By Mr Andrew Charlesworth, Reader in IT Law, and Prof Keith Stanton, Professor of Law (University of Bristol Law School).
The day has arrived on which a cyber attack has succeeded in breaching a bank’s security with the result that customers’ money has been taken from their accounts. According to press reports the accounts of around 40,000 customers of Tesco Bank have been accessed and the bank has refunded £2.5 million to 9,000 who have had money removed.
Banks’ IT systems are an obvious target for cybercriminals. The fact that such systems contain both money and data on customers makes them extremely tempting. As banks have developed new channels for delivery of services, such as websites, mobile applications and social media, these have often been added, or linked, to existing outdated systems. This increased complexity may mean that new avenues of attack are inadvertently created, and may make it difficult for a bank to rapidly pinpoint the source of system risks and breaches. The increased use of distributed computing, with multiple systems running across multiple servers, can also create new system risks and simultaneously increase the number of staff requiring access. While external threats are increasing, it appears that industry insiders remain responsible for a significant share of bank fraud. How the Tesco cyber attack was carried out remains unclear, but the scale and speed of the transfer of funds suggests a degree of sophistication.
Banks have long recognised that they need to devote resources to protecting themselves against evolving risks designed to defeat their defences, and new security methods and financial industry standards are constantly under development. However, banks face a dilemma: the more security features they design into their systems, the less user-friendly those systems tend to become, and bank customers are often unimpressed by even small delays in payment. The risk of security breaches thus has to be balanced against the cost of customer dissatisfaction with services. Consumer tolerance may vary depending on the system used; for example, anecdotal evidence suggests that consumers may be less willing to accept delays on debit card transactions than they are on credit cards. A dissatisfied customer may very quickly become an ex-customer.
The law on unauthorised payments from bank accounts provides clear protection for the customers. Regulation 61 of the Payment Services Regulations 2009 requires a bank to refund the amount of an unauthorised payment transaction to the payer and to restore the debited payment account to the state it would have been in had the unauthorised payment transaction not taken place. The affected Tesco customers are thus entitled to and appear to have received a refund of the money removed from their accounts. In addition, they will also be entitled to payment of any interest that would have been earned if the money had remained in their account and the reversal of any charges incurred because of the fraudulent transactions.
Providing this level of protection for unauthorised payments, while beneficial for customers, is not without its own problems. As consumers adjust to the de-risking of their position, they may be less cautious about online banking, accepting the ‘inevitability’ of fraud, and may be less willing to migrate to more secure payment systems. They may also ‘overtrust’ the level of legal protection available for online services, believing that they have a high level of protection in circumstances when, in fact, it is limited: for example, where they are misled into making authorised payments from their internet bank accounts to fraudsters through a continuous payment authority.
In spite of the practical problems posed by cybercrime for banks, it seems certain that Tesco Bank’s processes will be subject to close scrutiny by the industry regulators. The Prudential Regulation Authority (PRA) will probably not be involved, as this case, unlike the RBS IT failure of 2012, is unlikely to be regarded as having threatened the integrity of the whole payments system. It is, however, likely to be considered by the Financial Conduct Authority (FCA) as a possible breach of Principle 3 of its Principles for Businesses. Under this principle, a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. This will raise questions as to whether adequate protections against the risk posed by evolving forms of cybercrime were in place at Tesco Bank. If a failure in this area is established, there is the possibility that the bank will face a substantial financial penalty.
There are close precedents. In 2007 Nationwide Building Society was fined £980,000 (which was a large sum in that period) for a breach of Principle 3 when a laptop computer containing customer information was stolen. Although it was accepted that the risk of theft could not be completely eliminated, the penalty was imposed as a result of a finding that the building society did not have effective controls to manage the risks that would arise should such a theft occur and, on the facts, did not respond adequately when the machine was lost. The message given was that, although risks could not be eradicated, they could be managed. The Financial Services Authority in its Final Notice took particular note of Nationwide’s failure to respond adequately to the heightened awareness of information security risks at the time. It is not clear whether any loss had been suffered by customers in that case. However, the Society did undertake to reimburse any customers who had suffered losses.
The RBS IT failure of 2012, which prevented some customers from undertaking transactions for days as a result of a failed IT upgrade, resulted in fines totalling £56 million being imposed by the PRA and FCA. Again it was a breach of Principle 3 which justified the regulators’ actions. The basis of this finding was again a failure to identify and manage risks: in that case, those created by a software upgrade. A finding of particular importance, given the approach of modern regulators, was that the bank’s first line of defence, Technology Services Risk, had a culture of reacting to problems as they arose, rather than attempting to anticipate them. As it did not adopt a proactive approach to identifying and eliminating or managing risks, the failure resulting from the upgrade was not anticipated and systems were not in place to minimise its impact when it did occur. The general message is that banks need to design systems which are resilient in the face of problems, whether those problems are internal IT failures or external cyber attacks.
Tesco Bank’s regulatory problems may not be limited to compliance with financial regulation, as the Information Commissioner (ICO) is also taking an interest. While the ICO currently only has the power to issue monetary penalties of up to £500,000, a figure dwarfed by the penalties available to the financial regulators, an adverse finding would be likely to further damage the bank’s reputation. The ICO has been active in this area in the past. Bank of Scotland was fined £75,000 in 2013 for repeatedly allowing customer information to be seen by the wrong recipients, and a non-bank (Sony International) was fined £250,000 when its PlayStation Network Platform was hacked with the result that the personal information of millions of customers, including their payment card details, was put at risk. When the General Data Protection Regulation (GDPR) comes into force in 2018, banks will have more reason to worry about the ICO. Penalties for serious data breaches under that legislation could be up to 20,000,000 EUR or, for an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The message is clear. Financial and data protection regulators will undoubtedly take into account the social and economic value of the service that online banks provide, and the constraints imposed by both the pace of technological change and competition in the financial services marketplace. But banks must have systems in place that provide strong defences against the constantly evolving threat of cybercrime, and they must have systems that provide an appropriate reaction in the event that a cyber attack is successful in penetrating those defences.