PIN security

The Electronic Funds Transfer Code of Conduct makes the cardholder liable for unauthorised transactions where the cardholder has contributed to the loss by failing to maintain PIN security according to the standards of the Code. In particular, the cardholder may be liable for unauthorised transactions where he or she has

“contributed to losses resulting from unauthorised transactions by ...keeping a record of the PIN (without making any reasonable attempt to disguise the PIN) wiwth any article carried with the card or liable to loss or theft simultaneously with the card...”.^²

The Australian Banking Industry Ombudsman has held that a PIN which is hidden is not “disguised” for the purposes of this section. So, for example, keeping the PIN in an electronic organiser in a password protected section of the organiser was not a ‘disguise’.^³ The Code itself is silent as to what an acceptable disguise might be.

The PIN/Signature analogy

Bankers often justify this requirement by drawing an analogy between the PIN and a signature. There is no doubt that the analogy is useful for some purposes. There seems, for example, little doubt that the effect of using a card and PIN at an ATM is in law the same as using the signature on a cheque, namely, that it acts as authorisation to the banker to make the payment ordered and to debit the customer’s account accordingly.^⁴

The analogy may be extended slightly to the case of a ‘theft’ of a person’s signature occurs. This is widely acknowledged where the signature is forged. In such a case the forged signature is, subject to certain exceptions that need not trouble us, a nullity for the purposes of negotiable instruments. A bank which pays on a forged drawer’s signature has no right to debit the account of the customer. The analogous case of card and PIN might be where the PIN is obtained by “shoulder surfing” and then later used with a stolen or forged card. Although the customer will have a difficult evidentiary burden, there is no liability since it is “clear that the customer has not contributed to such losses”.^⁵

“Theft of signature”

The analogy breaks down in other cases of signature “theft”. There are three cases of interest that correlate with the fact situation contemplated by the Code. The simplest is that the customer leaves his or her signature in a place where it might be easily found, say on a blank piece of paper or a partially finished letter. The next level is where the signature is on a blank cheque, but some or all of the other parts of the cheque remain blank. Finally, I will consider the case where the signature is on a cheque which is complete and regular in all respects.

The simple case

In the simple case the customer will have no liability where his or her signature is “stolen” and used as a basis for forgery. The only possible argument is that the customer has contributed to the loss by making a specimen signature available. In other words, the forgery can be a “good” one rather than a “bad” one. This argument fails because it assumes that the quality of the forgery is relevant.^⁶

Inchoate instruments

The situation becomes interesting where the customer has signed a bearer cheque form which is incomplete in some or all material particulars.^⁷ The Cheques and Payment Orders Act 1986 deals with these so-called inchoate instruments in section 18. This section is itself a rewriting of section 25 of the Bills of Exchange Act 1909 which applies to signatures on blank stamped paper. The primary purpose of these sections is to address the case where the paper is then handed to an agent in order that the cheque/bill should be completed.

But what happens if the paper is stolen and filled in by someone with no authority? The Bills of Exchange Act addresses the situation in a proviso to s25(3):

“Provided that, if any such instrument after completion is negotiated to a holder in due course, it shall be valid and effectual for all purposes in his hands, and he may enforce it as if it had been filled up within a reasonable time and strictly in accordance with the authority given.”

The Cheques and Payment Orders Act has reworded the section:

“An instrument of the kind referred to in subsection (1) that has been filled up as a complete cheque shall, as regards a holder in due course, be conclusively presumed --

(a) to have been delivered to another person in order that the instrument might be filled up as a complete cheque;

(b) to have been filled up within a reasonable time and strictly in accordance with the authority given.”

On a simple reading that would seem to settle the matter, but things are somewhat more complicated. By section 26 of the BEA and s25 of the CPOA, a contract on an instrument is incomplete and revocable until delivery of the instrument. Again, however, there are conclusive presumptions in both acts in favour of a holder in due course that an effective delivery has been made.

So, does that conclude the matter? The reader may have already guessed that it does not. In Smith v Prosser^⁸ the defendant was leaving the country to attend to overseas business. He left with an agent a signed lithographed form of promissory note which contained no other details. The agent was given instructions to hold the forms until notified by telegram or letter that they were to be issued for the purpose of raising funds. The agent fraudulently filled them in and sold them to the plaintiff.

A strong English Court of Appeal dealt with the case on general principles. Thus, Vaughan Williams LJ:

In my judgment it is of the very essence of the liability of a person signing a blank instrument that the instrument should have been handed to the person to whom it was in fact handed, as an agent for the purpose of being used as a negotiable instrument, and with the intention that it should be issued as such.

And Fletcher Moulton LJ:

They [the legislature] drew the line as regards the protection of third parties in the following very reasonable and intelligible way: if the signer intended it to become a bill, it was for him to see that it was issued in accordance with his intentions, and he did not do this, third parties would not be affected; on the other hand, if he did not intend it to become a bill, there would be no such duty incumbent upon him, and he would be in the same position as if he had merely signed it as an autograph.

Although the language of the CPOA is slightly different, it is not thought that the outcome would be different, a conclusion apparently shared by the Explanatory Memorandum.^⁹

What of a bank that collects or pays such an instrument? If the instrument is not a “cheque” (since it has not been issued) then the reasoning of Koster’s Premier Pottery Pty Ltd v Bank of Adelaide (1981) 28 SASR 355 might apply. There it was held that no action in conversion could lie where the “cheque” was forged. I have criticised elsewhere the reasoning in that case.^¹⁰ If, however, the reasoning is correct in the case of an unissued “cheque” then it follows that the paying bank may not debit the account of the “drawer” since it is only authorised to pay the “cheques” of the customer. It may be argued that the drawer is estopped from denying that the instrument is a cheque, but the decision in cases like Westpac Banking Corp v Metlej^¹¹ would make the argument a tenuous one.

Completed instruments

Suppose that the customer leaves a completed signed bearer cheque lying about where it is stolen by a rogue. In this case it is thought that the drawer would be liable to a holder in due course. There are, however, recent Canadian cases which have held that the Smith v Prosser principle applies in this case also. In National Bank of Canada v Tardivel Associates^¹² the cheque was drawn in order to fund a real estate venture. The drawer of the cheque had second thoughts and withdrew from the deal. The cheque was stolen and deposited with the plaintiff bank. Before presentment for payment the drawer stopped payment on the cheque and the plaintiff sued as holder in due course. At first instance the court held for the defendant on the basis of another Canadian precedent McKenty v Vanhorenback^¹³. On appeal to the Divisional Court, the Court held that the defendant should succeed since the “cheque” was never a cheque at all as it was never issued.

These decisions are not very satisfactory and cannot be supported in principle: see the critical discussion of the Canadian cases in Crawford.^¹⁴

Alan L Tyree Landerer Professor of Information Technology and Law University of Sydney↩︎
Electronic Funds Transfer Code of Conduct, s5.6.↩︎
Australian Banking Industry Ombudsman Limited, Annual Report 1993-1994, p25.↩︎
National Westminster Bank Ltd v Barclays Bank International Ltd [1975] QB 654↩︎
Electronic Funds Transfer Code of Conduct, s5.4.↩︎
There is no duty on the banker to recognise the signature of the customer. The function of the signature is one of authorisation not identification: see Kerr J in National Westminster Bank Ltd v Barclays Bank International Ltd [1975] QB 654 at 666.↩︎
It is usually only a bearer cheque which is of interest since it will be unusual for there to be a holder in due course of an order instrument. However, it is not impossible if the order instrument is stolen by the named payee: see National Bank of Canada v Tardivel Associates (1994) 109 DLR (4th) 126, discussed below.↩︎
[1907] 2 KB 735↩︎
See Paragraph 119 of the Explanatory Memorandum.↩︎
Tyree, Alan “The Liability of Banks Collecting Forged Cheques” (1983) 11 Aust Bus L Rev 236.↩︎
1. Aust Torts Rep 80-102.
↩︎
1. 109 DLR (4th) 126; see Crawford, Bradley “Is this a cheque I see Before Me?: National Bank v Tardivel and the Scope of the defence of non-delivery” (1994) 24 Canadian Business Law Journal 1 where this line of cases is criticised.
↩︎
1. 19 WLR 184
↩︎
Crawford, Bradley “Is this a cheque I see Before Me?: National Bank v Tardivel and the Scope of the defence of non-delivery” (1994) 24 Canadian Business Law Journal 1 where this line of cases is criticised.↩︎