A recent US Court of Appeals decision has caused some concern in banking circles. Here is a blog description with a link to the case, Patco Construction v People's Bank. Essentially the court held that the business customer’s losses from online fraud had been caused by negligent security practices at the bank, so the bank was liable for them.
As the blog entry (by a noted electronic security expert) points out, consumers have traditionally been protected in dealings with their banks, so the banks have devised a number of security measures to protect against loss. Business clients have not had that protection, so banks may not have put in place equivalent security for them. This case may change that practice.
Is the situation the same in Canada with respect to the usual allocation of risk between bank and customer, whether consumer or business customer? Would a Canadian bank generally be liable in a situation like that of the Patco case?
I know that at least some Canadian banks use two-level authentication, at least for transactions from unknown computers (i.e. they ask a security question in addition to requiring the password and card access number). Some provide extra security software that the customer can download. So even if the bank would ‘normally’ be liable for negligence towards a commercial customer, it may be that standard Canadian business banking practices would be thought not to be negligent.
An article in the July 2012 issue of American Banker expresses concern about the impact of the ruling on small banks that are said to be unable to afford good security. Besides wondering if they are then too small to deserve to stay in business in these days of online banking, one wonders if Canada has any banks that small. Perhaps not.
Is there a manageable way to express the appropriate balance of risks between a bank and its business customer? Both sides need to be careful. What’s the reasonable allocation? Does it matter which party is better able to (afford to) provide preventive measures?
To what extent is it fair to allow banks to allocate the risk to the customer by contract?
Will the picture change with mobile banking? Is there anything in the Canadian Payments Association mobile banking proposals of May 2012 that affects this balance? (The Globe and Mail yesterday had a prominent story on how mobile banking is coming to Canada this year.) Is the different level of security of smart phones (generally not as good as a desktop or even laptop, with the probable exception of the BlackBerry) going to affect banking or business practices, or their legal liabilities?
What will you tell your clients as a result of this case, or these banking developments, if anything?