WHEN IS A BANK LIABLE IN NEGLIGENCE FOR ATM CARDS AND OTHER CARDS (ELECTRONIC BANKING) ISSUED OUT TO THEIR CUSTOMERS?

Introduction

Presently, there is no legislation on Electronic Banking in Nigeria, The electronic banking guidelines emerged from the findings of a Technical Committee on Electronic Banking set up by the Central Bank of Nigeria in 2003 to find appropriate modalities for the operation of electronic banking in the country. It was indeed the findings and recommendations of the committee that led to the adoption of a set of guidelines on Electronic Banking in August 2003.

Of the key provisions of the Guidelines, only a section deals with issues relating to ATM cards, while another section deals with legal issues that can arise thereof.

Banks might be Liable in Negligence thus:

The Guidelines highlighted the following points as where banks can be liable in negligence to their customer in any electronic banking transactions (ATM cards etc).

Banks will be considered liable for fraud arising from card skimming and counterfeiting except where it is proven that the merchant is negligent. However, the cardholder will be liable for frauds arising from PIN misuse

Banks are obliged not only to establish the identity of their Customers (KYC principle) but also enquire about their integrity and reputation. To this end, accounts should be opened only after proper introduction and physical verification of the identity of the customer

Digital signature should not be relied on solely as evidence in e-banking transactions, as there is presently no legislation on electronic banking in Nigeria

There is an obligation on banks to maintain secrecy and confidentiality of customer’s accounts. In e-banking scenario, there is the risk of banks not meeting the above obligation. Banks may be exposed to enhanced risk of liability to customers on account of breach of secrecy, denial of service etc because of hacking /other technological failures. Banks should, therefore, institute adequate risk control measures to manage such risks.

Banks should protect the privacy of the customer’s data by ensuring:

i.          that customer’s personal data are used for the purpose for which they are     compiled. 

ii.         consent of the customer must be sought before the Data is used

iii.        data user may request, free of cost for blocking or rectification of inaccurate data or enforce remedy against breach of confidentiality

iv.        processing of children’s data must have the consent of the parents and there must be      verification via regular mail.

v.         strict criminal and pecuniary sanctions are imposed in the event of default

While recognizing the rights of consumers under the Nigerian Consumer Protection Council Act, which also apply to consumers in banking services generally, banks engaged in e-banking should endeavor to insure themselves against risks of unauthorized transfers from customers account’s, through hacking, denial of services on account of technological failure etc, to adequately insulate themselves from liability to the customers.

Banks are encouraged to install cameras at ATM locations. However, such cameras should not be able to record the keystrokes of such customers

At the minimum, a telephone line should be dedicated for fault reporting, and such a number shall be made known to users to report any incident at the ATM. Such facility must be manned at all times the ATM is operational

Technical Liability Shift for Chip + Pin in Nigeria

a.       Where a non EMV (Europay, Mastercard, Visa) card is used on a non EMV Terminal and a fraud occurs, liability is on either the Card Issuer or the Card Holder. Proof has to be established on which party compromised card details.

b.        Where a non EMV card is used on an EMV Terminal and fraud occurs, liabilityis on the Card Issuer

c.        Where an EMV card is used on a non EMV Terminal and fraud occurs, liability is on the Acquirer

d.        Where an EMV card is used on an EMV Terminal and fraud occurs, liability is on the Card Holder or the Issuer. However, the onus is on the cardholder to prove that their PIN had not been disclosed to a third party willingly or negligently.

e.         Where a hybrid card is used on a non EMV Terminal and fraud occurs, liability is on the Acquirer

f.       Where a hybrid card is used on an EMV Terminal and card treated as magnetic stripe for authorization and fraud occurs, liability is on the Card Issuer

g.      Where a hybrid card is used on an EMV Terminal and card treated as EMV for  authorization and fraud occurs, liability is on the Card Holder or the Issuer. However, the onus is on the cardholder to prove that his/her PIN had not been disclosed to a third party willingly or negligently.

Conclusion

It is settled that negligence, is a question of fact and not of law. So, each case must be decided in the light of the facts pleaded and proved.

Despite its numerous technical specifications, the Guidelines provisions is not enough to check the growing popularity of Electronic banking (ATM cards etc) against the backdrop of growing sophistication in technology related crimes and frauds. Closer examination of the contents of the Guidelines equally shows that the document fails to meet up with the four key areas where electronic banking may have regulatory impact – changing the traditional lines upon which existing regulatory structures are laid; handling concerns about existing public policy issues; changing the nature and scope of existing risks; and rebalancing regulatory rules and industry discretion.

Yinka Olaiya.