The financial industry in the United Kingdom recently reaffirmed a policy that holds online banking customers liable for losses if they fail to secure their personal computers against data-stealing computer viruses. While this policy may seem surprising or even draconian to some Americans, the reality is that most U.S. consumers remain woefully uninformed as to their own security liabilities when banking online. News of the new U.K. banking codes comes via The Register, which reported that under the new regulations "banks will not be responsible for losses on online bank accounts if consumers do not have up-to-date anti-virus, anti-spyware and firewall software installed on their machines." The full text of the updated banking code is here (PDF). The relevant sections are 12.5 through 12.13.
This touches on a question Security Fix receives quite often from readers: "If my computer gets hacked and someone uses it to steal money from my online bank account, will I get that money back?" The answer is that beyond the protections afforded to consumers under the law, whether or not consumers are reimbursed for online banking losses due to computer intrusions is entirely at the discretion of the banks.
By law, U.S. consumers can get reimbursed for any funds fraudulently transferred out of their accounts if they notify their financial institution of the bogus debits within 60 days of the transaction first appearing on their bank statement. Provided victims alert their banks within that time frame, their liability is generally limited to $50 (this applies only to consumers; businesses typically aren't afforded anywhere near that amount of flexibility).
Check the service agreement tied to nearly any U.S.-based online banking service and you will see roughly the same thing. Take this disclosure, from Bank of America's online banking agreement:
"If you do not notify us within these 60 days, you may not be reimbursed for subsequent transactions. Additionally, we will reverse or reimburse you for any bank or payee fees resulting from your loss. You should always guard your Online ID and Passcode from unauthorized use. If you share this information with someone, all transactions they initiate with the information are considered as authorized by you, even for transactions you did not intend for them to make."
It remains to be seen whether U.K. banks will enforce the tough new policy on consumer liability. But to be fair, most banks in the U.K. have taken concrete -- albeit hardly foolproof -- steps to employ true two-factor authentication methods for verifying that the person logging into a bank account online is in fact the owner of said account. The same is largely not true for financial institutions in the United States today, principally because U.S. banking regulators haven't required such measures. Rather, they have left it up to the banks to determine their appropriate risk levels and which back-end and customer-facing anti-fraud technologies should be deployed.
According to APACS, the U.K. payments association that reports banking fraud and loss statistics for financial institutions there, stricter measures are helping to bring down the cost of online banking fraud. In March, APACS reported that online banking fraud losses totaled £22.6m in 2007 -- a 33 percent decrease from 2006 losses. Unfortunately, it's not possible to correlate that figure with fraud numbers from U.S. banks, because they're not required to report those numbers, and our government sadly does not publish much of the information it does have on the subject (save for the odd internal report that leaks out to the media once in a blue moon).
If you think the U.K. rules are too strict, consider the recent actions by some banks in Brazil, a country that has a phenomenally active and organized cyber criminal element that produces some of the world's most advanced malware targeting online banking customers (mercifully, the Brazilian cyber crooks generally stick to picking on their own citizens). I spoke recently with Tony Reyes, founder of the New York-based ARC Group, a company that has set up shop in Brazil to help at least one financial institution there investigate customers who have had their online accounts cleaned out as a result of cyber crime. Reyes, a former cyber cop for the NYPD, said some of the Brazilian banks have taken to investigating the victims of online financial crime.
"Some of these Brazilian banks are hiring investigators to visit the customer's house and look at the security of their setup, and if [the customer] doesn't have software patches, a firewall and up-to-date anti-virus on his system, in a lot of cases the banks will turn around and say it was the consumer's fault, and [the banks] don't return the money," Reyes said.
