May 15, 2019 by Greg Meckbach
Technology is making it easier for consumers and businesses to move money, but it can also create new liability risks, fraud experts warned Tuesday.
“Financial institutions really have to think about their position on liability,” said Jas Anand, senior manager for risk advisory at Deloitte Canada, alluding to a common scam that could cause your commercial client to lose money. In this type of scam, a criminal will send an e-mail to an employee in the finance or accounting department, the Canadian Bankers Association notes on its website. The criminal makes it look as if the e-mail – which instructs a financial worker to wire money to a third party – is coming from a company executive.
“It is very easy to be tricked by that,” Anand said Tuesday during a panel discussion at the Payments Canada Summit, which wraps up Thursday in Toronto.
“A lot of the time, businesses are on the hook for these payments,” Anand said during the panel, Payments and Fraud Prevention: A critical partnership in managing change.
“In the commercial space, organizations are increasingly going to look to financial institutions to protect them even if (the client is) at fault. Even if you downloaded the virus or even if you got a bad e-mail, what is the financial institution still doing to protect me?”
The panel discussed what payments and fraud detection should look like as consumers demand faster, easier payment methods and the trend towards open banking.
In the United States, there are threats of class action lawsuits against financial institutions from victims of fraud, Anand noted.
“Whether you are liable or not you should have the same skin in the game because from a criminal’s perspective, they don’t care. They still got the money.”
Liability and reputational risk was on the minds of speakers and attendees at a different summit session, Consumer Protection in the Age of Faster Payments.
One of the panelists alluded to a recent news report on a consumer who tried to send money to her friend by Interac e-transfer. But the recipient’s email account was hacked and the rightful recipient never got the money.
An audience member asked whether we need a new liability model to protect consumers’ email accounts or whether banks need to work somehow with email providers.
“That’s the million-dollar question behind open banking,” said lawyer Ana Badour, a partner with McCarthy Tétrault LLP’s fintech group.
“How do you make our current liability model work in the context of an increasingly complex spider web of different players? Different jurisdictions have taken different approaches. Some have been quite clear in how they allocate liability. I think if it’s vague, you’re going to get into trouble.”
A woman from Peterborough, Ont. tried to make an Interac e-transfer of $1,734 to reimburse a friend for a trip to Mexico, the Peterborough Examiner reported. The security question for the recipient was, “who is your favourite Beatle?” A hacker apparently correctly guessed the answer because there are only four possible answers. The Examiner reported that the thief was able to put the money into their account instead of the account of the intended recipient.
The woman who made the transfer looked to her bank for help and was told by the bank that it would refund half the money but that that ultimately, the bank was not at fault, the Examiner reported.
Financial institutions need to educate consumers on how to choose strong authentication methods, said Marilyn Mauritz, chief transformation and governance officer at Vancouver-based Central 1 Credit Union, during the Payments Canada Summit session on consumer protection in the age of faster payments.
“There are still a lot of people using 1234 as their password. And that’s where the consumer education needs to take place because they have to know that is a weak password,” said Mauritz.
“With all these payment options that are coming, the consumers are going to be looking to their financial institutions and saying, ‘keep me whole,’ but that isn’t going to be the case with the faster payments because it’s going to be irrevocable and the risk is going to be borne by the consumer unless the financial institution does a few other things to mitigate those issues,” Mauritz said.
“Beyond all the laws, what is the reputational impact that a financial institution could possibly have because it’s not educating its customers, it’s not investing in cyber security infrastructure and info security.”
The Payments Canada Summit, is taking place May 14 through 16 at the Beanfield Centre (the former Automotive Building) at the Canadian National Exhibition grounds in Toronto. It is hosted by Payments Canada, which operates the clearing and settlement systems used by dozens of Canadian financial institutions.