It’s fair to say that last week’s Bloomberg article, claiming that banks in the US are charging their clients for up to $1 billion of losses incurred through online banking fraud, has provoked a frenzied reaction from those in our field.
While much of what the article covered was well known to us already, with many of the cases referred to having already cropped up in previous posts both on our own blog and elsewhere, there are many of us in the industry who are pleased to see that these issues are now beginning to be covered more widely. Also, the sheer scale of the figures involved came as a surprise even to me.
But simply highlighting the problem is not enough. If $1 billion has been lost to online fraudsters over the past year, then waiting around to rectify the situation may mean the loss of a further billion, so action must be taken to curtail this activity immediately. For me, there is one crucial step which must be taken to ensure this.
Public policy must be changed to ensure that banks are made wholly responsible for any losses incurred through cybercrime. At present, individuals are protected but small businesses and even charities are not. This was one area which the new FFIEC guidelines, published earlier this year, did not fully address, and until they do, this situation will not be brought under control.
Making banks liable for their cybercrime losses will force them to invest in effective and up-to-date security. The situation we have at present is that only large banks are investing the necessary time, effort and resources into protecting their customers, whereas smaller, provincial banks are not. Advice on how to increase security exists, but not all banks are sitting up and taking notice. It is these smaller banks which usually service small businesses or local charities, meaning these organizations are protected neither by law nor by their bank. If this continues to be the case, then small enterprises will start to move their accounts to larger, multinational banks which offer better protection, and this may end up hurting these small banks more in the long term than taking responsibility for their own security would.