Australian banks blast vendor security hype

23.01.2007
Australian Banking Association (ABA) Chief Executive David Bell has slammed misleading reports that member banks have been lobbying the Australian Securities and Investment Commission (ASIC) to make customers liable for Internet banking fraud.

A mix of incorrect media reports and vendor hype has created the fiasco which forced the ABA to issue a strongly worded rebuttal yesterday.

The reports claim banks have been lobbying ASIC to make customers responsible for ensuring their PCs are secure, including making them liable for Internet fraud if they do not install minimal security measures.

Responding to the claims, the ABA issued a statement that makes it clear the financial services industry hasn't been engaged in any ASIC lobbying and does not support moves to hand responsibility for Internet fraud over to the customer.

On Friday ASIC called for submissions to review the Electronic Funds Transfer Code of Conduct (EFT Code), specifically liability issues surrounding the growth and sophistication of Internet fraud and regulation of alternative payment outlets.

At the time, ASIC consumer protection executive director Greg Tanzer said "whether account holders should be required to bear any liability for losses resulting from these types of fraud (malicious code and phishing) is one of the important issues to be addressed by the review, and the matter is discussed in detail in the consultation paper."

Media reports incorrectly stated that Australian banks, either independently or through lawyers, have been lobbying ASIC regarding the changes to liability in a bid to tackle Internet banking fraud.

Refuting the reports, ASIC came out in support of the ABA yesterday by publicly declaring it is unaware of any lobbying by the financial services industry.

There certainly haven't been any submissions on this issue made to ASIC, according to ABA's Bell.

"I have spoken to ASIC today who say they are unaware of any ABA member lobbying them on this aspect of the EFT Code review," he said.

The Commonwealth Bank Group was even more direct, labelling the claims as "totally false."

A bank spokesperson said there have been no submissions or any support for a mandate to make users liable.

"We have a policy to protect our customers' funds by providing the best (updated) security," he said.

Adding to the furore, TrustDefender, from IT security provider Symbiotic Technologies Pty Ltd., issued a press release on the back of the incorrect reports.

Not realizing the claims were inaccurate, the vendor went ahead and quoted the media report verbatim in a bid to promote its own products.

There is nothing new about IT security vendors relying on hype to push product; FUD (fear, uncertainty and doubt) has always been good for sales figures.

The vendor's co-founder Ted Egan admitted yesterday his company issued a press release based on a misreported article but didn't back down from his belief that banks have been downplaying online banking risks for years.

Egan said customers do need to work closely with banks to overcome fraud, adding that users need to be included in the battle against cyber crime.

"It is a collaborative scenario," he added.

Further clarifying the confusion generated from the misleading reports, a spokesperson from the Westpac Banking Corp. confirmed there are "no plans whatsoever to mandate a minimum Internet security policy for customers."

Australian banks have been extremely vocal about end user responsibility when it comes to securing Internet banking sessions, which has led to the creation of services available to users who are concerned about fraud.

For example, a National Australia Bank spokesperson said the bank offers good security at the transaction level through two-factor authentication.

"This is an excellent security option for consumers who need out-of-band authentication and we encourage all our customers to register for this free service," the spokesperson said.