Examination of Witnesses (Questions 120
WEDNESDAY 13 DECEMBER 2006
Q120 Lord O'Neill of Clackmannan:
If you make the information available as a percentage of turnover,
that stands for itself. It is not a question of you making a judgment.
It is a question of you just having the guts to publish it.
Mr Whittaker: In the end, dare I say, with respect,
it is not so much that the banks themselves or the banks' systems
are insecure because those banks are not being attacked; it is
their customers that are being attacked unfortunately, and the
levels of controls that they are all deploying at the moment are
broadly equal in the style of techniques they are using, and therefore
trying to draw some sort of judgment or saying this bank is any
stronger or any weaker or is suffering more losses or less losses
than another bank does not help us describe why that bank is being
attacked in the first place.
Lord O'Neill of Clackmannan: I am sorry,
it is not up to you to make the judgment; it is up to the customer,
and if the customer is denied the information then they are in
no position at all to make a judgment.
Q121 Earl of Erroll:
Can I ask a question which might clarify this which is: am I right
in thinking that APACS is actually a banking trade body which
has no responsibility whatsoever to the public and does not actually
have any interface with the government or the general public?
It is actually an internal banking body.
Ms Quinn: Can I say two things in response to
that. You are exactly right, APACS is a trade association and
we have 31 bank members and we work with them to co-ordinate the
fight against fraud. What we are developing next year is a new
government arrangement which is a new board which will replace
what was formerly known as the OFT Payment Systems Taskforce and
that is looking at exactly some of the issues that you are raising
about increased transparency and increased awareness. I am sure
they will be picking up those types of issues.
Q122 Lord Young of Graffham:
I suspect my question is for Mr Whittaker, and thank you very
much, it is a very interesting paper.
Mr Whittaker: Thank you.
Q123 Lord Young of Graffham:
Let us assume for the moment that I have lost money from my account
in some way or another. At the moment all banks will refund that
amount of money. You say on page four of your submission that
banks currently choose to refund money. Is there a legal obligation
to refund or is it a matter of goodwill?
Ms Quinn: There is no legal obligation. The
key is that all banks publish very clear guarantees on their websites
to customers that if customers operate within their terms and
conditions then they will refund any losses they have. It is one
of the things we are looking at through the Banking Code. The
Banking Code sets out standards of good practice against the industry
and that is currently going through a review process. It gets
reviewed every three years. We have just started the review process
for the edition that will be current in 2008. I think it is fair
to say that one of the aspects I expect we will get comments from
stakeholders on is to tighten up some of the fraud guarantees
provided within the Code. I think it is the level of awareness
that we need to look at.
Q124 Lord Young of Graffham:
Can I just take that a bit further. If I lose my cheque book or
somebody steals my cheque book and forges my signature, I get
my money back from the bank?
Mr Whittaker: You do.
Q125 Lord Young of Graffham:
If somebody takes my credit card and forges my signature the credit
card company gives the money back. Are you saying that only in
the case of on-line transactions the bank is not obligated to
give me my money back?
Ms Quinn: There is not an obligation in the
Code. In both the other instances you suggest there is an obligation
in the Code.
Q126 Lord Young of Graffham:
Do you think that is appropriate?
Ms Quinn: I think it will be something looked
at in the review process next year and it will be very interesting
to see what the outcome of that is.
Q127 Earl of Erroll:
Do you think we should replicate something similar to the Bills
of Exchange Act 1888?
Ms Quinn: 1882.
Earl of Erroll: It is my memory!
Q128 Lord Mitchell:
He was there for the third reading!
Ms Quinn: I think one of the things that is
changing is the rules about cheques. At the moment we have in
the UK nothing about certainty of cheques, so if I give you a
cheque and that turns out to be fraudulent, but in good faith
you have banked it and you have withdrawn the funds, if it subsequently
turned out to be fraudulent even two or three weeks later, your
bank could take that money back off you even if you have spent
it. What we have just published is a guarantee that as long as
you have not been complicit in the fraud that is committed, six
days after you have deposited that money that money will definitely
be yours. That will be a change in the cheque arena. One of the
things I would mention about the Banking Code is the key responsibility
it places on the banking industry. The burden of proof lies with
the industry to prove that a customer has been negligent and,
as you can imagine, in terms of customer service you want always
to be relating well to your customer and believing what they tell
Q129 Earl of Erroll:
And that is a change from the early days when banks refused to
refund people who had had money withdrawn from ATMs, and that
is going to stay that way?
Ms Quinn: There is no doubt that that is not
going to change.
Q130 Lord Harris of Haringey:
Could I address a question to Mr Littas. A week or two ago Visa
contacted meI am sure it happens to everybodywith
a suspected fraud on my credit card and we sorted it out, and
then they started selling me identity fraud protection insurance,
which initially sounded quite a good idea, but I thought about
it afterwards and I thought, "No, this is all wrong."
It is the same issue that is coming up. There is a problem and
they are trying to sell you insurance at the same time. Is this
going on? Is this a general situation or just a Visa situation?
Mr Littas: To start with, the company that contacted
you was not Visa. We do not contact individual card holders so
it must have been the bank that issued your particular credit
card who did that.
Q131 Lord Mitchell:
Mr Littas: They may have acted upon information
that we provided of a suspect transaction, but that relationship
of how a bank deals with its card holders is entirely the bank's
responsibility. We do not deal with merchants or with card holders.
Q132 Lord Mitchell:
Alright, somebody contacted me.
Mr Littas: And no doubt it was the bank that
issued your credit card.
Chairman: I think we must move on. Lord
Q133 Lord O'Neill of Clackmannan:
When on-line banking started and when IT was applied in the last
five years, we were sold the idea in terms of increased efficiencies
and things like that but also it was going to be cheaper, and
to an extent that is reflected in the fact that if you have deposit
accounts on-line they tend to afford a higher degree of interest.
Do you think that there is a danger now that the public see on-line
banking as something that affords a higher rate of interest and
the banks themselves see it as a kind of cheap option? You do
not have the branch infrastructure to worry about. You barely
have, in most instances, even the call centresGod forbidto
worry about. Do you think that there ought to be an added dimension
of the local branch so that you can go in there on occasion or
would that destroy the economics? It has been suggested that if
there was a branch dimension you could end phishing at a stroke.
Ms Quinn: Not being a bank ourselves that is
really a question for a specific bank to answer. One of the parallels
I would draw is there has been a lot of discussion over the last
two or three years about the diminution of free-to-use cash machines
in areas of deprivation. There has been an announcement today
where a number of banks have clubbed together and agreed to provide
600 more free-to-use cash machines, and that is an area that banks
continually look at. The key drivers here are things like financial
inclusion, making sure those people who need access to a bank
branch have access to a bank branch, and that is a different issue
I think to the Internet per se.
Q134 Lord O'Neill of Clackmannan:
I take the point about the social banking dimension and there
are other pressures on the banking system to address that. It
is really just this question that it would appear that a lot of
the financial planning of banks in terms of service to customers
has been based on the assumption that Internet banking could afford
great savings but some of these savings have a security downside.
Do you think that, for example, if the branch had a bigger role,
phishing could be eliminated or, alternatively, maybe if branch
marketing departments stopped sending emails then they would not
be quite as vulnerable to phishing expeditions as they are at
Ms Quinn: I think that last point is particularly
valid in that there is a balance, is there not, between the marketing
a bank wants to make of its services, and it wants to deliver
those marketing messages through email or ways that it knows its
customers reads its material, and the kind of information we receive
through phishing emails. That is one of the reasons at industry
level we have made some very clear messages such as your bank
will never ask you to access your website through a link in an
email. That is a very clear message we promote for exactly that
reason. Unfortunately, there is a balance between marketing and
Q135 Lord O'Neill of Clackmannan:
One last point, you mentioned the Banking Code and you say it
is a triennial review. Given the dynamic of your industry at the
moment and the rate of change, do you think that three years is
maybe too long a period to carry out this review and that it should
be every 18 months or something like that because there seem to
be changes happening so dramatically?
Ms Quinn: I think that is a really fair point.
What we have done is we have changed the Banking Code review period
from two years to three years, but what we have is an interim
review process so if there is something where customers are at
a disadvantage there is a process in place where we can have an
interim review specifically about one topic and then the change
will become effective immediately.
Q136 Lord Mitchell:
We just wanted to know the level of international co-operation
between financial institutions who are looking at eCrime.
Mr Whittaker: It is quite profound. We are very
fortunate to have established an excellent relationship with the
Australian banks. They were the first banks who were attacked
in a significant way. They developed a co-operative relationship
dealing with these issues and we learnt a lot from them to start
off and we formed a united front in discussion with international
law enforcement as well. We have broadened that out recently to
encompass some American banks, German banks, Dutch banks, Danish
banks around the world who are suffering these sorts of attacks.
Everyone is learning from the lessons of people who suffered the
hardest knocks first, which unfortunately was Australia and the
Mr Littas: Of course Visa is all about international
co-operation and part of that co-operation is to fight fraud.
I think we have come a long way from a few years ago. Based on
the fraud numbers which have been constantly on the decrease for
the last 10 years, we have now record low fraud levels in Visa
of five basis points, which is five pence on every £100 turnover,
and that is thanks to that co-operation you asked about. We do
co-operate better, we do things better, and we try to introduce
standards and systems with global application.
Have there been any successful attempts to approach agreement
with Eastern European countries or with Nigeria for example?
Mr Pemble: There are a number of international
co-operation agreements. Obviously it is relatively difficult
for financial organisationsand it should beto undertake
law enforcement action themselves. Therefore it is dependent upon
the financial organisations working with their local law enforcement
who can then go through co-operation agreements with the international
law enforcement authorities. Certainly the National High Tech
Crime Unit, as was, had a number of successes in the former Soviet
Union and the Met Police Operation Sterling team have done a considerable
amount of work with the Nigerian authorities. There is considerable
co-operation through organisations such as FIRST and the G8 Line
Group and obviously Interpol and Europol, between the law enforcement
bodies, bringing them together to establish relatively simple
pathways for financial organisations and their customers to report
fraud. Clearly, international legal co-operation can be slow.
Mutual legal assistance treaties move at the speed of diplomacy
not necessarily at Internet speed. I think it is an important
question to be asked as to how from a legislative/international
law point of view this can be improved. More research is needed
and possibly along similar lines to the CTOSE
programme that was run by the European Union a couple of years
ago, which as well as including European Union nations did include
the United States National Institute of Standards and Technology
as well as law enforcement organisations from around the world.
There needs to be greater involvement from the commercial sector.
ENISA, the European Network and Information Security Agency, might
be an appropriate body to lead that or there maybe other organisations
which can pick that cudgel up.
Mr Littas: On international co-operation we
were successfuland I mean by "we" the payment
card industryin working with Interpol on the problem of
counterfeiting which has now very much reduced as a problem. I
met Interpol only last week to try to get them involved on other
types of fraud, in particular "card not present" fraud
which is a growing type of fraud worldwide. We have certainly
provided funding and training and support to Interpol on counterfeiting
but our offer last week was we wanted to do the same thing with
regard to card not present fraud because that is clearly something
we want to tackle head on.
Q138 Lord Harris of Haringey:
In some US states there is a legal obligation on businesses to
notify customers and others of security breaches. Should we have
that sort of legislation here?
Mr Pemble: It is an important question to consider
but it is also important to note that there are considerable differences
between the US state bills. The results have been far from uniformly
positive. There are a relatively large number of potential breaches
reported under the US rules primarily of things like laptop thefts,
where there is a very, very low risk of subsequent identity compromise.
Also there are a significant number of actual compromises that
occur that are only noticed once the fraud starts taking place.
There is also the point that the obvious reputational impact on
an organisation that makes a report is likely to lead organisations
to concentrate to a very great degree on the PR and media management
of the incident which will detract resources from managing the
problem. There is also a particular problem in the payment cards
area, as was mentioned. It is difficult for the organisation that
actually suffers the breach to have that direct relationship with
Q139 Lord Harris of Haringey:
Sorry, they are my details that are potentially being breached;
should not the organisation holding them have an obligation to
inform me of that possible breach?
Mr Whittaker: There are implied obligations
under the Data Protection Act 1998 which does call for data processors
and data controllers to make that judgment call. However under
UK law and under the Data Protection Act, it stresses throughout,
when it comes to the control measures, the importance of making
security and risk management decisions based on your understanding
of the level of harm that could give to the data subject. That
is the right and responsible way to go about the issue. Certainly
when you talk to US commercial enterprises and institutions who
are suffering these independent state legislations out there,
there is some concern that as well-intentioned as the legislation
is (which it is and everyone would applaud it) it does cause its
own level of unintended consequences. One of those is to increase
anxiety. Because the enterprises have got no ability to form a
discretionary view on the level of harm that compromise might
cause, and as you heard some compromises are trivial but you still
have to let the consumer know, so consumers are being bombarded
and in some cases are being warned up to five or six times when
there has been a data compromise, and they cannot easily sort
out themselves the impact that any one of those sorts of cases
is going to cause them. Therefore there is a good argument for
saying if you are going to do this thing, do it in a much more
appropriate and responsible way, making informed decisions about
the level of harm that could be incurred.
5 http://cordis.europa.eu/fetch?CALLER=PROJ_IST&ACTION=D&RCN=60288 Back