Thailand Law Journal 2011 Spring Issue 1 Volume 14

The risks of Internet banking

Most of the attacks on Internet banking used today are based on deceiving the user in order to steal login data and valid TANs. One method criminals use is phishing e-mails. Phishing means sending a host of e-mails pretending to be from a bank in the hope that some users click on a link to a website that gathers their account details and password. Moreover, fraud can be committed by using malware or a Trojan horse, in which unsuspecting users download software that contains a computer virus. A Trojan horse allows fraudsters to track the keystrokes made on the user’s computer or to take screenshots of the visited website. Through this, hackers can obtain the account number or Social Security number and make unauthorized transactions on the user’s behalf. Another source of online banking risk comes from the Internet banking users themselves, through acts of negligence such as accessing online banking in an Internet café, giving banking details via e-mail or chat programs, or failing to protect confidential information properly. This allows a third person to steal the access information and facilitates illicit money transfers (BSI, 2011). Last but not least, operational risk cannot be excluded from the risks of Internet banking. The causes of operational risk can be a lack of security arrangements, weak system design, a lack of implementation and monitoring of banks’ information systems, weaknesses in software design, or the system being hacked by professional cyber criminals (Gkoutzinis, 2006). The speed of technological change and the fact that the Internet channel is universally accessible make this risk especially critical (Ramakrishnan, 2001). The number of Internet banking fraud cases in Germany is increasing dramatically. According to statistics from the Federal Criminal Police Office, losses from phishing scams rose 68 percent from 2008 to 2009. England follows the same trend (Dailymail, 2010).

It is important to determine whether the financial losses that occur in Internet banking are borne by the bank, the customer or other parties involved in the Internet banking system, in order to identify who is liable for the losses. Thomas et al. (1998) mentioned liability as a key legal issue of Internet banking. But before turning to that, it is necessary to examine the current legal and regulatory situation regarding Internet banking in Thailand and in Germany.

Regulations of internet banking

Electronic banking activities are based on the law of contracts and the law of the banker-customer relationship, which is mostly regulated in the Banking Act.

In Germany, banking activities, including electronic banking for commercial purposes, are regulated by the German Banking Act and other secondary statutory and regulatory instruments and are supervised by the Bundesbank (Germany’s national bank) and the Bundesanstalt für Finanzdienstleistungsaufsicht – Bafin (the Federal Financial Supervisory Authority). These authorities are entitled to oversee bank operations and electronic banking activities with regard to the security and continuity of the networks. They also cooperate at the international level, above all within the Electronic Banking Group of the Basel Committee. Another authority involved with Internet banking is the Bundesamt für Sicherheit in der Informationstechnik - BSI (the Federal Agency for Security in Information Technology). Its duty is to identify the most appropriate technologies and security standards for online banks (Gkoutzinis, 2006).

Besides the Giro contract (bank account), in which a bank agrees to operate the bank account in the name of the customer, accepting deposits and carrying out fund transfers as appropriate, while the customer has the right to use the funds deposited in the account, an Internet service agreement is required in order to access the bank account via the Internet. In this way, the Internet is used as a means to transmit instructions to the bank for transferring funds. The Internet service contract establishes special rights and obligations regarding the availability and use of the online service between the bank and its customer. On the one hand, the bank is obligated to establish and maintain an efficient and reliable Internet-accessible online network for its customers. German law requires appropriate security standards from the bank, such as the banker’s duty of care, the duty of confidentiality, data protection and data privacy, and also regulatory standards promoting systematic and individual safety. Banks must demonstrate good faith, care and diligence in handling customer affairs (Art. 242 BGB). On the other hand, the customer signing the Internet service contract is obligated to exercise care and skill in transmitting instructions, to avoid misleading the bank or facilitating fraud, and to inform the bank immediately when an unauthorized payment occurs (Deutsche Bank, 2011). It is very important that the bank customer adheres to the security precautions in the terms of use of the Internet service agreement, such as keeping personal banking information or identification undisclosed to third parties, using the security devices to access Internet banking, and providing correct information about the beneficiary’s identity, the amount of money and the account information when transmitting the order (Gkoutzinis, 2006).

In Thailand, banks and all banking services, including Internet banking, are overseen by the Bank of Thailand (BOT). The BOT provides the financial infrastructure to serve the needs of the business and financial sectors. The laws and regulations related to Internet banking are: the Commercial Banking Act B.E. 2505, which provides clauses about bank licensing and commercial bank operations in Thailand; and the Electronic Transactions Act and the Electronic Payment Service Decree, which are based on the EU e-Money Directive and the regulations of the Bank for International Settlements, BIS (Electronic Transactions Commission, 2011). The bank is obligated to install and maintain a reliable system to secure transactions done via the Internet and to prevent unauthorized access to the available services. The aim of these acts is to strengthen the credibility and acceptance of electronic transactions, to prevent all risks that might affect public interests, and to achieve a higher standard for Thai payment services as well as gain recognition at the international level (BOT, 2010). However, the relationship between the bank and the customer is based on contract. As in Germany, Thai banking customers have to sign an agreement in order to use the Internet banking service. This contract contains the terms and conditions of use of electronic services, which can differ from bank to bank. But the main ideas contained in the contract are the obligations for the customers, such as to keep the banking information confidential, to safeguard the User ID and PIN and to inform the bank immediately when mistakes or errors occur, and the clause about bank liability and its limitation (SCB, Kbank, Bangkok Bank). Bank customers have to study these terms and conditions of using Internet banking carefully; proving neglect of a duty based on the contract is a major concern in the liability issue.

Bankers Liability

This section examines liability in Internet banking, which is often seen as a key legal issue (Thomas et al., 1998). Liability means legal responsibility for one's acts or omissions. Failure of a person to meet that responsibility leaves him open to a lawsuit for any resulting damages or a court order to perform (Legal Dictionary, 2011). Liability for Internet banking is contract-based and mostly regulated explicitly in the Internet Service Agreement; this can vary between banks. The Terms and Conditions for Internet banking from Kasikorn Bank, Siam Commercial Bank and Bangkok Bank are considered here as representative of Thai Internet banking, while Deutsche Bank and Commerzbank represent the German side. Liability issues arising from Internet banking can be classified into 3 categories, namely:

  • Human error

Human error can be caused either by the customer or by the bank. The personal identification number (PIN) and password are used to authorize Internet banking access and to undertake transactions. The Thai banks handle these transactions in good faith and regard any transaction conducted through this authorized access as completed and valid (Kbank, SCB, Bangkok Bank). But errors can happen when another person has access to the Internet banking account. Moreover, the customer can make an error by giving incorrect information about the beneficiary’s identity, the amount of money or the account information, so that the money is transferred into the wrong account. Other human errors can be negligence in maintaining the secrecy of account details and passwords and not notifying the bank of known unauthorized payments. Likewise, in the case of losing the authorization instrument or personal data, bank customers must inform their banks immediately, so that the account will be blocked. In case of negligence where transactions are done by a third person, the bank reserves the right not to be liable for any losses (Kbank, SCB, Bangkok Bank). The German banks follow the same approach. The difference from the Thai banks is that the German bank will be liable for all the losses incurred after the blocking notification (Deutsche Bank, Commerzbank).


 

This article is published with the kind permission of Parichat Jantori and addresses the introduction of Internet banking in Thailand and discusses the relevant security risks involved, as well as legislation such as the Thailand Banking Act that serves to regulate online banking practices.

 
