Dangers of PIN disclosure
|
| Mr C complained to the bank in March 2006 about unauthorised electronic withdrawals from his accounts between December 2004 and June 2005 amounting to $114,000. Three accounts were involved: |
- a home loan account;
- a joint savings account with his wife, held in trust for his daughter; and
- a second savings account in his name only.
|
|
The web of transactions
|
Mr C had telephone banking access to all his bank accounts. He had set up a telephone banking password in June 2003, but had never made a telephone banking transaction himself. In mid-December 2004, someone changed the telephone banking password and increased the daily limit. Mr C said it was not him, and that he believed a family member had changed the password.
Between December 2004 and June 2005, about $114,000 was transferred from the home loan account to the joint savings account. From the joint savings account $25,000 was withdrawn in card and PIN transactions and $87,000 transferred in telephone BPay transactions to an account in Mr C’s name with another bank to which a family member had been granted access. Another $1,200 was transferred by BPay to pay the utility bills of a third party.
|
Mr C’s knowledge of the unauthorised transactions
|
Mr C said that he noticed that the balance of his home loan account was too high at the end of December 2004 but that he had no time to have a good look at the matter. A little while later he spoke to a family member, who, he says, admitted to making the withdrawals and promised to return the money by the end of February 2006.
Mr C acknowledged that he had given the card to the joint savings account to his daughter, so that she could access funds in the account. He wrote the PIN for the card on a piece of paper. As far as he knew, his daughter kept the card and PIN record together in her handbag. He believed that the family member had taken the card from his daughter’s handbag.
|
The bank’s allocation of liability
|
The bank recovered the $1,200 transferred by BPay to the utility companies, but could not recover any of the funds transferred by BPay to Mr C’s account with the bank and subsequently withdrawn.
The bank regarded Mr C as being liable under Electronic Funds Transfer (EFT) Code provisions for the unauthorised withdrawals because: |
- Mr C had breached the requirements of the EFT Code by voluntarily disclosing the PIN for Mr C’s access card to his daughter, who in turn had kept the card and a PIN record together in a way that apparently allowed the family member to gain possession of both; and
- Mr C unreasonably delayed in notifying the bank after he became aware of the theft of funds from his accounts.
|
|
 |
|
BFSO’s investigation
|
The focus of the investigation was on whether Mr C had contributed to the losses resulting from the unauthorised transactions in terms of the EFT Code, and whether there was any limitation on his overall liability.
Mr C could not be held responsible for the change to the telephone banking password - the bank was unable to confirm it was Mr C himself who changed the password on 17 December 2004; or the increase in the daily limit. The limit for Mr C’s card had been increased from $1,000 to $2,000 per day but the bank was unable to confirm when the limit was increased, or that it was Mr C himself who requested the increase.
In addition, Mr C did not receive the home loan statement for the six month period to the end of December 2004, because the mailing address had been changed to the family member’s address. However, the bank did contact Mr C on 24 January 2005 to advise that his home loan repayments were increasing in line with the increase in the account balance and the bank mailed three-monthly statements for the two savings accounts to Mr C‘s residential address on 28 February 2005.
Mr C, however, had not notified the bank as soon as he became aware that the unauthorised transactions were occurring. Mr C made a withdrawal from his home loan account at 2.45pm on 24 December 2004, after $25,000 of unauthorised withdrawals had been made. The bank said the teller would have told Mr C the balance of the home loan account after the withdrawals and Mr C should have noticed at that point that the unauthorised withdrawals were occurring.
|
Outcome of BFSO’s investigation
|
The case manager accepted that the telephone banking transfers from the home loan account were unauthorised. He also accepted that it was more probable than not that an unauthorised third party had changed the telephone banking password. But the case manager did consider that Mr C had become aware of the unauthorised transfers on the afternoon of 24 December 2004 when he made the withdrawal from his home loan account, and that this was the relevant time from which liability for unreasonable delay in notification commenced.
The case manager did not treat the unauthorised transfers from the home loan account as having caused a loss to Mr C, because the funds went to another of Mr C’s accounts. However, he did consider that the additional interest that Mr C had to pay on his home loan account constituted a loss to Mr C, and that Mr C should be compensated for interest charges on the amounts withdrawn prior to 2:45pm on 24 December 2004. The interest refund totalled $3,400.
As far as the card and PIN withdrawals from the joint savings account were concerned, the case manager considered that Mr C was liable because he voluntarily disclosed his PIN to his daughter and his daughter kept the card and PIN record together in her handbag. But Mr C was not liable for amounts that exceeded the usual daily limit of $1,000 because it was more probable than not that the unauthorised third party had initiated the increase to $2,000 per day. The overlimit amounts totalled $12,900.
As far as the BPay transfers from the two savings accounts were concerned, there was no information to indicate that Mr C disclosed his telephone banking password. In fact, it was more probable than not that it was the unauthorised third party who initiated the password change. The case manager considered that Mr C was not liable for an amount of $3,600 transferred on 24 December 2004, before he became aware of unauthorised withdrawals on the home loan account, but he was liable for all transfers after this date because of his unreasonable delay in notification.
|
BFSO’s finding
|
Of the total unauthorised withdrawals and transfers of about $114,000, the Finding requested that the bank refund $19,900. Both Mr C and the bank accepted the Finding and the dispute was closed.
|
|
|
