3. THESIS FOCUS
3.1. History
The previously described types of crime are part of so-called identity theft. What do we mean...
2013). Cybercrime has become the most popular and widespread term. In this research we
should be careful using this term s...
justifications of this standpoint and the way forward (Dijsselbloem, 2012). The scope of this
debate is focused on the dif...
retransfers the customer to the fake website when the customer types in the FSP’s website in
their internet browser or whe...
(“Website Toyota verspreidt week lang malware - Security.NL,” 2013). According to Chengyu
Song et al., drive-by downloads ...
The main academic area of this research is ethics. This research will provide answers to the
necessary elements of joint r...
The following sub question will be answered by means of a combination of a desk research
literature review (chapter 4) and...
Page | 14
4. LITERATURE REVIEW
This literature review will provide insights and answers to the first six sub research questions
(par...
topic as on the main limitations of her research (Meulen, 2011). Van der Meulen refers to this
as: “Due to the lack of emp...
This decrease has continued during the first half year of 2013. As displayed in figure 2, the financial losses over the se...
number of occasions during the first 6 months of 2013). In the same period the Dutch Central Statistical Bureau (CBS) repo...
image and customer satisfaction. Opportunity costs are the missed opportunities for other
investments, money spent on secu...
can use these tools to communicate their story and potentially impact the feelings and thoughts
of other customers. This h...
4.2. Legal framework
The responsibilities and liabilities of the FSPs and their customers are arranged by Dutch laws.
This...
a lost or stolen payment instrument, as arranged in article 7:529 BW (BW:7b, 2013). It’s
important to notice that the FSP ...
Personal attributes (something or somewhere the customer is), for example biometrics, geographical locations or custome...
than they should do from a legal perspective. Up until 2012 there had not been any signals in the
media or court of FSPs t...
fact, the mandatory measures with regards to the protection against online fraud are more or less
the same for the studied...
The customer should verify if the behavior of the website for authentication and the verification of the transaction is...
what the customer can expect as a duty of care. This will make it very difficult for a consumer to
know what to expect fro...
The final judgment about the act of gross negligence is to be filed by the financial affairs
complaints institute (KiFid) ...
by the customer related to the duty of care of the FSP. We could for example argue that, the FSP
should have the potential...
their customers on the detection measures of fraudulent activities (“SP: verplicht
internetbankieren op vakantie is zot - ...
4.2.8. Conclusion
The liability enforcement is clearly arranged by law. The responsibilities of the customer and the
FSPs ...
4.3. The ethical point of view
In her book “Computer Ethics” Deborah G. Johnson asks the question how these ethical issues...
products. The real question is where the consumer’s duty to protect its interest ends, and where
the businesses’ duty to p...
business violates this duty and is negligent when, there is a failure to exercise the care that a
reasonable person could ...
responsibility of paying for their own injuries, the social costs theory will encourage carelessness
in consumers. An incr...
The second type is responsibility as ability. This means that in order to be responsible, a person
should have had the abi...
Secure online banking, a quest towards joint responsibilities

Master thesis focusing on the quest towards joint responsibilities for secure online banking.


Secure online banking
A quest towards joint responsibilities

Thesis EMBA
P.M.W.J. (Paul) van Dommelen
November, 2013
Nyenrode Business Universiteit

Title page

Title: Secure online banking, a quest towards joint responsibilities
Document: Final Thesis Executive MBA
Report status: Final version
Author: P.M.W.J. (Paul) van Dommelen
Thesis supervisor: Professor Dr. R.J.M. Jeurissen
Class: EMBA 10
Date: 08-11-2013
E-mail address: paul.van.dommelen@capgemini.com

Nyenrode Business University, Straatweg 25, 3620 AC Breukelen
Capgemini Nederland B.V., Reykjavikplein 1, 3543 KA Utrecht
Preface

For the past two years I have been on a personal journey. A journey towards the completion of my Executive MBA program. It has been fun, informative and above all a very challenging experience. I’m grateful for all the knowledge and experiences that I have obtained. I have enjoyed a lot of interesting, nice, intense and also relaxing moments with my classmates of the EMBA10 class. Their personal views and experiences have made this MBA a truly unique and rewarding experience.

I’m proud to present my master thesis, the final step towards completion of the EMBA program. My master thesis focuses on joint responsibilities for secure online banking. This topic has been the subject of intense debates, both in private as well as in public settings. These debates have drawn my attention, both from a professional as well as a personal interest. I have devoted the past 6 months to analyzing this problem and to finding opportunities to improve the current situation. I became passionate about this research because of the complexity and importance of the subject and feel personally committed to helping to resolve the current problems.

I would like to show my appreciation to my employer, Capgemini, and more specifically my manager René Roest. They have provided me with the opportunity to enroll in this program. I would like to thank my colleague Nienke van den Brink, who has been my company supervisor for this thesis. Next to my employer and colleagues, I would like to thank the Nyenrode Business Universiteit, their professors, staff and partner universities. I would especially like to thank Professor Dr. R.J.M. Jeurissen, who has been my faculty supervisor during this thesis. I’m thankful for the guidance, knowledge and energy he has provided to me. I would also like to thank the participants of the focus interviews, as they have invested their personal time to allow me to find answers to my questions.

Finally I would like to express my deepest gratitude and appreciation to my partner Beeshema and our daughter Lakisha. They have been an incredible support during the difficult and challenging moments. The dedication and amount of energy which they have had to invest to keep our personal lives as normal as possible is truly remarkable. I couldn’t have achieved the obtained results without their love and support. I can only imagine how difficult it must have been to always get the answer “next year” when a family activity was proposed. The good news is: the next year is yet to come!
TABLE OF CONTENTS

Title page ...... iii
Preface ...... v
1. Executive summary ...... 1
2. Introduction ...... 5
3. Thesis focus ...... 7
3.1. History ...... 7
3.2. Types of customer targeted online banking fraud ...... 9
3.2.1. Phishing ...... 9
3.2.2. Pharming ...... 9
3.2.3. Social engineering ...... 10
3.2.4. Malware ...... 10
3.3. Management problem ...... 11
3.4. Reason for the research ...... 11
3.5. Scope of the research ...... 12
3.6. Research methodology ...... 12
3.7. The research problem ...... 12
3.8. Research goals ...... 13
3.9. Abbreviations ...... 13
4. Literature review ...... 15
4.1. What is the impact of the problem? ...... 15
4.1.1. Number of fraudulent occasions and hard costs ...... 15
4.1.2. Soft costs for Financial Services Providers ...... 18
4.1.3. Costs for impacted customers ...... 19
4.1.4. Impact on society ...... 20
4.1.5. Conclusion ...... 20
4.2. Legal framework ...... 21
4.2.1. Legal responsibilities and liabilities ...... 21
4.2.2. How Financial Services Providers take care of their duty of care ...... 22
4.2.3. Compensation policies of Financial Services Providers ...... 23
4.2.4. The customer’s responsibilities specified in the terms and conditions ...... 24
4.2.5. Liability ...... 27
4.2.6. What is gross negligence? ...... 27
4.2.7. Government ...... 29
4.2.8. Conclusion ...... 31
4.3. The ethical point of view ...... 32
4.3.1. A power balance of responsibilities ...... 32
4.3.2. Responsibility types ...... 35
4.3.3. Elements of responsibility ...... 37
4.3.4. Moral consciousness ...... 37
4.3.5. Joint responsibility ...... 38
4.3.6. Who should be responsible? ...... 39
4.3.7. Conclusion ...... 40
4.4. View from market research ...... 41
4.4.1. The view on the customer’s abilities to detect ...... 41
4.4.2. How customers currently secure themselves ...... 44
4.4.3. The view on the Financial Services Provider’s duty of care ...... 44
4.4.4. Conclusion ...... 47
5. Conceptual model ...... 49
6. Customer research ...... 51
6.1. Research type ...... 51
6.2. Scope and limitations ...... 52
6.3. The sample ...... 52
6.4. Data collection technique ...... 53
6.5. Interview questions design ...... 53
6.6. Variable measurement and validation ...... 54
7. Research results ...... 55
7.1. Elements of responsibility ...... 55
7.1.1. Perceived level of security ...... 55
7.1.2. Level of customer awareness per type of fraud ...... 56
7.1.3. Level of knowledge about preventive measures ...... 57
7.1.4. Power balance of responsibility ...... 60
7.2. The moral standard ...... 62
7.2.1. Current customer’s responsibility and legal liability ...... 62
7.2.2. Online banking fraud compared to physical crime ...... 64
7.2.3. Terms and conditions ...... 65
7.3. Future joint responsibilities and liabilities ...... 67
7.3.1. Future customer responsibility and liability ...... 67
7.3.2. Activities and responsibility of the Financial Services Provider ...... 67
8. Analyses and conclusions ...... 71
8.1. Answers to the research questions ...... 71
8.1.1. What is the current impact of online banking fraud? ...... 71
8.1.2. What is the legal framework of the responsibilities and liabilities? ...... 72
8.1.3. What is the ethical view on joint responsibility? ...... 75
8.1.4. What is the known view on moral standards from market research? ...... 77
8.1.5. What is the moral standard for the duty of care / due care of the Financial Services Provider? ...... 78
8.1.6. What is the moral standard for the customer’s behavior related to gross negligent behavior? ...... 79
8.1.7. To what extent are the critical elements of responsibility fulfilled in the current situation? ...... 80
8.1.8. What are potential future joint responsibilities, liabilities and measures for the Financial Services Providers and their customers in the customer’s point of view? ...... 82
8.2. Answer to the main research problem ...... 83
8.3. Limitations ...... 84
8.4. Recommendations for future research ...... 85
9. Recommendations ...... 87
9.1. Recommendations to Financial Services Providers and the NVB ...... 87
9.2. Recommendations to online banking customers ...... 88
9.3. Recommendation to the government and regulators ...... 88
9.4. Recommendations to judges and Financial Compliant Institute (KiFid) ...... 89
10. Bibliography ...... 91
Appendices ...... 99
Appendix 1: demographics of focus interviews participants ...... 101
Appendix 2: Focus interview questionnaire ...... 103
1. EXECUTIVE SUMMARY

The phenomenon of financial identity theft has existed for decades, possibly even ages, and is perhaps even as old as the introduction of identities itself. With the introduction of personal computers, the World Wide Web and the smartphone, a new form of financial identity theft emerged. This paper focuses on high-tech financial identity theft targeting online banking customers of Dutch Financial Services Providers (FSPs) by means of phishing, pharming, social engineering and malware. For the past couple of years, FSPs have increased their efforts to find ways to mitigate these threats by creating a variety of (technical) solutions. Despite these measures, FSPs have been confronted with an increase in the impact and the costs over the past couple of years. FSPs would like to involve their customers and join forces in order to mitigate the likelihood of successful attacks on the customer’s online banking account. In order to do so, FSPs will have to find a way to deal with the information deficit, competences and skills of their customers.

We are currently confronted with cases in which some of the FSPs are not reimbursing the financial losses of their customers, because these customers - according to the FSP - have acted in a grossly negligent way. As a result, current debates focus on what kind of responsibility distribution amongst the FSPs and their customers is correct and morally acceptable. This responsibility distribution is the focus of this document. The main research problem of this research is: “how can a Financial Services Provider create joint responsibilities for the prevention of customer targeted online banking fraud - between themselves and their customers - in an ethical way?”

This research has been executed by a combination of a literature review (desk research) and customer focus interviews (field research). By using the literature review, some research questions have been answered and the important gaps in the current literature were identified. In order to fill these gaps, field customer research was executed, using focus interviews with groups of Dutch retail online banking customers.

One of the main problems in the current situation is the absence of a clear moral standard for secure customer behavior and a clear moral standard for the FSP’s duty of care. On the one hand, the duty of care of the FSP is not clearly defined by law or regulations, nor is it publicly communicated what measures FSPs are taking to protect their customers. Therefore it’s difficult to determine if FSPs are protecting their customers in the best possible ways. On the other hand, customers are being held responsible for measures that they are not necessarily aware of or capable of taking. Determining whether or not somebody has acted with gross negligence is difficult if not impossible when moral customer standards are not determined and validated.

The research has indicated that different moral standards should apply amongst different groups of customers. These moral standards should be based on the customers’ skills and knowledge, for example mental capabilities and computer skills. The research has identified that the current customer knowledge regarding the threats of online banking and protective means, as well as their current skills, is low. Despite the current level of skills and knowledge, from an ethical perspective it seems reasonable to shift the current power balance of responsibilities and liabilities to joint responsibilities. The past situation in which the FSP reimbursed the financial damages is leading to moral hazard and moral unconsciousness amongst their customers.

Shifting the power balance however doesn’t mean that responsibilities are simply shifted from the FSP to the customer. Joint responsibility means that everyone receives a part of the total responsibility, on the condition that the total sum of responsibilities increases. For example, when a customer receives the responsibility to take certain measures, the FSP will have to receive the responsibility to inform their customers about their responsibility, the necessity, the means to take care of this responsibility and the potential effects of not taking these measures. Overall, as a society we should improve the moral consciousness of the threats and security measures related to the internet and more specifically to online banking. This is a joint responsibility for the NVB, FSPs, their customers and the government.

Shifting the power balance of responsibility to a due care model seems legitimate once the necessary preconditions have been met. These preconditions have been grouped and assessed into the following model:

[Figure: assessment model of the preconditions for joint responsibilities; the image itself is not included in this transcript]

All elements in this model will have to be fulfilled in order to achieve joint responsibilities. Based on this assessment we can conclude that there are gaps (displayed in orange and red) between the current state of fulfillment of the individual elements and the desired state. This research indicates that the absence of clearly defined moral standards - for both the customer and the FSP - and clear communication about preventive information from the FSPs to their customers are the root causes of the missing elements. Solving these two root causes will have a positive effect on all the (partly) unfulfilled elements. It’s recommended that FSPs take the lead in closing these gaps. Besides the FSPs, the NVB, customers, government, legislators, judges and the KiFid will also have to take action in order to close the gaps. This report therefore includes recommendations to all these stakeholders.

The moral standards are vital parts in the quest towards joint responsibilities. This paper doesn’t define the different moral standards. Therefore, new research is required focusing on the different moral standards of the customers.
2. INTRODUCTION

It was on a Friday morning when Mrs. de Vries (67 years of age), who lives in Amsterdam, received an e-mail from her Financial Services Provider (FSP). In the e-mail the FSP explained that they would like to update the contact details of Mrs. de Vries in their database. Mrs. de Vries was asked to click on a link in the e-mail in order to be redirected to the FSP’s website. On this website she updated her mobile phone number. A couple of days later Mrs. de Vries received a phone call from her FSP. The FSP’s employee introduced herself as Laura Janssen, working for the security department of the FSP. She informed Mrs. de Vries that she would like to verify that the phone number indeed belonged to Mrs. de Vries. The employee told Mrs. de Vries that she was not allowed to disclose her personal PIN code as a means of verification. The FSP’s employee asked Mrs. de Vries to take her debit card and the online banking device. The FSP’s employee provided Mrs. de Vries with a code (the so-called challenge code) and asked her to disclose the corresponding code on her banking device (the so-called response code). The FSP’s employee verified the code and asked Mrs. de Vries to go through the same procedure once again. After a successful verification, the FSP’s employee thanked Mrs. de Vries for her understanding and wished her a pleasant remainder of the day.

About three days ago, Mr. de Groot (32 years of age), who lives in Twente, needed to transfer money to his friend. He logged in to the FSP’s online banking website and entered the details of the transaction. In order to approve the transaction, the FSP’s website instructed Mr. de Groot to use his mobile phone as a means of verification and approval. He received an SMS from the FSP with a code, entered the code and validated the transaction. The FSP’s website displayed a screen informing Mr. de Groot that the website was currently busy and instructed him to be patient. After 20 seconds the website informed him that something had gone wrong with the verification of the transaction. Mr. de Groot was instructed to request a new code, using his mobile phone. He requested and received this new code. He then typed the code into the web browser. Mr. de Groot received a confirmation of the request and logged off from the online banking environment.

Although Mrs. de Vries and Mr. de Groot are not familiar with each other, they do have something in common. Both of them received a phone call from their FSP informing them that they had become victims of online banking fraud. Criminals had used the verification codes of Mrs. de Vries and Mr. de Groot in order to transfer money from their online banking accounts to a fraudulent account. After this phone call, both Mrs. de Vries and Mr. de Groot were asking themselves the same questions: What has just happened to me? How could this happen? How come I didn’t notice this? Is this real? Who is responsible? Who is liable for this? Will I receive a reimbursement or compensation for the financial damages?

Two weeks later Mrs. de Vries received a letter from her FSP informing her that they were not going to reimburse the financial damage, since Mrs. de Vries had shared her access codes, which is in violation of the FSP’s terms and conditions. Mr. de Groot also received a message from his FSP (which is a different FSP) informing him that they were going to compensate him for his financial losses. While both had been the victims of online banking related fraud, the financial compensation result differs. Is this right? Is this ethical? This thesis will focus on these questions and will guide us on a quest towards joint responsibilities for the prevention of these types of crime.
3. THESIS FOCUS

3.1. History

The previously described types of crime are part of so-called identity theft. What do we mean when we speak of identity theft, what is the definition? Koops & Leenes have studied the definition of identity theft and came to the following conclusion: “Identity theft is often perceived as one of the major upcoming threats in crime. However, there is no commonly accepted definition of ‘identity theft’ or ‘identity fraud’, and it is impossible to study the real threat of this phenomenon without conceptual clarity.” (Koops & Leenes, 2006). After studying all relevant definitions, they came to the following definition, which in my opinion is the most accurate: “Identity ‘theft’ is fraud or another unlawful activity where the identity of an existing person is used as a target or principal tool without that person’s consent.”

There are many different forms of identity fraud and not all of them take financial advantage of the target. In their literature review about identity theft, Newman and McNally have identified seven different types of identity theft (Newman & Mcnally, 2005). One of these types is defined as financial scams, also called Financial Identity Theft. They define these Financial Scams as: “There is a wide variety of scams that may be committed with the goal of obtaining from victims their personal information. These types of identity theft are obviously also related to the exploiting of specific technologies and information systems. Fraudsters place false “store fronts” on the web that imitate well known web retailers, or send tricky email or pop-up solicitations ("phishing") requesting financial and personal information. The majority of these types of fraud use relatively tried and true old scams adapted to new technologies. They all essentially depend on tricking or duping the victim”. Or, in a shorter version as defined by Nicole S. van der Meulen (Meulen, 2011): “Financial identity theft refers to the misuse of identity of another person in an effort to unlawfully obtain financial benefits”.

The phenomenon of financial identity theft has existed for decades, possibly even ages, and is perhaps even as old as the introduction of identities itself. While the problem has been around for a very long time, the nature of the problem has changed. With the introduction of personal computers, the World Wide Web (later on in this paper referred to as the internet or online) and the smartphone, a new form of financial identity theft emerged. This digital form of financial identity theft is often referred to as a high tech method, online crime or cybercrime (Johnson, 2009). Cybercrime is defined as crime committed by means of computers or the internet (Dictionary, 2013). Cybercrime has become the most popular and widespread term. In this research we should be careful using this term since it includes more types of crime than only financial identity theft. It for example includes anything from illegally downloading music files to stealing millions of dollars from online bank accounts. Cybercrime also includes non-monetary offenses, such as creating and distributing viruses to other computers or posting confidential business information on the Internet (Techterms, 2013). These high tech methods are a variant of the low tech “old-fashioned” methods such as robbery and pickpocketing. The examples described in the introduction of this paper are forms of these high tech methods. This paper focuses on high tech financial identity theft targeting customers of FSPs. In this research we will therefore use the term customer targeted online banking fraud.

The first forms of fraud with online banking were reported by the Dutch Central Bank (De Nederlandsche Bank) in the annual reports of 2007 and 2008 (DNB, 2008)(DNB, 2009); figures were however not disclosed. Hafkamp and Steenvoorden refer to this as “serious and sophisticated attacks on online banking since the beginning of 2007” (Hafkamp & Steenvoorden, 2010). Thus, while the first forms of high tech online crimes targeting online banking started in 2007 and rapidly grew, the publicly available information about the real problem is vague. Still, the year 2007 can be marked as the starting point of online banking related identity theft in the Netherlands. FSPs jointly launched their first customer awareness campaign related to these new types of crime during 2008 and have launched more awareness campaigns later on, for example the “drie keer kloppen” (knocking three times) campaign and the most recent campaign “Veilig Bankieren” (Secure Banking). Despite these campaigns and the joint efforts of the FSPs, the Police Force and the Ministry of Justice, the impact of these high tech crimes has grown (“Intensieve samenwerking politie, justitie en banken tegen internetfraude -Nederlandse Vereniging van Banken,” 2011). Although the financial damages increased for the FSPs, this initially didn’t impact their customers. Up until 2012, the FSPs had always reimbursed their customers for the financial losses due to these types of crime. In the beginning of 2012 the situation changed as some of the FSPs decided not to compensate their customers because they had violated the general terms and conditions of online banking (Kassa, 2012). This new policy of some of the FSPs resulted in a media debate as well as debates in the Ministry of Finance and the Dutch government about the justifications of this standpoint and the way forward (Dijsselbloem, 2012). The scope of this debate is focused on the different responsibilities and liabilities of all parties involved. Since the points of view of the various stakeholders are different and conflicting, this topic is likely to remain a debate in the near future.

3.2. Types of customer targeted online banking fraud

There are a number of high tech methods which are currently targeting the FSPs and their customers. It’s important to understand the different methods that criminals use to commit these forms of crime, as these types of crimes will be referred to in this research.

3.2.1. Phishing

Phishing is the attempt to acquire personal information in order to abuse this information for identity theft. Criminals try to obtain the customer’s personal data such as usernames, passwords, pin codes, debit cards and other private information. A well known form of phishing is the distribution of fake e-mails. Criminals send out e-mails that appear to come from a legitimate source such as an FSP, in which they ask the customer to visit a website (which has the same layout as the website of the FSP) in order to check their credentials, to reply to the e-mail or to open an attachment (“Phishing Definition,” 2013). The intent of the criminal is either to receive the customer’s details or to install malware on the customer’s personal device. When the criminal wants to obtain the customer’s personal data, the e-mail or website for example instructs the customer to update their private information and asks for the username, passwords and / or response codes of the FSP. When the criminal wants to install malware, the e-mail will request the customer to open an attachment. When the customer opens the attachment the malware will automatically be installed without the knowledge of the customer. The e-mail could also request the customer to visit a website which is infected by malware. Once the customer visits the website, malware will automatically be installed without the customer’s knowledge. Criminals will use the obtained data in order to abuse the customer’s identity. They will use this information to log in to the customer’s online banking account. Then they will transfer the money from the victim’s bank accounts.

3.2.2. Pharming

Pharming is yet another way hackers attempt to manipulate users on the Internet. While phishing attempts to capture personal information by getting users to visit a fake website, pharming redirects users to false websites (“Pharming Definition,” 2013). The criminal for example posts a fake website in a search engine, giving the search result the name of the FSP’s website, or redirects the customer to the fake website when the customer types in the FSP’s website in their internet browser or when they click on the bookmark in their favorites (the criminal might have used malware to change the bookmark into the fake website). The fake website has the same look and feel as the original website. When a customer enters their online banking credentials, the information is stored in the criminal’s database and reused for financial identity theft (Faber, 2011).

3.2.3. Social engineering

Social engineering is a method in which the criminal uses human interaction in order to obtain personal information (“Social engineering attack definition,” 2013). A well-known form of social engineering is a criminal who pretends to be an employee of the FSP. The so-called employee will inform the customer that something is wrong with their internet bank account and will request the customer to verify their credentials by sharing their online banking credentials or by visiting an online website and following the security procedure. The so-called employee will assist the customer in performing the necessary activities. During the conversation the criminal will harvest the necessary information such as the response codes of the online banking devices or the pin code. The obtained information will be used for financial identity theft.

3.2.4. Malware

Malware is the abbreviation of malicious software. Malware refers to a software program designed to damage or perform unwanted actions on a computer system. Common examples of malware include viruses, Trojan horses, and spyware (“Malware Definition,” 2013). Malware can gather data from a user’s system without the user’s knowledge. This can include anything from the web pages a user visits to personal information, such as passwords. Furthermore, it can interfere in the communication between a website and the customer’s personal device, for example by changing the website without the knowledge of the customer. Changing a website can for example be used to add an additional payment while the customer is performing a transaction or to change the account number of the beneficiary of the original payment. A customer’s personal computer usually becomes infected when the customer visits a website that abuses security weaknesses in software on their device to install malware (also called a drive-by download). Drive-by downloads can also be initiated by advertisements (“‘Criminelen dol op verspreiden malware via advertenties’ | nu.nl/binnenland | Het laatste nieuws het eerst op nu.nl,” 2013). This has for example happened to the Dutch news website www.nu.nl (“Gevaarlijke malware verspreid via NU.nl - Security.NL,” 2013) and the website of Toyota (“Website Toyota verspreidt week lang malware - Security.NL,” 2013). According to Chengyu Song et al., drive-by downloads are currently one of the most severe threats for users on the internet (Meulen, 2011). Other potential ways to infect a device are installing software that is not obtained from the original manufacturer or opening e-mail attachments from unknown sources. Another way of being infected by malware is by using an infected device of a third party, for example a device that has been infected on purpose in a malicious internet café.

3.3. Management problem

The Dutch FSPs have designed their online banking platforms based on strong security measures such as strong authentication methods. FSPs have increased their efforts in finding ways to mitigate the threat of unauthorized money transfers by creating a variety of technical solutions. Despite these measures, FSPs have been confronted with an increase in financial losses over the past couple of years. The FSPs would like to involve and join forces with their customers in order to mitigate the likelihood of successful attacks on the customer’s online banking account. Customers are however not necessarily aware and knowledgeable of the current threats and required security measures. There seems to be an uneven playing field between the capabilities and knowledge of the FSPs and those of their customers. Even within the group of customers, different levels of capabilities and knowledge exist. FSPs will have to find a way to deal with the information deficit, competences and skills of their customers. The nature of this management problem is the distribution of responsibilities.

3.4. Reason for the research

The current media debates are focused on the kind of distribution of responsibility that is correct and morally acceptable rather than on what is legally correct. There is however no clear definition or agreement in this matter. FSPs would benefit from clarity in these debates. This would provide guidance in the ongoing attempts to maintain and further increase the security of online banking in collaboration with their customers. In order to be able to join forces, all stakeholders should first agree on the best way forward. This requires an investigation into what is morally and ethically right according to the perspectives of all relevant stakeholders. In addition, there is little insight into the awareness, the customers’ opinion and their acceptance rates towards increased security measures.
The main academic area of this research is ethics. This research will provide answers to the necessary elements of joint responsibility and to what extent these elements are present in the current situation.

3.5. Scope of the research

The focus of this research is joint responsibilities for secure online banking, hence the mitigation of financial losses due to financial identity theft. The types of crime that are in scope of this research are: phishing, pharming, social engineering and malware. The geographical scope of this research is limited to Dutch FSPs who provide online banking facilities and to the customers of these FSPs.

3.6. Research methodology

The first part of this research is the literature review (described in chapter 4). This literature review has been executed using desk research. By using desk research, all materials currently available to this research have been studied and combined into the literature review. After the literature review, the important gaps in the current literature for this research were identified. In order to fill these gaps, a field customer research was executed, using focus interviews (described in chapter 6).

3.7. The research problem

This research focuses on the following main research problem: how can a Financial Services Provider create joint responsibilities for the prevention of customer targeted online banking fraud, between themselves and their customers, in an ethical way? In order to answer this main research problem, the following sub questions will be answered by means of a desk research literature review (chapter 4):

1. What is the current impact of online banking fraud?
2. What is the legal framework of the responsibilities and liabilities of the Financial Services Provider and their customers?
3. What is the ethical view on joint responsibility?
4. What is the known view on moral standards from market research?
5. What is the moral standard for the duty of care / due care of the Financial Services Provider?
The following sub question will be answered by means of a combination of a desk research literature review (chapter 4) and interview field research (chapter 6 and chapter 7):

6. What is the moral standard for the customer’s behavior related to gross negligent behavior?

And the following sub questions will be answered by means of interview field research (chapter 6 and chapter 7):

7. To what extent are the critical elements of responsibility fulfilled in the current situation?
8. What are potential future joint responsibilities, liabilities and measures for the Financial Services Providers and their customers from the customer’s point of view?

The main research question and sub questions will be answered in paragraph 8.1.

3.8. Research goals

The objective of this research is to provide answers to the questions stated in paragraph 3.7. In order to answer these questions the research has been executed in a staged approach and this report has been structured accordingly.

- Execute literature review (chapter 4)
   o Define the impact of the problem (paragraph 4.1)
   o Define the legal context of the problem (paragraph 4.2)
   o Define current measures towards the problem (paragraph 4.2.2)
   o Define necessary elements for liability (paragraph 4.2.5)
   o Define necessary elements for responsibility (paragraph 4.3.3)
   o Define known points of view from market research (paragraph 4.4)
- Design conceptual model (chapter 5)
- Execute qualitative research; perform customer focus interviews (chapter 6)
- Describe results of customer focus interviews (chapter 7)
- Analyze all information retrieved from interviews and research (chapter 8)
- Recommendations (chapter 9)

3.9. Abbreviations

FSP: Financial Services Providers
Personal device: Computer, Laptop, Smartphone, Tablet, Smart TV
4. LITERATURE REVIEW

This literature review will provide insights and answers to the first six sub research questions (paragraph 3.7). In this chapter, each of these sub research questions will be covered in a separate paragraph.

4.1. What is the impact of the problem?

The impact of phishing, social engineering, pharming and malware can be measured in various ways. When the Dutch media report about the impact of these types of crime, we usually find information relating to the number of fraudulent occasions and information relating to the amount of financial losses for the FSPs. This information is disclosed by the “Nederlandse Vereniging van Banken” (The Dutch Banking Association), also called the NVB. The impact is however bigger than just the financial impact on the FSPs, since there are more stakeholders involved. Newman & Mcnally explain that these types of crime are dual crimes, which affect the individual whose identity was stolen as well as the business whose service was stolen (Newman & Mcnally, 2005). In their research Newman & Mcnally point out that we should not only think about costs as a figure for financial losses (defined as hard costs) but also of costs related to prevention, investigation and conviction (defined as soft costs). These soft costs impact more stakeholders than only the FSP and their customers; they have an impact on society as a whole. This paragraph will explore the hard costs as well as the soft costs for the involved stakeholders.

4.1.1. Number of fraudulent occasions and hard costs

In the Netherlands, the facts and figures related to the costs and occasions of phishing, social engineering, pharming and malware are published by the NVB. These figures are reported on a voluntary basis. The NVB claims that these figures are undisputed since the FSPs jointly agreed to be transparent about the fraudulent occasions. It’s important to note that this is an agreement without any legal obligation. Specialized companies in the field of cyber security such as McAfee, Versafe and Checkpoint question the legitimacy of the reported figures. Those companies have reported fraudulent occasions which have not been reported by the NVB (“Internetbankieren ligt zwaarder onder vuur - Follow the Money,” 2012). Those companies however have a commercial interest in reporting fraudulent occasions, since preventing these occasions is their main commercial activity. It’s therefore also questionable whether these reports are legitimate. In her research Van der Meulen mentioned the unavailability of empirical information related to this topic as one of the main limitations of her research (Meulen, 2011). Van der Meulen refers to this as: “Due to the lack of empirical information, especially in the Netherlands, about cases of financial identity theft, much of the research remains in the hypothetical area”. Thus it remains unclear whether or not the figures presented by the NVB are indeed legitimate. There is no academic proof to claim that these figures are not legitimate, nor is there academic proof to support the statement of the NVB. The figures presented by the NVB can therefore best be seen as minimum figures. It’s important to highlight that the numbers published by the NVB only specify the losses for the FSPs. The fraudulent losses of customers who have not received a reimbursement are not included in these figures. Furthermore, this is only a report on the number of successful attempts. The NVB doesn’t publish specified figures related to the unsuccessful attempts. In their reports they state that the number of unsuccessful attempts is undoubtedly bigger than the reported number of successful attempts (NVB, 2011). A recent study indicated that almost 35% of the Dutch online banking users have received at least one phishing e-mail (“Nederlanders massaal benaderd door internetcriminelen - Emerce,” 2013).

Figure 1: Financial losses Online Banking 2008 - Q1 – Q2 2013

As displayed in figure 1, the financial losses on online banking platforms related to phishing, social engineering, pharming and malware have increased from 2.1 million euro in 2008 to 34.8 million euro in 2012 (“Fraude internetbankieren stijgt eerste half jaar met 14% -Nederlandse Vereniging van Banken,” 2012) and have declined to 4.2 million euro in the first half of 2013. The increase up until 2012 was very substantial. Back in 2012 the NVB indicated this trend as worrisome (“Steeds meer slachtoffers bankfraude - Nieuwsuur.nl,” 2012). The historic trend showed a continuous cycle of increasing financial damages.
In 2013 the NVB reported the first decrease in financial damages, not on a year by year basis but on a six months basis (NVB, 2013).
This decrease has continued during the first half year of 2013. As displayed in figure 2, the financial losses had decreased from 24.8 million euro during the first 6 months of 2012 to 10 million euro during the second 6 months of 2012 and to 4.2 million euro during the first 6 months of 2013. According to the NVB this decrease is the result of the increasing efforts of FSPs on prevention and detection of fraudulent patterns and behavior as well as of an increasing effort of the Electronic Crimes Task Force (NVB, 2013). The NVB also reports an increase in the customers’ awareness. There is however no statistical data or other empirical information that supports these statements. Furthermore, we don’t know if this will continue in the future. The NVB states in its press release on the 2013 figures that “the current decrease doesn’t mean that we can rest assured as criminals are likely to continue to find new ways to commit these types of fraud. Therefore FSPs have a maximum focus to mitigate fraud and to inform their customers” (NVB, 2013). The Dutch police force expects an ongoing increase in the number of frauds on online banking because the criminals are getting better organized, which will result in larger and more effective attacks. According to their research, the increasing usage of mobile devices for online banking will also increase the level of attacks because it will create a new platform with opportunities for fraudsters (IPOL, 2012). Despite the financial losses, the NVB claims that online banking is safe (NVB, 2012). The question whether or not this is a true statement can best be answered by a comparison between the number of fraudulent occasions (as displayed in figure 3) and the total number of online banking users.

Figure 2: Financial losses Online Banking 2012 + Q1 – Q2 2013
Figure 3: total number of fraudulent occasions 2010 - 2012

Between 2010 and 2012 the number of fraudulent occasions had increased from 1.383 occasions to 10.900 occasions (there are currently no publicly available figures about the number of occasions during the first 6 months of 2013). In the same period the Dutch Central Statistical Bureau (CBS) reported an increase of online banking users from 10 million in 2010 to 13,2 million in 2012. As displayed in figure 4, this means that the percentage of fraudulent occasions on a yearly basis, relative to the total number of online banking users, has increased from 0,014% to 0,0828% (CBS, 2012). Although this is an increase of 499,57 % over the period, the odds of being impacted as an individual user are indeed very small; this seems to support the statement of the NVB that from a collective user perspective online banking is safe.

Figure 4: percentage of impacted users 2010 - 2012

4.1.2. Soft costs for Financial Services Providers

A part of the impact is the effort that the FSPs are undertaking in order to battle crime. These categories of costs have been explored in earlier research by Cambridge University (Anderson et al., 2012). In this research different cost categories have been indicated. This includes costs that can be quantified as crime prevention, detection, handling fraudulent cases and coordination. On the aspect of prevention, FSPs are confronted with costs for creating awareness amongst their customers using campaigns and promotional material, and with security related preventive measures on the FSP’s system application landscape and employees (for example security training). Costs related to crime detection are for example costs for forensic tools and employees that analyze the payments in order to detect fraudulent behavior. Handling costs are costs related to working on fraudulent cases and reimbursements. Coordination costs are related to management and time spent on working with stakeholders such as the diverse cyber crime taskforces. Although FSPs are able to calculate these costs, there is no (public) data available about these costs.
The NVB has stated that FSPs have increased their efforts towards cyber crime prevention (NVB, 2013). No specifications or costs are however mentioned. In their research, Cambridge University estimated the total global costs of countermeasures for FSPs (direct costs which are specified as defense costs) at 1 billion dollar per year (Anderson et al., 2012). Another important aspect of costs indicated in the research of Cambridge University is the more indirect costs, for example opportunity costs, potentially missed business, image and customer satisfaction. Opportunity costs are the missed opportunities for other investments: money spent on security cannot be spent on other activities that might have had a positive effect on the FSP’s revenue. Furthermore, negative media coverage and perception of the safety of the online banking channel might have a negative effect on the image of the online banking channel or the FSP. This might result in lower customer satisfaction and potentially in missed business. Although it’s difficult to calculate these costs, the importance of these costs should not be neglected. The research of Cambridge University has specified the indirect losses related to the loss of customers’ confidence for card related fraud (such as skimming) as a factor 2,3 of the direct losses (hard costs) (Anderson et al., 2012). Unfortunately, there hasn’t been any (public) research executed focusing on the indirect costs of online banking fraud in general.

4.1.3. Costs for impacted customers

Just like the FSPs, customers are confronted with costs when they become a victim of fraud. Whether or not these costs include hard costs as well as soft costs depends on the compensation policy of the FSP, which will be discussed in paragraph 4.2.3. Cambridge University has not specified the hard costs and soft costs for the customer in their research (Anderson et al., 2012), nor has other (public) research related to this topic been executed. Therefore, there are no figures available that identify the total impact. Newman & Mcnally have specified the types of soft costs customers who become a victim will incur (Newman & Mcnally, 2005). They refer to these costs as “human costs”. These costs include the time and effort required to resolve various problems created by the theft, such as contacting the FSP and the police force as well as waiting until the losses have been compensated; these costs weigh especially heavily when the victim lives paycheck to paycheck (Meulen, 2011).
Another aspect of these costs is the shock of discovery and the feeling of being a victim, which might have an emotional or psychological impact (Meulen, 2011). Finally, an important cost is the cost of the decrease in the perception of security. The security perception of the customer is intertwined with the indirect soft costs of the FSPs, as described in paragraph 4.1.2. Although the costs for the customer are not clear and the chance of becoming a victim as a customer is currently 0,0828 % (as described in paragraph 4.1.1), it’s important to recognize these costs. For an impacted customer, the chance of being a victim is not 0,0828 % but 100 %; hence, for impacted customers the statistical data are not relevant. Social media tools are increasing the importance of taking these customers into account, since every individual customer can use these tools to communicate their story and potentially impact the feelings and thoughts of other customers. This has resulted in negative media coverage in consumer programs such as Nieuwsuur.nl (“Steeds meer slachtoffers bankfraude - Nieuwsuur.nl,” 2012) and Kassa (Kassa, 2012).

4.1.4. Impact on society

Online banking fraud is impacting more stakeholders than only the FSPs and their customers. Those stakeholders are for example the government, ministers and public bodies such as the NCTB, the police force and the criminal justice system (Newman & Mcnally, 2005). The costs to society have not been researched, and researching the total amount of costs to society might be impossible. According to Newman and Mcnally, a part of the costs to society is impossible to calculate. These costs include costs related to the (feeling of) public safety risks / threats, burdens created by FSPs, higher premiums, other costs passed on by FSPs to customers, increased paranoia which may result in financial costs, and an overall decreased confidence in the promised benefits of the information age (for example the online banking platform) (Newman & Mcnally, 2005).

4.1.5. Conclusion

It’s difficult to define the exact impact of the problem. A part of the problem has been converted to financial impact, but the validity of these figures cannot be claimed from an academic perspective. Other parts of the problem have not been converted into financial impact or are very difficult to convert to financial impact at all. The costs of online banking related crime are higher than only the losses reported by the NVB. Furthermore, the impact is bigger than just the impact on the targeted FSPs and directly impacted customers. In the end, the entire society is impacted, because of the perception of security as well as the costs that are made by the government, for example for the conviction of the criminal.
Although it’s not possible to determine the exact impact of the entire problem, we can at least conclude that there is a problem and that the impact of the problem has increased over the past five years. Page | 20
4.2. Legal framework

The responsibilities and liabilities of the FSPs and their customers are arranged by Dutch law. This chapter explores the applicable legal framework and the connected responsibilities and liabilities.

4.2.1. Legal responsibilities and liabilities

The legal responsibilities of the FSPs are arranged in books 6 and 7 of the Dutch Civil Code. The Dutch FSPs have also committed themselves and their customers to additional legal responsibilities in their own (product) terms and conditions.

The first relevant element relates to the duty of care, arranged in article 6:248 BW (BW:6, 2013). This article relates to the generic duty of care in contracts and agreements. It states that an agreement does not only have the legal effects agreed between the two parties, but also those that follow from custom, reasonableness and fairness. A connected article is article 7:401 BW (BW:7, 2013), which states that the contractor, during the contract, has to exercise the care of a good contractor.

The second relevant element relates to the use of the personalized safety attributes (the mechanisms that customers use to identify themselves and perform transactions, such as codes, passwords, the card reader and the card). Book 7B of the Dutch Civil Code provides more specific articles on payment transactions. Article 7:525 BW (BW:7b, 2013) states that an FSP has to ensure that the personalized safety attributes of the customer's payment instrument are not accessible to third parties. Article 7:524 BW (BW:7b, 2013) states that the user of the payment instrument has to comply with the product's terms and conditions. This article also states that the customer has to take all reasonable measures to guarantee the security of the personalized safety attributes.

The third relevant element relates to the law in cases of wrong or fraudulent transactions. Article 7:526 BW (BW:7b, 2013) arranges the notification period for the customer. According to this article, the customer has to notify the FSP within 13 months after the date of the wrong transaction. Article 7:528 BW (BW:7b, 2013) states that if the customer complies with the notification period, the FSP has to reimburse the transacted amount immediately if the transaction was indeed not authorized by the customer. The FSP is however allowed to deduct an amount of at most € 150,- from the reimbursement when the unauthorized transaction was initiated by the use of a lost or stolen payment instrument, as arranged in article 7:529 BW (BW:7b, 2013). It's important to notice that the FSP is legally allowed to deduct this € 150,- in case of any unauthorized transaction initiated by the use of a lost or stolen payment instrument, irrespective of whether this happened due to negligent behavior of the customer. This article also states that the FSP, according to the product terms and responsibilities as stated in article 7:524 BW (BW:7b, 2013), does not have to reimburse any money if the customer has acted fraudulently, intentionally or with gross negligence (“grove nalatigheid”). The FSP has to prove that the customer has indeed acted with gross negligence (and not the other way around).

Besides the law, the FSPs have to comply with all the obligations that they have specified in their (product) terms and conditions. FSPs have for example specified that they will inform their customers on topics such as security and that they will provide the customer with possibilities to check the transactions on their accounts, for example using (digital) statements.

4.2.2. How Financial Services Providers take care of their duty of care

Within the limitations of the law described above, FSPs are free to create their own policies about their duty of care. FSPs do not disclose all the efforts they perform to take care of their duty of care. Therefore, this paragraph is not exhaustive and only describes the publicly known aspects. In general, the policies of the FSPs can be divided into four topics: secure the channel, educate the customer, monitor transactions and clean the internet (Hafkamp & Steenvoorden, 2010). Securing the channel and educating customers are forms of so-called target hardening. This refers to measures that are introduced to increase the effort required to successfully obtain the target (Meulen, 2011). In this case there are two targets: the customer and the FSPs.
FSPs have introduced variations on the existing authentication mechanisms, for example by introducing new authentication mechanisms or changes in the dialogue (Hafkamp & Steenvoorden, 2010). Dutch FSPs have chosen to implement authentication mechanisms based on at least “two factor authentication”. Two factor authentication refers to the usage of at least two of the following available factors:

- knowledge (something the customer knows), for example a code or username;
- possession (something the customer has), for example a token, card or phone;
- personal attributes (something or somewhere the customer is), for example biometrics, geographical location or customer profiling.

Next to those authentication mechanisms, FSPs secure their online banking channels in other ways, for example by detecting malicious behavior in the browser.

FSPs try to educate their customers by providing security related information, brochures and awareness campaigns. Customer security related duties are specified in the (product) terms and conditions and on the websites of the FSPs. Awareness campaigns are executed in collaboration with the NVB. Those campaigns inform the customers of the potential threats by means of commercials on television, radio and the internet, for example on www.veiligbankieren.nl. In those commercials, customers are asked to be aware, to check the URL of the website, the entered payment and the security of their computer. The Dutch ING bank takes awareness and customer target hardening one step further: it offers the customer free security software for their personal computers (“Beveilig uw computer - ING Veilig bankieren,” 2013).

The third aspect, monitoring transactions, means that the FSP monitors the initiated payments and checks those payments for deviant patterns. Those deviant patterns can be based on the customer profile or on generic malicious indicators such as cash-out points or account numbers. When deviant patterns are spotted, the FSP holds and investigates the payment. FSPs are not transparent about their monitoring activities, since this is sensitive information. It's therefore not clear to what extent the Dutch FSPs perform these monitoring activities.

The final aspect is cleaning the internet. FSPs have joined forces with the police force and other public bodies in order to notice, take down and trace the criminals and their websites and servers.
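As an added illustration of the transaction monitoring described above (constructed example code, not from this thesis or from any FSP's actual system): a rule-based check that combines a customer-profile rule (an amount that is an outlier against the customer's own payment history), a generic indicator list (accounts already known as cash-out points) and the pattern of an entire savings balance moving to an account the customer never paid before. All account numbers, amounts and rule weights are made up for the example.

```python
"""Constructed example of rule-based payment monitoring (not an FSP's real system)."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Set, Tuple

# Constructed list of "generic malicious" destinations: accounts previously
# observed as cash-out points. Placeholder values, not real account numbers.
KNOWN_CASH_OUT_ACCOUNTS: Set[str] = {"NL00EXAMPLE0000000099"}

# Rule weights; a payment whose summed score reaches HOLD_THRESHOLD is held
# for investigation instead of being released. Weights are illustrative.
HOLD_THRESHOLD = 60
WEIGHTS = {
    "beneficiary is a known cash-out account": 100,
    "moves (nearly) the entire savings balance to a new beneficiary": 80,
    "amount far above this customer's usual payments": 60,
    "first payment to this beneficiary": 20,
}


@dataclass
class Payment:
    customer_id: str
    beneficiary: str        # destination account number
    amount: float           # in euro
    from_savings: bool = False


@dataclass
class CustomerProfile:
    past_amounts: List[float]       # amounts of earlier, accepted payments
    known_beneficiaries: Set[str]   # accounts this customer paid before
    savings_balance: float


def amount_is_deviant(amount: float, past_amounts: List[float],
                      z_threshold: float = 3.0, min_history: int = 5) -> bool:
    """Customer-profile rule: is the amount an outlier against this
    customer's own history (z-score above z_threshold)?"""
    if len(past_amounts) < min_history:
        return False            # too little history to call anything deviant
    mu, sd = mean(past_amounts), pstdev(past_amounts)
    if sd == 0:
        return amount > 2 * mu  # flat history: fall back to a simple multiple
    return (amount - mu) / sd > z_threshold


def assess(payment: Payment, profile: CustomerProfile,
           sweep_fraction: float = 0.9) -> Tuple[str, List[str]]:
    """Return ("HOLD" or "RELEASE", reasons) for one initiated payment."""
    reasons: List[str] = []
    new_beneficiary = payment.beneficiary not in profile.known_beneficiaries

    # Generic malicious indicator, independent of the customer profile.
    if payment.beneficiary in KNOWN_CASH_OUT_ACCOUNTS:
        reasons.append("beneficiary is a known cash-out account")
    # Weak signal on its own: many legitimate payments go to new accounts.
    if new_beneficiary:
        reasons.append("first payment to this beneficiary")
    # Customer-profile deviation.
    if amount_is_deviant(payment.amount, profile.past_amounts):
        reasons.append("amount far above this customer's usual payments")
    # The pattern discussed in this chapter: (nearly) the whole savings
    # balance leaves to an account the customer never paid before.
    if (payment.from_savings and new_beneficiary
            and payment.amount >= sweep_fraction * profile.savings_balance):
        reasons.append("moves (nearly) the entire savings balance to a new beneficiary")

    score = sum(WEIGHTS[r] for r in reasons)
    return ("HOLD" if score >= HOLD_THRESHOLD else "RELEASE"), reasons


# Constructed customer profile and batch of payments.
SAMPLE_PROFILE = CustomerProfile(
    past_amounts=[45.0, 120.0, 80.0, 60.0, 95.0, 70.0, 110.0],
    known_beneficiaries={"NL00EXAMPLE0000000001"},
    savings_balance=25000.0,
)
SAMPLE_PAYMENTS = [
    Payment("cust-1", "NL00EXAMPLE0000000001", 130.0),                       # routine
    Payment("cust-1", "NL00EXAMPLE0000000002", 130.0),                       # new payee, normal amount
    Payment("cust-1", "NL00EXAMPLE0000000099", 50.0),                        # known cash-out account
    Payment("cust-1", "NL00EXAMPLE0000000002", 24000.0, from_savings=True),  # savings sweep
]


def run_batch(payments=SAMPLE_PAYMENTS, profile=SAMPLE_PROFILE) -> List[str]:
    """Assess each payment; returns the decisions in input order."""
    return [assess(p, profile)[0] for p in payments]


if __name__ == "__main__":
    for p in SAMPLE_PAYMENTS:
        decision, why = assess(p, SAMPLE_PROFILE)
        print(f"{decision:7} {p.amount:>9.2f} -> {p.beneficiary}: "
              f"{'; '.join(why) or 'no findings'}")
```

The first two payments are released (a new payee alone is only a weak signal), while the payment to the known cash-out account and the savings sweep are held for investigation.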
Cleaning the internet includes activities such as eliminating malicious websites, for example phishing websites or servers that collect the information from infected computers (Meulen, 2011).

4.2.3. Compensation policies of Financial Services Providers

As discussed in paragraph 4.2.1, FSPs are allowed to deduct 150 euro from every financial compensation. They also have the ability to refuse any compensation if the customer has acted with gross negligence. Up until today, there are no signals that FSPs deduct the legally possible 150 euro from each compensation. It seems that FSPs choose not to penalize their customers if they have not acted in a negligent way. Thus, FSPs are accepting more liabilities than they have to from a legal perspective.

Up until 2012 there had not been any signals in the media or in court of FSPs that didn't compensate private customers for their full hard costs (including the 150 euro) in fraudulent cases on online banking. This means that FSPs compensated their customers for their hard costs (the financial losses) but not for their soft costs (as described in paragraph 4.1.3). During 2012, the first signals of private customers that didn't receive any compensation, or only a partial compensation, came to the media's attention. These cases are based on situations where the FSPs are of the opinion that the customer has acted in a grossly negligent way. FSPs have thus changed either their compensation policies in cases of gross negligence or their opinions on what should be regarded as grossly negligent behavior. This means that in the current situation, customers are only compensated for their hard costs when they have not acted in a grossly negligent way; soft costs are never compensated.

4.2.4. The customer's responsibilities specified in the terms and conditions

As discussed in paragraph 4.2.1, the customer legally has to comply with the product's terms and conditions, guarantee the security of the personalized safety attributes and should not act in a grossly negligent way. These legal provisions do not provide the customer with full clarity on their responsibilities. In order to find more specific information, the customer will have to read the FSP's product terms and conditions. All FSPs are free to create their own terms and conditions within the limits of Dutch law. FSPs have taken this freedom and created their own specific terms and conditions. This makes it difficult to provide a generic overview of all the customer's responsibilities. For this paragraph, the terms and conditions of the three large Dutch FSPs have been studied: ING, Rabobank and ABN AMRO. Both ING (ING, 2013) and Rabobank (Rabobank, 2013) have specified the terms and conditions in one document; ABN AMRO uses four different documents: the general terms and conditions (AMRO, 2010), the general conditions access ABN AMRO (AMRO, 2007), payment services retail customers (AMRO, 2013) and the glossary document payment services retail customers (AMRO, 2012).

The first notable aspect is that all the FSPs have updated their online banking related terms and conditions. In these updated terms and conditions, the safety measures that the customer has to take are expanded and described at more length. On the one hand this provides the customers with more clarity about their responsibilities. On the other hand this mandates more responsibilities from the customers than in previous versions: a shift in responsibilities. Customers have to comply with these measures, and if they don't apply these measures it could be seen as an act of grossly negligent behavior and thus as liability. The second notable aspect is that the FSPs seem to be more in agreement about the responsibilities of their customers. In fact, the mandatory measures with regard to the protection against online fraud are more or less the same for the studied FSPs.

The most important online banking related terms and conditions related to customer responsibilities can be divided into prevention, detection and notification. The prevention related measures the customer has to take are:

- The customer should make sure that the device, software and internet connection are secure, irrespective of whether the customer uses their own device, software or (wireless) internet connection or those of a third party.
- The customer has to use security software for the device, software and (wireless) internet connection. This security software should protect against unwanted actions / access or computer viruses. The minimum requirements are a legal and up-to-date version of the operating system, the browser and security software that should at least include a virus scanner and a firewall.
- The plug-ins, such as Adobe Reader, Adobe Flash and Java, should be updated regularly (ABN AMRO specific condition).
- The device and software should have access control, for example using an unlock code.
- The device should comply with the minimum technical and system requirements specified on the website of the FSP.
- Security and authentication codes (including challenge and response codes generated by the security token or the FSP's website) are personal codes and should never be shared with a third party (for example on the phone or on a website that doesn't belong to the FSP). The customer has to take all reasonable measures to prevent the use of these codes by third parties. What measures are reasonable depends on the circumstances.
- The FSP can give additional security related directions on its website; the customer has to comply with these directions.
- When browsing the website, the customer should continuously verify that the website is still secure. The customer has to make sure that the URL starts with https:// and that the security lock in the URL bar is displayed. Furthermore, the customer should verify that the entered URL is correct and that the website's certificate is validated by the FSP.
- The customer should verify that the behavior of the website for authentication and for the verification of the transaction conforms to the FSP's standards (ABN AMRO specific condition).

The detection and notification related terms and conditions are:

- The customer should always verify their online banking transaction history after they have initiated an online transaction, in order to make sure that the transaction has been executed according to the customer's specifications. If the customer identifies any differences, the customer should immediately contact the FSP.
- In case a customer suspects fraud, the FSP should immediately be notified by the customer.
- The customer should notify the FSP at least within 14 days after the fraudulent transaction became visible in the online banking platform. These 14 days are shortened in cases that require immediate attention (ING specific condition).

Although the FSPs have updated their terms and conditions and specified the customer's responsibilities, it is still questionable whether this is sufficient. The terms and conditions are still not very specific. For example, it is still questionable what should be defined as a secure environment, what up-to-date means, what the FSP defines as a virus scanner and which virus scanners are accepted. There are for example programs on the internet that pretend to be a virus scanner but are in fact malware. And there is also malware that pretends to be a free (trial) version of a trustworthy brand, such as AVG, known as “shareware” (“Malware vermomd als gratis antivirus AVG - Computerworld,” 2011). This software has the same look and feel as the real virus scanner and seems very legitimate to an ordinary user. Although the terms and conditions also inform the customer about their legal liability in the event of gross negligence, they don't specify what gross negligence is. It is thus questionable whether these terms and conditions provide the customers with sufficient information to act in a responsible way. We could question whether the average customer will read the lengthy terms and conditions, is able to understand what is expected and is able to take all these measures. The NVB has recently announced that FSPs are going to standardize their terms and conditions (“Banken krijgen uniforme veiligheidseisen | nu.nl/tech | Het laatste nieuws het eerst op nu.nl,” 2013). Finally, the terms and conditions of the FSPs provide very limited information on what the customer can expect as a duty of care. This makes it very difficult for a consumer to know what to expect from the FSP.

4.2.5. Liability

Being responsible or acting in a negligent way is in itself not sufficient to be liable for something. Bovens described three generic categories that should be met in order to be liable: culpability, causal relationship and negligence (Bovens, 1990). Culpability means that somebody should be guilty of the violation of a standard. This means that there should be human behavior, an act or an omission, that seems to have contributed to a situation. The standard refers to the standard of behavior that can reasonably be expected. Causal relationship means that there should be a causal relationship between the behavior or the act of a person and the resulting situation / damage. Somebody will only be liable when there is a causal relation between the act or the negligence of the person and the resulting situation. According to Bovens, it's not only important to determine whether somebody, due to their act, has contributed to the situation; the person should also be blameworthy for the act (negligent). This means that the person should have had real possibilities to act in a different way. All three categories should be met in order to be liable.

4.2.6. What is gross negligence?

The Dutch civil law as well as the terms and conditions of the FSPs do not provide a generic answer to what gross negligence is. In her book about computer ethics, Johnson defines negligence “to be a failure to do something that a reasonable and prudent person would have done. In common law it is assumed that individuals who engage in certain activities owe a duty of care; negligence is a failure to fulfill that duty”. Thus negligence presumes a standard of behavior that can reasonably be expected of an individual engaged in a particular activity (Johnson, 2001).
In his book about responsibility and liability for FSPs and their customers, M.R. Mok argues that it's difficult to decide what gross negligence is (Mok, 2005). Mok identifies two potential solutions. The first solution is that the FSP should always have to compensate the losses, since the online banking platform also provides them benefits in terms of cost savings. The second solution is to accept that becoming the victim of theft is a fact of life and a risk of the consumer. He claims that both solutions have their benefits and that the real question is where we should set the borders. According to Mok, the problem is however the translation into legislation. He states that “we should be aware that legislation in many cases is nothing more than a fig leaf in order to mask the insolubility of a problem” (Mok, 2005).

The final judgment about an act of gross negligence is to be made by the financial affairs complaints institute (KiFid) or the judge. Because FSPs in the past have always compensated their customers for online banking related fraudulent losses, it's difficult to create a clear point of view based on case law, especially for malware and pharming related fraud, because these cases have not yet been subjected to official complaints or lawsuits. For phishing and social engineering related fraud there is only a very limited number of judgments available. The three most recent cases have been studied.

In a complaint case on 30-01-2012, a customer that provided the security codes to the fraudster on the phone was only held partly liable for the phishing damage, because the FSP had not contradicted a claim of the NVB that the FSPs will always compensate their customers (a statement made by the NVB during 2010). The KiFid was of the opinion that the losses should be shared, resulting in a loss of € 17.000,- each (KiFid, 2012). On 16-4-2013 the KiFid handled a case with the same fraudulent situation. However, in this case the KiFid's opinion was that the FSP had been clear in its communications (and that the NVB had changed its statements related to compensation policies), and it declined the claim of the customer, resulting in a customer loss of € 26.111,- for the committed fraud, excluding the costs of the lawyer (KiFid, 2013a). In another complaint case on 23-6-13, a customer was also held liable for phishing related losses. In this case the KiFid even added the following statement to its judgment: “the FSP, in principle can be confident that fraud is impossible when the customer is acting according to the safety regulations” (KiFid, 2013b). No substantiation or proof has however been added to this statement. In a lawsuit related to phishing with the same modus operandi as in the previous two cases, the judge supported the point of view of the KiFid (Rechtspraak, 2012). Thus, in the case of phishing, the KiFid and the judge hold that a customer acts with gross negligence when the customer violates the terms and conditions of the FSPs. Because the FSPs have expanded their terms and conditions (as discussed in paragraph 4.2.4), it will likely become more difficult for a customer to prove the opposite.

When the arguments of the KiFid and the judge are studied, it's questionable whether there is a clear notion of the standard of behavior that can reasonably be expected of an individual engaged in online banking activities. At least, no reference is made to such standards. Johnson also claims that legislators, lawyers and judges will have to completely understand computer and information technology to respond appropriately to these cases (Johnson, 2001). Given the reasoning and the questions asked in the cases described above, it's questionable whether those requirements are fulfilled. Apparently no arguments have been made by the customer related to the duty of care of the FSP. We could for example argue that the FSP should have the ability to recognize suspicious payment patterns, or at least deviating behavior. We could also argue that transferring the entire savings balance to a domestic account should be recognized by the FSPs, that they have a duty of care to protect the customer and that not protecting is negligent. This view is supported by Dr. M.J.G. van Eeten, a Dutch professor who focuses on the governance of cyber security. In the Dutch consumer program Kassa (Kassa, 2013), Mr. van Eeten claimed that FSPs should be able to detect deviations in the customer's payment behavior. Unfortunately, the standard is also unclear in this case: there is very little knowledge and agreement about the moral standard of behavior for the FSPs, thus it's difficult to determine whether the duty of care has been violated.

As a final aspect, we notice that the judge as well as the KiFid require that customers prove that they haven't acted in a grossly negligent way. This is however in conflict with the European guidelines and Dutch law. As described by van Raaij, the onus of proof is reversed: the FSP has to prove its innocence of what it has been charged with by the consumers (Raaij, 1997).

4.2.7. Government

From a legal point of view, it's also interesting to explore the current points of view of the government and the political debates, because the points of view of the government might lead to future legislation. The general point of view of the Dutch government is that it only has a limited task in the area of business to consumer relations, in the sense of legal regulation. The government is only willing to impose laws and regulations in cases of serious physical or financial risks for the customer.
The majority of tasks related to consumer protection is normally delegated to the deliberation between the consumer organizations and the producers (Raaij, 1997). In the Dutch House of Representatives (de Tweede Kamer), official questions have been raised related to the shift in the balance of responsibility. Based on the answers from the minister of Finance we can conclude that the government is aware of the shift but has no current concerns as long as it occurs within the law. According to the minister of Finance, there are no signals that FSPs do not comply with those laws (Dijsselbloem, 2012; Dijsselbloem, 2013). The opposition questions whether the current shift is indeed correct from an ethical perspective. Some of the political parties are of the opinion that FSPs should always compensate their customers for their losses (“‘Altijd geld terug bij internetcrime’ - AD.nl,” 2013); other parties are of the opinion that some of the terms and conditions of the FSPs ask too much from their customers regarding the detection of fraudulent activities (“SP: verplicht internetbankieren op vakantie is zot - Security.NL,” 2013).

Recently, the reimbursement policies of the Dutch FSPs have been put to a vote in the Dutch House of Representatives. The House of Representatives adopted a resolution of Nijboer and Merkies stating that FSPs should compensate customers for their direct financial losses in cases of phishing or malware (“Kamer: bank moet schade phishing vergoeden - BNR Nieuwsradio,” 2013). Although this resolution has been adopted, it doesn't change the obligations of the FSPs, nor does it provide any more clarity. This is due to the fact that the resolution includes the condition that the customer should not have acted in a grossly negligent way. Unfortunately, the resolution does not specify what the moral standard for grossly negligent behavior should be, nor does it specify how FSPs should fulfill their duty of care. Although the duty of care and grossly negligent behavior have been questioned and discussed, this hasn't resulted in any agreements, consensus or clarity from a governmental perspective.

The Dutch government is in favor of a more digital community, as this creates important benefits for the Netherlands, its citizens and Dutch companies. More specifically for the thesis subject: the Dutch government is in favor of the online banking channel because it provides attractive benefits for society. In general, one of the main responsibilities of the government is to protect its citizens and to take measures that protect or enhance their safety (Raaij, 1997). The digital economy brings new knowledge, risks and responsibilities, of which secure online banking is one. The government is thus also one of the stakeholders that should take responsibility for the education of Dutch consumers, and should not simply delegate this responsibility to the FSPs alone. The government could for example enforce the creation of information packages and campaigns as well as educational components, for example in the educational system. In its cyber security strategy document, the Dutch government states that security is a core task of the government, also in the cyber domain. It also states that the government has a responsibility to enhance the online security and privacy of its citizens. The Dutch government commits itself to increasing the cyber security awareness of its citizens, companies and governments, to countering cyber criminals and to preventing social dislocation due to cyber incidents. If necessary, the government will impose rules, regulations and standards (NCTV, 2013).
4.2.8. Conclusion

The liability enforcement is clearly arranged by law. The responsibilities of the customer and the FSPs are only defined at a high level; the law doesn't provide the moral standards. The terms and conditions of the FSPs describe the responsibilities and liabilities of especially the customer. The responsibilities of the FSPs are not clearly defined. Although the FSPs have a duty of care that is arranged by law, it has not been specified what this duty of care implies. FSPs are relatively free to define how to apply their own duty of care. Although FSPs have created more specific terms and conditions and have invested in information campaigns, it's still not completely clear what is expected from the customer and whether we can expect the customer to read, understand and execute the expected (moral) standards.

Despite the duty of care and the investments in securing the channel, educating the customer, monitoring transactions and cleaning the internet, fraud still occurs. Since 2012 Financial Service Providers have claimed that customers have acted in a grossly negligent way in cases where the customer deviated from the terms and conditions. Both the financial affairs complaints institute and the judge have (partly) supported the FSPs' point of view in specific cases. This support is however questionable, since it's not clear whether the duty of care of the FSPs is taken into account in the correct way in these cases. Neither is it clear whether a moral standard has been defined and whether it's feasible to expect the average customer to comply with this standard.

We should be careful in considering the law as a solution to this problem, especially since it's difficult to determine what the standard of reasonably expected behavior should be for all parties involved. Determining whether or not somebody has acted with gross negligence is difficult if not impossible when these standards are not determined and validated. We should first determine and communicate the standard and specifications of grossly negligent behavior and duty of care from a moral and ethical perspective before the law uses them as the standard by which we judge. Furthermore, it's important to conclude that by law the FSPs have to prove that the customer has acted in a grossly negligent way; it's not up to the customer to prove the opposite. Besides the responsibility of the FSPs and their customers, there is a responsibility for the government to enhance cyber security and cyber security awareness.
4.3. The ethical point of view

In her book “Computer Ethics”, Deborah G. Johnson asks how these ethical issues should be solved. Johnson explains: “to say that computer ethical issues arise because there is a vacuum of policies, leaves open whether the vacuum should be filled with laws or with something else. It is quite possible that vacuums are better left to personal choices, institutional policies or social conventions rather than to the imposition of law. It is also important to remember that this doesn't need to be an either / or matter. In a wide variety of cases, what seems to be needed, is a multiplicity of approaches” (Johnson, 2001). Johnson also states that “simply handling online crime as a normal crime could potentially cause issues because the danger is that we may be so taken with the similarities of the cases that we fail to recognize important differences”. Johnson draws a distinction between new versions of old crimes and crimes that couldn't exist without computers. “When a new version of an old crime is executed it's tempting to think of this new version of crime as morally equivalent to the old crime. This however ignores relevant aspects, such as different instruments being used, and it is these different instruments that seem to affect the moral character of a crime. The online crime issue can therefore best be understood as new species of generic moral issues” (Johnson, 2009). This means that we cannot simply apply our existing standards of the “offline world” to the “online world” in order to reach the moral standard for normal behavior. We should thus explore in this paragraph the ethicality of the different aspects.

It's important to recognize that there are functional differences between law and ethics. As Jeurissen describes in his book, “the difference between law and ethics lies in the motivation to adhere to standards. Ethics always require inner motivation: people must urge themselves to behave morally, from an inner agreement with a moral principle. And they must be free to do so. Law does not require the inner agreement, but is based on external compulsion”. Jeurissen further explains that ethics and law can best be seen as complementary and that ethics is sometimes ahead of the law, since it often takes a number of years for a law to get passed (Jeurissen, 2007).

4.3.1. A power balance of responsibilities

In order to understand the situation from an ethical perspective, we will first explore the more generic aspects of ethics in relation to a consumer / professional relationship. As described in the earlier paragraphs, it seems that there is a shift in the balance of responsibilities for secure online banking. Manuel G. Velasquez described three views about the relationship of business towards consumers. To him it is clear that part of the responsibility for consumers' damages must rest on the consumers themselves, since individuals are often careless in their use of products. The real question is where the consumer's duty to protect their interests ends, and where the business's duty to protect the consumers' interests begins (Velasquez, 1998). Velasquez described three different theories in this regard: the contract view, the due care view and the social costs view. [1]

“According to the contract view, the relationship between a business firm and its customers is essentially a contractual relationship, and the firm's moral duties to the customer are those created by this contractual relationship. When a consumer buys a product, this view holds that the consumer voluntarily enters into a ‘sales contract’ with the business firm. The act of entering into a contract is subject to several secondary moral constraints:

- both parties of the contract must have full knowledge of the nature of the agreement they are entering;
- neither party of a contract must intentionally misrepresent the facts of the contractual situation to the other party;
- neither party of a contract must be forced to enter the contract under duress or undue influence.

Full knowledge implies that the seller has the duty to disclose exactly what the customer is buying and what the terms of the sale are. At a minimum, this means that the seller has a duty to inform the buyer of any facts about the product that would affect the customer's decision to purchase the product. For example, if a defect that poses a security risk exists, then the customer should be informed” (Velasquez, 1998).

Thus this view means that the Financial Service Provider has to explain all the defects, weaknesses and threats of the online banking platform to its customers. The contract view is however not applicable to this situation, since the customer doesn't have full knowledge of the nature of the product and its potential security flaws. FSPs and customers do not share the same information and are not equally skilled in this matter. Customers therefore have to rely on the judgment of the FSP.

“The due care theory of the business' duties to consumers is based on the idea that consumers and sellers do not meet as equals and that the consumers' interests are particularly vulnerable to being harmed by the business who has a knowledge and an expertise that the consumer does not have. Because businesses are in a more advantaged position, they have a duty to take special care to ensure that consumers' interests are not harmed by the products that they offer them. The

[1] The following explanations of these three views are quotes from his book when placed between quotation marks.
  44. 44. business violates this duty and is negligent when, there is a failure to exercise the care that a reasonable person could have foreseen would be necessary to prevent others from being harmed by use of the product. A business is not morally negligent when, others are harmed by a product and the harm was not one that the manufacturer could possibly have foreseen or prevented. Nor is the business morally negligent after having taken all reasonably steps to protect the customer and to ensure that the consumer is informed of any irremovable risks that might still attend the use of the product. For example, a business cannot be said to be negligent when the customer is acting careless or misusing the product. In determining the safeguard that should be built into a product, the business must also take into consideration the capacities of the persons who will use the product. If the business anticipates that a product will be used by persons that are too inexperienced to be aware of the dangers attendant on the use of the product, then the business owes them a greater degree of care than if the anticipated users where of ordinary intelligence and prudence. The difficulty with this view is that there is no clear method for determining when one has exercised enough due care, there is no hard and fast rule. A second difficulty is that it assumes that the business can discover the risk before the consumer buys and uses it” (Velasquez, 1998). For the FSPs, this second difficulty can however be eliminated. FSPs have the possibility to inform their customer on new discovered risks during the contract since they know who their customers are and because they have the ability to communicate with them directly. The problem is thus to determine when enough due care has been executed (as discussed in paragraph 4.2.8). “The social cost view holds that a business should pay the costs of any damages sustained through any defects in the products. 
Even when the business exercised all due care in the design and build of the product and has taken all reasonable precautions to warn customers of every foreseen danger. This theory is a very strong version of the doctrine of ‘caveat vendor’: let the seller take care. By having the business bear all the external costs that result from damages as well as the ordinary internal costs of design and build, all costs will be internalized and added on as part of the price of the product at the initial sales. Hence, informing the customer of the total costs at the sale. Second, since manufacturers have to pay the costs of damages, they will be motivated to exercise greater care and therefore to reduce the number of incidents. A criticism to this view is that passing the costs of damages on to all consumers (socializing the costs in the form of higher prices), consumers are also being treated unfairly. A second criticism of this theory attacks the assumption that passing the costs of all damages on the businesses will reduce the number of accidents. On the contrary, critics’ claim, by relieving consumers of the Page | 34
  45. 45. responsibility of paying for their own injuries, the social costs theory will encourage carelessness in consumers. An increase in consumer carelessness will lead to an increase in consumer damages” (Velasquez, 1998). This theory is thus leading to moral hazard amongst consumers. We have seen that in the past, FSPs have used the social costs view in cases of fraudulent losses on online banking. During 2012, FSPs have started to apply the contract view in at least some of the cases. This means that responsibilities are shifting from a phase in which the FSP took full responsibilities to a phase where the responsibilities will be divided and shared between the FSPs and their customers. Because of the equality in knowledge and positions between the customer and the FSPs and the fact that the customer doesn’t have full knowledge, it however seems better to transfer to the due care theory instead of the contract view. The Dutch Government seems to support this claim. They state that “we can’t expect our citizens to completely understand and assess the security and privacy aspects of the increasing complex ICT services and products offered by large international companies. Therefore there is a clear responsibility for these companies to care of the customer’s security and privacy. They need to be transparent about their efforts and measures for enhanced cyber security (NCTV, 2013). 4.3.2. Responsibility types In order to completely understand responsibility, we will have to define responsibility. Responsibility in this research is defined as: “responsible is the person or authority which can be regarded as the cause or one of the causes of the effect of an action, or has a role, position or function that involves accountability” (Jeurissen, 2007). The second aspect we will have to do is to define what type of responsibility is actually shifting. 
In his book Bovens describes five types of responsibilities of which four have initially been defined by the English legal philosopher Hart (Bovens, 1990). The first type is responsibility as a cause; this means having caused a specific situation. In the situation of fraud of online banking we could argue that the FSP, the customer as well as the fraudster are part of the cause since the customer and the FSP have provided the fraudster with the opportunity to commit the fraud. If we define the cause in more strict terms as the one who has committed the fraud then the fraudster is the only responsible person. Within the context of this research we will use the strict definition of being responsible as a cause, thus the fraudster is the responsible person. Page | 35
  46. 46. The second type is responsibility as ability. This means that in order to be responsible, a person should have had the ability to execute the responsibility. Whether or not a customer has the ability to execute the responsibility of secure behavior depends for example on the mental ability as well as security related knowledge of the individual. Second, the question whether or not the customer or the FSP has the ability to detect and prevent the fraud, depends on the modus operandi and the target of the fraud. This responsibility type thus applies to both the customer and the FSP. The third type is responsibility as a duty. The FSP has the duty of care against the customer. The customer has the duty not to act in a gross negligent way. We have already seen these duties in previous paragraphs of this research. The fourth type is defined as responsibility as a liability. In terms of liability again all three stakeholders can be held liable (though the real responsible and liable person should be the fraudster). In case when it’s impossible to catch the fraudster, somebody else should be held liable since somebody has to take ownership of the losses. It depends on situation to situation if the FSP, the customer or both will be held liable. This depends on the duty of care and moral customer standard. In order to be responsible in the sense of liability, the second and third type of responsibility should at least be applicable and preferably also the first type. The fifth and final type is responsibility as a virtue. This is the positive variant of a responsibility. The customer could see it as a virtue to act in a responsible way and helping to prevent fraudulent behavior. For the FSP it seems mandatory to take responsibility as a virtue since they offer a service to their customers for which their customer pay. Bovens also refers to responsibility as active and passive. 
Active responsibility refers to being responsible during the act (responsible behavior) where passive responsibility refers to being held responsible after the act (Bovens, 1990). In this research responsibility will be referred to as primarily active responsibility in the sense of responsibility as ability and duty. This primarily aspect might result in passive responsibility in the sense of liability. Page | 36