempt to verify that the card is a genuine card, and (iv) the personal identity number (PIN) (one form of electronic signature), if correct, is that of the customer. Banks use the evidence thus accrued to assess automatically whether to allow the transaction to take place. The problem is that banking systems are not perfect, and can be manipulated, but representatives from the banks and banking industry are on record as claiming over the previous 40 years that their systems are safe and cannot be broken into by malicious outsiders, only for each new item of technology that is introduced by the banking sector to be proven to be open to successful attack.


  6.  When a customer claims that money has been withdrawn from their bank account without their authorization, the legal issue is straightforward: whether the bank had the authority under its mandate from the customer to debit the account. Where a customer carries out a transaction at an ATM, for instance, the mandate will be fulfilled if the card issued to the customer and the correct PIN are entered in the machine by the customer. It is a primary issue whether the bank can prove that the customer or a person authorized by the customer authorized the withdrawal of the money, or that the carelessness or gross negligence of the customer enabled an unauthorized person to do so (where the mandate authorizes a debit on that basis).

The burden of proof

  7.  It is often suggested in the media that the burden of proof is on the customer to prove they did not withdraw the money. This is not correct. This has never been the legal position.

  8.  Prior to the Payment Services Directive and Payment Services Regulations 2009 (SI 2009/209) ("PSR"), it was for the bank, where it relied on the signature of the customer, to prove the signature was that of the customer if the customer did not accept the signature as their own. As a PIN is one form of electronic signature, the burden of proof has remained with the bank at all times. Under the new law, it is now for the bank to prove on the balance of probabilities that the card issued to the customer was inserted into the ATM by the customer or by a third party with their authority, and that the PIN was entered by the customer or by a third party with their authority. Article 59(1) of the Payment Services Directive (regulation 60 of the PSR) provides that where a user denies effecting or authorizing a transaction, it is for the bank to prove that the payment transaction was authenticated, accurately recorded, entered in the accounts, and not affected by a technical breakdown or some other deficiency.


  9.  In the case of Job v Halifax PLC (not reported) Case number 7BQ00307,[33] Mason argued on Mr Job's behalf that the bank had to produce evidence of the trail of communications between the various items of software associated with the transactions in dispute. The learned county court judge rejected this. However, the position has changed, and where the customer does not accept they authorized the transaction, article 59(2) of the Payment Services Directive (regulation 60 of the PSR) provides that the use of a payment instrument (that is, the card issued to the customer by the bank) is not in itself necessarily sufficient proof either that: (i) the transaction was authorized by the customer, or (ii) that the customer acted fraudulently, or (iii) the customer failed with intent or gross negligence to fulfill one or more of his obligations under Article 56.

  10.  Regulation 60 of the Payment Services Regulations now provides that it is for the bank to provide a complete chain of evidence to prove their case: beginning with the records of the ATM, any communications systems used between the ATM and the bank back-end systems, and the processing of the data in the bank's systems. So much the better; but the introduction of these more detailed requirements will still not be sufficient to protect the customers of the banks if the general rule continues to be applied that machines may be assumed to work correctly. Such a rule effectively negates the requirement for evidence that systems are in fact working correctly, thereby ignoring the vulnerability of commercial software.

The card

  11.  One problem relating to the nature of the evidence is the card issued to the customer by the bank. The customer is almost always told by an employee or agent of the bank to destroy the card when the customer has cause to make a complaint. The card includes an Application Transaction Counter ("ATC"). The ATC is increased by one each time a transaction takes place. A test of the card will help to determine whether the ATC has been increased, and the test can enable a comparison with the transactions recorded on the customer's statements to establish whether there are any discrepancies. This is important evidence, and can help demonstrate whether the customer is telling the truth when they assert that they were not responsible for the disputed transaction. By telling the customer to destroy their card, the bank deliberately requests the destruction of evidence, knowing that legal proceedings may be taken by the customer to recover the money. For this reason, a bank can be held in contempt of court where such advice is given and acted upon. That banks issue such instructions to the customer is of utmost concern, because many customers destroy their cards when given such instructions by their bank, only to learn much later that the information on the card could have demonstrated that they were telling the truth.
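The comparison described in paragraph 11, worked through as an added example (this code is not part of the submission and does not describe any bank's actual records): it reconciles the ATC read from a retained card against a constructed bank authorisation log, assuming, as the paragraph states, that the chip adds one to its counter per transaction and that the counter never repeats or decreases.

```python
from collections import Counter

# Constructed sample data, not taken from the submission. Assumption: the
# chip adds one to its ATC at each transaction and the counter never repeats
# or decreases, so the value read from the card is the ATC of its most recent
# transaction. Each bank record carries the ATC reported at authorisation.
CARD_ATC_ON_TEST = 49          # constructed: read from the customer's retained card

BANK_LOG = [                    # (ATC, date, amount in GBP, disputed by customer)
    (44, "2010-11-02", 20.00, False),
    (45, "2010-11-05", 50.00, False),
    (46, "2010-11-06", 200.00, True),
    (48, "2010-11-07", 300.00, True),
    (48, "2010-11-07", 300.00, True),
    (51, "2010-11-08", 250.00, True),
]

def reconcile_atc(card_atc, log):
    """Return a list of findings from comparing the card's ATC with the log."""
    findings = []
    atcs = [rec[0] for rec in log]
    # 1. A logged ATC above the card's counter cannot have come from this chip.
    for atc, date, amount, _ in log:
        if atc > card_atc:
            findings.append(("atc_exceeds_card", atc, date, amount))
    # 2. The same ATC twice: one counter value cannot serve two transactions.
    for atc, count in sorted(Counter(atcs).items()):
        if count > 1:
            findings.append(("duplicate_atc", atc, count))
    # 3. Counter values the chip must have used but the log does not show:
    #    transactions (possibly declined, possibly elsewhere) needing explanation.
    expected = set(range(min(atcs), card_atc + 1))
    for atc in sorted(expected - set(atcs)):
        findings.append(("unlogged_atc", atc))
    return findings

def disputed_consistent_with_card(card_atc, log):
    """Disputed transactions whose ATC is within the card's range and unique:
    the ATC alone neither confirms nor refutes these, so other evidence
    (witnesses, CCTV, the communications trail) is still required."""
    counts = Counter(rec[0] for rec in log)
    return [rec for rec in log
            if rec[3] and rec[0] <= card_atc and counts[rec[0]] == 1]

if __name__ == "__main__":
    for finding in reconcile_atc(CARD_ATC_ON_TEST, BANK_LOG):
        print(finding)
    print("disputed but ATC-consistent:",
          disputed_consistent_with_card(CARD_ATC_ON_TEST, BANK_LOG))
```

A finding of the first or second kind is evidence that the physical card was not the source of the logged transaction; a finding of the third kind shows that the log is incomplete and cannot on its own be the "complete chain of evidence" paragraph 10 calls for.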


  12.  Since April 2007 (Home Office Counting Rules For Recorded Crime, Fraud and Forgery) consumers have been compelled to report fraud to their bank, and not to the police. If the bank determines that the customer was responsible for the withdrawal (or somebody authorized by them, or they were negligent), then the bank will not reimburse the customer. The customer can then complain to the police, but all the police will invariably do is give the customer a crime report number, and refuse to take any further action.

  13.  The reasons why the police do not tend to take action seem to be: (i) the high number of cases reported, (ii) the time, expense and expertise necessary to follow up such a complaint, and (iii) the apparently low importance attached to such crimes.


  14.  When a customer complains to a bank about unauthorized withdrawals, some banks act with commendable speed and within the law. The legal position is set out by regulation 61 of the PSR, that is (subject to regulations 59 and 60) the bank must immediately refund the amount of the unauthorized payment transaction to the customer, and where applicable, restore the account to the state it would have been in had the unauthorized payment transaction not taken place. Unfortunately, there are a number of banks which do not comply with this requirement, and undertake what they call an "investigation", only to inform the customer that as far as the bank is concerned, the withdrawal was carried out by the customer. The customer then in practice has to gather evidence to prove they were not responsible for the transaction.


  15.  It appears from the evidence that we have seen of how complaints by people who have had money stolen from their accounts are adjudicated by the Financial Ombudsman Service, that employees working for this authority have no understanding of the technical issues relating to digital evidence, nor do they appear to understand that it is for the bank to prove it did not let a thief steal its customer's money. Even when evidence from witnesses is put forward by the customer to demonstrate that they were not in the vicinity of an ATM when money was withdrawn, adjudicators at the Financial Ombudsman Service continue to accept the evidence provided by the bank. Often the bank will merely assert that because they claim the chip was read, it therefore follows that the customer was responsible for taking the money. It seems that adjudicators at the Financial Ombudsman Service tend to agree with the banks. The Service does not obtain evidence from the bank about the transaction in question to enable the customer to submit it to an appropriate expert for evaluation. It provides inadequate protection for bank customers with disputed transactions.

  In our view, the following action should be considered if this issue is to be taken seriously:

  16.  The government must change the rules for reporting and dealing with theft from bank accounts (either via ATMs or on-line), and for providing accurate figures for theft and fraud. At present, the only figures given for losses are those provided by UK Payments Administration Limited. These figures are not very clear and lack transparency. For instance, where a bank declines to refund a customer, the money in dispute is not considered by the bank as a loss, which means the loss is not reported to UK Payments Administration Limited, and is not included in the overall figures produced by this agency. The amount of money that might be in dispute may be considerable, and the figures given by UK Payments Administration Limited are highly likely to be inaccurate for this reason.

  17.  Police forces must have more funding to train police officers in digital criminal activities. It is crucial for the authorities to acknowledge that education, training and the provision of appropriate information technology to the police in respect of these crimes is essential. The failure to understand this fundamental point in the 21st century means that criminals will continue to be successful in stealing money.

  18.  The banks must put more robust methods in place to provide for the security of customers' accounts. They will not do so without the necessary incentive; and while they can pass the loss to their customers, they lack that incentive. The authorities appear to regard banking security as a matter for the banks. This approach worked well enough when a bank robbery meant that the bank lost money: it is up to the bank to decide how much to spend to protect itself from loss.[34] But modern banking is different: now bank robberies are electronic, and banks can protect themselves from loss by allowing it to fall on their customers by relying on the willingness of the law to presume that their systems are working correctly. In these new circumstances, banks can no longer be the judges of how to prevent fraud, because it is not them but their customers who carry the risk. This places wholly new demands on the competence of bank regulators, and it is not clear either that they recognize this or that they possess the necessary skills.

  19.  Consideration must be given to the general rule that machines may be assumed to work correctly. This rule ignores the susceptibility of commercial software to being manipulated successfully to the detriment of the customer.[35]


  20.  Crime relating to bank accounts is complex. Unfortunately, the banking sector and police are, in general terms, treating this problem simplistically.

  21.  Some indication of the scale and importance of the issue can be derived from the case of R v Bunu. It was heard at Hull Crown Court in July 2008. Not guilty pleas were entered and a five to six day trial ensued. The accused was found guilty of conspiracy. Media reports indicate that when he was arrested, police officers recovered details of more than 1,900 accounts (some on a laptop), eight false cash point fronts, detailed lists of supermarkets around the country, card-cloning devices and between £3,000 and £4,000 in cash. The fingerprints of the accused were found on tape used to stick the false fronts on cash machines. It was estimated that about £43,000 was stolen, but it could have been around £1.1 million if they had used all of the 2,000 sets of details they had obtained. In four months, two thieves obtained details from more than 2,000 victims and cloned them on to loyalty cards, writing the PINs on the signature strips. They then travelled around the country to withdraw up to £500 a time with each card, using different cash points to avoid detection.

  22.  Apart from the importance of this case as a demonstration of how easy it is for criminals to steal from banks using ATMs, there is a more telling point. In discussing the case after the conviction and sentence with one of the lawyers, it became clear that there was no indication by the banks or the prosecution as to whether each of the customers whose account details had been obtained by the thieves had been informed that their accounts had been compromised. Conceivably, customers might have had money stolen from their account by way of ATMs, but the banks might have asserted that it must have been the customer who made the withdrawals, even though it might have been because of the actions of Bunu and his accomplices. In this respect, it ought to be a requirement for the crown or the police or the banks, or all of these agencies, to inform the customers that their accounts have been compromised (unless this occurs in any event).

  23.  The members of the Committee are welcome to get in touch for further information, should they consider it necessary.

17 January 2011

Stephen Mason is a barrister and a member of the IT Panel of the Bar of England & Wales. He is also the general editor of International Electronic Evidence (British Institute of International and Comparative Law, 2008).

Nicholas Bohm is a retired solicitor, formerly a partner in a major City of London law firm, and currently a member of the Law Society's Technology and Law Reference Group and a Trustee of the Foundation for Information Policy Research.

32   For references for the points made here, and for a more detailed treatment of this topic, see Stephen Mason, Electronic Evidence (LexisNexis Butterworths, Second edition, 2010), Chapter 5 and the references contained therein.

33   The judgment is reproduced in full in the Digital Evidence and Electronic Signature Law Review 6 (2009) 235-245.

34   Banks and their customers are debtors and creditors. Although it is commonplace to speak of "my money in the bank", and indeed hallowed by the Companies Acts to include an entry in a company's accounts for "cash at bank", the cash actually held by a bank belongs to the bank, not its customers. The customers' only assets are their debt claims against the bank (if their accounts are in fact in credit). So when cash is stolen from a bank, it is the bank's cash, and the bank suffers the loss; the customers are not affected (unless the loss brings down the bank, of course).

35   See Stephen Mason, Electronic Evidence (LexisNexis Butterworths, Second edition, 2010), Chapter 5 for a detailed consideration of this presumption.


© Parliamentary copyright 2011
Prepared 3 February 2011