Internet banking fraud
Alan L Tyree
R v Johnson [2006] QCA 362
The defendant was charged with and convicted of dishonestly applying to his own use a sum of money belonging to Suncorp Metway Ltd. His point on appeal to the Queensland Court of Appeal was that his account with Suncorp Metway had a credit balance of $9,715 and that withdrawing that sum could not amount to dishonestly applying Suncorp's property.
The money was deposited in the defendant's account by means of an Internet fraud. According to bank investigations, a person using a Chinese based internet service provider logged into the account of R Ltd on 11 November and transferred $9,715 to the defendant's account. The directors of R Ltd testified that they had not authorised the transfer, nor had they disclosed access information.
A little more than an hour after the transfer was made, the defendant logged into his Internet account and made a balance inquiry. The balance was $9747.25, up from $32.25 the day before. Evidence showed that the defendant's account received pension and social security payments since it had been opened in 2004. The balance was usually small, but there was one entry of $4,870 that had later been reversed.
The defendant withdrew various sums over the next week, reducing the account balance to $7.70.
Trojans
Suncorp determined that the customer's computer was infected with a "Trojan". As described to the court, a Trojan is a program that can record keystrokes and send information back to its home base. A Trojan, said Suncorp, may infect a computer through certain websites or via emails.
Although Suncorp did not mention it, the vulnerability of some computer systems is substantially higher than others.
The initial ASIC consultation paper on reviewing the EFT Code of practice noted that "some industry representatives" proposed that users should be liable for the full amount of losses from malicious code compromises unless they have minimum or adequate equipment security: ASIC consultation paper CP78, December 2006 at para 7.20.
The problem with that proposal is that there is no effective protection for most consumer level computers. An AusCERT study from 2006 found that 60% of "malware" are not detectable by anti-virus software at the time when the malware is discovered "in the wild": AusCert "2006 Australian Computer Crime and Security Survey" at page 22.
Financial institutions have chosen to implement electronic banking via web browsers on consumer grade equipment. This equipment is inevitably exposed to attack by Trojans and other forms of malware. ASIC rightfully rejected the attempt to throw losses caused by malware onto consumers.
Russian emails
The $4,780 transaction was also an Internet fraud. In October, the National Bank Internet Fraud Detection Team advised Suncorp that a fraudulent transfer was being made to the defendant's account from one of National's customer's accounts.
Because of internal procedures, this amount was credited to the defendant's account but with a "pledge" on the account. This meant that the defendant was unable to draw on the sum.
The defendant, when contacted, said that he understood what was happening. He had received emails from one "Lee Chusu", advising the defendant that a sum would be deposited to his account. He was asked to keep $70 for his trouble and pay the remaining $4800 to a Western Union account in the name of "David Rau" of St Petersburg, Russia.
Why did "Lee Chusu" send an email to the defendant? It seems that the defendant had replied to an offer of employment, apparently a "spam" email. In so doing, he had supplied details of his account with Suncorp Metway. An expert from Suncorp Metway testified that people such as the defendant were known as "mules", and the entire process was probably a money laundering operation.
Account confusion
What is the effect of a fraudulent or mistaken crediting of an account? The defendant argued that he was entitled to withdraw an amount standing to the credit of his account. The cases are not entirely consistent on the effect of altering an account, a matter that will be dealt with in a later note.
However, in this author's opinion, the Queensland Court of Appeal came to the correct decision, holding that (at para 31):
- a genuine chose in action is not extinguished by a fraudulently created debit entry; and
- a fraudulently created credit entry creates only the illusion of a chose in action.
In other words, the debt owed by the bank to the customer is not altered by a fraudulent alteration of the accounts. The Court also noted, wryly, that "Fraud gives a right of action to the victim, not the perpetrator."
EFT Code: Business vs consumer
The bank in R v Johnson was able to determine the reason for the unauthorised transfer from the R Ltd account, but suppose that it had not been able to do so and the origins of the transaction remained a mystery. Which party should bear the loss?
The answer, most unfortunately, depends on whether the EFT Code of Conduct, to be fashionably renamed the EPayments Code, applies. If the Code applies then an innocent victim is responsible for a portion of the loss. Under the existing Code and the proposed EPayments Code, the amount is $150. "Innocent" means that the customer has not contributed to the loss by behaviour identified by the Code.
If the Code does not apply, then it is necessary to consider common law rules. The basic principles are:
- a bank account is, in law, a debt owed by the bank to the customer: Foley v Hill (1848) 2 HL Cas 28; 9 ER 1002;
- the bank is claiming that the transfer is a payment made on behalf of the customer and that this results in a reduction of the debt owed to the customer;
- when repayment of a debt is disputed, it is up to the debtor to show, on balance of probabilities that the debt has been repaid: Young v Queensland Trustees Ltd [1956] HCA 51.
The High Court in Young held that an older Victorian case, Nelson v Campbell (1928) VLR 364 was wrongly decided. Nelson had held that the burden of proof was on the creditor.
Consequently, when a customer claims that a transaction is unauthorised, the burden of proof is on the bank to show that it was authorised or there is some other factor that entitles it to debit the account. We are assuming that the bank is unable to do this.
Because of intense opposition from certain "stakeholders", the ASIC draft Code does not apply to small businesses. Therefore, the Code would not apply to R Ltd, and they would be entitled to have the account re-credited for the full amount. Had they been "consumers" to which the Code applied, they would have been required to contribute $150.
To add consumer insult to consumer injury, note that the small business has access to the Financial Services Ombudsman in order to resolve the dispute between itself and the bank.
Why, it might be wondered, does the consumer protection of the EPayments Code reduce consumer protection? The answer is in the process followed by ASIC in drafting the Code. ASIC adopts a principle of negotiation between "stakeholders". In the process, each is expected, explicitly or implicitly, to give up something.
EFT providers have long known that they are liable for unattributable unauthorised transaction, but they have exercised their market power in order to ignore their obligations. In the ASIC procedures, they have agreed to do what they should have been doing all along, provided the consumers forego certain rights. The same process has been followed with respect to mistaken Internet payments: see (Hexter 2011)
The "consumer problem" is twofold:
- consumers don't have rights that they should have; and/or
- the costs of exercising existing rights is so high that the wrongdoer is effectively immune.
Legislation such as the Australian Consumer Law addresses the first problem, granting consumers rights such as non-excludable guarantees with respect to provided services and goods.
The second problem is addressed through the existence of consumer Tribunals such as the NSW Consumer, Trader & Tenancy Tribunal, or alternative dispute resolution bodies such as the Financial Ombudsman Service. Neither of these solutions require the consumer to negotiate away rights.
The bargaining model adopted by ASIC effectively compromises consumer rights in exchange for providing affordable remedies. When most of the "stakeholders" around the bargaining table are the people who refuse to honour their legal obligations, the results are not likely to be optimal from a consumer perspective.