WEDNESDAY 13 DECEMBER 2006

MR COLIN WHITTAKER, MS SANDRA QUINN, MR MATTHEW PEMBLE, MS SANDRA ALZETTA AND MR ROBERT LITTAS

  Q120  Lord O'Neill of Clackmannan: If you make the information available as a percentage of turnover, that stands for itself. It is not a question of you making a judgment. It is a question of you just having the guts to publish it.

  Mr Whittaker: In the end, dare I say, with respect, it is not so much that the banks themselves or the banks' systems are insecure because those banks are not being attacked; it is their customers that are being attacked unfortunately, and the levels of controls that they are all deploying at the moment are broadly equal in the style of techniques they are using, and therefore trying to draw some sort of judgment or saying this bank is any stronger or any weaker or is suffering more losses or less losses than another bank does not help us describe why that bank is being attacked in the first place.

  Lord O'Neill of Clackmannan: I am sorry, it is not up to you to make the judgment; it is up to the customer, and if the customer is denied the information then they are in no position at all to make a judgment.

  Q121  Earl of Erroll: Can I ask a question which might clarify this which is: am I right in thinking that APACS is actually a banking trade body which has no responsibility whatsoever to the public and does not actually have any interface with the government or the general public? It is actually an internal banking body.

  Ms Quinn: Can I say two things in response to that. You are exactly right, APACS is a trade association and we have 31 bank members and we work with them to co-ordinate the fight against fraud. What we are developing next year is a new government arrangement which is a new board which will replace what was formerly known as the OFT Payment Systems Taskforce and that is looking at exactly some of the issues that you are raising about increased transparency and increased awareness. I am sure they will be picking up those types of issues.

  Q122  Lord Young of Graffham: I suspect my question is for Mr Whittaker, and thank you very much, it is a very interesting paper.

  Mr Whittaker: Thank you.

  Q123  Lord Young of Graffham: Let us assume for the moment that I have lost money from my account in some way or another. At the moment all banks will refund that amount of money. You say on page four of your submission that banks currently choose to refund money. Is there a legal obligation to refund or is it a matter of goodwill?

  Ms Quinn: There is no legal obligation. The key is that all banks publish very clear guarantees on their websites to customers that if customers operate within their terms and conditions then they will refund any losses they have. It is one of the things we are looking at through the Banking Code. The Banking Code sets out standards of good practice against the industry and that is currently going through a review process. It gets reviewed every three years. We have just started the review process for the edition that will be current in 2008. I think it is fair to say that one of the aspects I expect we will get comments from stakeholders on is to tighten up some of the fraud guarantees provided within the Code. I think it is the level of awareness that we need to look at.

  Q124  Lord Young of Graffham: Can I just take that a bit further. If I lose my cheque book or somebody steals my cheque book and forges my signature, I get my money back from the bank?

  Mr Whittaker: You do.

  Q125  Lord Young of Graffham: If somebody takes my credit card and forges my signature the credit card company gives the money back. Are you saying that only in the case of on-line transactions the bank is not obligated to give me my money back?

  Ms Quinn: There is not an obligation in the Code. In both the other instances you suggest there is an obligation in the Code.

  Q126  Lord Young of Graffham: Do you think that is appropriate?

  Ms Quinn: I think it will be something looked at in the review process next year and it will be very interesting to see what the outcome of that is.

  Q127  Earl of Erroll: Do you think we should replicate something similar to the Bills of Exchange Act 1888?

  Ms Quinn: 1882.

  Earl of Erroll: It is my memory!

  Q128  Lord Mitchell: He was there for the third reading!

  Ms Quinn: I think one of the things that is changing is the rules about cheques. At the moment we have in the UK nothing about certainty of cheques, so if I give you a cheque and that turns out to be fraudulent, but in good faith you have banked it and you have withdrawn the funds, if it subsequently turned out to be fraudulent even two or three weeks later, your bank could take that money back off you even if you have spent it. What we have just published is a guarantee that as long as you have not been complicit in the fraud that is committed, six days after you have deposited that money that money will definitely be yours. That will be a change in the cheque arena. One of the things I would mention about the Banking Code is the key responsibility it places on the banking industry. The burden of proof lies with the industry to prove that a customer has been negligent and, as you can imagine, in terms of customer service you want always to be relating well to your customer and believing what they tell you.

  Q129  Earl of Erroll: And that is a change from the early days when banks refused to refund people who had had money withdrawn from ATMs, and that is going to stay that way?

  Ms Quinn: There is no doubt that that is not going to change.

  Q130  Lord Harris of Haringey: Could I address a question to Mr Littas. A week or two ago Visa contacted me—I am sure it happens to everybody—with a suspected fraud on my credit card and we sorted it out, and then they started selling me identity fraud protection insurance, which initially sounded quite a good idea, but I thought about it afterwards and I thought, "No, this is all wrong." It is the same issue that is coming up. There is a problem and they are trying to sell you insurance at the same time. Is this going on? Is this a general situation or just a Visa situation?

  Mr Littas: To start with, the company that contacted you was not Visa. We do not contact individual card holders so it must have been the bank that issued your particular credit card who did that.

  Q131  Lord Mitchell: Barclays.

  Mr Littas: They may have acted upon information that we provided of a suspect transaction, but that relationship of how a bank deals with its card holders is entirely the bank's responsibility. We do not deal with merchants or with card holders.

  Q132  Lord Mitchell: Alright, somebody contacted me.

  Mr Littas: And no doubt it was the bank that issued your credit card.

  Chairman: I think we must move on. Lord O'Neill?

  Q133  Lord O'Neill of Clackmannan: When on-line banking started and when IT was applied in the last five years, we were sold the idea in terms of increased efficiencies and things like that but also it was going to be cheaper, and to an extent that is reflected in the fact that if you have deposit accounts on-line they tend to afford a higher degree of interest. Do you think that there is a danger now that the public see on-line banking as something that affords a higher rate of interest and the banks themselves see it as a kind of cheap option? You do not have the branch infrastructure to worry about. You barely have, in most instances, even the call centres—God forbid—to worry about. Do you think that there ought to be an added dimension of the local branch so that you can go in there on occasion or would that destroy the economics? It has been suggested that if there was a branch dimension you could end phishing at a stroke.

  Ms Quinn: Not being a bank ourselves that is really a question for a specific bank to answer. One of the parallels I would draw is there has been a lot of discussion over the last two or three years about the diminution of free-to-use cash machines in areas of deprivation. There has been an announcement today where a number of banks have clubbed together and agreed to provide 600 more free-to-use cash machines, and that is an area that banks continually look at. The key drivers here are things like financial inclusion, making sure those people who need access to a bank branch have access to a bank branch, and that is a different issue I think to the Internet per se.

  Q134  Lord O'Neill of Clackmannan: I take the point about the social banking dimension and there are other pressures on the banking system to address that. It is really just this question that it would appear that a lot of the financial planning of banks in terms of service to customers has been based on the assumption that Internet banking could afford great savings but some of these savings have a security downside. Do you think that, for example, if the branch had a bigger role, phishing could be eliminated or, alternatively, maybe if branch marketing departments stopped sending emails then they would not be quite as vulnerable to phishing expeditions as they are at present.

  Ms Quinn: I think that last point is particularly valid in that there is a balance, is there not, between the marketing a bank wants to make of its services, and it wants to deliver those marketing messages through email or ways that it knows its customers reads its material, and the kind of information we receive through phishing emails. That is one of the reasons at industry level we have made some very clear messages such as your bank will never ask you to access your website through a link in an email. That is a very clear message we promote for exactly that reason. Unfortunately, there is a balance between marketing and security.

  Q135  Lord O'Neill of Clackmannan: One last point, you mentioned the Banking Code and you say it is a triennial review. Given the dynamic of your industry at the moment and the rate of change, do you think that three years is maybe too long a period to carry out this review and that it should be every 18 months or something like that because there seem to be changes happening so dramatically?

  Ms Quinn: I think that is a really fair point. What we have done is we have changed the Banking Code review period from two years to three years, but what we have is an interim review process so if there is something where customers are at a disadvantage there is a process in place where we can have an interim review specifically about one topic and then the change will become effective immediately.

  Q136  Lord Mitchell: We just wanted to know the level of international co-operation between financial institutions who are looking at eCrime.

  Mr Whittaker: It is quite profound. We are very fortunate to have established an excellent relationship with the Australian banks. They were the first banks who were attacked in a significant way. They developed a co-operative relationship dealing with these issues and we learnt a lot from them to start off and we formed a united front in discussion with international law enforcement as well. We have broadened that out recently to encompass some American banks, German banks, Dutch banks, Danish banks around the world who are suffering these sorts of attacks. Everyone is learning from the lessons of people who suffered the hardest knocks first, which unfortunately was Australia and the UK.

  Mr Littas: Of course Visa is all about international co-operation and part of that co-operation is to fight fraud. I think we have come a long way from a few years ago. Based on the fraud numbers which have been constantly on the decrease for the last 10 years, we have now record low fraud levels in Visa of five basis points, which is five pence on every £100 turnover, and that is thanks to that co-operation you asked about. We do co-operate better, we do things better, and we try to introduce standards and systems with global application.

  Q137  Chairman: Have there been any successful attempts to approach agreement with Eastern European countries or with Nigeria for example?

  Mr Pemble: There are a number of international co-operation agreements. Obviously it is relatively difficult for financial organisations—and it should be—to undertake law enforcement action themselves. Therefore it is dependent upon the financial organisations working with their local law enforcement who can then go through co-operation agreements with the international law enforcement authorities. Certainly the National High Tech Crime Unit, as was, had a number of successes in the former Soviet Union and the Met Police Operation Sterling team have done a considerable amount of work with the Nigerian authorities. There is considerable co-operation through organisations such as FIRST and the G8 Line Group and obviously Interpol and Europol, between the law enforcement bodies, bringing them together to establish relatively simple pathways for financial organisations and their customers to report fraud. Clearly, international legal co-operation can be slow. Mutual legal assistance treaties move at the speed of diplomacy not necessarily at Internet speed. I think it is an important question to be asked as to how from a legislative/international law point of view this can be improved. More research is needed and possibly along similar lines to the CTOSE[5] programme that was run by the European Union a couple of years ago, which as well as including European Union nations did include the United States National Institute of Standards and Technology as well as law enforcement organisations from around the world. There needs to be greater involvement from the commercial sector. ENISA, the European Network and Information Security Agency, might be an appropriate body to lead that or there maybe other organisations which can pick that cudgel up.

  Mr Littas: On international co-operation we were successful—and I mean by "we" the payment card industry—in working with Interpol on the problem of counterfeiting which has now very much reduced as a problem. I met Interpol only last week to try to get them involved on other types of fraud, in particular "card not present" fraud which is a growing type of fraud worldwide. We have certainly provided funding and training and support to Interpol on counterfeiting but our offer last week was we wanted to do the same thing with regard to card not present fraud because that is clearly something we want to tackle head on.

  Q138  Lord Harris of Haringey: In some US states there is a legal obligation on businesses to notify customers and others of security breaches. Should we have that sort of legislation here?

  Mr Pemble: It is an important question to consider but it is also important to note that there are considerable differences between the US state bills. The results have been far from uniformly positive. There are a relatively large number of potential breaches reported under the US rules primarily of things like laptop thefts, where there is a very, very low risk of subsequent identity compromise. Also there are a significant number of actual compromises that occur that are only noticed once the fraud starts taking place. There is also the point that the obvious reputational impact on an organisation that makes a report is likely to lead organisations to concentrate to a very great degree on the PR and media management of the incident which will detract resources from managing the problem. There is also a particular problem in the payment cards area, as was mentioned. It is difficult for the organisation that actually suffers the breach to have that direct relationship with the customers.

  Q139  Lord Harris of Haringey: Sorry, they are my details that are potentially being breached; should not the organisation holding them have an obligation to inform me of that possible breach?

  Mr Whittaker: There are implied obligations under the Data Protection Act 1998 which does call for data processors and data controllers to make that judgment call. However under UK law and under the Data Protection Act, it stresses throughout, when it comes to the control measures, the importance of making security and risk management decisions based on your understanding of the level of harm that could give to the data subject. That is the right and responsible way to go about the issue. Certainly when you talk to US commercial enterprises and institutions who are suffering these independent state legislations out there, there is some concern that as well-intentioned as the legislation is (which it is and everyone would applaud it) it does cause its own level of unintended consequences. One of those is to increase anxiety. Because the enterprises have got no ability to form a discretionary view on the level of harm that compromise might cause, and as you heard some compromises are trivial but you still have to let the consumer know, so consumers are being bombarded and in some cases are being warned up to five or six times when there has been a data compromise, and they cannot easily sort out themselves the impact that any one of those sorts of cases is going to cause them. Therefore there is a good argument for saying if you are going to do this thing, do it in a much more appropriate and responsible way, making informed decisions about the level of harm that could be incurred.