Secure online banking, a quest towards joint responsibilities
Master thesis focusing on the quest towards joint responsibilities for secure online banking.


Secure online banking
A quest towards joint responsibilities

Thesis EMBA
P.M.W.J. (Paul) van Dommelen
November, 2013
Nyenrode Business Universiteit
Page | i

Title page
Title: Secure online banking, a quest towards joint responsibilities
Document: Final Thesis Executive MBA
Report status: Final version
Author: P.M.W.J. (Paul) van Dommelen
Thesis supervisor: Professor Dr. R.J.M. Jeurissen
Class: EMBA 10
Date: 08-11-2013
E-mail address: paul.van.dommelen@capgemini.com
Nyenrode Business University, Straatweg 25, 3620 AC Breukelen
Capgemini Nederland B.V., Reykjavikplein 1, 3543 KA Utrecht

Preface

For the past two years I have been on a personal journey: a journey towards the completion of my Executive MBA program. It has been fun, informative and above all a very challenging experience. I'm grateful for all the knowledge and experiences that I have obtained. I have enjoyed a lot of interesting, nice, intense and also relaxing moments with my classmates of the EMBA10 class. Their personal views and experiences have made this MBA a truly unique and rewarding experience.

I'm proud to present my master thesis, the final step towards completion of the EMBA program. My master thesis focuses on joint responsibilities for secure online banking. This topic has been the subject of intense debates, both in private as well as in public settings. These debates have drawn my attention, both from a professional as well as a personal interest. I have devoted the past 6 months to analyzing this problem and to finding opportunities to improve the current situation. I became passionate about this research because of the complexity and importance of the subject and feel personally committed to helping resolve the current problems.

I would like to show my appreciation to my employer, Capgemini, and more specifically my manager René Roest. They have provided me with the opportunity to enroll in this program. I would like to thank my colleague Nienke van den Brink, who has been my company supervisor for this thesis. Next to my employer and colleagues, I would like to thank the Nyenrode Business Universiteit, its professors, staff and partner universities. I would especially like to thank Professor Dr. R.J.M. Jeurissen, who has been my faculty supervisor during this thesis. I'm thankful for the guidance, knowledge and energy he has provided to me. I would also like to thank the participants of the focus interviews, as they have invested their personal time to allow me to find answers to my questions.

Finally I would like to express my deepest gratitude and appreciation to my partner Beeshema and our daughter Lakisha. They have been an incredible support during the difficult and challenging moments. The dedication and amount of energy which they have had to invest to keep our personal lives as normal as possible is truly remarkable. I couldn't have achieved the obtained results without their love and support. I can only imagine how difficult it must have been to always get the answer "next year" when a family activity was proposed. The good news is: the next year is yet to come!
TABLE OF CONTENTS

Title page ... iii
Preface ... v
1. Executive summary ... 1
2. Introduction ... 5
3. Thesis focus ... 7
3.1. History ... 7
3.2. Types of customer targeted online banking fraud ... 9
3.2.1. Phishing ... 9
3.2.2. Pharming ... 9
3.2.3. Social engineering ... 10
3.2.4. Malware ... 10
3.3. Management problem ... 11
3.4. Reason for the research ... 11
3.5. Scope of the research ... 12
3.6. Research methodology ... 12
3.7. The research problem ... 12
3.8. Research goals ... 13
3.9. Abbreviations ... 13
4. Literature review ... 15
4.1. What is the impact of the problem? ... 15
4.1.1. Number of fraudulent occasions and hard costs ... 15
4.1.2. Soft costs for Financial Services Providers ... 18
4.1.3. Costs for impacted customers ... 19
4.1.4. Impact on society ... 20
4.1.5. Conclusion ... 20
4.2. Legal framework ... 21
4.2.1. Legal responsibilities and liabilities ... 21
4.2.2. How Financial Services Providers take care of their duty of care ... 22
4.2.3. Compensation policies of Financial Services Providers ... 23
4.2.4. The customer's responsibilities specified in the terms and conditions ... 24
4.2.5. Liability ... 27
4.2.6. What is gross negligence? ... 27
4.2.7. Government ... 29
4.2.8. Conclusion ... 31
4.3. The ethical point of view ... 32
4.3.1. A power balance of responsibilities ... 32
4.3.2. Responsibility types ... 35
4.3.3. Elements of responsibility ... 37
4.3.4. Moral consciousness ... 37
4.3.5. Joint responsibility ... 38
4.3.6. Who should be responsible? ... 39
4.3.7. Conclusion ... 40
4.4. View from market research ... 41
4.4.1. The view on the customer's abilities to detect ... 41
4.4.2. How customers currently secure themselves ... 44
4.4.3. The view on the Financial Services Provider's duty of care ... 44
4.4.4. Conclusion ... 47
5. Conceptual model ... 49
6. Customer research ... 51
6.1. Research type ... 51
6.2. Scope and limitations ... 52
6.3. The sample ... 52
6.4. Data collection technique ... 53
6.5. Interview questions design ... 53
6.6. Variable measurement and validation ... 54
7. Research results ... 55
7.1. Elements of responsibility ... 55
7.1.1. Perceived level of security ... 55
7.1.2. Level of customer awareness per type of fraud ... 56
7.1.3. Level of knowledge about preventive measures ... 57
7.1.4. Power balance of responsibility ... 60
7.2. The moral standard ... 62
7.2.1. Current customer's responsibility and legal liability ... 62
7.2.2. Online banking fraud compared to physical crime ... 64
7.2.3. Terms and conditions ... 65
7.3. Future joint responsibilities and liabilities ... 67
7.3.1. Future customer responsibility and liability ... 67
7.3.2. Activities and responsibility of the Financial Services Provider ... 67
8. Analyses and conclusions ... 71
8.1. Answers to the research questions ... 71
8.1.1. What is the current impact of online banking fraud? ... 71
8.1.2. What is the legal framework of the responsibilities and liabilities? ... 72
8.1.3. What is the ethical view on joint responsibility? ... 75
8.1.4. What is the known view on moral standards from market research? ... 77
8.1.5. What is the moral standard for the duty of care / due care of the Financial Services Provider? ... 78
8.1.6. What is the moral standard for the customer's behavior related to grossly negligent behavior? ... 79
8.1.7. To what extent are the critical elements of responsibility fulfilled in the current situation? ... 80
8.1.8. What are potential future joint responsibilities, liabilities and measures for the Financial Services Providers and their customers in the customer's point of view? ... 82
8.2. Answer to the main research problem ... 83
8.3. Limitations ... 84
8.4. Recommendations for future research ... 85
9. Recommendations ... 87
9.1. Recommendations to Financial Services Providers and the NVB ... 87
9.2. Recommendations to online banking customers ... 88
9.3. Recommendation to the government and regulators ... 88
9.4. Recommendations to judges and the Financial Complaints Institute (KiFid) ... 89
10. Bibliography ... 91
Appendices ... 99
Appendix 1: Demographics of focus interview participants ... 101
Appendix 2: Focus interview questionnaire ... 103
1. EXECUTIVE SUMMARY

The phenomenon of financial identity theft has existed for decades, possibly even ages, and is perhaps as old as the introduction of identities itself. With the introduction of personal computers, the World Wide Web and the smartphone, a new form of financial identity theft emerged. This paper focuses on high tech financial identity theft targeting online banking customers of Dutch Financial Services Providers (FSPs) by means of phishing, pharming, social engineering and malware.

For the past couple of years, FSPs have increased their efforts to find ways to mitigate these threats by creating a variety of (technical) solutions. Despite these measures, FSPs have been confronted with an increase in impact and costs over the past couple of years. FSPs would like to involve their customers and join forces in order to reduce the likelihood of successful attacks on the customer's online banking account. In order to do so, FSPs will have to find a way to deal with the information deficit, competences and skills of their customers.

We are currently confronted with cases in which some FSPs are not reimbursing the financial losses of their customers, because these customers, according to the FSP, have acted in a grossly negligent way. As a result, current debates focus on what kind of responsibility distribution between FSPs and their customers is correct and morally acceptable. This responsibility distribution is the focus of this document.

The main research problem of this research is: "how can a Financial Services Provider create joint responsibilities for the prevention of customer targeted online banking fraud - between themselves and their customers - in an ethical way?"

This research has been executed through a combination of a literature review (desk research) and customer focus interviews (field research). By means of the literature review, some research questions have been answered and the important gaps in the current literature were identified. In order to fill these gaps, a field customer research was executed, using focus interviews with groups of Dutch retail online banking customers.

One of the main problems in the current situation is the absence of a clear moral standard for secure customer behavior and a clear moral standard for the FSP's duty of care. On the one hand, the duty of care of the FSP is not clearly defined by law or regulations, nor is it publicly communicated what measures FSPs are taking to protect their customers. Therefore it is difficult to determine whether FSPs are protecting their customers in the best possible ways. On the other hand, customers are being held responsible for measures that they are not necessarily aware of or capable of taking. Determining whether or not somebody has acted with gross negligence is difficult, if not impossible, when moral customer standards have not been determined and validated.

The research has indicated that different moral standards should apply to different groups of customers. These moral standards should be based on the customers' skills and knowledge, for example mental capabilities and computer skills. The research has identified that current customer knowledge regarding the threats of online banking and protective means, as well as their current skills, is low. Despite the current level of skills and knowledge, from an ethical perspective it seems reasonable to shift the current power balance of responsibilities and liabilities towards joint responsibilities. The past situation, in which the FSP reimbursed the financial damages, leads to moral hazard and moral unconsciousness amongst customers. Shifting the power balance, however, does not mean that responsibilities are simply shifted from the FSP to the customer. Joint responsibility means that everyone receives a part of the total responsibility, on the condition that the total sum of responsibilities increases. For example, when a customer receives the responsibility to take certain measures, the FSP will have to receive the responsibility to inform their customers about that responsibility, its necessity, the means to fulfil it and the potential effects of not taking these measures.

Overall, as a society we should improve moral consciousness of the threats and security measures related to the internet and more specifically to online banking. This is a joint responsibility of the NVB, FSPs, their customers and the government. Shifting the power balance of responsibility to a due care model seems legitimate once the necessary preconditions have been met. These preconditions have been grouped and assessed into the following model:

All elements in this model will have to be fulfilled in order to achieve joint responsibilities. Based on this assessment we can conclude that there are gaps (displayed in orange and red) between the current state of fulfillment of the individual elements and the desired state. This research indicates that the absence of clearly defined moral standards - for both the customer and the FSP - and of clear communication of preventive information from the FSPs to their customers are the root causes of the missing elements. Solving these two root causes will have a positive effect on all the (partly) unfulfilled elements. It is recommended that FSPs take the lead in closing these gaps. Besides the FSPs, the NVB, customers, government, legislators, judges and the KiFid will also have to take action in order to close the gaps. This report therefore includes recommendations to all these stakeholders. The moral standards are vital parts of the quest towards joint responsibilities. This paper does not define the different moral standards. Therefore, new research is required focusing on the different moral standards of the customers.
2. INTRODUCTION

It was on a Friday morning that Mrs. de Vries (67 years of age), who lives in Amsterdam, received an e-mail from her Financial Services Provider (FSP). In the e-mail the FSP explained that it would like to update the contact details of Mrs. de Vries in its database. Mrs. de Vries was asked to click on a link in the e-mail in order to be redirected to the FSP's website. On this website she updated her mobile phone number. A couple of days later Mrs. de Vries received a phone call from her FSP; the FSP's employee introduced herself as Laura Janssen, working for the security department of the FSP. She informed Mrs. de Vries that she would like to verify that the phone number indeed belonged to Mrs. de Vries. The employee told Mrs. de Vries that she was not allowed to disclose her personal pin code as a means of verification. The FSP's employee asked Mrs. de Vries to take her debit card and her online banking device. The FSP's employee provided Mrs. de Vries with a code (the so-called challenge code) and asked her to disclose the corresponding code shown on her banking device (the so-called response code). The FSP's employee verified the code and asked Mrs. de Vries to go through the same procedure once again. After a successful verification, the FSP's employee thanked Mrs. de Vries for her understanding and wished her a pleasant remainder of the day.

About three days ago, Mr. de Groot (32 years of age), who lives in Twente, needed to transfer money to a friend. He logged in to the FSP's online banking website and entered the details of the transaction. In order to approve the transaction, the FSP's website instructed Mr. de Groot to use his mobile phone as a means of verification and approval. He received an SMS from the FSP with a code, entered the code and validated the transaction. The FSP's website then displayed a screen informing Mr. de Groot that the website was currently busy and instructed him to be patient. After 20 seconds the website informed him that something had gone wrong with the verification of the transaction. Mr. de Groot was instructed to request a new code using his mobile phone. He requested and received this new code and typed it into the web browser. Mr. de Groot received a confirmation of the request and logged off from the online banking environment.

Although Mrs. de Vries and Mr. de Groot are not familiar with each other, they do have something in common. Both of them received a phone call from their FSP informing them that they had become victims of online banking fraud. Criminals had used the verification codes of Mrs. de Vries and Mr. de Groot in order to transfer money from their online banking accounts to a fraudulent account. After this phone call, both Mrs. de Vries and Mr. de Groot were asking themselves the same questions: What has just happened to me? How could this happen? How come I did not notice this? Is this real? Who is responsible? Who is liable for this? Will I receive a reimbursement or compensation for the financial damages?

Two weeks later Mrs. de Vries received a letter from her FSP informing her that it was not going to reimburse the financial damage, since Mrs. de Vries had shared her access codes, which is in violation of the FSP's terms and conditions. Mr. de Groot also received a message from his FSP (which is a different FSP) informing him that it was going to compensate him for his financial losses. While both had been the victims of online banking related fraud, the financial compensation outcome differs. Is this right? Is this ethical? This thesis will focus on these questions and will guide us on a quest towards joint responsibilities for the prevention of these types of crime.
3. THESIS FOCUS

3.1. History

The previously described types of crime are part of so-called identity theft. What do we mean when we speak of identity theft; what is the definition? Koops & Leenes have studied the definition of identity theft and came to the following conclusion: "Identity theft is often perceived as one of the major upcoming threats in crime. However, there is no commonly accepted definition of 'identity theft' or 'identity fraud', and it is impossible to study the real threat of this phenomenon without conceptual clarity." (Koops & Leenes, 2006). After studying all relevant definitions, they came to the following definition, which in my opinion is the most accurate: "Identity 'theft' is fraud or another unlawful activity where the identity of an existing person is used as a target or principal tool without that person's consent."

There are many different forms of identity fraud and not all of them take financial advantage of the target. In their literature review about identity theft, Newman and McNally have identified seven different types of identity theft (Newman & McNally, 2005). One of these types is defined as financial scams, also called Financial Identity Theft. They define these Financial Scams as: "There is a wide variety of scams that may be committed with the goal of obtaining from victims their personal information. These types of identity theft are obviously also related to the exploiting of specific technologies and information systems. Fraudsters place false "store fronts" on the web that imitate well known web retailers, or send tricky email or pop-up solicitations ("phishing") requesting financial and personal information. The majority of these types of fraud use relatively tried and true old scams adapted to new technologies. They all essentially depend on tricking or duping the victim". Or, in a shorter version as defined by Nicole S. van der Meulen (Meulen, 2011): "Financial identity theft refers to the misuse of identity of another person in an effort to unlawfully obtain financial benefits".

The phenomenon of financial identity theft has existed for decades, possibly even ages, and is perhaps as old as the introduction of identities itself. While the problem has been around for a very long time, the nature of the problem has changed. With the introduction of personal computers, the World Wide Web (later on in this paper referred to as the internet or online) and the smartphone, a new form of financial identity theft emerged. This digital form of financial identity theft is often referred to as a high tech method, online crime or cybercrime (Johnson, 2009). Cybercrime is defined as crime committed by means of computers or the internet (Dictionary, 2013). Cybercrime has become the most popular and widespread term. In this research we should be careful using this term, since it includes more types of crime than only financial identity theft. It includes, for example, anything from illegally downloading music files to stealing millions of dollars from online bank accounts. Cybercrime also includes non-monetary offenses, such as creating and distributing viruses to other computers or posting confidential business information on the Internet (Techterms, 2013). These high tech methods are a variant on the low tech "old-fashioned" methods such as robbery and pickpocketing. The examples described in the introduction of this paper are forms of these high tech methods. This paper focuses on high tech financial identity theft targeting customers of FSPs. In this research we will therefore use the term customer targeted online banking fraud.

The first forms of fraud with online banking were reported by the Dutch Central Bank (De Nederlandsche Bank) in the annual reports of 2007 and 2008 (DNB, 2008)(DNB, 2009); figures were however not disclosed. Hafkamp and Steenvoorden refer to this as "serious and sophisticated attacks on online banking since the beginning of 2007" (Hafkamp & Steenvoorden, 2010). Thus, while the first forms of high tech online crime targeting online banking started in 2007 and grew rapidly, the publicly available information about the real extent of the problem is vague. Still, the year 2007 can be marked as the starting point of online banking related identity theft in the Netherlands. FSPs jointly launched their first customer awareness campaign related to these new types of crime during 2008 and have launched more awareness campaigns later on, for example the "drie keer kloppen" (knocking three times) campaign and the most recent campaign "Veilig Bankieren" (Secure Banking). Despite these campaigns and the joint efforts of the FSPs, the Police Force and the Ministry of Justice, the impact of these high tech crimes has grown ("Intensieve samenwerking politie, justitie en banken tegen internetfraude - Nederlandse Vereniging van Banken," 2011). Although the financial damages increased for the FSPs, this initially did not impact their customers. Up until 2012, the FSPs had always reimbursed their customers for the financial losses due to these types of crime. In the beginning of 2012 the situation changed, as some of the FSPs decided not to compensate their customers because they had violated the general terms and conditions of online banking (Kassa, 2012). This new policy of some of the FSPs resulted in a media debate as well as debates in the Ministry of Finance and the Dutch government about the justification of this standpoint and the way forward (Dijsselbloem, 2012). The scope of this debate is focused on the different responsibilities and liabilities of all parties involved. Since the points of view of the various stakeholders are different and conflicting, this topic is likely to remain a subject of debate in the near future.

3.2. Types of customer targeted online banking fraud

There are a number of high tech methods which are currently targeting the FSPs and their customers. It is important to understand the different methods that criminals use to commit these forms of crime, as these types of crime will be referred to throughout this research.

3.2.1. Phishing

Phishing is the attempt to acquire personal information in order to abuse this information for identity theft. Criminals try to obtain the customer's personal data such as usernames, passwords, pin codes, debit cards and other private information. A well known form of phishing is the distribution of fake e-mails. Criminals send out e-mails that appear to come from a legitimate source such as an FSP, in which they ask the customer to visit a website (which has the same layout as the website of the FSP) in order to check their credentials, to reply to the e-mail or to open an attachment ("Phishing Definition," 2013). The intent of the criminal is either to obtain the customer's details or to install malware on the customer's personal device. When the criminal wants to obtain the customer's personal data, the e-mail or website for example instructs the customer to update their private information and asks for the username, passwords and/or response codes of the FSP. When the criminal wants to install malware, the e-mail will request the customer to open an attachment. When the customer opens the attachment, the malware will automatically be installed without the knowledge of the customer. The e-mail could also request the customer to visit a website which is infected with malware. Once the customer visits the website, malware will automatically be installed without the customer's knowledge. Criminals will use the obtained data in order to abuse the customer's identity. They will use this information to log in to the customer's online banking account and then transfer money from the victim's bank accounts.

3.2.2. Pharming

Pharming is yet another way hackers attempt to manipulate users on the Internet. While phishing attempts to capture personal information by getting users to visit a fake website, pharming redirects users to false websites ("Pharming Definition," 2013). The criminal for example posts a fake website in a search engine, giving the search result the name of the FSP's website, or redirects the customer to the fake website when the customer types the FSP's web address in their internet browser or when they click on the bookmark in their favorites (the criminal might have used malware to change the bookmark into the fake website). The fake website has the same look and feel as the original website. When a customer enters their online banking credentials, the information is stored in the criminal's database and reused for financial identity theft (Faber, 2011).

3.2.3. Social engineering

Social engineering is a method in which the criminal uses human interaction in order to obtain personal information ("Social engineering attack definition," 2013). A well-known form of social engineering is a criminal who pretends to be an employee of the FSP. The so-called employee will inform the customer that something is wrong with their internet bank account and will request the customer to verify their credentials by sharing their online banking credentials or by visiting a website and following the security procedure. The so-called employee will assist the customer in performing the necessary activities. During the conversation the criminal will harvest the necessary information, such as the response codes of the online banking device or the pin code. The obtained information will be used for financial identity theft.

3.2.4. Malware

Malware is the abbreviation of malicious software. Malware refers to a software program designed to damage or perform unwanted actions on a computer system. Common examples of malware include viruses, Trojan horses, and spyware ("Malware Definition," 2013). Malware can gather data from a user's system without the user's knowledge. This can include anything from the web pages a user visits to personal information, such as passwords. Furthermore, it can interfere in the communication between a website and the customer's personal device, for example by changing the website without the knowledge of the customer.
Changing a website can for example be used to add an additional payment while the customer is performing a transaction or to change the account number of the beneficiary of the original payment. A customer’s personal computer usually becomes infected when a customer visits a website that abuses security weaknesses in software on their device to install malware (also called drive-by download). Drive-by downloads can also be initiated by advertisements (“‘Criminelen dol op verspreiden malware via advertenties’ | nu.nl/binnenland | Het laatste nieuws het eerst op nu.nl,” 2013). This has for example happened to the Dutch news website www.nu.nl (“Gevaarlijke malware verspreid via NU.nl - Security.NL,” 2013) and the website of Toyota Page | 10
  • (“Website Toyota verspreidt week lang malware - Security.NL,” 2013). According to Chengyu Song et al., drive-by downloads are currently one of the most severe threats for users on the internet (Meulen, 2011). Other potential ways to infect a device is by installing software that is not obtained from the original manufacturer or opening email attachments from unknown sources. Another form of being infected by malware is by using an infected device of a third party that for example is infected on purpose, for example in a malicious internet café. 3.3. Management problem The Dutch FSPs have designed their online banking platform based on strong security measures such as strong authentication methods. FSPs have increased their efforts in finding ways to mitigate the threat of unauthorized money transfers by creating a variety of technical solutions. Despite these measures FSPs have been confronted with an increase in the financial losses over the past couple of years. The FSPs would like to involve and join forces with their customers, in order to mitigate the likelihood of successful attacks on the customer’s online banking account. Customers are however not necessarily aware and knowledgeable of the current threats and required security measures. There seems to be a different level of playing field between the capabilities and knowledge of the FSPs and their customers. Even within the group of customers different levels of capabilities and knowledge exist. FSPs will have to find a way to deal with the informative arrears, competences and skills of their customers. The nature of this management problem is the distribution of responsibilities. 3.4. Reason for the research The current media debates are focused on the kind of distribution of responsibility that is correct and morally acceptable rather than what is legally correct. There is however no clear definition or agreement in this matter. FSPs would benefit from clarity in these debates. 
This would provide guidance in the ongoing attempts to maintain and further increase the security of online banking in collaboration with their customers. In order to be able to join forces, all stakeholders should first agree on the best way forward. This requires an investigation into what is morally and ethical right according to the perspectives of all relevant stakeholders. In addition, there are little insights in the awareness, the customers’ opinion and their acceptance rates towards increased security measures. Page | 11
  • The main academic area of this research is ethics. This research will provide answers to the necessary elements of joint responsibility and to what extent these elements are present in the current situation. 3.5. Scope of the research The focus of this research is about joint responsibilities for secure online banking. Hence, the mitigation of financial losses due to financial identity theft. The types of crime that are in scope of this research are: phishing, pharming, social engineering and malware. The geographical scope of this research is limited to Dutch FSPs who provide online banking facilities and to the customers of these FSPs. 3.6. Research methodology The first part of this research is the literature review (described in chapter 4). This literature review has been executed using desk research. By using desk research all currently available materials to this research have been studied and combined into the literature review. After the literature review the important gaps in the current literature for this research were identified. In order to fill these gaps, a field customer research was executed, using focus interviews (described in chapter 6). 3.7. The research problem This research focuses on the following main research problem: how can a Financial Services Provider create joint responsibilities for the prevention of customer targeted online banking fraud - between themselves and their customers - in an ethical way? In order to answer this main research problem, the following sub questions will be answered by means of a desk research literate review (chapter 4): 1. What is the current impact of online banking fraud? 2. What is the legal framework of the responsibilities and liabilities of the Financial Services Provider and their customers? 3. What is the ethical view on joint responsibility? 4. What is the known view on moral standards from market research? 5. 
What is the moral standard for the duty of care / due care of the Financial Services Provider? Page | 12
  • The following sub question will be answered by means of a combination of a desk research literature review (chapter 4) and interview field research (chapter 6 and chapter 7): 6. What is the moral standard for the customer’s behavior related to gross negligent behavior? And the following sub questions will be answered by means of interview field research (chapter 6 and chapter 7): 7. To what extent are the critical elements of responsibility fulfilled in the current situation? 8. What are potential future joint responsibilities, liabilities and measures for the Financial Services Providers and their customers in the customer’s point of view? The main research question and sub questions will be answered in paragraph 8.1. 3.8. Research goals The objective of this research is to provide answers to the questions stated in paragraph 3.7. In order to answer these questions the research has been executed in a staged approach and this report has been structured accordingly.  Execute literature review (chapter 4) o Define the impact of the problem (paragraph 4.1) o Define the legal context of the problem (paragraph 4.2) o Define current measures towards the problem (paragraph 4.2.2) o Define necessary elements for liability (paragraph 4.2.5) o Define necessary elements for responsibility (paragraph 4.3.3) o Define known points of view from market research (paragraph 4.4)  Design conceptual model (chapter 5)  Execute qualitative research; perform customer focus interviews (chapter 6)  Describe results of customer focus interviews (chapter 7)  Analyze all information retrieved from interviews and research (chapter 8)  Recommendations (chapter 9) 3.9. Abbreviations FSP Financial Services Providers Personal device Computer, Laptop, Smartphone, Tablet, Smart TV Page | 13
4. LITERATURE REVIEW

This literature review will provide insights and answers to the first six sub research questions (paragraph 3.7). In this chapter, each of these sub research questions will be covered in a separate paragraph.

4.1. What is the impact of the problem?

The impact of phishing, social engineering, pharming and malware can be measured in various ways. When the Dutch media report about the impact of these types of crime, we usually find information relating to the number of fraudulent occasions and information relating to the amount of financial losses for the FSPs. This information is disclosed by the "Nederlandse Vereniging van Banken" (The Dutch Banking Association), also called the NVB. The impact is however bigger than just the financial impact on the FSPs, since there are more stakeholders involved. Newman & Mcnally explain that these types of crime are dual crimes, which affect the individual whose identity was stolen as well as the business whose service was stolen (Newman & Mcnally, 2005). In their research Newman & Mcnally point out that we should not only think about costs as a figure for financial losses (defined as hard costs) but also about costs related to prevention, investigation and conviction (defined as soft costs). These soft costs impact more stakeholders than only the FSP and their customers; they have an impact on society as a whole. This paragraph will explore the hard costs as well as the soft costs for the involved stakeholders.

4.1.1. Number of fraudulent occasions and hard costs

In the Netherlands, the facts and figures related to the costs and occasions of phishing, social engineering, pharming and malware are published by the NVB. These figures are reported on a voluntary basis. The NVB claims that these figures are undisputed since FSPs jointly agreed to be transparent about the fraudulent occasions. It's important to note that this is an agreement without any legal obligation. Specialized companies in the field of cyber security such as McAfee, Versafe and Checkpoint question the legitimacy of the reported figures. Those companies have reported fraudulent occasions which have not been reported by the NVB ("Internetbankieren ligt zwaarder onder vuur - Follow the Money," 2012). Those companies however have a commercial interest in reporting fraudulent occasions, since preventing these occasions is their main commercial activity. It's therefore also questionable whether these reports are legitimate. In her research Van der Meulen mentioned the unavailability of empirical information related to this topic as one of the main limitations of her research (Meulen, 2011). Van der Meulen refers to this as: "Due to the lack of empirical information, especially in the Netherlands, about cases of financial identity theft, much of the research remains in the hypothetical area". Thus it remains unclear whether or not the figures presented by the NVB are indeed legitimate. There is no academic proof to claim that these figures are not legitimate, nor is there academic proof to support the statement of the NVB. The figures presented by the NVB can therefore best be seen as minimum figures. It's important to highlight that the numbers published by the NVB only specify the losses for the FSPs. The fraudulent losses of customers who have not received a reimbursement are not included in these figures. Furthermore, this is only a report on the number of successful attempts. The NVB doesn't publish specified figures related to the unsuccessful attempts. In their reports they state that the number of unsuccessful attempts is undoubtedly bigger than the reported number of successful attempts (NVB, 2011). A recent research indicated that almost 35% of the Dutch online banking users have received at least one phishing e-mail ("Nederlanders massaal benaderd door internetcriminelen - Emerce," 2013).

[Figure 1: Financial losses Online Banking 2008 - Q1 – Q2 2013]

As displayed in figure 1, the financial losses on online banking platforms related to phishing, social engineering, pharming and malware have increased from 2.1 million euro in 2008 to 34.8 million euro in 2012 ("Fraude internetbankieren stijgt eerste half jaar met 14% - Nederlandse Vereniging van Banken," 2012) and have declined to 4.2 million euro in the first half of 2013. The increase up until 2012 was very substantial. Back in 2012 the NVB indicated this trend as worrisome ("Steeds meer slachtoffers bankfraude - Nieuwsuur.nl," 2012). The historic trend showed a continuous cycle of increasing financial damages. In 2013 the NVB reported the first decrease in financial damages, not on a year by year basis but on a six months basis (NVB, 2013). This decrease has continued during the first half year of 2013.

[Figure 2: Financial losses Online Banking 2012 + Q1 – Q2 2013]

As displayed in figure 2, the financial losses per half year had decreased from 24.8 million euro during the first 6 months of 2012 to 10 million euro during the second 6 months of 2012 and to 4.2 million euro during the first 6 months of 2013. According to the NVB this decrease is the result of the increasing efforts of FSPs on prevention and detection of fraudulent patterns and behavior, as well as of an increasing effort of the Electronic Crimes Task Force (NVB, 2013). The NVB also reports an increase in the customers' awareness. There is however no statistical data or other empirical information that supports their statements. Furthermore, we don't know if this will continue in the future. The NVB states in its press release on the 2013 figures that "the current decrease doesn't mean that we can rest assured as criminals are likely to continue to find new ways to commit these types of fraud. Therefore FSPs have a maximum focus to mitigate fraud and to inform their customers" (NVB, 2013). The Dutch police force expects an ongoing increase in the number of frauds on online banking because the criminals are getting better organized, which will result in larger and more effective attacks. According to their research, the increasing usage of mobile devices for online banking will also increase the level of attacks because it will create a new platform with opportunities for fraudsters (IPOL, 2012). Despite the financial losses, the NVB claims that online banking is safe (NVB, 2012). The question whether or not this is a true statement can best be answered by a comparison between the number of fraudulent occasions (as displayed in figure 3) and the total number of online banking users.

[Figure 3: total number of fraudulent occasions 2010 - 2012]

Between 2010 and 2012 the number of fraudulent occasions increased from 1.383 occasions to 10.900 occasions (there are currently no publicly available figures about the number of occasions during the first 6 months of 2013). In the same period the Dutch Central Statistical Bureau (CBS) reported an increase of online banking users from 10 million in 2010 to 13,2 million in 2012.

[Figure 4: percentage of impacted users 2010 - 2012]

As displayed in figure 4, this means that the total percentage of fraudulent occasions on a yearly basis, relative to the total number of online banking users, has increased from 0,014% to 0,0828% (CBS, 2012). Although this is an increase of 499,57 % during the period, the odds of being impacted as an individual user are indeed very small; this seems to support the statement of the NVB that from a collective user perspective online banking is safe.

4.1.2. Soft costs for Financial Services Providers

A part of the impact is the effort that the FSPs are undertaking in order to battle crime. These categories of costs have been explored in an earlier research by the Cambridge University (Anderson et al., 2012). In this research different cost categories have been indicated. This includes costs that can be quantified as crime prevention, detection, handling fraudulent cases and coordination. On the aspect of prevention, FSPs are confronted with costs for creating awareness amongst their customers using campaigns and promotional material, and with security related preventive measures on the FSP's system application landscape and employees (for example security training). Costs related to crime detection are for example costs for forensic tools and employees that analyze the payments in order to detect fraudulent behavior. Handling costs are costs related to working on fraudulent cases and reimbursements. Coordination costs are related to management and time spent on working with stakeholders such as the diverse cyber crime taskforces. Although FSPs are able to calculate these costs, there is no (public) data available about these costs. The NVB has stated that FSPs have increased their efforts towards cyber crime prevention (NVB, 2013). No specifications or costs are however mentioned. In their research, the Cambridge University estimated the total global costs of countermeasures for FSPs (direct costs which are specified as defense costs) at 1 billion dollar per year (Anderson et al., 2012). Another important aspect of costs indicated in the research of the Cambridge University are the more indirect costs, for example opportunity costs, potentially missed business, image and customer satisfaction. Opportunity costs are the missed opportunities for other investments: money spent on security cannot be spent on other activities that might have had a positive effect on the FSP's revenue. Furthermore, negative media coverage and perception of the safety of the online banking channel might have a negative effect on the image of the online banking channel or the FSP. This might result in a lower customer satisfaction and potentially in missed business. Although it's difficult to calculate these costs, the importance of these costs should not be neglected. The research of the Cambridge University has specified the indirect losses related to the loss of customers' confidence for card related fraud (such as skimming) as a factor 2,3 of the direct losses (hard costs) (Anderson et al., 2012). Unfortunately, there hasn't been any (public) research executed focusing on the indirect costs of online banking fraud in general.

4.1.3. Costs for impacted customers

Just like the FSPs, customers are confronted with costs when they become a victim of fraud. Whether or not these costs include hard costs as well as soft costs depends on the compensation policy of the FSP, which will be discussed in paragraph 4.2.3. The Cambridge University has not specified the hard costs and soft costs for the customer in their research (Anderson et al., 2012), nor has other (public) research related to this topic been executed. Therefore, there are no figures available that identify the total impact. Newman & Mcnally have specified the types of soft costs customers who become a victim will incur (Newman & Mcnally, 2005). They refer to these costs as "human costs". These costs include the time and effort required to resolve the various problems created by the theft, such as contacting the FSP and the police force as well as waiting until the losses have been compensated, especially when the victim lives paycheck to paycheck (Meulen, 2011). Another aspect of these costs is the shock of discovery and the feeling of being a victim, which might have an emotional or psychological impact (Meulen, 2011). Finally, an important cost is the cost of the decrease in the perception of security. The security perception of the customer is intertwined with the indirect soft costs of the FSPs, as described in paragraph 4.1.2. Although the costs for the customer are not clear and the chance of becoming a victim as a customer is currently 0,0828 % (as described in paragraph 4.1.1), it's important to recognize these costs, since for an impacted customer the chance of being a victim is not 0,0828 % but 100 %. Hence, for impacted customers the statistical data are not relevant. Social media tools are increasing the importance of taking these customers into account, since every individual customer can use these tools to communicate their story and potentially impact the feelings and thoughts of other customers. This has resulted in negative media coverage in consumer programs such as Nieuwsuur.nl ("Steeds meer slachtoffers bankfraude - Nieuwsuur.nl," 2012) and Kassa (Kassa, 2012).

4.1.4. Impact on society

Online banking fraud is impacting more stakeholders than only the FSPs and their customers. Those stakeholders are for example the government, ministers and public bodies such as the NCTB, the police force and the criminal justice system (Newman & Mcnally, 2005). The costs to society have not been researched, and researching the total amount of costs to society might be impossible. According to Newman and Mcnally, a part of the costs to society is impossible to calculate. These costs include costs related to the (feeling of) public safety risks / threats, burdens created by FSPs, higher premiums, other costs passed on by FSPs to customers, increased paranoia which may result in financial costs, and an overall decreased confidence in the promised benefits of the information age (for example the online banking platform) (Newman & Mcnally, 2005).

4.1.5. Conclusion

It's difficult to define the exact impact of the problem. A part of the problem has been converted to financial impact, but the validity of these figures cannot be claimed from an academic perspective. Other parts of the problem have not been converted into financial impact or are very difficult to convert to financial impact at all. The costs of online banking related crime are higher than only the losses reported by the NVB. Furthermore, the impact is bigger than just the impact on the targeted FSPs and directly impacted customers. In the end, the entire society is impacted because of the perception of security as well as the costs that are made by the government, for example for the conviction of the criminal. Although it's not possible to determine the exact impact of the entire problem, we can at least conclude that there is a problem and that the impact of the problem has increased over the past five years.
4.2. Legal framework

The responsibilities and liabilities of the FSPs and their customers are laid down in Dutch law. This chapter will explore the applicable legal framework and the connected responsibilities and liabilities.

4.2.1. Legal responsibilities and liabilities

The legal responsibilities of the FSPs are laid down in the Dutch Civil Code, books 6 and 7. The Dutch FSPs have also committed themselves and their customers to additional legal responsibilities in their own (product) terms and conditions. The first relevant element relates to duty of care, laid down in article 6:248 BW (BW:6, 2013). This article relates to the generic duty of care in contracts and agreements. It states that an agreement does not only have the legal effects agreed between the two parties, but also those that follow from habit (custom) and from reasonableness and fairness. Another connected article is article 7:401 BW (BW:7, 2013), which states that the contractor has to exercise the care of a good contractor during the contract. The second relevant element is related to the use of the personalized safety attributes (the mechanisms that customers can use to identify themselves and perform transactions, such as codes, passwords, the card reader and the card). Book 7B of the Dutch Civil Code provides more specific articles connected to payment transactions. Article 7:525 BW (BW:7b, 2013) states that an FSP has to ensure that the personalized safety attributes of the customer's payment instrument will not be accessible to third parties. Article 7:524 BW (BW:7b, 2013) states that the user of the payment instrument has to comply with the product's terms and conditions. This article also states that the customer has to take all reasonable measures in order to guarantee the security of the personalized safety attributes. The third relevant element relates to the law in cases of wrong or fraudulent transactions. Article 7:526 BW (BW:7b, 2013) arranges the notification period for the customer. According to this article the customer has to notify the FSP within 13 months after the date of the wrong transaction. Article 7:528 BW (BW:7b, 2013) states that if the customer observes the notification period, the FSP will have to reimburse the transacted amount immediately if the transaction was indeed not authorized by the customer. The FSP is however allowed to deduct an amount of maximum € 150,- from the reimbursement when the unauthorized transaction was initiated by the use of a lost or stolen payment instrument, as arranged in article 7:529 BW (BW:7b, 2013). It's important to notice that the FSP is legally allowed to deduct this € 150,- in case of any unauthorized transaction initiated by the use of a lost or stolen payment instrument, thus irrespective of whether this happened due to negligent behavior of the customer. This article also states that the FSP - according to the product terms and responsibilities, as stated in article 7:524 BW (BW:7b, 2013) - will not have to reimburse any money if the customer has acted fraudulently, intentionally or with gross negligence ("grove nalatigheid"). The FSP has to prove that the customer has indeed acted with gross negligence (and not the other way around). Besides the law, the FSPs have to comply with all the obligations that they have specified in their (product) terms and conditions. FSPs have for example specified that they will inform their customers on topics such as security and that they will provide the customer with possibilities to check the transactions on their accounts, for example using (digital) statements.

4.2.2. How Financial Services Providers take care of their duty of care

Within the limitations of the law described above, FSPs are free to create their own policies about their duty of care. FSPs do not disclose all the efforts they are performing to take care of their duty of care. Therefore, this paragraph is not exhaustive and only describes the publicly known aspects. In general, the policies of the FSPs can be divided into four topics: secure the channel, educate the customer, monitor transactions and clean the internet (Hafkamp & Steenvoorden, 2010). Securing the channel and educating customers are forms of so-called target hardening. This refers to measures that are introduced to increase the effort required to successfully obtain the target (Meulen, 2011). In this case there are two targets: the customer and the FSPs. FSPs have introduced variations on the existing authentication mechanisms, for example by introducing new authentication mechanisms or changes in the dialogue (Hafkamp & Steenvoorden, 2010). Dutch FSPs have chosen to implement authentication mechanisms based on at least "two factor authentication". Two factor authentication refers to the usage of at least two of the following available factors:

- knowledge (something the customer knows), for example a code or username;
- possession (something the customer has), for example a token, card or phone;
- personal attributes (something or somewhere the customer is), for example biometrics, geographical locations or customer profiling.

Next to those authentication mechanisms, FSPs are securing their online banking channels in other ways, for example by detecting malicious behavior in the browser. FSPs try to educate their customers by means of providing security related information, brochures and awareness campaigns. Customer security related duties are specified in the (product) terms and conditions and on the websites of the FSPs. Awareness campaigns are executed in collaboration with the NVB. Those campaigns inform the customers of the potential threats by means of commercials on television, radio and the internet, for example on www.veiligbankieren.nl. In those commercials, customers are asked to be aware, to check the URL of the website, the entered payment and the security of their computer. The Dutch ING bank is taking the awareness and customer target hardening one step further: they offer the customer free security software for their personal computers ("Beveilig uw computer - ING Veilig bankieren," 2013). The third aspect, monitoring transactions, means that the FSP monitors the initiated payments and checks those payments for deviant patterns. Those deviant patterns can be based on the customer profile or on generic malicious behavior such as cash out points or account numbers. When deviant patterns are spotted, the FSP will hold and investigate the payment. FSPs are not transparent about their monitoring activities since this is sensitive information. It's therefore not clear to what extent the Dutch FSPs are performing these monitoring activities. The final aspect is cleaning the internet. FSPs have joined forces with the police force and other public bodies in order to notice, take down and trace the criminals and their websites and servers.
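The third aspect of 4.2.2, monitoring transactions, as an added illustration that is not part of this thesis and not the monitoring logic of any actual FSP: a small rule-based check that scores each initiated payment against the customer's own profile and against a list of known cash-out accounts, and holds deviant payments for investigation instead of executing them. All account numbers, profiles, payments, rules and thresholds below are constructed assumptions.

```python
"""Rule-based payment monitoring in the spirit of the 'monitor transactions'
measure: generic malicious patterns (known cash-out accounts) plus deviations
from the customer's own profile. Everything here is constructed sample logic."""

from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class CustomerProfile:
    """What the FSP already knows about the customer's own payment behaviour."""
    customer_id: str
    known_beneficiaries: set          # accounts this customer paid before without dispute
    amount_history: list              # amounts of earlier, undisputed payments
    usual_countries: set = field(default_factory=lambda: {"NL"})


@dataclass
class Payment:
    customer_id: str
    beneficiary_iban: str
    amount: float
    beneficiary_country: str
    beneficiary_added_this_session: bool = False


# Constructed sample blocklist of accounts seen as cash-out points in earlier cases.
KNOWN_CASH_OUT_ACCOUNTS = {"XX00SAMPLE0000000001", "XX00SAMPLE0000000002"}

HOLD_THRESHOLD = 3  # assumed: a total score at or above this holds the payment


def score_payment(payment, profile, blocklist=KNOWN_CASH_OUT_ACCOUNTS):
    """Score one payment; returns (score, reasons). Higher means more deviant."""
    score, reasons = 0, []

    # Generic malicious behaviour: the beneficiary is a known cash-out account.
    if payment.beneficiary_iban in blocklist:
        score += HOLD_THRESHOLD
        reasons.append("beneficiary is a known cash-out account")

    # Deviations from the customer's own profile.
    if payment.beneficiary_iban not in profile.known_beneficiaries:
        score += 1
        reasons.append("first payment to this beneficiary")
    if payment.beneficiary_country not in profile.usual_countries:
        score += 1
        reasons.append("beneficiary bank outside the customer's usual countries")
    if profile.amount_history:
        mu, sd = mean(profile.amount_history), pstdev(profile.amount_history)
        if payment.amount > mu + 3 * sd and payment.amount > max(profile.amount_history):
            score += 1
            reasons.append("amount far above the customer's usual payments")
    # Malware that injects an extra payment or rewrites the beneficiary typically
    # pays a freshly added beneficiary in the same session.
    if (payment.beneficiary_added_this_session
            and payment.beneficiary_iban not in profile.known_beneficiaries):
        score += 1
        reasons.append("beneficiary added in the same session as the payment")

    return score, reasons


def decide(payment, profile):
    """Return ('hold' | 'execute', reasons) for one payment."""
    score, reasons = score_payment(payment, profile)
    return ("hold" if score >= HOLD_THRESHOLD else "execute"), reasons


def monitor(payments, profiles):
    """Run the check over a batch; returns {index: (decision, reasons)}."""
    return {i: decide(p, profiles[p.customer_id]) for i, p in enumerate(payments)}


# Constructed sample data: one customer with a regular pattern of small domestic payments.
SAMPLE_PROFILES = {
    "cust-1": CustomerProfile(
        customer_id="cust-1",
        known_beneficiaries={"NL00SAMPLE0000000010", "NL00SAMPLE0000000011"},
        amount_history=[45.0, 60.0, 120.0, 80.0, 55.0, 100.0],
    )
}
SAMPLE_PAYMENTS = [
    Payment("cust-1", "NL00SAMPLE0000000010", 75.0, "NL"),            # routine payment
    Payment("cust-1", "NL00SAMPLE0000000012", 40.0, "NL"),            # new but small, domestic
    Payment("cust-1", "XX00SAMPLE0000000001", 2500.0, "XX", True),    # known cash-out account
    Payment("cust-1", "EE00SAMPLE0000000099", 2500.0, "EE", True),    # profile deviation only
]

if __name__ == "__main__":
    for i, (decision, reasons) in monitor(SAMPLE_PAYMENTS, SAMPLE_PROFILES).items():
        print(i, decision, "; ".join(reasons))
```

A held payment is not a verdict on the customer: it only queues the payment for the investigation step the thesis describes, which is where a false positive is released.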
This include activities such as elimination malicious websites, for example phishing website or servers that collect the information from infected computers (Meulen, 2011). 4.2.3. Compensation policies of Financial Services Providers As discussed in paragraph 4.2.1, FSPs are allowed to deduct 150 euro on every financial compensation. They also have the ability to refuse any compensation if the customer has acted gross negligent. Up until today, no signals are available that FSPs are deducting the legally possible 150 euro on each compensation. It seems that, FSPs choose not to penalize their customers if they have not acted in a negligent way. Thus, FSPs are accepting more liabilities Page | 23
  • than they should do from a legal perspective. Up until 2012 there had not been any signals in the media or court of FSPs that didn’t compensate private customers for their full hard costs (including the 150 euro) of fraudulent cases on online banking. This means that FSPs compensated their customers for their hard costs (the financial losses) but not for their soft costs (as described in paragraph 4.1.3). During 2012, the first signals of private customers that didn’t receive any compensation or only a partial compensation, came to the media’s attention. These cases are based on situations where, the FSPs are of the opinion that the customer has acted in gross negligent way. FSPs have thus changed their policies of compensations in cases of gross negligence or, their opinions on what should be indicated as gross negligent behavior. This means that in the current situation, customers are only compensated for their hard costs when they have not acted in a gross negligent way, soft costs are never compensated. 4.2.4. The customer’s responsibilities specified in the terms and conditions As discussed in paragraph 4.2.1, the customer legally has to apply to the product’s terms and conditions, guarantee the security of the personalized safety attributes and should not act in a gross negligent way. These law statements do not provide the customer with full clarity on their responsibilities. In order to find more specific information, the customer will have to read the FSP’s product terms and conditions. All FSPs are free to create their own terms and conditions within the limits of the Dutch law. FSPs have taken this freedom and created their own specific terms and conditions. This makes it difficult to provide a generic overview of all the customer’s responsibilities. For this paragraph, the terms and conditions of the three large Dutch FSPs have been studied: ING, Rabobank and ABN AMRO. 
Both ING (ING, 2013) and Rabobank (Rabobank, 2013) have specified the terms and conditions in one document; ABN AMRO uses four different documents: the general terms and conditions (AMRO, 2010), the general conditions access ABN AMRO (AMRO, 2007), payment services retail customers (AMRO, 2013) and the glossary document payment services retail customers (AMRO, 2012). The first notable aspect is that all the FSPs have updated their online banking related terms and conditions. In these updated terms and conditions, the safety measures that the customer has to take are expanded and described at more length. On the one hand this provides the customers with more clarity about their responsibilities. On the other hand this mandates more responsibilities from the customers than in previous versions: a shift in responsibilities. Customers have to comply with these measures, and if they do not apply them this could be seen as an act of grossly negligent behavior and thus liability. The second notable aspect is that the FSPs seem to be more in agreement about the responsibilities of their customers. In fact, the mandatory measures with regard to the protection against online fraud are more or less the same for the studied FSPs. The most important online banking related terms and conditions concerning customer responsibilities can be divided into prevention, detection and notification. The list below provides an overview of the most important prevention measures the customer has to take:

- The customer should make sure that the device, software and internet connection are secure, irrespective of whether the customer uses their own device, software or (wireless) internet connection or those of a third party.
- The customer has to use security software for the device, software and (wireless) internet connection. This security software should protect against unwanted actions or access and against computer viruses. The minimum requirements are a legal and up-to-date version of the operating system, the browser and security software that should at least include a virus scanner and a firewall.
- Plug-ins, such as Adobe Reader, Adobe Flash and Java, should be updated regularly (ABN AMRO specific condition).
- The device and software should have access control, for example an unlock code.
- The device should comply with the minimum technical and system requirements specified on the website of the FSP.
- Security and authentication codes (including challenge and response codes generated by the security token or the FSP's website) are personal codes and should never be shared with a third party (for example on the phone or on a website that does not belong to the FSP). The customer has to take all reasonable measures to prevent the use of these codes by third parties. Which measures are reasonable depends on the circumstances.
- The FSP can give additional security related directions on its website; the customer has to comply with these directions.
- When browsing the website, the customer should continuously verify that the website is still secure. The customer has to make sure that the URL starts with https:// and that the security lock in the URL bar is displayed. Furthermore, the customer should verify that the entered URL is correct and that the website's certificate is validated by the FSP.
- The customer should verify that the behavior of the website for authentication and for the verification of the transaction conforms to the FSP's standards (ABN AMRO specific condition).

The detection and notification related terms and conditions are:

- The customer should always verify their online banking transaction history after they have initiated an online transaction, in order to make sure that the transaction has been executed according to the customer's specifications. If the customer identifies any differences, the customer should immediately contact the FSP.
- In case a customer suspects fraud, the FSP should immediately be notified by the customer.
- The customer should notify the FSP at least within 14 days after the fraudulent transaction became visible in the online banking platform. These 14 days are shortened in cases that require immediate attention (ING specific condition).

Although the FSPs have updated their terms and conditions and specified the customer's responsibilities, it is still questionable whether this is sufficient. The terms and conditions are still not very specific. For example, it is still unclear what should be defined as a secure environment, what up-to-date means, what the FSP defines as a virus scanner and which virus scanners are accepted. There are, for example, programs on the internet that pretend to be a virus scanner but are in fact malware. There is also malware that pretends to be a free (trial) version of a trustworthy brand, such as AVG, known as "shareware" ("Malware vermomd als gratis antivirus AVG - Computerworld," 2011). This software has the same look and feel as the real virus scanner and seems very legitimate to an ordinary user. Although the terms and conditions also inform the customer about their legal liability in the event of gross negligence, they do not specify what gross negligence is.
It is thus questionable whether these terms and conditions provide the customers with sufficient information to act in a responsible way. We could also ask whether the average customer will read the lengthy terms and conditions, is able to understand what is expected and is able to take all these measures. The NVB has recently announced that FSPs are going to standardize their terms and conditions ("Banken krijgen uniforme veiligheidseisen | nu.nl/tech | Het laatste nieuws het eerst op nu.nl," 2013). Finally, the terms and conditions of the FSPs provide very limited information on what the customer can expect as a duty of care. This will make it very difficult for a consumer to know what to expect from the FSP.

4.2.5. Liability

Being responsible or acting in a negligent way is in itself not sufficient to be liable for something. Bovens described three generic conditions that should be met in order to be liable: culpability, causal relationship and negligence (Bovens, 1990). Culpability means that somebody should be guilty of violating a standard. This means that there should be human behavior, an act or an omission, that seems to have contributed to a situation. The standard refers to the standard of behavior that can reasonably be expected. Causal relationship means that there should be a causal relationship between the behavior or act of a person and the resulting situation or damage. Somebody will only be liable when there is a causal relation between the act or the negligence of the person and the resulting situation. According to Bovens, it is not only important to determine whether somebody, through their act, has contributed to the situation; the person should also be blameworthy for the act (negligent). This means that the person should have had real possibilities to act in a different way. All three conditions should be met in order to be liable.

4.2.6. What is gross negligence?

Neither Dutch civil law nor the terms and conditions of the FSPs provide a generic answer to what gross negligence is. In her book about computer ethics, Johnson defines negligence as: "to be a failure to do something that a reasonable and prudent person would have done. In common law it is assumed that individuals who engage in certain activities owe a duty of care; negligence is a failure to fulfill that duty". Thus negligence presumes a standard of behavior that can reasonably be expected of an individual engaged in a particular activity (Johnson, 2001). In his book about responsibility and liability for FSPs and their customers, M.R. Mok argues that it is difficult to decide what gross negligence is (Mok, 2005). Mok identifies two potential solutions. The first solution is that the FSP should always have to compensate the losses, since the online banking platform also provides the FSP with benefits in terms of cost savings. The second solution is to accept that becoming the victim of theft is a fact of life that is the risk of the consumer. He claims that both solutions have their benefits and that the real question is where we should set the borders. According to Mok, the problem is, however, the translation into legislation. He states that "we should be aware that legislation in many cases is nothing more than a fig leaf in order to mask the insolubility of a problem" (Mok, 2005).

The final judgment about an act of gross negligence is to be given by the financial affairs complaints institute (KiFid) or the judge. Because FSPs in the past have always compensated their customers for online banking related fraudulent losses, it is difficult to establish a clear point of view based on case law, especially for malware and pharming related frauds, because these cases have not yet been subjected to official complaints or lawsuits. For phishing and social engineering related frauds only a very limited number of judgments is available. The three most recent cases have been studied. In a complaint case of 30-01-2012, a customer who provided the security codes to the fraudster on the phone was only held partly liable for the phishing damage, because the FSP had not contradicted a claim of the NVB that the FSPs will always compensate their customers (a statement made by the NVB during 2010). The KiFid was of the opinion that the losses should be shared, resulting in a loss of € 17.000,- each (KiFid, 2012). On 16-4-2013 the KiFid handled a case with the same fraudulent situation. However, in this case the KiFid's opinion was that the FSP had been clear in its communications (and that the NVB had changed its statements on compensation policies), and it declined the claim of the customer, resulting in a customer loss of € 26.111,- for the committed fraud, excluding the costs of the lawyer (KiFid, 2013a). In another complaint case of 23-6-13, a customer was also held liable for phishing related losses. In this case the KiFid even added the following statement to its judgment: "the FSP, in principle can be confident that fraud is impossible when the customer is acting according to the safety regulations" (KiFid, 2013b). No substantiation or proof has, however, been added to this statement.
In a lawsuit related to phishing with the same modus operandi as in the previous two cases, the judge supported the point of view of the KiFid (Rechtspraak, 2012). Thus in the case of phishing the KiFid and the judge hold that a customer is acting in a grossly negligent way when the customer violates the terms and conditions of the FSPs. Because the FSPs have expanded their terms and conditions (as discussed in paragraph 4.2.4), it will likely become more difficult for a customer to prove the opposite. When the arguments of the KiFid and the judge are studied, it is questionable whether there is a clear notion of the standard of behavior that can reasonably be expected of an individual engaged in online banking activities. At least, no reference is made to such standards. Johnson also claims that legislators, lawyers and judges will have to completely understand computer and information technology to respond appropriately to these cases (Johnson, 2001). Given the reasoning and the questions asked in the cases described above, it is questionable whether those requirements are being fulfilled. Apparently no arguments have been made by the customer related to the duty of care of the FSP. We could for example argue that the FSP should have the ability to recognize suspicious payment patterns, or at least deviating behavior. We could also argue that transferring the entire savings balance to a domestic account should be recognized by the FSP, that the FSP has a duty of care to protect the customer, and that not protecting the customer is negligent. This view is supported by Dr. M.J.G. van Eeten, a Dutch professor who focuses on the governance of cyber security. In the Dutch consumer program Kassa (Kassa, 2013), Mr. van Eeten claimed that FSPs should be able to detect deviations in the customer's payment behavior. Unfortunately, the standard is also unclear in this case: there is very little knowledge of and agreement about the moral standard of behavior for the FSPs, so it is difficult to determine whether the duty of care has been violated. As a final aspect, we notice that the judge as well as the KiFid requests that customers prove that they have not acted in a grossly negligent way. This is, however, in conflict with the European guidelines and Dutch law. As described by van Raaij, the burden of proof is reversed: the FSP has to prove its innocence of what it has been charged with by the consumer (Raaij, 1997).

4.2.7. Government

From a legal point of view, it is also interesting to explore the current points of view of the government and the political debates, because the points of view of the government might lead to future legislation. The general point of view of the Dutch government is that it only has a limited task in the area of business to consumer relations in the sense of legal regulation. The government is only willing to impose laws and regulations in cases of serious physical or financial risks for the customer.
The majority of tasks related to consumer protection is normally delegated to the deliberation between consumer organizations and producers (Raaij, 1997). In the Dutch House of Representatives (de Tweede Kamer), official questions have been raised about the shift in the balance of responsibilities. Based on the answers from the minister of Finance we can conclude that the government is aware of the shift but has no current concerns as long as it occurs within the law. According to the minister of Finance, there are no signals that FSPs do not comply with those laws (Dijsselbloem, 2012) (Dijsselbloem, 2013). The opposition questions whether the current shift is indeed correct from an ethical perspective. Some of the political parties are of the opinion that FSPs should always compensate their customers for their losses ("'Altijd geld terug bij internetcrime' - AD.nl," 2013); other parties are of the opinion that some of the terms and conditions of the FSPs ask too much from their customers regarding the detection of fraudulent activities ("SP: verplicht internetbankieren op vakantie is zot - Security.NL," 2013). Recently, the reimbursement policies of the Dutch FSPs have been put to a vote in the Dutch House of Representatives. The House of Representatives has adopted a resolution of Nijboer and Merkies stating that FSPs should compensate customers for their direct financial losses in cases of phishing or malware ("Kamer: bank moet schade phishing vergoeden - BNR Nieuwsradio," 2013). Although this resolution has been adopted, it does not change the obligations of the FSPs, nor does it provide any more clarity. This is due to the fact that the resolution includes the condition that the customer should not have acted in a grossly negligent way. Unfortunately, the resolution does not specify what the moral standard for grossly negligent behavior should be, nor does it specify how FSPs should fulfill their duty of care. Although the duty of care and grossly negligent behavior have been questioned and discussed, this has not resulted in any agreements, consensus or clarity from a governmental perspective. The Dutch government is in favor of a more digital society, as this creates important benefits for the Netherlands, its citizens and Dutch companies. To be more specific to the thesis subject: the Dutch government is in favor of the online banking channel because it provides attractive benefits for society. In general, one of the main responsibilities of the government is to protect its citizens and to take measures that protect or enhance their safety (Raaij, 1997). The digital economy brings new knowledge, risks and responsibilities, of which secure online banking is one. The government is thus also one of the stakeholders that should take responsibility for the education of Dutch consumers and should not simply delegate this responsibility to the FSPs alone.
The government could for example enforce the creation of information packages and campaigns as well as educational components, for example in the educational system. In its cyber security strategy document, the Dutch government states that security is a core task of the government, also in the cyber domain. It also states that the government has a responsibility to enhance the online security and privacy of its citizens. The Dutch government commits itself to increasing the cyber security awareness of its citizens, companies and governmental bodies, to countering cyber criminals and to preventing social disruption due to cyber incidents. If necessary, the government will impose rules, regulations and standards (NCTV, 2013).

4.2.8. Conclusion

The enforcement of liability is clearly arranged by law. The responsibilities of the customer and the FSPs are only defined at a high level; the law does not provide the moral standards. The terms and conditions of the FSPs describe the responsibilities and liabilities of the customer in particular. The responsibilities of the FSPs are not clearly defined. Although the FSPs have a duty of care that is arranged by law, it has not been specified what this duty of care implies. FSPs are relatively free to define how to apply their own duty of care. Although FSPs have created more specific terms and conditions and have invested in information campaigns, it is still not completely clear what is expected from the customer and whether we can expect the customer to read, understand and execute the expected moral standards. Despite the duty of care and the investments in securing the channel, educating the customer, monitoring transactions and cleaning the internet, fraud is still being committed. Since 2012, Financial Service Providers have claimed that customers acted in a grossly negligent way in cases where the customer deviated from the terms and conditions. Both the financial affairs complaints institute and the judge have (partly) supported the FSPs' point of view in specific cases. This support is, however, questionable, since it is not clear whether the duty of care of the FSPs has been taken into account correctly in these cases. Neither is it clear whether a moral standard has been defined and whether it is feasible to expect the average customer to comply with this standard. We should be careful in considering the law as a solution to this problem, especially since it is difficult to determine what the standard of reasonably expected behavior should be for all parties involved. Determining whether somebody has acted with gross negligence is difficult, if not impossible, when these standards have not been determined and validated.
We should first determine and communicate the standard and specifications of grossly negligent behavior and of the duty of care from a moral and ethical perspective, before the law uses them as a standard by which we judge. Furthermore, it is important to conclude that by law the FSP has to prove that the customer has acted in a grossly negligent way; it is not up to the customer to prove the opposite. Besides the responsibility of the FSPs and their customers, there is a responsibility for the government to enhance cyber security and cyber security awareness.

4.3. The ethical point of view

In her book "Computer Ethics", Deborah G. Johnson asks the question how these ethical issues should be solved. Johnson explains: "to say that computer ethical issues arise because there is a vacuum of policies, leaves open whether the vacuum should be filled with laws or with something else. It is quite possible that vacuums are better left to personal choices, institutional policies or social conventions rather than to the imposition of law. It is also important to remember that this doesn't need to be an either / or matter. In a wide variety of cases, what seems to be needed, is a multiplicity of approaches" (Johnson, 2001). Johnson also states that "simply handling online crime as a normal crime could potentially cause issues because the danger is that we may be so taken with the similarities of the cases that we fail to recognize important differences". Johnson draws a distinction between new versions of old crimes and crimes that could not exist without computers. "When a new version of an old crime is executed it's tempting to think of this new version of crime as morally equivalent to the old crime. This however ignores relevant aspects, such as different instruments being used, and it is these different instruments that seem to affect the moral character of a crime. The online crime issue can therefore best be understood as new species of generic moral issues" (Johnson, 2009). This means that we cannot simply apply our existing standards of the "offline world" to the "online world" in order to reach the moral standard for normal behavior. In this paragraph we should thus explore the ethical aspects of the different elements. It is important to recognize that there are functional differences between law and ethics. As Jeurissen describes in his book, "the difference between law and ethics lies in the motivation to adhere to standards. Ethics always require inner motivation: people must urge themselves to behave morally, from an inner agreement with a moral principle. And they must be free to do so. Law does not require the inner agreement, but is based on external compulsion". Jeurissen further explains that ethics and law can best be seen as complementary and that ethics is sometimes ahead of the law, since it often takes a number of years for a law to get passed (Jeurissen, 2007).

4.3.1. A power balance of responsibilities

In order to understand the situation from an ethical perspective, we will first explore the more generic aspects of ethics in relation to a consumer / professional relationship. As described in the earlier paragraphs, it seems that there is a shift in the balance of responsibilities for secure online banking. Manuel G. Velasquez described three views on the relationship of business towards consumers. To him it is clear that part of the responsibility for consumers' damages must rest on the consumers themselves, since individuals are often careless in their use of products. The real question is where the consumer's duty to protect their own interests ends, and where the business' duty to protect the consumer's interests begins (Velasquez, 1998). Velasquez described three different theories in this regard: the contract view, the due care view and the social costs view (the following explanations of these three views are quotes from his book when placed between quotation marks).

"According to the contract view, the relationship between a business firm and its customers is essentially a contractual relationship, and the firm's moral duties to the customer are those created by this contractual relationship. When a consumer buys a product, this view holds that the consumer voluntarily enters into a 'sales contract' with the business firm. The act of entering into a contract is subject to several secondary moral constraints:

- both parties of the contract must have full knowledge of the nature of the agreement they are entering;
- neither party of a contract must intentionally misrepresent the facts of the contractual situation to the other party;
- neither party of a contract must be forced to enter the contract under duress or undue influence.

Full knowledge implies that the seller has the duty to disclose exactly what the customer is buying and what the terms of the sale are. At a minimum, this means that the seller has a duty to inform the buyer of any facts about the product that would affect the customer's decision to purchase the product. For example, if a defect that poses a security risk exists, then the customer should be informed" (Velasquez, 1998). Thus this view means that the Financial Service Provider has to explain all the defects, weaknesses and threats of the online banking platform to their customers. The contract view is however not applicable to this situation, since the customer does not have full knowledge of the nature of the product and its potential security flaws. FSPs and customers do not share the same information and are not equally skilled in this matter. Customers therefore have to rely on the judgment of the FSP.

"The due care theory of the business' duties to consumers is based on the idea that consumers and sellers do not meet as equals and that the consumers' interests are particularly vulnerable to being harmed by the business, which has a knowledge and an expertise that the consumer does not have. Because businesses are in a more advantageous position, they have a duty to take special care to ensure that consumers' interests are not harmed by the products that they offer them. The business violates this duty and is negligent when there is a failure to exercise the care that a reasonable person could have foreseen would be necessary to prevent others from being harmed by use of the product. A business is not morally negligent when others are harmed by a product and the harm was not one that the manufacturer could possibly have foreseen or prevented. Nor is the business morally negligent after having taken all reasonable steps to protect the customer and to ensure that the consumer is informed of any irremovable risks that might still attend the use of the product. For example, a business cannot be said to be negligent when the customer is acting carelessly or misusing the product. In determining the safeguards that should be built into a product, the business must also take into consideration the capacities of the persons who will use the product. If the business anticipates that a product will be used by persons that are too inexperienced to be aware of the dangers attendant on the use of the product, then the business owes them a greater degree of care than if the anticipated users were of ordinary intelligence and prudence. The difficulty with this view is that there is no clear method for determining when one has exercised enough due care; there is no hard and fast rule. A second difficulty is that it assumes that the business can discover the risk before the consumer buys and uses it" (Velasquez, 1998). For the FSPs, this second difficulty can however be eliminated. FSPs have the possibility to inform their customers of newly discovered risks during the contract, since they know who their customers are and because they have the ability to communicate with them directly. The problem is thus to determine when enough due care has been exercised (as discussed in paragraph 4.2.8). "The social cost view holds that a business should pay the costs of any damages sustained through any defects in the products.
Even when the business exercised all due care in the design and build of the product and has taken all reasonable precautions to warn customers of every foreseen danger. This theory is a very strong version of the doctrine of 'caveat vendor': let the seller take care. By having the business bear all the external costs that result from damages as well as the ordinary internal costs of design and build, all costs will be internalized and added on as part of the price of the product at the initial sale, hence informing the customer of the total costs at the sale. Second, since manufacturers have to pay the costs of damages, they will be motivated to exercise greater care and therefore to reduce the number of incidents. A criticism of this view is that by passing the costs of damages on to all consumers (socializing the costs in the form of higher prices), consumers are also being treated unfairly. A second criticism of this theory attacks the assumption that passing the costs of all damages on to the businesses will reduce the number of accidents. On the contrary, critics claim, by relieving consumers of the responsibility of paying for their own injuries, the social costs theory will encourage carelessness in consumers. An increase in consumer carelessness will lead to an increase in consumer damages" (Velasquez, 1998). This theory thus leads to moral hazard amongst consumers. We have seen that in the past, FSPs have applied the social costs view in cases of fraudulent losses in online banking. During 2012, FSPs started to apply the contract view in at least some of the cases. This means that responsibilities are shifting from a phase in which the FSP took full responsibility to a phase in which the responsibilities are divided and shared between the FSPs and their customers. Because of the inequality in knowledge and position between the customer and the FSPs, and the fact that the customer does not have full knowledge, it seems better, however, to move to the due care theory instead of the contract view. The Dutch Government seems to support this claim. It states that "we can't expect our citizens to completely understand and assess the security and privacy aspects of the increasingly complex ICT services and products offered by large international companies. Therefore there is a clear responsibility for these companies to take care of the customer's security and privacy. They need to be transparent about their efforts and measures for enhanced cyber security" (NCTV, 2013).

4.3.2. Responsibility types

In order to completely understand responsibility, we will have to define responsibility. Responsibility in this research is defined as: "responsible is the person or authority which can be regarded as the cause or one of the causes of the effect of an action, or has a role, position or function that involves accountability" (Jeurissen, 2007). The second thing we will have to do is to define what type of responsibility is actually shifting.
In his book Bovens describes five types of responsibility, of which four were initially defined by the English legal philosopher Hart (Bovens, 1990). The first type is responsibility as a cause; this means having caused a specific situation. In the situation of online banking fraud we could argue that the FSP, the customer as well as the fraudster are part of the cause, since the customer and the FSP have provided the fraudster with the opportunity to commit the fraud. If we define the cause in stricter terms as the one who has committed the fraud, then the fraudster is the only responsible person. Within the context of this research we will use the strict definition of being responsible as a cause; thus the fraudster is the responsible person.

The second type is responsibility as ability. This means that in order to be responsible, a person should have had the ability to execute the responsibility. Whether a customer has the ability to execute the responsibility of secure behavior depends for example on the mental ability as well as the security related knowledge of the individual. Second, whether the customer or the FSP has the ability to detect and prevent the fraud depends on the modus operandi and the target of the fraud. This responsibility type thus applies to both the customer and the FSP. The third type is responsibility as a duty. The FSP has a duty of care towards the customer. The customer has the duty not to act in a grossly negligent way. We have already seen these duties in previous paragraphs of this research. The fourth type is defined as responsibility as liability. In terms of liability, again all three stakeholders can be held liable (though the really responsible and liable person should be the fraudster). When it is impossible to catch the fraudster, somebody else should be held liable, since somebody has to take ownership of the losses. It depends on the situation whether the FSP, the customer or both will be held liable. This depends on the duty of care and the moral standard for customers. In order to be responsible in the sense of liability, the second and third type of responsibility should at least be applicable and preferably also the first type. The fifth and final type is responsibility as a virtue. This is the positive variant of responsibility. The customer could see it as a virtue to act in a responsible way and to help prevent fraudulent behavior. For the FSP it seems mandatory to take responsibility as a virtue, since it offers a service to its customers for which the customers pay. Bovens also distinguishes between active and passive responsibility.
Active responsibility refers to being responsible during the act (responsible behavior), whereas passive responsibility refers to being held responsible after the act (Bovens, 1990). In this research, responsibility will primarily be referred to as active responsibility in the sense of responsibility as ability and duty. This primary aspect might result in passive responsibility in the sense of liability.
4.3.3. Elements of responsibility

As indicated earlier, the current issues are related to the due care of the FSPs and grossly negligent behavior. We have also determined that there should be a moral standard against which we can judge behavior in order to determine whether or not someone is negligent. This moral standard can be seen in the light of a moral responsibility to act in an ethical way (ethical behavior). In this research ethical behavior is defined as: “Acting ethically is acting in accordance with the values and norms which we consider binding for ourselves and others, within reason” (Jeurissen, 2007). In his book, Jeurissen describes five aspects by which we can determine whether a customer can be held responsible:

- Duty: is there an obvious moral obligation or standard that applies in the situation or that goes with the job or person we assess?
- Knowledge: was the person we assess aware of this obligation, standard or value, or should the person, within reason, have been aware of it?
- Volition: was the person we assess legally capable of making the decision, and was there no (external) coercion?
- Ability: was the person we assess (mentally) able to act, and were there alternatives?
- Intention: was the person able to calculate the consequences of his or her actions, and did the person have the mental capacity to consider different alternatives?

All the above elements should be in place before we can conclude that someone is morally responsible for an act and the result of that act, and can potentially be held liable. Although the above criteria are less important in the strict legal perspective than in the ethical perspective (Bovens, 1990), we should include the criteria of both perspectives when trying to find an answer to the main question of this research (paragraph 3.7). Thus, when we assess whether or not a customer should be responsible for the financial damage of a fraud, we shouldn't only use the criteria of liability (paragraph 4.2.5) but also the above criteria for moral responsibility.
4.3.4. Moral consciousness

According to the law and the FSPs' terms and conditions, customers have the duty to act in a responsible way. The next question is whether or not customers are aware of this responsibility. In his research paper, Brinkmann refers to this as “moral awareness” (Brinkmann, 2004). In another study, by McGregor, the customer's responsibility awareness is referred to as “moral consciousness” (McGregor, 2006). In this paper McGregor answers the question why people in their consumer role do not have a well-developed moral conscience. In this paper McGregor describes a phenomenon which he calls consumer immaturity. McGregor refers to
research by Whitbeck that explains why consumers are immature: “we now live in a society that is changing so rapidly, especially technologically, that we are presented with consumption decisions that have no correlates in the experience of previous generations. Therefore, constructing good responses to moral problems takes great effort and attention. Consumers have to learn how to avoid pitfalls that leave them open to corruption or neglect of their responsibilities” (Whitbeck, 1998). McGregor argues that “many consumers are operating at a very immature level of moral development, relative to their role as consumers. Their sense of moral rightness comes from accepting the rules and standards of the collective consumer group. And, this group is not in good moral standing. To further develop their moral conscience, consumers need guidance creating the moral context within which they exercise their moral responsibilities and they would need to have full information”. Thus, if FSPs want to hold their customers responsible, they need to help their customers improve their moral consciousness. This is, however, not only the responsibility of the FSPs. Improving the moral consciousness for internet security (of which online banking is a part) is a duty of the entire society, including the customers themselves.

4.3.5. Joint responsibility

The due care responsibility theory (paragraph 4.3.1) represents a joint responsibility between multiple stakeholders. There are a number of different stakeholders in the responsibility chain of secure online banking, who all carry different responsibilities. Together, all these stakeholders share the total responsibility for secure online banking, each in their own manner. The FSP, for example, has the responsibility to secure the online banking platform and to inform its customers about the necessary and mandatory security measures the customer has to take.
The customer, for example, has the responsibility to comply with these mandatory security measures. Another stakeholder with responsibility is the government, for example by imposing new laws and regulations or by improving the level of awareness of its citizens (as discussed in paragraph 4.2.7). Outside the scope of this research, we might be able to identify even more stakeholders. Joint responsibility is thus a matter of sharing responsibilities. The shift in the responsibility power balance needs to be more than just a simple shift of part of the responsibility to another stakeholder, or just increasing the responsibility of one stakeholder without affecting the responsibilities of the other stakeholders. Van Luijk and Schilder describe what they call a moral elementary truth: “in cases where responsibilities are being shared, the total responsibility increases” (Luijk & Schilder, 1998). In other words, the total pie of responsibilities will grow when the pie is divided into more pieces. Thus, the current power balance isn't only increasing the responsibility of the customer (to comply with the mandatory security measures) but will also
increase the responsibilities of the other stakeholders, for example by improving communication and education, and also by increasing the current duty of care of the FSPs. Joint responsibility is thus more than dividing or distributing responsibilities: “joint responsibility is about how to organize responsibilities in such a way that a surplus of effective responsibility will be created” (Luijk & Schilder, 1998).

4.3.6. Who should be responsible?

Given the very low chance of becoming a victim of online banking fraud (paragraph 4.1.1), we could argue that becoming a victim is just a matter of bad “moral luck”. As Witteveen describes in his book, “we speak about moral luck when the fact that a person handles in a better (or worse) way is due to a fortuitous circumstance instead of due to the fact that a person has deliberately handled a situation in a better way” (Witteveen, 1989). For the chance of becoming a victim, especially of malware-related crime, we could support this view, since it's very difficult for a customer to spot malicious behavior (as will be discussed in paragraph 4.4.1). However, when we look at the chance of becoming a victim from a preventive perspective, for example by means of complying with the FSPs' terms and conditions (paragraph 4.2.4), this view can be rejected, since taking these measures is more than just moral luck. Based on the arguments of Witteveen, we should ask ourselves a second question: are we asking too much from the FSPs in terms of duty of care, or from the customer in terms of not acting in a grossly negligent way? This happens “when we keep somebody accountable for more than the power of control of the person” (Witteveen, 1989). And this is exactly the question in our quest towards the span of the duty of care and negligent behavior. In terms of online banking related fraud and prevention, this question cannot be answered by the available literature.
Johnson explains that, “when security is breached, questions of blame and accountability are raised. Although the intruder is obviously at fault, attention may also turn to those who were responsible for security. This is a complicated dilemma: device owners (customers) and website / system providers (FSPs) choose whether they want to invest (time, money) in security or not. The question is: if someone chooses not to take steps to protect a system from intruders, are they, partially at least, to blame when an intruder breaks in? We might even say it's foolish not to protect your system. Nevertheless, it seems wrong to blame those who don't install security, “because we don't know the details of their circumstances”. Johnson's conclusion to this dilemma is as follows: “In the IT-configured society of today, it seems difficult to defend the idea that a user with means has no responsibility for trying to secure a computer on the internet, if only because of the illicit uses for which the machine might be used for fraudulent activities. We expect people who own guns to have trigger locks on the guns; perhaps we are now at the point that we should expect people who have
computers on the internet to use strong passwords” (Johnson, 2009). Personally, I would like to change the last part of this phrase, “to use strong passwords”, to “to take preventive actions”, since there are more measures a customer can take than just a strong password (for example the measures described in paragraph 4.2.4).

4.3.7. Conclusion

In cases of online banking related fraud, the fraudster abuses the customer or the customer's personal computer. Based on the above statements, it's difficult to defend that the customer has no responsibility at all. When a customer is held responsible, it's however important that all the elements of responsibility are present. Furthermore, we have identified that joint responsibility implies an increase in responsibility for all involved stakeholders and not just a shift from one to the other. Firstly, this means that customers should know and understand their responsibilities. Communicating and understanding those responsibilities is a joint responsibility in itself. The FSPs should undertake sufficient efforts to help their customers understand their responsibilities and to help them take preventive actions. The customers and society have the responsibility to take this matter seriously and to try to understand what is required; they should improve their moral consciousness in this matter. It's impossible to improve moral consciousness when FSPs and society are not providing the necessary information, but it's also impossible when the customer is not willing or able to understand. Secondly, this means that the customer needs to have the volition and ability to act according to these responsibilities. Customers should also understand the consequences of their actions, especially the consequences of not taking the required security measures. Thirdly, this means that the entire duty of care of the FSPs will increase and that communication in itself will not be enough.
Based on the ethical theories, the responsibility power balance should shift towards the due care theory. This is however legitimate if all stakeholders succeed in taking care of all the elements of responsibility and when we have developed moral standards. In the absence of clear knowledge on the availability of the necessary responsibility elements and of agreement on the moral standards, the remainder of this research will focus on obtaining answers to the following research questions:
- To what extent are the critical elements of responsibility fulfilled in the current situation?
- What is the moral standard for the duty of care / due care of the Financial Services Provider?
- What is the moral standard for the customer's behavior related to grossly negligent behavior?
- What are potential future joint responsibilities, liabilities and measures for the Financial Services Providers and their customers, from the customer's point of view?

4.4. View from market research

The remaining questions formulated above could not be answered from the perspective of the law or from the ethical perspective. In this paragraph we will explore whether the available market research can help to identify the answers to those questions. This will be done by exploring the known views of experts and the customer.

4.4.1. The view on the customer's abilities to detect

“In the absence of a utopian world, it seems necessary that we must strive to improve our computer systems and communications, our standards, our expectations of education and our world as a whole. Overall awareness of computer system vulnerabilities and security countermeasures is greater than it was a few years ago. The potential opportunities and gains from misuse seem to be increasing. However, our society does not seem to be getting significantly more moral on the whole, despite some determined efforts on the part of a few individuals and groups” (Rogerson, 2004). According to David S. Wall there is an overall lack of public knowledge about the real risks of cybercrime, and “those who are not discouraged from going online often are unable to make informed choices about the risks that they may face, especially where the threat is new” (Wall, 2008). Hence, according to experts, awareness and therefore the ability to detect (or perhaps even protect) is low. When awareness is low we can at least conclude that an important element of moral responsibility is missing.
The government is of the opinion that “we could expect a certain level of basic cyber hygiene and ability of citizens using IT devices. For example being careful with personal information, taking care of software updates and using strong passwords” (NCTV, 2013). According to governmental research, the awareness of cyber security amongst citizens has increased. However, despite this increase, the risk perception amongst ICT users is still limited and there is a large risk
related to overconfidence. Dutch citizens rank their cyber security skills as a 7, which according to this research is overrated. For example, 66% of respondents didn't know how their device could be used for malicious activities, and passwords most often do not comply with the advised security standards (“Alert Online stimuleert veilig online gedrag | Nieuwsbericht | Rijksoverheid.nl,” 2013). Experts question whether or not well-informed customers would be able to detect and protect themselves against the risk of fraud. H. Cate is of the opinion that the most basic protection is personal judgment and that this can play a vital role in protection: “the actions of individuals may provide the best defense against identity theft” (Meulen, 2011). Other experts, such as Solove, are of the opinion that the role of the consumer is very minimal, if it exists at all. Marron, another expert, states: “the problem becomes pitched not as one of systemic institutional culpability, but as lack of awareness on the part of individuals”. These experts claim that the best phishing websites manage to fool 90% of participants (Meulen, 2011). The Dutch National Cyber Security Centre claims that a success ratio of 30% should be attainable for phishing websites (NCSC, 2012). Drive-by downloads are even more dangerous because they are extremely difficult for consumers to detect (Provos, Mcnamee, Mavrommatis, Wang, & Modadugu, 2008). Although these forms of fraud might be difficult to detect, this doesn't mean that there is nothing the customer can do. Drive-by downloads, for example, usually abuse insecure old versions of web browsers and can only be detected by the right, up-to-date virus scanner. And although phishing websites and social engineering attacks are executed in a very professional way, customers have been informed by their FSPs that they always have to check the URL and the certificate, and that the FSP will never ask for codes by means of a phone call.
Experts seem to agree that it's too much to ask a customer to detect malicious behavior, but they do not provide a general point of view related to prevention. Hence, by using and combining the points of view of the experts we will not be able to create a generic moral standard for customer behavior. To answer whether or not the necessary elements of responsibility are present, we need to find out whether or not online banking customers are willing, knowledgeable and capable of executing their responsibilities, and whether they are willing to accept the potential consequences. Unfortunately, there is no complete research available that provides insight into the willingness, knowledge and ability of customers to prevent and detect. Capgemini has recently conducted a study (executed by TNS NIPO) amongst Dutch consumers on their awareness of aspects such as cybercrime, viruses, phishing and fake websites. This research indicates that 14% of the
consumers rank themselves as very knowledgeable about these threats and 52% of the consumers rank their knowledge as reasonably good (Capgemini, 2013). Unfortunately, this research doesn't shed any light on whether these customers really are aware of the threats or only think they are. Nor does it provide insight into the knowledge of customers and their ability to take preventive measures. Another study, executed by the Lieberman Research Group and the company Unisys, finds that only 18% of Dutch consumers are seriously concerned about computer security in relation to viruses or spam, and only 10% of Dutch consumers are seriously concerned about the security of online banking (Unisys, 2013a). This research also doesn't provide more details or answers about the knowledge and ability of the Dutch consumer. In another study, Unisys compares the outcome for the Netherlands to eleven other countries (Unisys, 2013b). This comparison gives some perspective on the score of the Netherlands. Dutch consumers are by far the least concerned about internet security. The level of concern in countries such as the United States (the least concerned country after the Netherlands) and Spain is about 50% higher, and the level of concern in Germany is about 100% higher than in the Netherlands. Although we are all on the same World Wide Web and generally exposed to the same risks, there is a significant difference in the Dutch level of concern. According to the Dutch National Cyber Security Centre (NCSC), the ability of the average Dutch internet user is not very high. They claim that the average internet user doesn't have sufficient knowledge and skills to protect themselves from digital risks. They are very much afraid that the ongoing digitalization will widen this gap. The NCSC assesses the average Dutch online consumer as very vulnerable (NCSC, 2012).
This is especially true for the group of consumers that are classified as digitally illiterate (“digibeet”). According to research by Yvette Bommeljé, 1.5 million Dutch consumers that use the internet can be classified as digitally illiterate. She explains that 9% of Dutch consumers don't have any computer skills and that the computer skills of 18% of Dutch consumers can be classified as very low. This means that at least 27% of Dutch online consumers do not have the necessary skills to operate their computers. Another 21% of Dutch consumers are classified as having little computer skills. In total, 48% of Dutch consumers do not master their computer skills at a sufficient level. The same research indicated that 82% of these consumers used their computer to perform online banking activities (Bommeljé, 2013).
4.4.2. How customers currently secure themselves

It might be possible to define the moral standard of behavior based on the measures customers currently take. There is no research available on customers' current measures against phishing and social engineering. For malware- and pharming-related measures, there is a study focusing on the measures Dutch consumers take in order to secure their computer (Van Deursen, 2012). According to this research, 87% of the consumers have installed a virus scanner, 72% have installed a firewall and 59% of the consumers keep track of automated updates. Only 10% of the respondents do not take any safety measures or do not know whether they take any measures. This research shows that there is a certain variance between the different age groups, genders, levels of education and professions. Students and individuals between 16 and 35 years of age take fewer security measures than other respondents. Also, the research indicates that men on average take more security measures than women, and that medium to higher educated respondents seem to take more security measures than their lower educated counterparts. The majority of respondents in all the different groups seem to take care of a virus scanner, a firewall and automatic updates. Thus, we can argue that not taking care of these three measures can be identified as a deviation from the moral standard. These measures can best be seen as the absolute minimum set of security requirements (NCSC, 2012). Customers that only take these security measures do not comply with the terms and conditions of the FSPs (as specified in paragraph 4.2.4). Unfortunately, there is no research available on the awareness and current level of compliance of the customer with the other measures mandated by the terms and conditions. Based on the literature, we therefore cannot create a standard for moral behavior related to the entire set of demanded measures.

4.4.3. The view on the Financial Services Provider's duty of care

The European Central Bank has recently finished a report focusing on recommendations for the security of internet payments. The European Central Bank opens this report with the following statement: “given the current experience of regulators, legislators, FSPs and the general public that payments made over the internet are subject to higher rates of fraud than traditional payment methods the Forum decided to develop recommendations for the security of internet payments. These reflect the experience of overseers and supervisors in their home countries and take into account the feedback obtained in a public consultation. Furthermore the report includes some best practices” (ECB, 2013). Although the report of the European Central Bank
only provides recommendations, it seems like a solid first attempt to identify what an FSP should take care of in order to fulfill its duty of care. According to this report, FSPs should take care of the following high-level aspects:

- Strong customer authentication (at least two-factor).
- Implement effective processes for authorizing payments as well as for monitoring transactions and systems in order to identify abnormal customer payment patterns and prevent fraud.
- Engage in customer awareness and education on security issues with a view to enabling their customers to use such services safely and efficiently.

Furthermore, the report provides the following detailed recommendations that are relevant for this research:

- FSPs could provide security tools (e.g. devices and/or customized browsers, properly secured) to protect the customer interface against unlawful use or attacks (e.g. “man in the browser” attacks).
- FSPs should ensure that the prior information supplied to the customer contains specific details relating to the internet payment services. These should include, as appropriate:
  o clear information on any requirements in terms of customer equipment, software or other necessary tools (e.g. antivirus software, firewalls);
  o a step-by-step description of the procedure for the customer to submit and authorize a payment transaction and/or obtain information, including the consequences of each action;
  o guidelines for the proper and secure use of all hardware and software provided to the customer;
  o a description of the responsibilities and liabilities of the FSPs and the customer respectively with regard to the use of the internet payment service.
- FSPs should use fraud detection and prevention systems to identify suspicious transactions before the FSP finally authorizes transactions or e-mandates.
Such systems should be based, for example, on parameterized rules (such as black lists of compromised or stolen card data), and monitor abnormal behavior patterns of the customer or the customer's access device (such as a change of Internet Protocol (IP) address identified by geo-location IP checks, or a change of IP range during the internet payment services session, sometimes atypical e-merchant categories for a specific customer, or
abnormal transaction data, etc.). Such systems should also be able to detect signs of malware infection in the session (e.g. via script versus human validation) and known fraud scenarios. The extent, complexity and adaptability of the monitoring solutions, while complying with the relevant data protection legislation, should be commensurate with the outcome of the risk assessment.
- FSPs should provide assistance and guidance to customers, where needed, with regard to the secure use of the internet payment services. FSPs should communicate with their customers in such a way as to reassure them of the authenticity of the messages received.
- FSPs should set limits for internet payment services and could provide their customers with options for further risk limitation within these limits. They may also provide alert and customer profile management services.
- Within the set limits, FSPs could provide their customers with the facility to manage limits for internet payment services in a safe and trusted environment.
- FSPs could enable customers to specify general, personalized rules as parameters for their behavior with regard to internet payments and related services, e.g. that they will only initiate payments from certain specific countries and that payments initiated from elsewhere should be blocked, or that they may include specific payees in white or black lists.

Next to these recommendations of the European Central Bank, experts have identified how customers differ in their level of skills, awareness and vulnerability. FSPs (and their customers) could therefore benefit if they do not apply a one-size-fits-all policy to the above recommendations but instead apply specific customer profiles. The customers' opinions on the expected duty of care of the FSP have not been researched.
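As an added illustration of the monitoring and customer-rule recommendations listed above (example code written for this edit, not taken from the thesis, the ECB report or any FSP), the following Python sketch applies the kinds of checks the ECB describes to a single payment: a blacklist of compromised payees as a parameterised rule, an IP-range or country change within the session, a customer-defined country rule and payee lists, an FSP-set limit, an atypical merchant category and a failed script-versus-human check. All names, thresholds, addresses and sample payments are constructed assumptions.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed blacklist (a "parameterised rule" in the ECB's terms): payee
# identifiers known to be compromised. A real FSP loads these from its own
# fraud intelligence feeds; the value here is a made-up placeholder.
COMPROMISED_PAYEES = {"NL00EXAM0000000001"}

@dataclass
class CustomerProfile:
    """FSP-set limit plus the customer's own personalised rules."""
    daily_limit: float                      # limit set by the FSP
    allowed_countries: set[str]             # customer rule: only pay from here
    payee_whitelist: set[str] = field(default_factory=set)
    payee_blacklist: set[str] = field(default_factory=set)
    usual_merchant_categories: set[str] = field(default_factory=set)
    spent_today: float = 0.0

@dataclass
class Session:
    """State captured at login, used to spot changes within the session."""
    login_ip: str
    login_country: str
    human_validated: bool = True            # passed a script-versus-human check

@dataclass
class Payment:
    payee: str
    amount: float
    source_ip: str                          # address the payment request came from
    source_country: str                     # geo-location of source_ip
    merchant_category: str

def same_ip_range(ip_a: str, ip_b: str, prefix: int = 24) -> bool:
    """True when both addresses lie in the same /prefix network (IPv4 default)."""
    network = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in network

def evaluate(profile: CustomerProfile, session: Session, payment: Payment) -> list[str]:
    """Return the names of the rules that fired, in a fixed order."""
    hits: list[str] = []
    # Parameterised rules: FSP blacklist and the customer's own payee lists.
    if payment.payee in COMPROMISED_PAYEES or payment.payee in profile.payee_blacklist:
        hits.append("payee_blacklisted")
    if profile.payee_whitelist and payment.payee not in profile.payee_whitelist:
        hits.append("payee_not_whitelisted")
    # Customer-defined country rule: payments initiated elsewhere are blocked.
    if payment.source_country not in profile.allowed_countries:
        hits.append("country_not_allowed")
    # Access-device behaviour during the session: IP range or country change.
    if not same_ip_range(session.login_ip, payment.source_ip):
        hits.append("ip_range_changed")
    if payment.source_country != session.login_country:
        hits.append("country_changed_in_session")
    # FSP-set limit for internet payments.
    if profile.spent_today + payment.amount > profile.daily_limit:
        hits.append("limit_exceeded")
    # Atypical e-merchant category for this specific customer.
    if profile.usual_merchant_categories and payment.merchant_category not in profile.usual_merchant_categories:
        hits.append("atypical_merchant_category")
    # Sign of malware in the session: script-versus-human validation failed.
    if not session.human_validated:
        hits.append("possible_malware_session")
    return hits

# A hit on one of these blocks outright; any other hit asks for step-up
# (second-factor) confirmation, which also serves as an alert to the customer.
HARD_RULES = {"payee_blacklisted", "country_not_allowed", "limit_exceeded", "possible_malware_session"}

def decide(hits: list[str]) -> str:
    """Map fired rules to an action: 'block', 'step_up' or 'allow'."""
    if HARD_RULES & set(hits):
        return "block"
    return "step_up" if hits else "allow"

# Constructed sample data (no real customers, addresses or accounts).
PROFILE = CustomerProfile(daily_limit=1000.0, allowed_countries={"NL"},
                          payee_blacklist={"NL00EXAM0000000002"},
                          usual_merchant_categories={"groceries", "utilities"}, spent_today=800.0)
SESSION = Session(login_ip="192.0.2.10", login_country="NL")
SAMPLE_PAYMENTS = {
    "normal": Payment("NL00EXAM0000000003", 50.0, "192.0.2.10", "NL", "groceries"),
    "mid_session_move": Payment("NL00EXAM0000000003", 50.0, "198.51.100.7", "RO", "groceries"),
    "over_limit_to_blacklist": Payment("NL00EXAM0000000002", 500.0, "192.0.2.11", "NL", "groceries"),
    "odd_category": Payment("NL00EXAM0000000003", 20.0, "192.0.2.12", "NL", "crypto_exchange"),
}

def run_demo() -> dict[str, str]:
    """Evaluate every sample payment and return the decision per case."""
    return {name: decide(evaluate(PROFILE, SESSION, p)) for name, p in SAMPLE_PAYMENTS.items()}

if __name__ == "__main__":
    print(run_demo())
```

The "step_up" outcome stands in for the second-factor confirmation and alert the report recommends; which rules count as hard and which thresholds apply are exactly the customer-profile parameters the text argues should not be one-size-fits-all.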
On its website, the Dutch consumers' union (Consumentenbond) states that “when FSPs are increasing the measures a customer has to take, it becomes easier for the FSPs to blame their customer for grossly negligent behavior”. They are of the opinion that certain aspects of the FSPs' terms and conditions are too strict to be practically executable for consumers, for example the requirement to check their electronic statements every two weeks (Consumentenbond, 2013).
4.4.4. Conclusion

By using the recommendations of the European Central Bank we seem to have a solid moral standard for the FSP's duty of care. We have identified that the majority of customers at least keep track of their virus scanner, firewall and automatic updates. Therefore we can argue that customers should at least take these preventive measures in order to behave in a moral way. Since no research related to the other measures demanded by the FSPs' terms and conditions is available, we cannot identify a complete set of moral behavior. Unfortunately, the known views of the market don't provide us with a complete answer to the remaining questions of this research:

- To what extent are the critical elements of responsibility fulfilled in the current situation?
- What is the moral standard for the customer's behavior related to grossly negligent behavior?
- What are potential joint future responsibilities, liabilities and measures for the Financial Services Providers and their customers, from the customer's point of view?

In order to answer these three remaining questions, new research needs to be executed amongst customers of Dutch FSPs. This customer research will be executed within the scope of this research and will be introduced in chapter 6.
5. CONCEPTUAL MODEL

In the previous chapter, the quest towards joint responsibilities started and the elements of joint responsibility were identified. All these elements together can be grouped in a conceptual model, as displayed in figure 5. On the highest level, five different building blocks can be identified: ethical customer responsibility, ethical FSP responsibility, joint responsibility, effectuation and liability. Joint responsibility is the center of this model. The arrows represent the preconditions for joint responsibility, and all the different building blocks are necessary input elements for joint responsibility. The necessary elements are preconditions in the normative sense; the arrows are thus not proven relations in the empirical sense. The result of this model is that all the different elements (with arrows towards joint responsibility) need to be present in order to be able to implement joint responsibilities and liabilities. Responsibility in this perspective can best be seen as the responsibility to prevent. Responsibility is supported and enforced by the elements of effectuation. When individual responsibilities have been identified, the FSPs and their customers together can create joint responsibilities. In the unfortunate event that these joint responsibilities fail to prevent fraud on the online banking platform, liability will come into play. Whether or not a customer is liable will eventually have to be decided by a judge. The judge should determine whether or not all elements of this conceptual model have been fulfilled. Only when all elements have been fulfilled can the judge decide that the customer is liable.

Figure 5: conceptual model
The first building block, ethical responsibility, is divided into two main elements: the responsibilities of the customer (paragraph 4.3.3) and the responsibility of the FSP, namely due care (paragraph 4.3.1) and duty of care (paragraphs 4.2.1, 4.2.2 and 4.4.3). Joint responsibilities have not yet been identified. Joint responsibilities will be the outcome of the quest of this research, and recommendations to achieve joint responsibilities will be described in chapter 9. The elements of effectuation have been described in paragraph 4.2.1. The elements of the final building block, liability, have been identified in paragraph 4.2.5.
6. CUSTOMER RESEARCH

In the literature review (chapter 4) some gaps were identified that are related to the customer's perception, knowledge and abilities (paragraph 4.4.4). These gaps have to be closed in order to provide answers in this quest for joint responsibilities. Up until this point, the research didn't clarify whether or not the necessary elements for moral customer responsibility are present. Neither did the research provide a moral standard for customer behavior. The three unanswered research questions are:

- To what extent are the critical elements of responsibility fulfilled in the current situation?
- What is the moral standard for the customer's behavior related to grossly negligent behavior?
- What are potential joint future responsibilities, liabilities and measures for the Financial Services Providers and their customers, from the customer's point of view?

6.1. Research type

Customer research can be executed in two possible ways: either a quantitative approach (summarized as ‘counting’) or a qualitative approach (summarized as ‘understanding’). There is no previous research available on the subject of this research. We do not yet know the opinions or the abilities of the customers. As a starting point for the interviews, I expected responsibility for online security to be a difficult topic for customers, since it's an aspect the average customer doesn't usually have to think about. Providing sound insights for this research means that customers have to provide more detailed answers than simply yes / no, or a rating on a scale (as is usually done in the quantitative approach). In order to be able to draw proper conclusions, it's important to find the underlying reasons and motivations behind the given answers. It is those arguments and inner perspectives of the customer that are most valuable. Qualitative research provides insight into how customers perceive this specific topic instead of just how many customers share a specific opinion.
In order to gain an understanding of the customers' thoughts, I have opted for qualitative research. The qualitative research has been executed by means of focus group interviews. "Focus groups are used to get insights in differences in opinion between people about a certain topic. In a focus group, it is easier for the participants to feel more comfortable as opposed to a one-on-one interview. In a one-on-one interview, the participant might not feel free to express his or her
opinion because it might be used against them" (Krueger, 2009). According to Slocum (Slocum, 2003), "focus groups are useful to:
- gauge the nature and intensity of stakeholders' concerns and values about the issues;
- obtain a snapshot of public opinion when time constraints or finances do not allow a full review or survey;
- obtain input from individuals as well as interest groups;
- obtain detailed reaction and input from a stakeholder or client group to preliminary proposals or options;
- collect information on the needs of stakeholders surrounding a particular issue or concept;
- determine what additional information or modification may be needed to develop consultation issues or proposals further."

6.2. Scope and limitations

The interview population for this research consists of retail online banking users of Dutch FSPs. The use of these interviews is therefore, firstly, limited to the retail segment. Secondly, the interviews will primarily be useful for Dutch FSPs; customers of foreign FSPs might have different opinions, so the outcome of this research cannot be applied directly to foreign markets. As a final limitation, this qualitative research provides insight into how customers think, and not necessarily into how many customers support an opinion.

6.3. The sample

Due to the nature of qualitative research, the number of participants is limited compared to quantitative research. A total of five focus interviews have been conducted. Each interview included five to six customers, with a total of 26 customers. I have created convenience samples. For each focus interview I asked one person in my network to select another person, and that selected person to ask another person to be involved in the interview. I based my initial pick of the five people on their age, educational level, living area and nationality.
Each individual received the instruction to select another Dutch retail online banking customer whom they knew, but not too well. By using this approach, I tried to create as much randomness as possible in the sample. After identifying the candidates, I checked whether different ages, educational levels, living areas and nationalities had been selected, in order to create a representative sample of Dutch customers. The demographics of the participants are displayed in appendix 1.
6.4. Data collection technique

Before commencing the interviews, I composed a list of questions based on the findings of the literature review (chapter 4). I built a sequence into the questionnaire, which I followed during the interviews. The details of the questions are included in appendix 2. I did not share the questionnaire with the participants and used it only as a reference and guideline to structure the interviews. Before the start of the interviews I did not provide the participants with more information than the subject of my thesis. At the start of each interview, I invited the participants to respond to each other's answers and to engage in a discussion whenever different points of view were voiced. I informed the participants that the answers to the questions were not a matter of right or wrong, and that they were allowed to withhold their opinion or to change it after hearing the arguments of other participants.

6.5. Interview questions design

In paragraph 4.3.3 of the literature review, the elements of moral responsibility have been defined. In that paragraph we concluded that all the necessary elements need to be present in order to hold the customer responsible from an ethical perspective. In paragraph 4.4.4 of the literature review, we identified the absence of a clear moral standard. The first part of the research is designed to identify whether the necessary elements are present among the population of customers in this research. Furthermore, these questions are designed to identify the current security-related activities and capabilities of the population. Knowing their activities and capabilities is expected to be important input for drafting the moral standard. The answers to these questions are described in chapter 7. The general interview topics are:
1. Perceived level of security of online banking
2. Level of customer awareness per type of fraud
3. Level of moral hazard
4. Level of knowledge about means of prevention per type of fraud
5. Current legal liability
6. Activities, responsibilities and liabilities of the Financial Services Provider
7. Cyber crime in relation to physical crime

The final goal of this research is to assist the FSPs in creating policies and in implementing and executing these policies, including future responsibilities and liabilities. In the literature review, the shift in the power balance and the connected responsibilities have been discussed
(paragraph 4.3.1 and paragraph 4.3.5). Unfortunately, this does not provide sufficient assistance to the FSPs. As Professor Dr R.J.M. Jeurissen explained to me: "Responsibility is a socially constructed concept. The concept of joint responsibility originates and will be settled in a negotiation between all relevant stakeholders, in which one's responsibilities will be defined. This is an arguing / bargaining process". The second part of the interview explores the ethically relevant stakes of the customer in this negotiation. The answers to these questions provide insight into what kinds of responsibilities and liabilities customers find morally plausible for themselves and for the FSPs. The answers to these questions are described in chapter 7. The general interview topics are:
1. Acceptable mandatory future customer responsibilities
2. Acceptable mandatory future customer liabilities
3. Future activities, responsibilities and liabilities for the FSP

The objective is that the customers' answers, combined with the knowledge obtained in the literature review, will result in guidelines and answers in the quest towards joint responsibilities. This will allow FSPs to compare their policies and points of view with those of their customers in order to find commonalities and gaps.

6.6. Variable measurement and validation

Each interview has been digitally recorded, written up and structured per interview question by means of a matrix structure (preserved by the author) (Groenland, 2010). Firstly, the interviews were analyzed on a stand-alone basis to cross-check the answers of the participants for consistency. Secondly, the analyses of the different interviews were combined and analyzed again. The qualitative analyses were executed using the guidelines of Hennie Boeije (Boeije, 2012). These analyses were then compared to the conceptual model and the literature review of this report.
7. RESEARCH RESULTS

In this chapter the outcome of the focus interviews is presented as an objective description of the inputs of all five interviews combined. This chapter is structured according to the three main topics of the interview: elements of responsibility, the moral standard, and future joint responsibilities and liabilities.

7.1. Elements of responsibility

In paragraph 4.3.3 of the literature review, the necessary elements of ethical responsibility have been described. In order to be responsible from an ethical perspective, a customer should have the duty, knowledge, volition, ability and intention to act in a secure way. These elements are a key cornerstone of responsibility. This part of the interview has been structured to generate input for the answer to the following research question: to what extent are the critical elements of responsibility fulfilled in the current situation?

7.1.1. Perceived level of security

Some participants explained that they had been hesitant to use online banking during its introduction phase, about a decade ago. Due to experience and improvements to the online banking channel, these reservations have disappeared. Nowadays all participants feel secure while using online banking. According to the participants, the Financial Services Provider takes care of their security, for example by means of passwords and tokens. This gives participants a comfortable feeling; security is not at the top of participants' minds during online banking activities. Participants also feel that their payment data is secure while using iDEAL. Despite this trust, some of the participants are still reluctant to use iDEAL when buying goods from web shops, because they find it difficult to determine whether the web shop is legitimate. A couple of participants were hesitant to use mobile banking.
They were not sure whether it is as secure as a personal computer, due to the lack of security measures such as a virus scanner and code generation tokens. Those participants have decided not to use mobile banking at all.
7.1.2. Level of customer awareness per type of fraud

When asked about their awareness of types of fraud, most participants answered that they are aware of frauds applied to online banking. Only the group of students initially answered that they were not aware of any online fraud. None of the participants had personally been affected by any form of online banking fraud.

Phishing / Pharming

All participants are aware of phishing fraud, particularly by means of spam mails. Almost all participants have received at least one phishing mail in the past. Participants are also aware that they should never fill in the requested information in these mails; the FSPs have informed them that they would never ask for that kind of information by mail. Participants seem to be less aware, however, that these mails can also redirect customers to a website containing a fake log-in screen or serving malware. Participants have never seen this kind of attack. Only one participant is of the opinion that he might become a victim of a phishing mail. This participant explains that he is concerned that criminal organizations are becoming more and more sophisticated, and that it might therefore become more difficult to spot fake mails, for example on the basis of layout or sender verification. Furthermore, the participant finds it confusing that the FSPs send him mails as well; according to this participant, the Financial Services Providers should never send any mails at all, as this would make it easier for him to know that a mail is always fake. Within the focus group of this participant, the other participants changed their opinions after this statement: they agree that in the future the odds of becoming a victim could increase. Without exception, participants add that customers with low computer skills, a low IQ or who belong to the group of elderly would face higher odds of becoming a victim.
Social engineering

Participants are less aware of the existence and threats of social engineering types of fraud. Almost none of the participants identified social engineering as a potential fraud. When asked, half of the participants explained that they have vaguely heard of social engineering phone calls, especially those targeting elderly people. These participants are aware that fraudsters try to obtain the PIN code of these victims, but apart from that there is little to no knowledge among the participants about how social engineering is applied. The other half of the participants do not know about this type of fraud. After the interviewer explained how social engineering is applied, participants were asked whether they think they could become a victim of
this type of fraud. The answers vary. The vast majority of the participants answered that they would never become a victim of this type of fraud: they would either disconnect or ask for a physical appointment. The other participants are not sure about their odds of becoming a victim. If the scam is executed in a very sophisticated and convincing way, they are afraid that they might be caught by this type of fraud, for example because the fraudster taps into the customer's curiosity or because of a moment of inattentiveness.

Malware

Only two participants spontaneously mentioned malware as a potential way to commit fraud. After the interviewer informed the participants about the existence of malware, about a quarter of the participants appeared to know of its existence. Knowledge about how it is applied is very limited. Only two participants know that malware can be installed on the computer and can manipulate the secure browser session. These participants, however, do not know how they could spot malicious behavior on their computer, other than by installing a virus scanner. A limited number of participants think they would spot deviant behavior on their FSP's website, for example a different sequence of screens; these participants, however, do not really know what they need to do if this happens. All participants agree that the odds of becoming a victim of this type of fraud are higher than for the other types of fraud. The estimated odds differ per participant and range from unknown to 70%. Participants explain that they do not know how to prevent and detect this fraud apart from using a virus scanner, and they are not sure whether this virus scanner would provide them with 100% protection. They identify this type of fraud as too sophisticated to detect.
The group of students state that although they would not be able to identify whether their computer has been infected, they would be more likely to prevent the virus from infecting the computer in the first place. They have grown up with the internet and therefore claim they know better what to do and what not to do.

7.1.3. Level of knowledge about preventive measures

Participants received multiple questions about their current knowledge of preventive measures, as well as about the measures they actually take.

Known measures

Participants were asked what kind of measures the FSP requires them to take. All participants know that they should not share their PIN code, passwords or other identification codes with others. Participants also know that they have to prevent individuals from looking over their
shoulder when performing banking activities, and that they are not allowed to store their PIN code and debit card in the same location. For the majority of participants this is common knowledge; some of the participants are aware of these measures because of the awareness campaigns. For the vast majority of participants, this is everything they know. A couple of participants, spread over the different groups, know that they have to take additional measures: these customers know that they have to check the website's URL and whether the lock icon in the address bar is present. Some participants also know that they have to change their password on a regular basis and to log off at the end of each session. As soon as these participants shared this knowledge in their groups, some of the other participants agreed that they indeed have to take these measures; others remained unaware. Two participants knew that they have to keep an up-to-date virus scanner, firewall and software; the other participants were not aware of these requirements. When participants were asked for their opinion on these measures, they all responded that the measures are normal and very reasonable. Only one group of participants (focus group 1) asked themselves whether this is indeed everything they have to do. When asked, none of the participants were aware of the content of the FSP's terms and conditions. All participants responded in the same way: I will not read the terms and conditions, this is not feasible because it is such a difficult and lengthy document, and the FSPs should know that we don't read these terms and conditions.

Executed measures

There is a potential gap between the measures participants know they have to take and the measures they actually take. Therefore, participants were asked how they currently protect themselves and what kind of activities they perform while transferring money.
All participants explain that they perform the activities they know they have to perform. When asked about an up-to-date virus scanner, not all participants knew whether they have a virus scanner installed and whether it is up to date. The majority of participants have a free virus scanner installed, which they downloaded from the internet. A limited group of participants makes use of a firewall and up-to-date browsers and operating systems. The other participants do not know whether they comply with these measures, as they explained that they do not understand these kinds of technicalities.
When logging in to the online banking platform, some of the participants explain that they do not perform any control activities at all. About 50% of the participants check whether the address starts with "https://" and whether the address is correct. Some of these participants also check the lock icon, but nobody checks the certificate. While initiating a transaction, all participants check whether they have keyed in the correct account number and amount. At the moment of signing the transaction, participants usually check whether the amount is still correct. After the transaction has been signed, the majority of the participants also check whether the account balance has been adjusted. Only a very limited group of participants checks the details on the transaction history screen. Some of the mobile banking users do not perform mobile banking activities on an unsecured network, such as a free wifi hotspot, nor do they use mobile banking in public locations where people can easily read their screens.

Information provided by the Financial Services Provider

All participants find that the FSP should do a better job of informing their customers about the required measures, the reasons for these measures and how fraud is applied. The majority of the participants find the current information very lacking. Some say the FSPs do not provide them with any information at all, or only limited information. They have received, or might have received, some messages, but these were either difficult to read or hidden between all kinds of commercial messages. The information provided is not tailored to the personal situation, for example of the elderly, children or non-Dutch-speaking citizens. Some participants are aware of the information campaigns such as "driekeerkloppen" and "veiligbankieren", but the content has long been forgotten. According to these participants, these campaigns only create limited awareness, and only for a limited amount of time.
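The log-in checks the participants describe ("https://", a correct address, the lock icon) only help if the customer knows what "correct" means in practice: phishing pages routinely put the bank's host name in a subdomain, in the path or before an "@", or use look-alike non-ASCII characters, and all of those can be served over https. The Python script below is an added illustration of what such an address check has to do; it is not part of the thesis and not any FSP's own software. The allow-list of trusted hosts and the sample URLs are constructed for the example, and the trust decision is a plain exact-match list (it does not inspect the TLS certificate, the check the page notes nobody performs).

```python
from urllib.parse import urlsplit

# Constructed allow-list of legitimate online-banking log-in hosts (an assumption
# for this example; an FSP would publish and maintain its own list).
TRUSTED_HOSTS = {"mijn.ing.nl", "bankieren.rabobank.nl", "www.abnamro.nl"}


def classify_login_url(url: str) -> tuple:
    """Return ("accept" or "reject", reason) for a URL a customer is about to log in to.

    The checks mirror what "is the address correct?" has to mean in practice:
    https scheme, exact host match, no bank name hidden in a subdomain, in the
    path or in the userinfo part, and no non-ASCII look-alike characters.
    """
    parts = urlsplit(url)

    # http is always wrong; https alone says nothing about who runs the site.
    if parts.scheme != "https":
        return "reject", "scheme is not https"

    host = parts.hostname  # already lower-cased, port stripped
    if not host:
        return "reject", "no hostname"

    # https://mijn.ing.nl@evil.example/ : the text before '@' is userinfo, not the host.
    if parts.username is not None:
        return "reject", "userinfo before '@'; real host is " + host

    # Non-ASCII labels (e.g. a Cyrillic 'i' in 'ing') encode to punycode 'xn--...'.
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "reject", "hostname is not a valid IDN"
    if ascii_host != host:
        return "reject", "non-ASCII look-alike hostname (" + ascii_host + ")"

    if ascii_host in TRUSTED_HOSTS:
        return "accept", "exact match with trusted host"

    # The bank's host name appearing anywhere except as the whole host is a phishing signal.
    for trusted in TRUSTED_HOSTS:
        if ascii_host.startswith(trusted + ".") or ("." + trusted + ".") in ascii_host:
            return "reject", "'" + trusted + "' used as a subdomain of another domain"
        if trusted in parts.path:
            return "reject", "'" + trusted + "' appears in the path, not the host"

    return "reject", "unknown host"


if __name__ == "__main__":
    # Constructed sample URLs: one genuine log-in page and typical phishing shapes.
    for sample in [
        "https://mijn.ing.nl/login",
        "http://mijn.ing.nl/login",
        "https://mijn.ing.nl.secure-update.example/login",
        "https://secure-update.example/mijn.ing.nl/login",
        "https://mijn.ing.nl@secure-update.example/",
        "https://mijn.\u0456ng.nl/",
    ]:
        verdict, reason = classify_login_url(sample)
        print(f"{verdict:7} {sample:50} {reason}")
```

Only the first sample is accepted; every other one is a URL that starts with "https://" and contains the bank's name, which is exactly why "check that the address is correct" is a harder instruction than it sounds.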
The majority of participants receive "bankmail" from their FSP (mail messages within the online banking environment). Almost none of the participants have read these messages, since they usually contain unwanted commercial information. Some participants think they have never received any kind of information, and others do not know whether they received it during the initial sale of the product. The vast majority of participants would like to receive readable and understandable communication from their FSP about the measures they have to take, why they have to take these measures, what kind of measures the FSPs are taking, and examples of how fraud is applied.
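Participants check the amount at the moment of signing, and a few of them know that malware can manipulate the browser session. Whether that check protects them depends on what the signing code is actually bound to. The Python sketch below is an added illustration, not the thesis's own material and not any FSP's actual protocol; the device key, account numbers and amounts are constructed for the example. It contrasts a code that is tied only to the device and a counter (any transaction is accepted as long as the code is fresh) with a code computed over the beneficiary and amount shown on the token's display, so that a transaction altered by malware after the customer confirmed no longer verifies.

```python
import hashlib
import hmac

# Constructed per-device secret shared between the FSP and the customer's signing
# token (assumption for this example; real tokens keep such a key in hardware).
DEVICE_KEY = b"constructed-device-secret-0001"


def canonical(tx: dict) -> bytes:
    """Fixed byte layout of the fields the customer is shown on the token's display."""
    return f"{tx['beneficiary']}|{tx['amount_cents']}".encode("ascii")


def unbound_code(key: bytes, counter: int) -> str:
    """Event-based code: depends on the device and a counter, not on the transaction."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac.hex()[:8]


def bound_code(key: bytes, tx: dict) -> str:
    """What-you-see-is-what-you-sign: the code is a MAC over beneficiary and amount."""
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()[:8]


def bank_accepts_unbound(key: bytes, counter: int, tx: dict, code: str) -> bool:
    """Server side for the unbound scheme: only the code is checked, tx is not involved."""
    del tx  # the received transaction plays no role in the verification
    return hmac.compare_digest(unbound_code(key, counter), code)


def bank_accepts_bound(key: bytes, tx: dict, code: str) -> bool:
    """Server side for the bound scheme: recompute the MAC over the received transaction."""
    return hmac.compare_digest(bound_code(key, tx), code)


def man_in_the_browser(tx: dict) -> dict:
    """Malware in the browser swaps the beneficiary after the customer has confirmed."""
    return dict(tx, beneficiary="NL20INGB0001234567")  # constructed mule account


def run_scenario(key: bytes = DEVICE_KEY) -> dict:
    """Replay one transfer under both schemes and report what the bank accepts."""
    intended = {"beneficiary": "NL91ABNA0417164300", "amount_cents": 2500}  # constructed
    tampered = man_in_the_browser(intended)

    # Unbound scheme: the customer types a fresh code; the bank cannot tell that the
    # transaction it receives is not the one the customer looked at on screen.
    code_u = unbound_code(key, counter=42)
    # Bound scheme: the token displayed beneficiary and amount, the customer confirmed
    # them, and the code now commits to exactly those two values.
    code_b = bound_code(key, intended)

    return {
        "unbound_intended": bank_accepts_unbound(key, 42, intended, code_u),
        "unbound_tampered": bank_accepts_unbound(key, 42, tampered, code_u),  # still accepted
        "bound_intended": bank_accepts_bound(key, intended, code_b),
        "bound_tampered": bank_accepts_bound(key, tampered, code_b),  # rejected
    }


if __name__ == "__main__":
    for name, accepted in run_scenario().items():
        print(f"{name:17} accepted={accepted}")
```

The point for the customer check described above: reading the amount on the token's display is only meaningful when the token's code is computed over what is displayed, because then the bank rejects anything the browser changed afterwards; with a code that merely proves possession of the device, the browser can substitute any transaction it likes.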
7.1.4. Power balance of responsibility

Who is responsible?

When participants were asked who in their opinion is responsible for the safety of online banking, three different responses can be distinguished, distributed over the different focus groups. There is a group that holds the FSP responsible for secure online banking. According to them, the FSPs offer the product and should therefore be responsible. Second, these participants argue that Financial Services Providers force their customers to use the online channels and should therefore be responsible. Third, these participants argue that the FSPs are the experts; according to this group, the fraudulent scams are impossible for a customer to detect, so the FSPs have to prevent these types of crime in every possible way. Another group of customers holds both themselves and the FSP responsible. According to this group the primary responsibility lies with the FSP, but the customer has the responsibility to act in a secure way and to follow the guidelines provided by the FSP, for example not to disclose personal login credentials. This group of participants adds that customers should act as securely as possible, but that a customer can never completely prevent fraud from happening, so there is a limit to the responsibility of the customer. For example, when social engineering or malware is applied in a very sophisticated way, they do not find it fair to hold the customer responsible. In the case of malware these participants hold the FSP responsible. In the case of social engineering these participants do not know who should be held responsible, since it is the fault of neither the customer nor the FSP. The third group of participants is small. This group primarily holds the government and the central bank responsible: they have to audit the FSPs and have the responsibility to control the police force that should arrest these criminals.
There is also a participant in this group who holds the government and the internet service providers responsible. According to this participant, they have to filter and control the internet and make sure that spam and malware do not exist, or at least are contested. During each of the interviews, participants started debates on whether the customer has a responsibility. Defenders of joint responsibility argue that there are limits to what an FSP can do and that ultimately the customer has the responsibility to follow the guidelines. The group of participants that defends full FSP responsibility argues that the FSPs are already forcing their customers to use these online channels by closing all the physical branches. To them, it would be
a bridge too far if the FSPs were also to force the customer to take responsibility. The defenders of the government's responsibility agreed to a dual responsibility between the FSPs and the government. The participants did not reach a consensus as a group, and only a limited number of participants changed their initial opinion (in both directions) after this debate.

Who is liable?

Participants were asked who should absorb the costs in case of fraudulent activities. All participants agree that by default the FSP should be liable. After this initial reaction, in every group there were participants who started to argue that there are also cases in which the customer could be liable. According to these participants, a customer should be liable when the customer has acted in a "foolish" (negligent) way. The participants that support this view find it difficult to define clear situations or boundaries for who is responsible under which circumstances. They think there is a large grey area, and some are of the opinion that liability should be judged for every individual situation. Some of these participants would like to introduce a yellow card system: on the first occasion the customer should not be liable, the second time the customer should be liable up to a certain percentage. The reason for this yellow card system is that everybody can make a mistake; making a mistake once is human, according to them. After these statements, the other, smaller group of participants remains of the opinion that the customer should never be liable. There is strong disagreement between the different participants. For phishing-related fraud there is a group of participants who hold the FSP liable in all cases. There is also a group that is of the opinion that this should be judged case by case, primarily based on how obvious the phishing was. For example, when the phishing mail is well designed, this would mean no liability or a maximum liability of 50% of the damage for the customer.
When the phishing mail was too obvious, this would result in 100% liability for the customer. After their debates, all groups reached a consensus on one of these two points of view. For social engineering types of fraud, all participants except the group of lower educated participants of 50 years and older answered that the customer should be 100% liable once PIN codes or other log-in credentials were shared (when no violence was used). The majority of participants in the group of lower educated participants of 50 years and older answered that the FSPs should always be liable, because they are the ones who should secure the deposits.
For malware types of fraud, all participants except one hold the FSP liable for the losses. According to the participants, the FSP should always make sure the website is secure, since malware is impossible for the customer to detect. Again, all participants explained that there is a special group that should be better protected and therefore cannot be held liable, or should only become liable after very intensive education; participants make this exception for all types of fraud. Participants also add that the FSP should have to prove that the customer acted in a gross negligent way.

7.2. The moral standard

In both the law (paragraph 4.2.1) and ethics (paragraph 4.3), the moral standard is used to define whether a customer has acted in a gross negligent way. Identifying the moral standard is thus an important aspect of our quest towards joint responsibilities and liabilities. In paragraph 4.4.4 of the literature review we identified the absence of a clear moral standard. As indicated in paragraph 4.4.1, experts disagree on the customers' ability to detect and prevent online banking fraud. In paragraph 4.4.2, only a limited set of current customer preventive activities was identified. From previous research it is not clear whether the customer takes more measures, and what customers perceive as their current responsibilities and liabilities. Neither is it clear what customers would define as gross negligent behavior. This part of the interview has been structured to generate input for the answer to the following research question: what is the moral standard for the customer's behavior related to gross negligent behavior?

7.2.1. Current customer's responsibility and legal liability

Participants were asked what they consider to be their current responsibilities to prevent fraudulent activities. Participants answered that they feel responsible for taking the measures indicated in paragraph 7.1.3.
Level of moral hazard

Participants were also asked whether they feel morally responsible for secure behavior. In three out of five group interviews, all participants answered that they feel a moral responsibility, though they also answered that they are not really aware of this responsibility on a day-to-day basis. The group of higher educated participants between the ages of 18 and 34 collectively answered that they did not feel morally responsible for secure behavior. This is consistent with their answers on the responsible stakeholders: 4 out of 5 members of this group defended the opinion that they did not have any responsibility. In the other groups, some participants defended the statement that the
  • customer doesn’t have any responsibility but there were also participants who felt morally responsible for secure behavior. Participants were asked if they care about the financial losses that currently occur due to these types of crime. Only one of the participants was aware of the amount of annual financial losses. The two groups of highly educated participants answered that they would have to care about the financial losses, as eventually they would have to pay the losses themselves by means of increasing commercial rates of the FSPs. However, since the commercial rates haven’t really changed over the past couple of years, they don’t really care. Neither do they care that they currently have to pay a limited amount per person for these losses. The other groups answered that they didn’t really care about the losses. All groups of participants however answered that they would care about the financial losses if these losses were so high that it would impose a threat for the future existence of the FSP or their own savings and deposits. Legal liability Participants were asked if they are aware of the legal arrangements regarding liability. None of the participants was aware of the legal liabilities. When asked if the participants knew that they legally have an excess risk (“eigen risico”), participants weren’t aware this is arranged by law or either thought there could be some kind of excess risk but didn’t know for what amount. Gross negligent behavior Participants were asked what they would describe as gross negligent behavior. In all groups of participants gross negligent behavior is defined as deviating from the rules on purpose. For the participants this means: acting in a certain way while knowing that an act is wrong and deviates from the rules and would lead to negative consequences. Participants added that this wrong doing must be a free choice without compulsion. 
Participants explain that being aware of the consequences is important to their definition. Participants identify certain groups, such as the elderly, children and persons with a lower IQ, as potentially not being aware of the consequences of an act. When asked for an example of gross negligent behavior, all participants explain that, in general, deliberately sharing a PIN code without any force is gross negligent behavior. The majority of the participants also defined sharing other log-in credentials, such as TAN and response codes, as gross negligent behavior. Participants were specifically asked whether deviating from
  • the FSP’s terms and conditions is an act of gross negligent behavior. None of the participants defined this as gross negligent behavior. Participants explained that these terms and conditions are impossible to read and understand for an average consumer. Some of the participants explained deviating might be negligent but definitely not gross negligent. The group of students defined this deviation only as gross negligent if the customer deviates from all the separate contents of the terms and conditions and if the terms and conditions would be readable and understandable for each customer. According to this group, customers should comply with a certain limit of measures, for example at least 75% in order to receive a reimbursement of 100%. The group of students was also specific in their opinion on the need for computer security. According to this group, not having a virus scanner is negligent, but cannot be defined as gross negligent. According to some of the participants, the FSPs should provide clarity in what exactly gross negligent behavior means to them. Participants do not see a need for a single uniform definition amongst all FSPs as long as it’s clear to customers what the differences are. This would allow their customers to choose between FSPs based on these conditions. 7.2.2. Online banking fraud compared to physical crime In the quest towards joint responsibilities it’s important to find out if FSPs can leverage the existing knowledge of insurance providers about the power balance of physical crime. Participants were therefore asked if and how they relate online banking fraud to physical crime. The participants’ answers can be divided into two groups. There is a group of participants that completely relates cyber crime to physical crime. According to this group, it’s just a form of digital crime. Both types of crime try to steal your money. 
The other group of customers doesn't relate these types of crime, since physical crime is personal and directly connected to the victim, while online crimes are more distant and more difficult to spot.

Participants were asked if they have any type of insurance policy against physical crime and if they have accepted the terms and conditions of this insurance policy. Almost all participants have an insurance policy and accepted the terms and conditions of their insurance policy. Almost none of the participants know the exact contents of these terms and conditions, but they assume that they include an explanation of what kind of measures the customer has to take. Almost all of these participants would also accept that a deviation from these terms and conditions might result in a lower or no reimbursement of their damages. Only two participants would not expect their insurance provider to reimburse only a part of the damage, or nothing at all, if they had deviated from the terms and conditions. They claim that everybody can make a mistake, for example forgetting to lock the door when leaving the house in a real hurry. In these cases, the insurance provider should reimburse the losses despite the fact that the terms and conditions require the customer to always lock the door.

All participants would accept that they have to invest in certain measures, such as a lock on the door, as long as these measures are according to market standards and do not change all the time. Furthermore, these measures should preferably be free of charge (paid by the FSP) or heavily discounted. It's important to note that none of the participants who are ING customers have installed the free virus scanner that ING provides to them. Participants don't remember whether or not ING has provided them with information about this offer.

With this perspective in mind, participants were asked to what extent they would accept mandatory measures against online banking related fraud. The majority of participants would not take out an insurance policy to cover the losses of these types of fraud. The FSP is already charging fees for taking care of the customer's money; therefore, if necessary, the FSP should take care of this insurance according to these participants. There is a small group who would like to purchase such insurance as long as the insurance premium is very low (a couple of euros per month).

7.2.3. Terms and conditions

As previously described, participants were not aware of the required measures, for example those indicated in the terms and conditions. Participants do not see it as their responsibility to read the terms and conditions in relation to fraud prevention. Participants find that the FSP should inform their customers through separate communication. This communication should be easy to understand and short.
Customers would also like to receive this information through multiple media, such as brochures, online, radio and television. Furthermore, participants find that the FSPs will need to offer a helpdesk function, for example by phone or in the branch. Customers should be actively informed about these helpdesks. These helpdesks should, for example, help the customer to understand and take all the required technical measures. Participants also want the FSPs and the government to create educational material, for example for use in schools and during integration courses. Participants argued that the FSP should explain why these measures are important. Understanding the importance and consequences would improve their awareness and willingness to take more measures. Participants also state that the Financial Service Providers will have to verify that the customer has obtained the required knowledge.

As part of the interview, I informed the participants about the required security measures they have to take according to these terms and conditions. All participants were very negatively surprised by this information and called it a very extensive way for the FSPs to hedge and transfer a very large portion of the risk towards the customer. Participants didn't agree that deviating from these measures could be defined as gross negligent behavior. According to all participants, the FSPs are over-asking on the capabilities and possibilities of the customer. Participants also indicate that this list of required measures is far more extensive than what is communicated in the "driekeerkloppen" and "veiligbankieren" campaigns. This information should be universal. All participants said they do not fully comply with all these required measures. Participants find that it's impossible to ask customers to always use up-to-date software. They find that the FSP should at least allow their customers to use the most recent previous version of the software. Participants would also like to receive a list of the virus scanners that are certified by the FSP. When the Financial Service Provider takes care of the necessary information and support and allows the most recent previous software version, the vast majority of participants said they would accept a required virus scanner, firewall, internet browser, verification of IP address / personal computer and software updates. Although the participants would accept these measures, they do not agree that deviating from these measures would imply gross negligent behavior. Other requirements, such as checking the debit card every day, checking the transaction history every two weeks, checking the website's certificate and updating plug-ins and Java, are too much to ask according to the participants. Participants indicate that it's also impossible to check all these requirements on the personal computer of a third party.
They understand that they have to be careful when using online banking facilities, for example in internet cafés. But a personal computer of a friend, family member or employer should be trustworthy enough. Participants argue that if they have to check these computers, the FSP had better restrict the usage of online banking to only their personal computers.

7.3. Future joint responsibilities and liabilities

In the literature review the power balance shift and connected responsibilities have been discussed (chapter 4.3.1 and chapter 4.3.5). In the literature review no research into future responsibilities and liabilities between FSPs and their customers has been identified (paragraph 6.5). This part of the interview is structured in order to generate inputs for the answer to the following research question: what are potential future responsibilities, liabilities and measures for the FSPs and their customers from the customer's point of view?

7.3.1. Future customer responsibility and liability

When asked if participants could think of any other kind of future responsibility, they answered that they couldn't think of additional measures other than those described in paragraph 7.2.1. Participants however indicated that if the FSPs would improve their communications, they would have the responsibility to read and understand the communication. If the communication is not clear, the participants would have the responsibility to reach out to the helpdesk of the FSP. Participants were asked what kind of customer liability would be acceptable to them, based on the assumption that the FSP would take care of all requirements previously indicated by the participants. Participants answered that they would like to eliminate the standard excess (deductible). An excess should only be charged when a customer is negligent. Participants indicate this as the category "foolish". For their own liability in the event of not being negligent at all or being gross negligent, participants stick to their opinions as presented in paragraph 7.1.4.

7.3.2. Activities and responsibility of the Financial Services Provider

Participants were asked what kind of activities they think their FSPs are taking to prevent fraud. Participants explain that they only know the measures they see, such as randomization devices, PIN codes, passwords and app updates.
Participants assume that the FSPs are securing their websites. They think the FSPs are performing a lot of other activities too, but they don't know for sure. Some participants would like to receive more information from the FSP. They would like to know how their FSP is securing their money and how secure their FSP actually is. Some participants would like to have a third party that would audit and certify the FSP's efforts and measures and publish the results. This would allow them to choose the most secure provider.

Communication

Participants were asked what kind of additional activities their FSP should execute in the future. Participants strongly hold their FSPs responsible for information, education and awareness campaigns for their customers. They would like to receive more information about the level of security of their provider, the threats the customers are facing, the ways fraud is committed, the potential security measures and the consequences of deviating from these measures. Not only should the FSPs intensify and improve their communications; they should also verify that the customer has read and understood the measures. According to the participants, this information should be sent on a regular, recurring basis. Participants again state that they would also like to be informed about the need for and consequences of the measures and about the way these types of fraud are committed.

Customer profiling

Participants were asked if the FSPs are allowed to use their transaction data for profiling purposes. In all interview groups there were two reactions: one group of participants would immediately allow the FSPs to use this data and the other group wouldn't allow the FSP to use this data. Participants that wouldn't allow profiling explain that they are very much concerned about their privacy. In all groups participants started to debate whether or not this would be a breach of privacy. All groups eventually reached the same conclusion: the FSP is allowed to use this data, but only when the following requirements are met:
- customers should be informed about this activity;
- profiling data can only be used for fraud mitigating activities and not for commercial activities;
- profiling should be executed automatically and not by a human being, nor be accessible to a human being;
- customers should have an opt-out possibility.

Participants were also asked if the FSPs are allowed to block a transaction when the transaction deviates from the customer's payment profile.
All participants are of the opinion that the FSPs should hold the payment and then verify the payment with the customer. Only when the customer confirms a fraud, or when the customer cannot be reached after a predetermined period, is the FSP allowed to block the transaction.

Malware detection

Participants were asked if the FSP is allowed to monitor the information being sent between the customer's personal computer and the online banking platform (monitoring the session) for malicious behavior. Almost all participants allow the FSP to monitor this to a certain extent. The FSP is not allowed to breach the privacy of the customer and, for example, may not scan the customer's personal computer. Only in the group of medium educated customers between 50 and 99 would some participants not allow the FSP to do this at any time. Participants were asked if the FSP is allowed to block access to the online banking environment when malicious behavior is detected. The group of students and the group of higher educated participants between the ages of 18 and 34 would allow the FSP to block their access at any time. The FSP should however provide feedback on their website about what is wrong and how the matter can be resolved. The other groups would not allow the FSP to block access immediately. The FSP should provide information about the matter and the risk on the online banking platform. The customer should, however, still have the possibility to continue and perform a transaction. Participants explain that they are aware that this would transfer all the risk to the customer; they accept the risk after being informed. Only after a certain period of time is the FSP allowed to block access. Participants would also like to receive feedback on the website about the condition of their browser, plug-ins and software. This should however not restrict their access to the online banking environment. When an extreme risk is detected, the FSP should notify the customer and explain the risk, though the customer should again have the possibility to accept the risk and proceed.

Functionality restriction

Participants were asked if they would allow their FSP to limit their functionality based on their risk profile.
Participants are in favor of such restrictions if they are applied to protect the customer. Furthermore, the customer's risk profile should be determined in close cooperation with the customer, for example by using a questionnaire. The majority of the participants however find that this risk profile should only be advice. The customer should always be able to deviate from this profile and, for example, increase the functionality. The FSPs should however inform the customer of the risks that are connected to this deviation and should ask the customer to accept the risk. This risk profiling should recur every x period or on the customer's request. Participants were asked if they would like to have options to limit the functionality of the online banking platform themselves. All participants would like to have these options as long as they are easy to understand and always adjustable by the customer.

8. ANALYSES AND CONCLUSIONS

This chapter analyzes the individual research questions and the central research problem. Based on these analyses, the conclusions, limitations and recommendations for future research will be presented.

8.1. Answers to the research questions

In this paragraph the sub research questions (paragraph 3.7) will be answered. These questions will be analyzed based on the findings in the literature review (chapter 4) and / or the outcome of the customer research (chapter 7). After the analyses, the conclusion to each research question will be presented.

8.1.1. What is the current impact of online banking fraud?

The impact of customer targeted online banking related fraud has been specified in paragraph 4.1. The impact can be defined in terms of the number of attempts and costs. The total number of fraudulent attempts is not (publicly) available. Based on research we know that at least 35% of the Dutch online banking users have been approached by a fraudster. We also know that the number of successful attempts increased to 10,900 in the year 2012. Compared to the number of online banking users, this means that in the year 2012 the chance of becoming a victim was 0.0828%. In terms of costs the impact can be subdivided into hard costs and soft costs. These two groups can again be subdivided into the hard and soft costs for the FSP, the customer and society. The hard costs for the FSP are reported by the NVB. The figures in paragraph 4.1.1 indicate an increase of the hard costs to 34.8 million euro in the year 2012. Starting in the second half of 2012, we see a decrease of the hard costs to 4.2 million euro on a 6-month basis. Hard costs for customers occur when the FSP chooses not to reimburse the fraudulent losses of their customer. The total amount of these hard costs is not (publicly) reported and it's therefore not possible to define the impact in terms of hard costs for the customer.
Soft costs for the FSP are costs related to the prevention, detection, handling and coordination of fraudulent activities (paragraph 4.1.2). Soft costs for the customers are related to the time and effort spent to resolve the problem, the emotional and psychological impact and the perception of security of the online banking channel (paragraph 4.1.3). The soft costs for society are related to costs incurred by the government in terms of prevention, detection and conviction of the fraud and fraudsters (paragraph 4.1.4). No figures are available on the total soft costs for the stakeholders.

Conclusion

Based on the hard costs for the FSPs we can conclude that the problem increased up until the first 6 months of 2012 and decreased afterwards. Although we have seen a decrease of these losses in the past 12 months, it would be too early to conclude that the problem is being contained, as the number of reported attempts is still increasing. The current amount of hard costs is still significant. When discussing the total problem, we should keep in mind that soft costs are likely to account for a large part of the total costs, and these costs are currently not specified at all.

8.1.2. What is the legal framework of the responsibilities and liabilities?

The legal framework of responsibilities and liabilities is described in Dutch law (paragraph 4.2.1). Within the conceptual model this is subdivided into effectuation and liability (chapter 5). Effectuation is subdivided into law, moral standards and enforcement. According to Dutch law, both parties have to comply with a contract as well as the related principles of reasonableness and fairness (moral standards). The FSPs have to fulfill their duty of care and the customer has the obligation not to act in a gross negligent way. The law states that the FSPs have to reimburse the financial losses of their customers with a maximum deduction of €150 if the customer has not acted in a gross negligent way. Thus, the FSP has the primary liability. If the customer has acted in a gross negligent way, the customer is fully liable for the direct losses.
The FSP however has to prove that the customer has acted in a gross negligent way. The law also states that gross negligent behavior is a failure to fulfill a duty. The law itself is thus clearly described and enforcement is arranged. Without clear definitions of moral standards, there is however little value in the law and enforcement. The moral standard of the FSP is intertwined with the duty of care. The duty of care for preventing customers from becoming a victim of online banking fraud is not specified in the general law. Neither has it been questioned by the judges in recent court cases. It's unclear what the exact responsibilities of the FSPs are. FSPs have however managed to connect their desired moral customer standard to the law. They have specified the customer's responsibilities within the product's terms and conditions, which are part of the contract between the FSP and their customers. FSPs are of the opinion that deviating from these terms and conditions is an act of gross negligent behavior and should result in non-reimbursement of financial losses. The judges and KiFid have recently supported the FSPs in their opinions. Even though, at first sight, this seems in order, it's questionable if the claim of the FSP is indeed correct. While analyzing the terms and conditions (paragraph 4.2.4), we identified that some of the requirements are vague. Neither the terms nor the conditions are specific about what is defined as gross negligent behavior. Gross negligence presumes a standard of behavior that can reasonably be expected of an individual engaged in a particular activity. The terms and conditions are however not necessarily connected to the moral standard. Does the customer, for example, have the necessary knowledge and capabilities to take care of these measures? And perhaps as important: is it plausible to assume that an average customer will be able to read and understand the terms and conditions? Based on research it's not clear if FSPs can demand these measures from their customers. And what about the FSP? Did the FSP fulfill their duty of care? What can we reasonably expect an FSP to do to protect their customers?

Even with responsibilities, the moral standard and liabilities properly defined, being responsible or acting in a gross negligent way is not sufficient to become liable. If the FSP chooses to hold their customer liable, this means that the requirements of culpability, causal relationship and negligence have to be met (paragraph 4.2.5). These three aspects have to be assessed in every individual situation by the judge or the KiFid. They will also have to assess if the FSPs have fulfilled their duty of care and whether or not the moral standard is correct (paragraph 4.2.8).
The participants of the interview were questioned about their opinion on responsibility and liability (paragraph 7.1.4). The answers related to their responsibilities will be analyzed in paragraph 8.1.3. In general, all participants agree that by default the FSP should be liable. Participants do not accept the standard possibility of the 150 euro deduction on reimbursements. According to the majority of the participants, this should only be deducted in cases of negligent behavior of the customer. Some participants would never accept any liability at all, because it's the FSP who offers (according to some participants even forces) the product on the customer. The majority of the participants however agree that, in cases of gross negligent behavior, the customer could be (partially) liable. What can be defined as gross negligent behavior according to the participants cannot be defined in a generic way. This differs from customer to customer, for example based on age and personal (computer) skills, and per type of fraud. In their view, for phishing types of fraud, the liability should differ based on the level of sophistication of the phishing mail. For social engineering the customer should always be liable, and for malware the participants are of the opinion that the customer should never be liable, because the FSPs should be held responsible for taking care of the security of their website.

Regarding the terms and conditions (paragraph 7.2.3), participants are of the opinion that the currently demanded measures are a very extensive way for the FSP to hedge and transfer the risk towards the customer. Participants feel that the FSPs are asking too much of the customers' capabilities (also described in paragraph 4.3.6 of the literature review). Participants define gross negligent behavior as: acting in a certain way while knowing that the act is wrong, deviates from the rules and would lead to negative consequences. Deviating from the terms and conditions should, according to the participants, not be seen as an act of gross negligent behavior. None of the participants complies with the current measures described in the terms and conditions, simply because they do not know the contents. Participants feel that the FSPs are currently not taking care of their informative responsibility. Participants explain that the information flow about the responsibilities, the ways to act responsibly and the consequences of not complying is very limited, if it exists at all. Therefore, according to the participants, the FSPs are not complying with their duty of care.

The government clearly states that it has a responsibility to increase the cyber awareness of its citizens and that security, as well as cyber security, is a core activity and responsibility of the government, for example by imposing laws, standards and regulations (paragraph 4.2.7). This means that the government is one of the responsible stakeholders.
Conclusion

The moral standards for the duty of care of the FSP as well as the moral behavior of the customers are not clearly defined. Based on the current descriptions we cannot judge whether or not FSPs have acted in accordance with their duty of care. Duty of care should be uniform across the different FSPs. The government or regulator should, together with the FSPs and the NVB, create regulations that describe the duty of care and should assess whether or not the FSPs are complying with these regulations. The moral standard of customer behavior cannot simply be mandated by the FSPs in their terms and conditions. FSPs should first determine the standard of behavior and acceptable measures together with their customers. FSPs should take into account that these standards might differ from customer to customer, for example based on their knowledge and (computer) skills. The regulator should make sure that the correct standards are determined. FSPs should also ensure a way of communication that is reasonable. Given the fact that none of the research participants were aware of the contents of the terms and conditions, it's safe to conclude that the current way of communication is not sufficient. The opinion of the FSPs about the customers' liability conflicts with the opinion of the customers on their liability. This is likely connected to the expected moral standard. FSPs, the NVB and regulators should thus not only define clear moral standards but also make sure to connect the correct liabilities. In case of a trial or a complaint, the judge or the KiFid should determine if the duty of care has been taken into account and if the expected measures are according to the moral customer standard. Non-compliance could mean that a customer is not liable.

8.1.3. What is the ethical view on joint responsibility?

The question in this case is where the duty of the customers starts and where it ends. In the past we have seen behavior related to the social cost view (paragraph 4.3.1). The FSP always reimbursed the financial losses. As previously described, there are interview participants that still support this compensation policy and who would like to continue in this way in the future (paragraph 7.1.4). A disadvantage of this view is however the effect of moral hazard. Participants were asked if they feel morally responsible for secure behavior (paragraph 7.2.1); three out of five groups of participants indicated that they do feel morally responsible for secure behavior. Despite this feeling, they are not really aware of this moral responsibility in their behavior on a day-to-day basis. The other two groups didn't feel morally responsible for secure behavior.
Participants indicated that they do not really care about the losses, as long as the losses are not so high that they would impact their existing savings at their FSP. This underlines the statements in the literature that moral hazard is indeed present in the current situation. This lack of moral consciousness has also been identified within the literature review (paragraph 4.3.4). This is because we are confronted with issues that have no correlation with issues or experiences of previous generations. Customers will need guidance and full information in order to improve their moral consciousness. Improving the moral consciousness is not only the responsibility of the FSP. The government also has a clear responsibility to improve the moral consciousness of its citizens (paragraph 4.2.7). Improving the moral consciousness is thus a task that the FSPs should fulfill together with the government and customers / citizens.

The law is designed according to the contract view (paragraph 4.3.1). This view holds that both parties enter into a voluntary contract and that the duties of the involved parties are those created by the contractual relationship. Recently, we have noticed that FSPs are adapting to this view in their reimbursement policies. This view implies that all parties have full information. The customer however doesn't have full information, for example about the security level and flaws of the FSP's system. Embracing this view is thus not correct from an academic perspective. According to the FSPs, the government and some researchers, we have reached a point where we should expect customers to take certain preventive actions. In the IT-configured society of today, it seems impossible to defend the position that the customer has no responsibility at all. Nor is it possible to defend that the FSP and their customers are equals. Therefore, it would be better to embrace the due care theory (paragraph 4.3.1). The due care theory is based on the idea that FSPs and their customers do not meet as equals and therefore FSPs will have to take special care, due care, to protect their customers. FSPs would have to fully inform their customers about the irremovable risks of the product or accept full liability for undisclosed risks or defects. When the customer accepts these risks, or the customer acts in a gross negligent way, the customer would become liable. In the case of due care, we can speak of joint responsibilities.

It's important to understand that joint responsibility is not just a matter of splitting the responsibilities between the stakeholders. In the literature review (paragraph 4.3.5) we have identified that where responsibilities are shared, the total responsibility increases. In this specific case, it means that where the customer receives the responsibility to take certain measures, it becomes the responsibility of the FSP to ensure that the customer is able to understand and take these measures. When being held responsible, it's important that all the elements of responsibility are in place. The first customer element is duty. The question of duty is whether or not there is an obvious moral obligation or standard that applies in the situation.
The second customer element is knowledge. Knowledge addresses the question whether the person was aware of the obligation and standards, or whether they reasonably should have been aware. The third customer element is volition. Volition addresses the question whether the customer is legally capable of making the decision and whether there was no (external) coercion. The fourth customer element is ability. Ability refers to whether or not the customers are able to act and whether there are alternatives. The fifth and final customer element is intention. Intention refers to whether or not the customer is able to calculate the consequences of the action and has the mental capacity to consider the alternatives. When one of these elements is not in place, we cannot state that someone is fully responsible from an ethical perspective. Whether or not the necessary elements are fulfilled will be analyzed in paragraph 8.1.7.

Conclusion

We have identified that the past policy of always reimbursing the customers' losses is causing moral hazard amongst customers. FSPs should however not switch their new reimbursement policies to the contract view, as they are currently doing. FSPs should instead switch their reimbursement policies towards the due care view. Switching responsibilities will increase the total pie of responsibilities. Customers, for example, will have to receive the responsibility to act in accordance with the moral standard, and FSPs will have to receive the responsibility to protect, inform, educate and support their customers in the best possible way. Overall, as a society we should improve our moral consciousness of the threats and security measures related to the internet and more specifically online banking. This is a joint responsibility for the NVB, FSPs, their customers and the government.

8.1.4. What is the known view on moral standards from market research?

The view from market research has been described in paragraph 4.4. According to known research, the awareness of customers, and therefore their ability to detect customer targeted online banking fraud, is low. The average Dutch consumer doesn't have sufficient knowledge and skills to protect themselves from digital risks. The average customer is also overestimating their skills (paragraph 4.4.1). Experts seem to agree that, in general, it's too much to ask a customer to identify malicious behavior on their devices. This is especially true for the group of illiterate users. Research has however indicated that the vast majority of users takes care of a virus scanner, firewall and software updates. The moral standards for the duty of care related to online banking have not been specified in the law. The European Central Bank created a report focusing on recommendations for the security of internet payments (paragraph 4.4.3).
Although this report only includes recommendations, it seems to be a solid guideline for a moral standard.

Conclusion
Research indicates that consumers possess different internet skills; this underlines the previous conclusion of different moral standards amongst online banking customers. FSPs should be aware of the skills of their customers and should connect the mandatory measures to these skills. Based on the literature, we cannot define a complete moral standard for customer behavior. The payment recommendations of the European Central Bank should be included in the moral standard for duty of care. FSPs should be assessed on their compliance with these standards by regulators, and by the judge or KiFid in case of a trial or complaint. Online banking customers should at least install a virus scanner and a firewall and take care of software updates.
8.1.5. What is the moral standard for the duty of care / due care of the Financial Services Provider?
A part of this question has already been answered in the market view on moral standards for the FSP (paragraph 8.1.4). We have concluded that, in order to take care of their duty of care, FSPs should comply with the payment recommendations of the European Central Bank (paragraph 4.4.3). Due care should also be added to the moral standard (paragraph 4.3.7). FSPs will have to take all reasonable steps to protect the customer and to ensure that the customer is informed of any irremovable risks. This connects to the findings of the focus interviews. The provided information should be short, easy to read, presented in multiple ways (not only on one media type), connected to the capabilities and risk profile of the customers, and sent on a recurring basis (paragraph 7.1.3 and paragraph 7.2.3). Participants have explained that understanding the necessity of these measures would most likely improve their awareness and willingness to take the required measures. Participants also indicated that the FSP should verify that their customers have obtained the required knowledge and support them, if necessary, with a helpdesk facility (paragraph 7.3.2). If an FSP anticipates (or should anticipate) that some of its customers are too inexperienced or unskilled to be aware of the risks, the FSP owes them a greater degree of care compared to customers of ordinary intelligence and prudence (paragraph 4.3.1 and paragraph 7.1.3).

Conclusion
FSPs should comply with the payment recommendations of the European Central Bank and with due care responsibilities as part of their duty of care. Regulators should audit and certify whether or not FSPs are complying with their duty of care. The due care of the FSPs should also be included in the audit and certification.
The judge or KiFid should, in case of a trial or complaint, assess whether the FSP has taken care of its duty of care. FSPs will have to improve their communications and should tailor the communications and duty of care to the knowledge and skills of the customer. Communications and duty of care are thus not a one-size-fits-all solution. Because of the importance of the measures, FSPs should support their customers in taking those measures, for example with helpdesk facilities. Furthermore, FSPs should verify that the customer has indeed received and understood the provided information. Because we cannot completely define to what extent FSPs are taking care of their duty of care, and because due care is a new element, we cannot determine to what extent FSPs are satisfying the duty of care and due care elements. However, given the fact that customers indicate that the provided information is poor, we can conclude that these two elements are not completely fulfilled, because information is part of the duty of care and due care.

8.1.6. What is the moral standard for the customer's behavior related to gross negligent behavior?
According to the law and the due care view, customers have the responsibility to act according to the moral standard and not to act in a grossly negligent way. According to FSPs, this means complying with their terms and conditions (paragraph 4.2.1 and paragraph 4.3.1). In the focus interviews, participants indicated that they do not comply with all the measures in the terms and conditions. They have also indicated that FSPs are asking too much of their capabilities (paragraph 7.2.3). This participant statement is even more interesting when we take note of the outcome of the governmental research about the customers' knowledge and abilities, which states that customers are overconfident about their cyber security skills (paragraph 4.4.1). Because participants are currently not aware of all the measures and do not understand the importance of these measures, they find it difficult to come up with a new moral standard. The literature and interviews have indicated that multiple moral standards should be created (paragraph 4.4.4 and paragraph 7.2). Based on the literature, we can state that having a virus scanner, a firewall and recently updated software (for example the most recent version) can be included in the moral standard for the majority of customers (paragraph 8.1.4). Participants agree that these are reasonable measures (paragraph 7.2.3). Participants also agree that, according to the moral standard, they should not share their private access codes.

Conclusion
The research has indicated that different groups of customers should have different moral standards, based on the knowledge and skills of the customer.
Based on the current information we cannot define the different moral standards. In order to define the different moral standards, FSPs together with their customers will first have to define the different groups of customers and then define the generic skills and knowledge of each group. The customers' responsibility to improve their moral consciousness and their awareness of online fraud should also be included in the moral standard. It's about time customers take their own online security seriously.
8.1.7. To what extent are the critical elements of responsibility fulfilled in the current situation?
Elements of responsibility
The elements of responsibility have been defined in paragraph 4.3.3 and are presented in the conceptual model in chapter 5.

The first customer element is duty. In the literature review we have identified that customers do have a moral duty to act in a careful way (paragraph 4.2.1). According to the FSPs, customers also have the duty to act in accordance with the product terms and agreements (paragraph 4.2.4). Based on the outcomes of the focus interviews, we can conclude that customers are not aware of their duty. From the viewpoint of the customer the duty is not completely defined. This element is thus only partially fulfilled.

The second customer element is knowledge. The knowledge and awareness of the obligation is very limited amongst all participants (paragraph 7.1.3). The knowledge about the preventive measures is very limited. None of the participants are aware of the measures they have to take according to the terms and conditions. Participants are of the opinion that it's not reasonable to expect them to be aware, since using the terms and conditions for this kind of information is not sufficient (paragraph 7.2.3). This element is thus not fulfilled.

The third customer element is volition. Online banking customers are either 18 years or older or are under supervision of their parents or another legal representative. By law these persons or their supervisors should have the legal capacity to make the decision to become an online banking customer. The types of fraud in scope of this research do in general not use any coercion. This element is thus fulfilled.

The fourth customer element is ability. In general, participants have answered that they are not capable of taking all the measures that are required by the FSPs.
Some measures seem impossible to execute because of the skills of the participants (for example IT skills), others are impossible to execute because of the willingness of the customer (for example checking the debit card every day). Participants have also argued that the abilities differ from individual to individual. Especially the group of elderly and lower (computer) skilled customers seems to have a lower ability to meet the demands (paragraph 7.1.3 and paragraph 7.2.3). Participants do still have alternatives other than online banking, for example at the branch office. These options are however decreasing. FSPs are closing more and more branches, which makes it more difficult for customers to use alternatives. The element of ability is thus only partially fulfilled.

The fifth and final customer element is intention. Participants have indicated that they do not know the modus operandi of most fraudulent practices. Participants are in particular not aware of malware (paragraph 7.1.2). Therefore it's not likely that the participants will be able to calculate the consequences of, for example, visiting unsecure websites and not taking care of all computer related security measures. The majority of participants are not aware that FSPs don't always reimburse their customers' losses. Participants are thus not completely aware of the consequences of incorrect actions (paragraph 7.1.4). Legally we can argue that customers have the mental capacity to consider alternatives, since they are 18 years or older or supervised. From a moral perspective this depends on the skills of the customer. Customers with low (computer) skills might be less able to consider the alternatives, especially when the FSP is promoting the usage of online banking. Overall the element of intention is only partially fulfilled.

Conclusion
In the interview population, only one of the five elements of responsibility is completely present. This means that, from an ethical perspective, we can conclude that a customer currently cannot be held responsible for the losses due to customer targeted online banking fraud. It doesn't seem morally right to claim that a customer is acting in a grossly negligent way when the customer doesn't comply with the contents of the terms and regulations. The FSPs, the customer and potentially the government have a joint duty to increase the customers' awareness of their duty, the preventive measures, the knowledge of the threats and the consequences of these threats.
FSPs should also ensure (and regulators should assess) that the required customer measures are aligned with the customer capabilities. These capabilities differ from customer to customer. FSPs will therefore have to decide either to create generic required measures at a very low level, in order to make sure that all customers are able to comply, or to create different required measures per customer group (where groups are defined based on the customers' capacity and skills).
8.1.8. What are potential future joint responsibilities, liabilities and measures for the Financial Services Providers and their customers in the customer's point of view?
Participants of the focus interviews indicated that FSPs will first have to improve their communications and create measures that are connected to the skills and capabilities of their customers (as already concluded in paragraph 8.1.5 and paragraph 8.1.7). Participants added that if this is all well arranged, they would have the responsibility to read and understand the information, take the required measures and, if necessary, reach out to the helpdesk of the FSP for support (paragraph 7.3.1). The interview participants indicated that the 150 euro excess risk should only be deducted in case of negligent behavior, meaning that the customer has acted "foolish" but not grossly negligent. Other than that, participants stick to their earlier presented opinion about their liability (presented in paragraph 8.1.2). In terms of additional responsibilities for the FSP, participants have indicated that their FSPs are allowed to monitor their payments (customer profiling) (paragraph 7.3.2). The majority of participants would like their FSP to monitor their online banking session for malicious behavior and generate feedback on their websites (paragraph 7.3.2). The focus interview participants are of the opinion that online banking should no longer be a one-size-fits-all solution. FSPs should, together with their customers, create a risk profile of the customer. This risk profile should be connected to the different customer groups in terms of moral standards. When a customer has a high risk profile, the functionality of online banking should be restricted. Participants state that this risk profile should be an advice.
The customer should always be able to deviate from this risk profile, though this would mean that the FSP clearly states the risk of the deviation and that the customer accepts the connected risks and liabilities. Within the limits of the risk profile, participants have indicated that they would like to have the ability to set their own security measures, for example limited payment amounts, as long as this is adjustable for the customer in an easy way. The risk profile scoring should recur every "x" period (paragraph 7.3.2).

Conclusion
The participants indicated that they would like to have browser based feedback about the security of their online banking session. This feedback should include potential security risks such as outdated browsers or malicious behavior. The participants also indicated that they would accept a certain set of required measures and liabilities if the FSPs have taken enough due care. Customers indicated additional possibilities (next to the recommendations of the European Central Bank) for the FSP to protect their customers. The participants would accept a limited functionality of online banking as long as this is connected to their risk profile (tailored online banking environment). Creating a risk profile would allow the FSP to place their customers within the different customer groups, based on knowledge and skills. The regulator should determine if the correct generic risk profiles have been created. If each of these groups is connected to a moral standard, it would be easier to determine what the FSP as well as the judge can expect from the customer; the judge and the KiFid should assess this in case of a trial / complaint. Both the FSP and the customer will have the responsibility to create this risk profile.

8.2. Answer to the main research problem
The sub research questions in this chapter have provided answers to the current gaps and future possibilities for joint responsibilities and liabilities. Based on these answers, we can conclude that there is willingness for joint responsibilities among the vast majority of interviewed participants. They are willing to join the FSPs in their quest towards secure online banking. The main research problem of this report is: "How can a Financial Services Provider create joint responsibilities for the prevention of customer targeted online banking fraud - between themselves and their customers - in an ethical way?" In chapter 5 we concluded that all elements in the conceptual model will have to be fulfilled in order to achieve joint responsibilities. Figure 6 represents the assessed availability of the elements in the conceptual model.

Figure 6: Conceptual model assessed
Based on this assessment we can conclude that there are gaps (displayed in orange and red) between the current state of fulfillment of the individual elements and the desired state. In order to be able to achieve joint responsibilities, these gaps will have to be closed. FSPs will have to take the lead in closing these gaps. As concluded in the sub research questions, it will however not only be the FSPs that have to take action. The NVB, customers, government, legislators, judges and the KiFid will also have to take appropriate actions in order to close the gaps. These actions will be described in chapter 9. Blue elements (culpability, causal relationship and negligence) cannot be assessed on a generic level. These elements need to be assessed by the judge or the KiFid on an individual level for every individual case of fraud. Elements that are green (volition, law and enforcement) are completely fulfilled and will not require attention. The orange elements (duty, ability, intention, duty of care and due care) are only partially fulfilled. The red elements (knowledge and moral standards) are not fulfilled. From an ethical perspective the gaps will need to be closed in order to be able to achieve joint responsibilities. At first sight this assessment might seem overwhelming, and one might conclude that FSPs are doing a bad job in the protection of their customers. It's therefore important to highlight that FSPs are already taking different measures to protect their customers (paragraph 4.2.2). Though, in spite of all the current efforts, there are clear aspects for improvement. When the outcomes of the different conclusions in this chapter are analyzed, we find that the absence of clearly defined moral standards - for both the customer and the FSP - and of clear communication of preventive information from the FSPs to their customers are the root causes of the missing elements.
Solving these two root causes will have a positive effect on all the (partly) unfulfilled elements. And as already mentioned, it is not only the FSPs, but also the NVB, the customers, the government, legislators (paragraph 4.2.8), judges and the KiFid that will have to make efforts in order to achieve a joint responsibility.

8.3. Limitations
The known limitations prior to this research have been presented in paragraph 6.2. There are two important limitations that we need to add. This research has not succeeded in creating the moral customer standards. Neither has it been able to assess to what extent FSPs are complying with their own moral standards or the moral standards we could reasonably expect. Another important limitation is the fact that due care is currently not enforced by any law or regulations. Regulators therefore have to impose these new rules and regulations in order to give a legal status to these recommendations. Without the legal status we can only hold FSPs morally responsible and liable. Without legal enforcement there would be few possibilities for customers to defend these statements in court.

8.4. Recommendations for future research
The moral standards are vital parts in the quest towards joint responsibilities. Therefore, new research is required focusing on the different moral standards of the customers. The research should identify the different knowledge and skills groups amongst the customers and should create a generic moral standard for every different group. Future research could also be executed to determine the total hard and soft costs of customer targeted online banking fraud.
9. RECOMMENDATIONS
The general recommendation is to transfer the view on responsibility and liability to the due care view (based on paragraph 8.1.3) and to create joint responsibilities. In order to achieve ethical joint responsibilities, all elements of the conceptual model as represented in paragraph 8.2 should be completely fulfilled. To fulfill all elements, all involved stakeholders will have to take action. All actions are part of the joint responsibilities of the stakeholders. Some of these actions will have to be executed in collaboration, while other actions can be executed in isolation (paragraph 8.2). The different recommendations are grouped per stakeholder for readability purposes. In general, it is recommended that the FSPs and the NVB take the lead. All recommendations are based on the conclusions made in chapter 8.

9.1. Recommendations to Financial Services Providers and the NVB
The FSPs are recommended to:
1. in collaboration with their customers and the regulator, identify the different generic moral customer standards. This should result in generic risk profiles with connected responsibilities, liabilities and functionalities, based on the specific capabilities of the customer group (based on paragraphs 8.1.2, 8.1.4, 8.1.5 and 8.1.6). In case FSPs are not willing to create different moral customer standards, they are recommended to create a general moral standard based on the customers that possess the lowest knowledge and skills, in order to avoid asking too much of the customer's capabilities and skills (based on paragraph 8.1.7);
2. in case FSPs are implementing different risk profiles, FSPs should, in collaboration with their customers, define the risk profile of all individual customers and connect the required measures and liabilities to these risk profiles (based on paragraph 8.1.7 and paragraph 8.1.8);
3. in collaboration with the government, improve the moral consciousness of their customers about the threats of online banking fraud (based on paragraph 8.1.3 and paragraph 8.1.7);
4. improve the communication towards their customers and tailor the information based on the skills and knowledge of the specific customer. This information needs to be clear and understandable and communicated via separate channels. The communication should include the customers' responsibilities, the required measures, the necessity of these measures, the way fraud is currently perpetrated and the potential consequences of becoming a victim (based on paragraphs 8.1.2, 8.1.3 and 8.1.5);
5. verify that their customers have read and understood the communications (based on paragraph 8.1.5);
6. support their customers in taking the required security measures, for example by creating help desk facilities (based on paragraph 8.1.5);
7. implement the online payment recommendations of the European Central Bank (based on paragraph 8.1.4) and take care of due care responsibilities (based on paragraph 8.1.3 and paragraph 8.1.5);
8. terminate the "one-size-fits-all solution" of online banking and instead tailor the functionalities of online banking based on the customers' risk profile (based on paragraph 8.1.8);
9. provide their customers with possibilities to limit their own online banking functionalities and limits (based on paragraph 8.1.8);
10. create browser based feedback for their customers about the security of their online banking session (based on paragraph 8.1.8).

9.2. Recommendations to online banking customers
Customers are recommended to:
1. take notice of the (to be created) required moral standard, act accordingly and reach out for assistance if necessary (based on paragraph 8.1.3);
2. in collaboration with their FSP, define their personal risk profile and take appropriate action (based on paragraph 8.1.8);
3. improve their moral consciousness about the threats of customer targeted online banking related fraud (based on paragraphs 8.1.3, 8.1.6 and 8.1.7);
4. protect their personal devices against the risk of malicious software, at least by installing a virus scanner and a firewall and by taking care of the required software updates (based on paragraph 8.1.4).

9.3. Recommendations to the government and regulators
The government and their regulators are recommended to:
1. in collaboration with the FSPs, create regulations that describe the duty of care of the FSPs, including their due care responsibilities (based on paragraphs 8.1.2, 8.1.5, 8.1.7 and 8.1.8);
2. include the online payment recommendations of the European Central Bank in the required duty of care and due care regulations (based on paragraph 8.1.4 and paragraph 8.1.5);
3. assess whether or not FSPs are complying with the new regulations. These assessments should be available to regulators, judges and the KiFid (based on paragraph 8.1.2 and paragraph 8.1.5);
4. in collaboration with the FSPs and their customers, assess if the different moral customer standards and the connected responsibilities and liabilities are legitimate (based on paragraphs 8.1.2, 8.1.7 and 8.1.8);
5. in collaboration with the FSPs and their customers, improve the moral consciousness of their citizens about the threats of online banking fraud, for example by means of educational programs and repeated awareness campaigns (based on paragraph 8.1.3 and paragraph 8.1.7).

9.4. Recommendations to judges and the Financial Complaints Institute (KiFid)
In case of a legal complaint or court case, the judge and the KiFid are recommended to:
1. assess whether or not the FSPs have acted in compliance with their duty of care and due care (based on paragraph 8.1.2 and paragraph 8.1.5);
   - in case of an FSP not complying with these regulations, the judge or KiFid is recommended to assess if this non-compliance has negatively impacted the security of the customer in that specific case. Non-compliance could mean that a customer is not liable;
2. assess whether or not the expected measures are in line with the moral customer standard that may reasonably be expected (based on paragraph 8.1.2);
3. (if FSPs choose to implement customer risk profiles) determine if the customer's risk profile has been defined and assessed correctly (based on paragraph 8.1.8);
   - in case an FSP and the customer have not defined the correct risk profile, the judge or KiFid is recommended to assess who is to blame and if this non-compliance has negatively impacted the security of the customer in that specific case. Non-compliance could mean that a customer is not liable.
10. BIBLIOGRAPHY
Alert Online stimuleert veilig online gedrag | Nieuwsbericht | Rijksoverheid.nl. (2013). Retrieved November 02, 2013, from http://www.rijksoverheid.nl/ministeries/venj/nieuws/2013/10/28/alert-online-stimuleertveilig-online-gedrag.html
"Altijd geld terug bij internetcrime" - AD.nl. (2013). Retrieved May 30, 2013, from http://www.ad.nl/ad/nl/5595/Digitaal/article/detail/3449321/2013/05/30/Altijd-geldterug-bij-internetcrime.dhtml
AMRO, A. (2007). Algemene Voorwaarden Toegang ABN AMRO, (34334259), 4–7. Retrieved from https://www.abnamro.nl/nl/prive/betalen/internetbankieren/kenmerken.html
AMRO, A. (2010). Algemene Voorwaarden ABN AMRO Bank N.V. Retrieved from https://www.abnamro.nl/nl/prive/abnamro/productvoorwaarden.html
AMRO, A. (2012). Voorwaarden Betaaldiensten Particulieren Begrippenlijst, 1–7. Retrieved from https://www.abnamro.nl/nl/prive/abnamro/productvoorwaarden.html
AMRO, A. (2013). Betaaldiensten Particulieren. Retrieved from https://www.abnamro.nl/nl/prive/abnamro/productvoorwaarden.html
Anderson, R., Barton, C., Rainer, B., Clayton, R., Eeten, M. J. G. Van, Levi, M., … Savage, S. (2012). Measuring the Cost of Cybercrime (pp. 1–31). Retrieved from http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf
Banken krijgen uniforme veiligheidseisen | nu.nl/tech | Het laatste nieuws het eerst op nu.nl. (2013). Retrieved June 16, 2013, from http://www.nu.nl/tech/3476952/banken-krijgenuniforme-veiligheidseisen.html
Beveilig uw computer - ING - Veilig bankieren. (2013). Retrieved July 04, 2013, from http://www.ing.nl/de-ing/veilig-bankieren/veilig-internetbankieren/beveilig-uwcomputer/index.aspx
Boeije, H. (2012). Analyseren in kwalitatief onderzoek (pp. 1–179). Den Haag: Boom Lemma uitgevers.
Bommeljé, Y. (2013). De burger kan het niet alleen (pp. 1–76). Sdu Uitgevers. Retrieved from http://www.pblq.nl/publicaties/2013/pblqatie-41-de-burger-kan-het-niet-alleen
Bovens, M. A. P. (1990). Verantwoordelijkheid en organisatie (1st ed., pp. 1–348). Zwolle: W.E.J. Tjeen Willink.
Brinkmann, J. (2004). Looking at Consumer Behavior in a Moral Perspective. Journal of Business Ethics, 51(2), 129–141. doi:10.1023/B:BUSI.0000033607.45346.d2
BW:6. (2013). Burgerlijk Wetboek 6 Verbintenissenrecht.
BW:7. (2013). Burgerlijk Wetboek 7.
BW:7b. (2013). Burgerlijk Wetboek Boek 7b Betalingstransacties.
Capgemini. (2013). Trends in veiligheid (No. 0) (p. 72). Retrieved from www.trendsinveiligheid.nl
CBS. (2012). Online Banking Users. Retrieved from www.cbs.nl
Consumentenbond. (2013). Banken laten beroofde klanten in de kou staan | Consumentenbond. Retrieved July 16, 2013, from http://www.consumentenbond.nl/actueel/nieuws/nieuwsoverzicht-2013/Banken-latenberoofde-klanten-in-de-kou/
"Criminelen dol op verspreiden malware via advertenties" | nu.nl/binnenland | Het laatste nieuws het eerst op nu.nl. (2013). Retrieved June 07, 2013, from http://www.nu.nl/binnenland/3494774/criminelen-dol-verspreiden-malware-viaadvertenties.html
Dictionary, C. E. (2013). cybercrime. Collins English Dictionary - Complete & Unabridged 10th Edition. William Collins Sons & Co. Retrieved June 14, 2013, from http://dictionary.reference.com/browse/cybercrime
Dijsselbloem, J. R. V. A. (2012). Beantwoording kamervragen inzake vergoeding schade bij fraude internetbankieren. Retrieved from http://www.rijksoverheid.nl/documenten-enpublicaties/kamerstukken/2012/11/26/beantwoording-kamervragen-inzake-vergoedingschade-bij-fraude-internetbankieren.html
Dijsselbloem, J. R. V. A. (2013). Beantwoording kamervragen inzake vergoeding schade bij fraude internetbankieren 2. Retrieved from http://www.rijksoverheid.nl/documenten-enpublicaties/kamerstukken/2013/01/14/beantwoording-kamervragen-overschadevergoeding-ingeval-van-fraude-bij-internetbankieren.html
DNB. (2008). De Nederlandsche Bank Jaarverslag 2007 (pp. 1–182). Amsterdam. Retrieved from http://www.rijksoverheid.nl/documenten-enpublicaties/kamerstukken/2008/04/29/de-nederlandsche-bank-jaarverslag-2007.html
DNB. (2009). De Nederlandsche Bank Jaarverslag 2008 (pp. 1–190). Amsterdam. Retrieved from http://www.rijksoverheid.nl/documenten-enpublicaties/kamerstukken/2009/05/25/het-jaarverslag-van-de-nederlandsche-bank-over2008.html
ECB. (2013). Recommendations for the Security of Internet Payments (pp. 1–16). Brussels. Retrieved from http://www.ecb.int/pub/pdf/other/recommendationssecurityinternetpaymentsoutcomeofpcfinalversionafterpc201301en.pdf?af7f3ee30c31b6dbb0eef7d9e7976c7c
Faber, W. (2011). Phishing, Kinderporno en Advance-Fee internet fraud (pp. 1–413). Retrieved from http://www.wodc.nl/onderzoeksdatabase/exploratief-onderzoek-naarbest-practices-high-tech-crime-in-binnen-en-buitenland.aspx
Fraude internetbankieren stijgt eerste half jaar met 14% - Nederlandse Vereniging van Banken. (2012). Retrieved June 14, 2013, from http://www.nvb.nl/nieuws/2012/687/fraude-internetbankieren-stijgt-eerste-half-jaar-met14.html
Gevaarlijke malware verspreid via NU.nl - Security.NL. (2013). Retrieved June 07, 2013, from https://www.security.nl/artikel/46539/1/Gevaarlijke_malware_verspreid_via_NU.nl.html
Groenland, E. (2010). Kwalitatieve analyse in marktonderzoek: de Matrixmethode, 43(1), 43–48.
Hafkamp, W., & Steenvoorden, R. (2010). Experience from the financial sector with consumer data and ICT security. In Securing Electricity Supply in the Cyber Age (pp. 159–170). Springer Science + Business Media B.V.
ING. (2013). Voorwaarden en overige regelingen Voor particuliere rekeninghouders, 1–56. Retrieved from http://www.ing.nl/Images/Voorwaarden-en-overige-regelingen_tcm733137.pdf
Intensieve samenwerking politie, justitie en banken tegen internetfraude - Nederlandse Vereniging van Banken. (2011). Retrieved June 14, 2013, from http://www.nvb.nl/nieuws/2011/1133/intensieve-samenwerking-politie-justitie-enbanken-tegen-internetfraude.html
Internetbankieren ligt zwaarder onder vuur - Follow the Money. (2012). Retrieved July 03, 2013, from http://www.ftm.nl/original/internetbankieren-ligt-zwaarder-onder-vuur.aspx
IPOL. (2012). Nationaal Georganiseerde criminaliteit Nationaal dreigingsbeeld 2012 (pp. 1–286). Retrieved from http://www.politie.nl/binaries/content/assets/politie/documentenalgemeen/nationaal-dreigingsbeeld-2012/nationaal-dreigingsbeeld-eindrapport.pdf
Jeurissen, R. J. (2007). Ethics & Business. (R. J. Jeurissen, Ed.) (1st ed., pp. 1–296). Assen: Royal van Gorcum B.V.
Johnson, D. G. (2001). Computer Ethics (Third ed., pp. 1–240). Texas: Pearson Prentice Hall.
Johnson, D. G. (2009). Computer Ethics (Fourth ed.). London: Pearson Education Inc.
Kamer: bank moet schade phishing vergoeden - BNR Nieuwsradio. (2013). Retrieved July 04, 2013, from http://www.bnr.nl/feeds/anp/politiek/468013-1307/kamer-bank-moetschade-phishing-vergoeden
  • Kassa. (2013). Wie is verantwoordelijk bij internetfraude? Retrieved July 08, 2013, from http://kassa.vara.nl/tv/afspeelpagina/fragment/wie-is-verantwoordelijk-bijinternetfraude/speel/1/ Kassa, V. (2012). Slachtoffers van malware? Vara Kassa. Retrieved June 14, 2013, from http://kassa.vara.nl/tv/afspeelpagina/fragment/slachtoffer-van-malware-bij-abn-amrogeen-compensatie/speel/1/ KiFid. (2012). Phishing Uitspraak_2012-26. Kifid. Retrieved from http://www.kifid.nl/fileupload/jurisprudentie/GeschillenCommissie/2012/Uitspraak_201 2-26.pdf KiFid. (2013a). Phising Uitspraak_2013-117_Bindend. Kifid. Retrieved from http://www.kifid.nl/fileupload/jurisprudentie/GeschillenCommissie/2013/Uitspraak_201 3-117_Bindend.pdf KiFid. (2013b). Phising Uitspraak_2013-240_Bindend. KiFid. Retrieved from http://www.kifid.nl/fileupload/jurisprudentie/GeschillenCommissie/2013/Uitspraak_201 3-240_Bindend.pdf Koops, B., & Leenes, R. (2006). ID Theft , ID Fraud and / or ID-related Crime . Definitions matter 1 Some existing definitions 2 Identity-related Crime, 2006, 553–556. Krueger, R. A. (2009). Focus Groups: A pracitical Guide for Applied Research (Fourth Edi., pp. 1–219). SAGE publications. Luijk, H. van, & Schilder, A. (1998). Patronen van verantwoordelijkheid (2e oplage., pp. 1– 198). Schoonhoven: Academic Service. Malware Definition. (2013). Retrieved June 29, 2013, from http://www.techterms.com/definition/malware Malware vermomd als gratis antivirus AVG - Computerworld. (2011). Retrieved July 09, 2013, from http://computerworld.nl/beveiliging/74450-malware-vermomd-als-gratisantivirus-avg Page | 95
  • McGregor, S. L. T. (2006). Understanding consumers’ moral consciousness. International Journal of Consumer Studies, 30(2), 164–178. doi:10.1111/j.1470-6431.2005.00473.x Meulen, N. S. van der. (2011). Financial Identity Theft (pp. 1–305). The Hague: T.M.C. Asser press. Mok, M. R. (2005). Door de Bank genomen. (U. van Amsterdam, Ed.) (pp. 1–38). Wassenaar: Vossiuspers UvA. NCSC. (2012). Cybersecuritybeeld nederland (pp. 1–76). Den Haag. Retrieved from www.ncsc.nl NCTV. (2013). Nationale Cybersecurity Strategie 2 (pp. 1–36). Retrieved from www.nctv.nl Nederlanders massaal benaderd door internetcriminelen - Emerce. (2013). Retrieved July 11, 2013, from http://www.emerce.nl/wire/nederlanders-massaal-benaderd-doorinternetcriminelen Newman, G. R., & Mcnally, M. M. (2005). IDENTITY THEFT LITERATURE REVIEW (pp. 1–114). Retrieved from https://www.ncjrs.gov/pdffiles1/nij/grants/210459.pdf NVB. (2011). Vragen en antwoorden: Fraude met internetbankieren. Amsterdam: Security.nl. Retrieved from http://www.security.nl/files/nvb.pdf NVB. (2012). Betalingsverkeer veilig ondanks toename fraude -Nederlandse Vereniging van Banken. Retrieved June 14, 2013, from http://www.nvb.nl/nieuws/2012/1021/betalingsverkeer-veilig-ondanks-toenamefraude.html NVB. (2013). Scherpe daling fraude internetbankieren -Nederlandse Vereniging van Banken. Retrieved June 14, 2013, from http://www.nvb.nl/nieuws/2013/1812/scherpe-dalingfraude-internetbankieren.html Pharming Definition. (2013). Retrieved June 29, 2013, from http://www.techterms.com/definition/pharming Page | 96
  • Phishing Definition. (2013). Retrieved June 29, 2013, from http://www.techterms.com/definition/phishing Provos, N., Mcnamee, D., Mavrommatis, P., Wang, K., & Modadugu, N. (2008). The Ghost In The Browser Analysis of Web-based Malware (pp. 1–9). Retrieved from https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/provos/provos.pdf Raaij, G. A. & W. F. van. (1997). Consumentengedrag (Tweede dru., pp. 1 – 670). Utrecht: Lemma BV. Rabobank. (2013). Algemene voorwaarden voor betaalrekeningen en betaaldiensten van de Rabobank 2013 (pp. 1–31). Retrieved from http://www.rabobank.nl/images/av2013_webversie_29489024.pdf Rechtspraak, D. (2012). ECLI:NL:GHSHE:2012:BY2749. Retrieved June 07, 2013, from http://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:GHSHE:2012:BY2749 Rogerson, T. W. B. & S. (2004). Computer Ethics and Professional Responsibility (First edit., pp. 1–358). Malden: Blackwell Publishing Ltd. Slocum, N. (2003). PARTICIPATORY METHODS TOOLKIT A practitioner’s manual (pp. 1– 167). Belgian Advertising. Social engineering attack definition. (2013). Retrieved June 29, 2013, from http://security4web.org/glossary.php?w=Social engineering attack SP: verplicht internetbankieren op vakantie is zot - Security.NL. (2013). Retrieved June 13, 2013, from https://www.security.nl/artikel/46607/1/SP:_verplicht_internetbankieren_op_vakantie_is _zot.html Steeds meer slachtoffers bankfraude - Nieuwsuur.nl. (2012). Retrieved June 14, 2013, from http://nieuwsuur.nl/onderwerp/327399-steeds-meer-slachtoffers-bankfraude.html Techterms. (2013). Cybercrime Definition. Retrieved June 14, 2013, from http://www.techterms.com/definition/cybercrime Page | 97
  • Unisys. (2013a). Unisys Security Index 2013: The Netherland (p. 17). Amsterdam. Retrieved from http://www.unisyssecurityindex.com/system/reports/uploads/289/original/Unisys Security Index Netherlands 2013.pdf?1370377789 Unisys. (2013b). Unisys Security Index 2013: Global (p. 29). Amsterda. Retrieved from http://www.unisyssecurityindex.com/system/reports/uploads/279/original/Unisys Security Index Global May 2013.pdf?1368701986 Van Deursen, A. J. A. M. & V. D. (2012). Trendrapport internetgebruik 2012 (pp. 1 – 131). Twente. Retrieved from http://www.digivaardigdigiveilig.nl/uploads/Trendrapport_Internetgebruik_2012.pdf Velasquez, M. G. (1998). Business Ethics Concepts and Cases (Fourth Edi., pp. 321–341). Prentice-Hall Inc. Wall, D. S. (2008). Cybercrime, media and insecurity: The shaping of public perceptions of cybercrime1. International Review of Law, Computers & Technology, 22(1-2), 45–63. doi:10.1080/13600860801924907 Website Toyota verspreidt week lang malware - Security.NL. (2013). Retrieved June 21, 2013, from https://www.security.nl/artikel/46721/1/Website_Toyota_verspreidt_week_lang_malwar e.html Whithbeck, C. (1998). An appendix to ethics in engineering practice and research. Witteveen, M. A. P. B. / C. J. M. S. / W. J. (1989). Verantwoordelijkheid: Retoriek en Realiteit (1st ed., pp. 1–196). Zwolle: W.E.J. Tjeen Willink. Page | 98
APPENDICES
Appendix 1: Demographics of focus interview participants

Demographics per focus group:
• Focus group 1: age 18 – 34 years, higher educated, mixed living areas
• Focus group 2: age 50+, majority lower educated, rural area
• Focus group 3: age 18 – 34 years, medium to higher educated students, majority city
• Focus group 4: age 35 – 49 years, majority higher educated, city
• Focus group 5: age 18 – 49 years, lower to medium educated, majority immigrants, city
Appendix 2: Focus interview questionnaire

Perceived level of security of online banking
• Have you got any security-related concerns using online or mobile banking?

Level of customer awareness per type of fraud
• Are you aware of fraud executed on online banking?
  o Which types of fraud do you know, and do you know how they are applied?
• How would you rate the possibility that you would become a victim of cyber crime?
• Have you personally been impacted by fraudulent activities? If yes:
  o How do you feel about this fraudulent occasion?
  o How would you describe the communication and relation with your FSP during this occasion?

Level of moral hazard
• Who in your opinion is responsible for the security of online banking?
• Who should pay in cases of fraudulent activities, and why?
• Do you feel morally responsible for secure behavior?

Level of knowledge about means of prevention per type of fraud
• What do you feel is your current responsibility towards the prevention of fraudulent activities?
• What preventive measures do you take?
• How do you feel about the information your FSP provides you with related to prevention possibilities?
• Do you know which measures your FSP requires you to take in their terms of use? If yes:
  o What do you think about these measures?

Current legal liability
• Do you know that you currently have an excess risk?
• FSPs do not want to reimburse your losses in cases of gross negligent behavior. What do you define as gross negligent behavior?

Activities, responsibilities & liabilities of the Financial Services Provider
• Which activities do you think the FSP currently undertakes to prevent fraudulent activities?
• What do you feel is the FSP's current liability toward the prevention of fraudulent activities?

Cyber crime related to physical crime
• How do you relate cyber crime to physical theft?
• Do you accept mandatory insurances towards physical theft?
• Do you accept own risk in cases of physical theft?
• Do you accept mandatory security measures to prevent physical theft?
• To what extent would you accept the above measures for cyber crime related theft?
  o Would you accept a mandatory insurance policy towards fraud executed due to your own shortcomings?

Acceptable mandatory future customer responsibilities
• Inform the customer about what they should do according to the terms and conditions and ask them to react.
• What would be acceptable safety measures / precautions you would need to take?
  o Why?

Acceptable mandatory future customer liabilities
• In general, what liability would be acceptable (in terms of amount or percentages)?
  o Why?
• What liability would be acceptable when your PC is used for fraudulent behavior?
• What liability would be acceptable when the fraud is executed after you have (indirectly) given your credentials to a fraudster?

Future activities, responsibilities & liabilities for the FSP
• What kind of additional activities should the FSP undertake to prevent cybercrime?
• Should the FSP give you more information / insights into how cyber crime is committed, and what would you do with that information?
• Which of your customer and payment data is the FSP allowed to use?
• Is the FSP allowed to monitor your PC for fraudulent behavior, and to what extent?
  o Is the FSP allowed to block your online banking access when malicious software is detected on your PC?
• Should the FSP inform you when a security breach is detected in your internet session?
• Is the FSP allowed to block your online banking access when the software and security measures on your PC are very outdated and therefore impose a potential security risk?
• Should the FSP provide you with options you can set yourself related to access control and security measures?
  o Should you be able to restrict functionality of the online channel?