Secure online banking, a quest towards joint responsibilities
Master thesis focusing on the quest towards joint responsibilities for secure online banking.
Page | i
Secure online banking
A quest towards joint responsibilities
Thesis EMBA
P.M.W.J. (Paul) van Dommelen
November, 2013
Nyenrode Business Universiteit
Title page
Title: Secure online banking, a quest towards joint responsibilities
Document: Final Thesis Executive MBA
Report status: Final version
Author: P.M.W.J. (Paul) van Dommelen
Thesis supervisor: Professor Dr. R.J.M. Jeurissen
Class: EMBA 10
Date: 08-11-2013
E-mail address: [email protected]
Nyenrode Business University
Straatweg 25
3620 AC Breukelen
Capgemini Nederland B.V.
Reykjavikplein 1
3543 KA Utrecht
Preface
For the past two years I have been on a personal journey. A journey towards the completion of
my Executive MBA program. It has been fun, informative and above all a very challenging
experience. I’m grateful for all the knowledge and experiences that I have obtained. I have
enjoyed a lot of interesting, nice, intense and also relaxing moments with my classmates of the
EMBA10 class. Their personal views and experiences have made this MBA a truly unique and
rewarding experience.
I’m proud to present my master thesis, the final step towards completion of the EMBA program.
My master thesis focuses on joint responsibilities for secure online banking. This topic has been
the subject of intense debates, both in private as well as in public settings. These debates have
drawn my attention, both from a professional as well as a personal interest. I have devoted the
past 6 months to analyze this problem and to find opportunities to improve the current
situation. I became passionate about this research because of the complexity and importance of
the subject and feel personally committed in helping to resolve the current problems.
I would like to show my appreciation to my employer, Capgemini, and more specifically my manager
René Roest. They have provided me with the opportunity to enroll in this program. I would like
to thank my colleague Nienke van den Brink who has been my company supervisor for this
thesis. Next to my employer and colleagues, I would like to thank the Nyenrode Business
Universiteit, their professors, staff and partner universities. I would especially like to thank
Professor Dr. R.J.M. Jeurissen, who has been my faculty supervisor during this thesis. I’m
thankful for the guidance, knowledge and energy he has provided to me. I would also like to
thank the participants of the focus interviews as they have invested their personal time to allow
me to find answers to my questions.
Finally I would like to express my deepest gratitude and appreciation to my partner Beeshema
and our daughter Lakisha. They have been an incredible support during the difficult and
challenging moments. The dedication and amount of energy which they have had to invest to
keep our personal lives as normal as possible is truly remarkable. I couldn't have
achieved these results without their love and support. I can only imagine how difficult it
must have been to always get the answer “next year” when a family activity was proposed. The
good news is: the next year is yet to come!
TABLE OF CONTENTS
Title page ................................................................................................................................................ iii
Preface ...................................................................................................................................................... v
1. Executive summary ........................................................................................................................... 1
2. Introduction ........................................................................................................................................ 5
3. Thesis focus ........................................................................................................................................ 7
3.1. History ......................................................................................................................................... 7
3.2. Types of customer targeted online banking fraud ................................................................. 9
3.2.1. Phishing ............................................................................................................................... 9
3.2.2. Pharming ............................................................................................................................. 9
3.2.3. Social engineering ............................................................................................................ 10
3.2.4. Malware ............................................................................................................................. 10
3.3. Management problem .............................................................................................................. 11
3.4. Reason for the research ........................................................................................................... 11
3.5. Scope of the research ............................................................................................................... 12
3.6. Research methodology ............................................................................................................ 12
3.7. The research problem .............................................................................................................. 12
3.8. Research goals ........................................................................................................................... 13
3.9. Abbreviations ............................................................................................................................ 13
4. Literature review .............................................................................................................................. 15
4.1. What is the impact of the problem? ...................................................................................... 15
4.1.1. Number of fraudulent occasions and hard costs ........................................................ 15
4.1.2. Soft costs for Financial Services Providers .................................................................. 18
4.1.3. Costs for impacted customers ........................................................................................ 19
4.1.4. Impact on society ............................................................................................................. 20
4.1.5. Conclusion ........................................................................................................................ 20
4.2. Legal framework ....................................................................................................................... 21
4.2.1. Legal responsibilities and liabilities ................................................................................ 21
4.2.2. How Financial Services Providers take care of their duty of care ............................ 22
4.2.3. Compensation policies of Financial Services Providers ............................................. 23
4.2.4. The customer’s responsibilities specified in the terms and conditions .................... 24
4.2.5. Liability .............................................................................................................................. 27
4.2.6. What is gross negligence? ............................................................................................... 27
4.2.7. Government...................................................................................................................... 29
4.2.8. Conclusion ........................................................................................................................ 31
4.3. The ethical point of view ........................................................................................................ 32
4.3.1. A power balance of responsibilities............................................................................... 32
4.3.2. Responsibility types ......................................................................................................... 35
4.3.3. Elements of responsibility .............................................................................................. 37
4.3.4. Moral consciousness ........................................................................................................ 37
4.3.5. Joint responsibility ........................................................................................................... 38
4.3.6. Who should be responsible? .......................................................................................... 39
4.3.7. Conclusion ........................................................................................................................ 40
4.4. View from market research ..................................................................................................... 41
4.4.1. The view on the customer’s abilities to detect ............................................................. 41
4.4.2. How customers currently secure themselves ............................................................... 44
4.4.3. The view on the Financial Services Provider’s duty of care ...................................... 44
4.4.4. Conclusion ........................................................................................................................ 47
5. Conceptual model ............................................................................................................................ 49
6. Customer research ........................................................................................................................... 51
6.1. Research type ............................................................................................................................ 51
6.2. Scope and limitations ............................................................................................................... 52
6.3. The sample ................................................................................................................................ 52
6.4. Data collection technique ........................................................................................................ 53
6.5. Interview questions design ...................................................................................................... 53
6.6. Variable measurement and validation ................................................................................... 54
7. Research results ................................................................................................................................ 55
7.1. Elements of responsibility....................................................................................................... 55
7.1.1. Perceived level of security............................................................................................... 55
7.1.2. Level of customer awareness per type of fraud ........................................................... 56
7.1.3. Level of knowledge about preventive measures .......................................................... 57
7.1.4. Power balance of responsibility ..................................................................................... 60
7.2. The moral standard .................................................................................................................. 62
7.2.1. Current customer’s responsibility and legal liability .................................................... 62
7.2.2. Online banking fraud compared to physical crime ..................................................... 64
7.2.3. Terms and conditions ...................................................................................................... 65
7.3. Future joint responsibilities and liabilities ............................................................................ 67
7.3.1. Future customer responsibility and liability ................................................................. 67
7.3.2. Activities and responsibility of the Financial Services Provider ............................... 67
8. Analyses and conclusions ............................................................................................................... 71
8.1. Answers to the research questions ........................................................................................ 71
8.1.1. What is the current impact of online banking fraud? ................................................. 71
8.1.2. What is the legal framework of the responsibilities and liabilities? .......................... 72
8.1.3. What is the ethical view on joint responsibility? ......................................................... 75
8.1.4. What is the known view on moral standards from market research? ...................... 77
8.1.5. What is the moral standard for the duty of care / due care of the Financial
Services Provider? ............................................................................................................................ 78
8.1.6. What is the moral standard for the customer’s behavior related to gross negligent
behavior? ........................................................................................................................................... 79
8.1.7. To what extent are the critical elements of responsibility fulfilled in the current
situation? ........................................................................................................................................... 80
8.1.8. What are potential future joint responsibilities, liabilities and measures for the
Financial Services Providers and their customers in the customer’s point of view? ............. 82
8.2. Answer to the main research problem .................................................................................. 83
8.3. Limitations................................................................................................................................. 84
8.4. Recommendations for future research .................................................................................. 85
9. Recommendations............................................................................................................................. 87
9.1. Recommendations to Financial Services Providers and the NVB .................................... 87
9.2. Recommendations to online banking customers ................................................................ 88
9.3. Recommendation to the government and regulators ......................................................... 88
9.4. Recommendations to judges and the Financial Services Complaints Institute (KiFid) ........ 89
10. Bibliography .................................................................................................................................. 91
Appendices ................................................................................................................................................. 99
Appendix 1: demographics of focus interviews participants ....................................................... 101
Appendix 2: Focus interview questionnaire ................................................................................... 103
1. EXECUTIVE SUMMARY
The phenomenon of financial identity theft has existed for decades, possibly centuries, and is perhaps
as old as the notion of identity itself. With the introduction of personal computers,
the World Wide Web and the Smartphone, a new form of financial identity theft emerged. This
paper focuses on high tech financial identity theft targeting online banking customers of Dutch
Financial Services Providers (FSPs) by means of phishing, pharming, social engineering and
malware. For the past couple of years, FSPs have increased their efforts in finding ways to
mitigate these threats by creating a variety of (technical) solutions. Despite these measures, FSPs
have been confronted with an increase in the impact and the costs over the past couple of years.
FSPs would like to involve their customers and join forces in order to reduce the likelihood of
successful attacks on customers' online banking accounts. In order to do so, FSPs will have to
find a way to deal with the information gap, competences and skills of their customers. We
are currently confronted with cases in which some FSPs do not reimburse the financial
losses of their customers because these customers - according to the FSP - have acted with gross
negligence. As a result, current debates focus on what distribution of responsibility
between FSPs and their customers is correct and morally acceptable. This responsibility
distribution is the focus of this document. The main research problem of this research is: "how
can a Financial Services Provider create joint responsibilities for the prevention of customer
targeted online banking fraud - between themselves and their customers - in an ethical way?"
This research has been executed by combining a literature review (desk research) with
customer focus interviews (field research). Through the literature review, some research
questions have been answered and the important gaps in the current literature were identified. In
order to fill these gaps, field research was carried out using focus interviews with
groups of Dutch retail online banking customers.
One of the main problems in the current situation is the absence of a clear moral standard for
secure customer behavior and a clear moral standard for the FSP's duty of care. On the one
hand, the duty of care of the FSP is not clearly defined by law or regulation, nor is it
publicly communicated what measures FSPs are taking to protect their customers. Therefore it is
difficult to determine whether FSPs are protecting their customers in the best possible way. On the
other hand, customers are being held responsible for measures that they are not necessarily
aware of or capable of taking. Determining whether or not somebody has acted with gross negligence is
difficult if not impossible when moral standards for customers have not been determined and validated. The
research indicates that different moral standards should apply to different groups of
customers. These moral standards should be based on the customers' skills and knowledge, for
example mental capabilities and computer skills. The research has identified that customers'
current knowledge of the threats to online banking and of protective measures, as well as
their current skills, is low.
Despite the current level of skills and knowledge, from an ethical perspective it seems reasonable
to shift the current power balance of responsibilities and liabilities towards joint responsibilities. The
past situation in which the FSP always reimbursed the financial damages has led to moral hazard and
moral unconsciousness amongst customers. Shifting the power balance, however, does not
mean that responsibilities are simply moved from the FSP to the customer. Joint responsibility
means that everyone receives a part of the total responsibility, on the condition that the total sum
of responsibilities increases. For example, when a customer is given the responsibility to take
certain measures, the FSP must be given the responsibility to inform its customers about
that responsibility, its necessity, the means to fulfil it and the potential
consequences of not taking these measures. Overall, as a society we should improve the moral
consciousness of the threats and security measures related to the internet and more specifically to
online banking. This is a joint responsibility of the NVB, FSPs, their customers and the
government. Shifting the power balance of responsibility to a due care model seems legitimate
once the necessary preconditions have been met. These preconditions have been grouped and
assessed in the following model:
All elements in this model will have to be fulfilled in order to achieve joint responsibilities. Based
on this assessment we can conclude that there are gaps (displayed in orange and red) between the
current state of fulfillment of the individual elements and the desired state. This research
indicates that the absence of clearly defined moral standards - for both the customer and the FSP
- and of clear communication of preventive information from the FSPs to their customers are
the root causes of the missing elements. Solving these two root causes will have a positive effect
on all the (partly) unfulfilled elements. It is recommended that FSPs take the lead in closing
these gaps. Besides the FSPs, the NVB, customers, government, legislators, judges and the
KiFid will also have to take action in order to close the gaps. This report therefore includes
recommendations to all these stakeholders.
The moral standards are vital to the quest towards joint responsibilities. This paper does not
define the different moral standards. Therefore, further research is required focusing on the
different moral standards of the customers.
2. INTRODUCTION
It was on a Friday morning that Mrs. de Vries (67 years of age), who lives in Amsterdam,
received an e-mail from her Financial Services Provider (FSP). In the e-mail the FSP explained
that it would like to update the contact details of Mrs. de Vries in its database. Mrs. de Vries
was asked to click on a link in the e-mail in order to be redirected to the FSP's website. On this
website she updated her mobile phone number. A couple of days later Mrs. de Vries received a
phone call from her FSP. The FSP's employee introduced herself as Laura Janssen, working for
the security department of the FSP. She informed Mrs. de Vries that she would like to verify that
the phone number indeed belonged to Mrs. de Vries. The employee told Mrs. de Vries that she was
not allowed to disclose her personal PIN code as a means of verification. The FSP's employee
asked Mrs. de Vries to take her debit card and the online banking device. The FSP's employee
gave Mrs. de Vries a code (the so-called challenge code) and asked her to read out the
corresponding code from her banking device (the so-called response code). The FSP's employee
verified the code and asked Mrs. de Vries to go through the same procedure once again. After a
successful verification, the FSP's employee thanked Mrs. de Vries for her understanding and
wished her a pleasant remainder of the day.
About three days earlier, Mr. de Groot (32 years of age), who lives in Twente, needed to transfer
money to a friend. He logged in to the FSP's online banking website and entered the details of
the transaction. In order to approve the transaction, the FSP's website instructed Mr. de Groot
to use his mobile phone as a means of verification and approval. He received an SMS from the
FSP with a code, entered the code and validated the transaction. The FSP's website then displayed a
screen informing Mr. de Groot that the website was currently busy and instructed him to be
patient. After 20 seconds the website informed him that something had gone wrong with the
verification of the transaction. Mr. de Groot was instructed to request a new code, using his
mobile phone. He requested and received this new code. He then typed the code into the web
browser. Mr. de Groot received a confirmation of the request and logged off from the online
banking environment.
Although Mrs. de Vries and Mr. de Groot are not familiar with each other, they do have
something in common. Both of them received a phone call from their FSP informing them that
they had become victims of online banking fraud. Criminals had used the verification codes of
Mrs. de Vries and Mr. de Groot in order to transfer money from their online banking accounts
to a fraudulent account. After this phone call, both Mrs. de Vries and Mr. de Groot were asking
themselves the same questions: What has just happened to me? How could this happen? How
come I didn’t notice this? Is this real? Who is responsible? Who is liable for this? Will I receive a
reimbursement or compensation for the financial damages?
Two weeks later Mrs. de Vries received a letter from her FSP informing her that it was not
going to reimburse the financial damage, since Mrs. de Vries had shared her access codes, which
is a violation of the FSP's terms and conditions. Mr. de Groot also received a message from
his FSP (a different FSP) informing him that it was going to compensate him for his
financial losses.
While both had been victims of online banking related fraud, the outcome regarding financial
compensation differs. Is this right? Is this ethical? This thesis will focus on these questions and will guide
us on a quest towards joint responsibilities for the prevention of these types of crime.
3. THESIS FOCUS
3.1. History
The previously described types of crime are part of so-called identity theft. What do we mean
when we speak of identity theft, what is the definition? Koops & Leenes have studied the
definition of identity theft and came to the following conclusion: “Identity theft is often
perceived as one of the major upcoming threats in crime. However, there is no commonly
accepted definition of ‘identity theft’ or ‘identity fraud’, and it is impossible to study the real
threat of this phenomenon without conceptual clarity.” (Koops & Leenes, 2006). After studying
all relevant definitions, they came to the following definition which in my opinion is the most
accurate: “Identity ‘theft’ is fraud or another unlawful activity where the identity of an existing
person is used as a target or principal tool without that person’s consent.” There are many
different forms of identity fraud, and not all of them take financial advantage of the target. In
their literature review about identity theft, Newman and McNally have identified seven different
types of identity theft (Newman & McNally, 2005). One of these types is defined as financial
scams, also called Financial Identity Theft. They define these Financial Scams as: "There is a
wide variety of scams that may be committed with the goal of obtaining from victims their
personal information. These types of identity theft are obviously also related to the exploiting of
specific technologies and information systems. Fraudsters place false "store fronts" on the web
that imitate well known web retailers, or send tricky email or pop-up solicitations ("phishing")
requesting financial and personal information. The majority of these types of fraud use relatively
tried and true old scams adapted to new technologies. They all essentially depend on tricking or
duping the victim". Or, in a shorter version as defined by Nicole S. van der Meulen (Meulen,
2011): "Financial identity theft refers to the misuse of identity of another person in an effort to
unlawfully obtain financial benefits".
The phenomenon of financial identity theft has existed for decades, possibly centuries, and is perhaps
as old as the notion of identity itself. While the problem has been around for a very
long time, its nature has changed. With the introduction of personal computers,
the World Wide Web (later on in this paper referred to as the internet or online) and the
Smartphone, a new form of financial identity theft emerged. This digital form of financial identity
theft is often referred to as a high tech method, online crime or cybercrime (Johnson, 2009).
Cybercrime is defined as crime committed by means of computers or the internet (Dictionary,
2013). Cybercrime has become the most popular and widespread term. In this research we
should be careful using this term, since it includes more types of crime than financial identity
theft alone. It includes anything from illegally downloading music files to stealing millions
of dollars from online bank accounts. Cybercrime also includes non-monetary offenses, such as
creating and distributing viruses to other computers or posting confidential business information
on the Internet (Techterms, 2013).
These high tech methods are variants of the low tech "old-fashioned" methods such as robbery
and pickpocketing. The examples described in the introduction of this paper are forms of these
high tech methods. This paper focuses on high tech financial identity theft targeting customers
of FSPs. In this research we will therefore use the term customer targeted online banking fraud.
The first forms of online banking fraud were reported by the Dutch Central Bank (De
Nederlandsche Bank) in its annual reports of 2007 and 2008 (DNB, 2008)(DNB, 2009); figures
were, however, not disclosed. Hafkamp and Steenvoorden refer to this as "serious and
sophisticated attacks on online banking since the beginning of 2007" (Hafkamp & Steenvoorden,
2010). Thus, while the first high tech online crimes targeting online banking started in
2007 and grew rapidly, the publicly available information about the real size of the problem is vague.
Nevertheless, the year 2007 can be marked as the starting point of online banking related identity
theft in the Netherlands.
FSPs jointly launched their first customer awareness campaign related to these new types of
crime during 2008 and have launched more awareness campaigns since, for example the "drie
keer kloppen" (knocking three times) campaign and the most recent campaign "Veilig
Bankieren" (Secure Banking). Despite these campaigns and the joint efforts of the FSPs, the police
and the Ministry of Justice, the impact of these high tech crimes has grown ("Intensieve
samenwerking politie, justitie en banken tegen internetfraude - Nederlandse Vereniging van
Banken," 2011).
Although the financial damages increased for the FSPs, this initially did not affect their
customers. Up until 2012, the FSPs had always reimbursed their customers for the financial losses
caused by these types of crime. In the beginning of 2012 the situation changed, as some of the FSPs
decided not to compensate their customers because they had violated the general terms and
conditions of online banking (Kassa, 2012). This new policy of some of the FSPs resulted in a
media debate as well as debates in the Ministry of Finance and the Dutch government about the
justification of this standpoint and the way forward (Dijsselbloem, 2012). This
debate focuses on the different responsibilities and liabilities of all parties involved. Since the
points of view of the various stakeholders differ and conflict, this topic is likely to remain under
debate in the near future.
3.2. Types of customer targeted online banking fraud
There are a number of high tech methods currently targeting FSPs and their
customers. It is important to understand the different methods that criminals use to commit
these forms of crime, as these types of crime will be referred to throughout this research.
3.2.1. Phishing
Phishing refers to the attempt to acquire personal information in order to abuse that
information for identity theft. Criminals try to obtain the customer's personal data such as
usernames, passwords, PIN codes, debit cards and other private information. A well known form
of phishing is the distribution of fake e-mails. Criminals send out e-mails that appear to come
from a legitimate source such as an FSP, in which they ask the customer to visit a website (which
has the same layout as the website of the FSP) in order to check their credentials, to reply to the
e-mail or to open an attachment ("Phishing Definition," 2013). The intent of the criminal is
either to obtain the customer's details or to install malware on the customer's personal device.
When the criminal wants to obtain the customer's personal data, the e-mail or website for
example instructs the customer to update their private information and asks for the username,
password and / or response codes of the FSP. When the criminal wants to install malware, the
e-mail will request the customer to open an attachment. When the customer opens the
attachment, the malware is installed without the customer's knowledge.
The e-mail could also request the customer to visit a website that hosts malware. Once
the customer visits the website, the malware is installed without the customer's
knowledge. Criminals use the obtained data to abuse the customer's identity: they
log in to the customer's online banking account and
transfer money from the victim's bank accounts.
3.2.2. Pharming
Pharming is yet another way in which hackers attempt to manipulate users on the internet. While phishing attempts to capture personal information by getting users to visit a fake website, pharming redirects users to false websites (“Pharming Definition,” 2013). The criminal for example places a fake website in a search engine, giving the search result the name of the FSP’s website, or redirects the customer to the fake website when the customer types the FSP’s website address into their internet browser or clicks on the bookmark in their favorites (the criminal might have used malware to change the bookmark to the fake website). The fake website has the same look and feel as the original website. When a customer enters their online banking credentials, the information is stored in the criminal’s database and reused for financial identity theft (Faber, 2011).
3.2.3. Social engineering
Social engineering is a method in which the criminal uses human interaction in order to obtain personal information (“Social engineering attack definition,” 2013). A well-known form of social engineering is a criminal who pretends to be an employee of the FSP. The so-called employee informs the customer that something is wrong with their internet bank account and requests the customer to verify their credentials, either by sharing their online banking credentials or by visiting a website and following the security procedure. The so-called employee assists the customer in performing the necessary activities. During the conversation the criminal harvests the necessary information, such as the response codes of the online banking devices or the PIN code. The obtained information is then used for financial identity theft.
3.2.4. Malware
Malware is the abbreviation of malicious software. Malware refers to a software program designed to damage a computer system or to perform unwanted actions on it. Common examples of malware include viruses, Trojan horses and spyware (“Malware Definition,” 2013). Malware can gather data from a user’s system without the user’s knowledge. This can include anything from the web pages a user visits to personal information, such as passwords. Furthermore, it can interfere with the communication between a website and the customer’s personal device, for example by changing the website without the knowledge of the customer. Changing a website can for example be used to add an additional payment while the customer is performing a transaction, or to change the account number of the beneficiary of the original payment. A customer’s personal computer usually becomes infected when the customer visits a website that abuses security weaknesses in software on their device to install malware (a so-called drive-by download). Drive-by downloads can also be initiated by advertisements (“‘Criminelen dol op verspreiden malware via advertenties’ | nu.nl/binnenland | Het laatste nieuws het eerst op nu.nl,” 2013). This has for example happened to the Dutch news website www.nu.nl (“Gevaarlijke malware verspreid via NU.nl - Security.NL,” 2013) and the website of Toyota (“Website Toyota verspreidt week lang malware - Security.NL,” 2013). According to Chengyu Song et al., drive-by downloads are currently one of the most severe threats for users on the internet (Meulen, 2011). Other potential ways to infect a device are installing software that is not obtained from the original manufacturer or opening e-mail attachments from unknown sources. A customer can also be affected by using an infected device of a third party, for example a device that has been infected on purpose in a malicious internet café.
3.3. Management problem
The Dutch FSPs have designed their online banking platforms on the basis of strong security measures, such as strong authentication methods. FSPs have increased their efforts to find ways to mitigate the threat of unauthorized money transfers by creating a variety of technical solutions. Despite these measures, FSPs have been confronted with an increase in financial losses over the past couple of years.
The FSPs would like to involve and join forces with their customers in order to reduce the likelihood of successful attacks on the customer’s online banking account. Customers are, however, not necessarily aware of and knowledgeable about the current threats and the required security measures. There seems to be an uneven playing field between the capabilities and knowledge of the FSPs and those of their customers. Even within the group of customers, different levels of capabilities and knowledge exist. FSPs will have to find a way to deal with the information gap, competences and skills of their customers. The nature of this management problem is the distribution of responsibilities.
3.4. Reason for the research
The current media debates are focused on the kind of distribution of responsibility that is correct and morally acceptable, rather than on what is legally correct. There is, however, no clear definition of or agreement on this matter. FSPs would benefit from clarity in these debates, as this would provide guidance in the ongoing attempts to maintain and further increase the security of online banking in collaboration with their customers.
In order to be able to join forces, all stakeholders should first agree on the best way forward. This requires an investigation into what is morally and ethically right according to the perspectives of all relevant stakeholders. In addition, there is little insight into customers’ awareness, their opinion and their acceptance of increased security measures.
The main academic area of this research is ethics. This research will identify the necessary elements of joint responsibility and the extent to which these elements are present in the current situation.
3.5. Scope of the research
The focus of this research is joint responsibilities for secure online banking, that is, the mitigation of financial losses due to financial identity theft. The types of crime that are in scope of this research are phishing, pharming, social engineering and malware. The geographical scope of this research is limited to Dutch FSPs that provide online banking facilities and to the customers of these FSPs.
3.6. Research methodology
The first part of this research is the literature review (described in chapter 4). This literature review was executed as desk research: all materials currently available on this topic were studied and combined into the literature review. After the literature review, the gaps in the current literature that are important for this research were identified. In order to fill these gaps, customer field research was executed using focus interviews (described in chapter 6).
3.7. The research problem
This research focuses on the following main research problem: how can a Financial Services Provider create joint responsibilities for the prevention of customer-targeted online banking fraud - between themselves and their customers - in an ethical way?
In order to answer this main research problem, the following sub questions will be answered by means of a desk research literature review (chapter 4):
1. What is the current impact of online banking fraud?
2. What is the legal framework of the responsibilities and liabilities of the Financial Services Provider and their customers?
3. What is the ethical view on joint responsibility?
4. What is the known view on moral standards from market research?
5. What is the moral standard for the duty of care / due care of the Financial Services Provider?
The following sub question will be answered by means of a combination of a desk research literature review (chapter 4) and interview field research (chapters 6 and 7):
6. What is the moral standard for the customer’s behavior in relation to grossly negligent behavior?
The following sub questions will be answered by means of interview field research (chapters 6 and 7):
7. To what extent are the critical elements of responsibility fulfilled in the current situation?
8. What are the potential future joint responsibilities, liabilities and measures for the Financial Services Providers and their customers from the customer’s point of view?
The main research question and sub questions will be answered in paragraph 8.1.
3.8. Research goals
The objective of this research is to provide answers to the questions stated in paragraph 3.7. In order to answer these questions, the research has been executed in a staged approach and this report has been structured accordingly.
• Execute literature review (chapter 4)
o Define the impact of the problem (paragraph 4.1)
o Define the legal context of the problem (paragraph 4.2)
o Define current measures towards the problem (paragraph 4.2.2)
o Define necessary elements for liability (paragraph 4.2.5)
o Define necessary elements for responsibility (paragraph 4.3.3)
o Define known points of view from market research (paragraph 4.4)
• Design conceptual model (chapter 5)
• Execute qualitative research; perform customer focus interviews (chapter 6)
• Describe results of customer focus interviews (chapter 7)
• Analyze all information retrieved from interviews and research (chapter 8)
• Recommendations (chapter 9)
3.9. Abbreviations
FSP: Financial Services Provider
Personal device: Computer, laptop, smartphone, tablet, smart TV
4. LITERATURE REVIEW
This literature review will provide insights and answers to the first six sub research questions
(paragraph 3.7). In this chapter, each of these sub research questions will be covered in a
separate paragraph.
4.1. What is the impact of the problem?
The impact of phishing, social engineering, pharming and malware can be measured in various ways. When the Dutch media report on the impact of these types of crime, we usually find information relating to the number of fraudulent occasions and to the amount of financial losses for the FSPs. This information is disclosed by the “Nederlandse Vereniging van Banken” (the Dutch Banking Association), also called the NVB. The impact is, however, bigger than just the financial impact on the FSPs, since more stakeholders are involved. Newman & Mcnally explain that these types of crime are dual crimes, which affect the individual whose identity was stolen as well as the business whose service was stolen (Newman & Mcnally, 2005). In their research, Newman & Mcnally point out that we should not only think of costs as a figure for financial losses (defined as hard costs) but also of costs related to prevention, investigation and conviction (defined as soft costs). These soft costs impact more stakeholders than only the FSPs and their customers; they have an impact on society as a whole. This paragraph will explore the hard costs as well as the soft costs for the involved stakeholders.
4.1.1. Number of fraudulent occasions and hard costs
In the Netherlands, the facts and figures related to the costs and occasions of phishing, social engineering, pharming and malware are published by the NVB. These figures are reported on a voluntary basis. The NVB claims that these figures are undisputed, since the FSPs jointly agreed to be transparent about fraudulent occasions. It’s important to note that this is an agreement without any legal obligation. Specialized companies in the field of cyber security, such as McAfee, Versafe and Checkpoint, question the legitimacy of the reported figures. Those companies have reported fraudulent occasions which have not been reported by the NVB (“Internetbankieren ligt zwaarder onder vuur - Follow the Money,” 2012). Those companies, however, have a commercial interest in reporting fraudulent occasions, since preventing these occasions is their main commercial activity. It’s therefore also questionable whether these reports are legitimate. In her research, Van der Meulen mentioned the unavailability of empirical information related to this topic as one of the main limitations of her research (Meulen, 2011). Van der Meulen refers to this as: “Due to the lack of empirical information, especially in the Netherlands, about cases of financial identity theft, much of the research remains in the hypothetical area”. Thus it remains unclear whether or not the figures presented by the NVB are indeed legitimate. There is no academic proof to claim that these figures are not legitimate, nor is there academic proof to support the statement of the NVB. The figures presented by the NVB can therefore best be seen as minimum figures. It’s important to highlight that the numbers published by the NVB only specify the losses for the FSPs. The fraudulent losses of customers who have not received a reimbursement are not included in these figures. Furthermore, this is only a report on the number of successful attempts; the NVB does not publish specific figures related to unsuccessful attempts. In their reports they state that the number of unsuccessful attempts is undoubtedly bigger than the reported number of successful attempts (NVB, 2011). A recent study indicated that almost 35% of Dutch online banking users have received at least one phishing e-mail (“Nederlanders massaal benaderd door internetcriminelen - Emerce,” 2013).
As displayed in figure 1, the financial losses on online banking platforms related to phishing, social engineering, pharming and malware increased from 2.1 million euro in 2008 to 34.8 million euro in 2012 (“Fraude internetbankieren stijgt eerste half jaar met 14% - Nederlandse Vereniging van Banken,” 2012) and declined to 4.2 million euro in the first half of 2013. The increase up until 2012 was very substantial. Back in 2012 the NVB indicated this trend as worrisome (“Steeds meer slachtoffers bankfraude - Nieuwsuur.nl,” 2012). The historic trend showed a continuous cycle of increasing financial damages. In 2013 the NVB reported the first decrease in financial damages, not on a year-by-year basis but on a six-month basis (NVB, 2013).
Figure 1: Financial losses Online Banking 2008 - Q1 – Q2 2013
This decrease has continued during the first half year of 2013. As displayed in figure 2, the financial losses over the second half of the year decreased from 24.8 million euro during the first 6 months of 2012 to 10 million euro during the second 6 months of 2012 and to 4.2 million euro during the first 6 months of 2013. According to the NVB this decrease is the result of the increasing efforts of FSPs on prevention and detection of fraudulent patterns and behavior, as well as of an increasing effort of the Electronic Crimes Task Force (NVB, 2013). The NVB also reports an increase in customers’ awareness. There is, however, no statistical data or other empirical information that supports these statements. Furthermore, we do not know if this will continue in the future. The NVB states in its press release on the 2013 figures that “the current decrease doesn’t mean that we can rest assured as criminals are likely to continue to find new ways to commit these types of fraud. Therefore FSPs have a maximum focus to mitigate fraud and to inform their customers” (NVB, 2013). The Dutch police force expects an ongoing increase in the number of frauds on online banking because the criminals are getting better organized, which will result in larger and more effective attacks. According to their research, the increasing usage of mobile devices for online banking will also increase the level of attacks because it will create a new platform with opportunities for fraudsters (IPOL, 2012).
Figure 2: Financial losses Online Banking 2012 + Q1 – Q2 2013
Despite the financial losses, the NVB claims that online banking is safe (NVB, 2012). The question whether or not this is a true statement can best be answered by a comparison between the number of fraudulent occasions (as displayed in figure 3) and the total number of online banking users. Between 2010 and 2012 the number of fraudulent occasions increased from 1.383 occasions to 10.900 occasions (there are currently no publicly available figures about the number of occasions during the first 6 months of 2013). In the same period the Dutch Central Statistical Bureau (CBS) reported an increase of online banking users from 10 million in 2010 to 13,2 million in 2012. As displayed in figure 4, this means that the total percentage of fraudulent occasions on a yearly basis related to the total number of online banking users has increased from 0,014% to 0,0828% (CBS, 2012). Although this is an increase of 499,57% during the period, the odds of being impacted as an individual user are indeed very small; this seems to support the statement of the NVB that from a collective user perspective online banking is safe.
Figure 3: total number of fraudulent occasions 2010 - 2012
4.1.2. Soft costs for Financial Services Providers
A part of the impact is the effort that the FSPs are undertaking in order to battle crime. These categories of costs have been explored in earlier research by Cambridge University (Anderson et al., 2012). In this research, different cost categories have been indicated. This includes costs that can be quantified as crime prevention, detection, handling of fraudulent cases and coordination. On the aspect of prevention, FSPs are confronted with costs for creating awareness amongst their customers using campaigns and promotional material, and with security-related preventive measures on the FSP’s system application landscape and employees (for example security training). Costs related to crime detection are for example costs for forensic tools and for employees who analyze the payments in order to detect fraudulent behavior. Handling costs are costs related to working on fraudulent cases and reimbursements. Coordination costs are related to management and time spent on working with stakeholders such as the diverse cyber crime task forces. Although FSPs are able to calculate these costs, there is no (public) data available about these costs. The NVB has stated that FSPs have increased their efforts towards cyber crime prevention (NVB, 2013). No specifications or costs are, however, mentioned. In their research, Cambridge University estimated the total global costs of countermeasures for FSPs (direct costs which are specified as defense costs) at 1 billion dollars per year (Anderson et al., 2012).
Figure 4: percentage of impacted users 2010 - 2012
Another important aspect of costs indicated in the research of Cambridge University is the more indirect costs, for example opportunity costs, potentially missed business, image and customer satisfaction. Opportunity costs are the missed opportunities for other investments: money spent on security cannot be spent on other activities that might have had a positive effect on the FSP’s revenue. Furthermore, negative media coverage and perception of the safety of the online banking channel might have a negative effect on the image of the online banking channel or the FSP. This might result in lower customer satisfaction and potentially in missed business. Although it’s difficult to calculate these costs, their importance should not be neglected. The research of Cambridge University has specified the indirect losses related to the loss of customer confidence for card-related fraud (such as skimming) as a factor 2,3 of the direct losses (hard costs) (Anderson et al., 2012). Unfortunately, no (public) research has been executed that focuses on the indirect costs of online banking fraud in general.
4.1.3. Costs for impacted customers
Just like the FSPs, customers are confronted with costs when they become a victim of fraud. Whether these costs include hard costs as well as soft costs depends on the compensation policy of the FSP, which will be discussed in paragraph 4.2.3. Cambridge University has not specified the hard costs and soft costs for the customer in their research (Anderson et al., 2012), nor has other (public) research related to this topic been executed. Therefore, there are no figures available that identify the total impact.
Newman & Mcnally have specified the types of soft costs that customers who become a victim will incur (Newman & Mcnally, 2005). They refer to these costs as “human costs”. These costs include the time and effort required to resolve the various problems created by the theft, such as contacting the FSP and the police force, as well as waiting until the losses have been compensated, especially when the victim lives paycheck to paycheck (Meulen, 2011). Another aspect of these costs is the shock of discovery and the feeling of being a victim, which might have an emotional or psychological impact (Meulen, 2011). Finally, an important cost is the cost of the decrease in the perception of security. The security perception of the customer is intertwined with the indirect soft costs of the FSPs, as described in paragraph 4.1.2.
Although the costs for the customer are not clear and the chance of becoming a victim as a customer is currently 0,0828 % (as described in paragraph 4.1.1), it’s important to recognize these costs, since for an impacted customer the chance of being a victim is not 0,0828 % but 100 %. Hence, for impacted customers the statistical data are not relevant. Social media tools increase the importance of taking these customers into account, since every individual customer can use these tools to communicate their story and potentially impact the feelings and thoughts of other customers. This has resulted in negative media coverage in consumer programs such as Nieuwsuur.nl (“Steeds meer slachtoffers bankfraude - Nieuwsuur.nl,” 2012) and Kassa (Kassa, 2012).
4.1.4. Impact on society
Online banking fraud impacts more stakeholders than only the FSPs and their customers. Those stakeholders are, for example, the government, ministers and public bodies such as the NCTB, the police force and the criminal justice system (Newman & Mcnally, 2005). The costs to society have not been researched, and researching the total amount of costs to society might be impossible. According to Newman and Mcnally, a part of the costs to society is impossible to calculate. These costs include costs related to the (feeling of) public safety risks / threats, burdens created by FSPs, higher premiums, other costs passed on by FSPs to customers, increased paranoia which may result in financial costs, and an overall decreased confidence in the promised benefits of the information age (for example the online banking platform) (Newman & Mcnally, 2005).
4.1.5. Conclusion
It’s difficult to define the exact impact of the problem. A part of the problem has been converted to financial impact, but the validity of these figures cannot be claimed from an academic perspective. Other parts of the problem have not been converted into financial impact, or are very difficult to convert to financial impact at all. The costs of online banking related crime are higher than only the losses reported by the NVB. Furthermore, the impact is bigger than just the impact on the targeted FSPs and directly impacted customers. In the end, the entire society is impacted, because of the perception of security as well as the costs that are made by the government, for example for the conviction of criminals. Although it’s not possible to determine the exact impact of the entire problem, we can at least conclude that there is a problem and that its impact has increased over the past five years.
4.2. Legal framework
The responsibilities and liabilities of the FSPs and their customers are arranged by Dutch law. This paragraph will explore the applicable legal framework and the connected responsibilities and liabilities.
4.2.1. Legal responsibilities and liabilities
The legal responsibilities of the FSPs are arranged in books 6 and 7 of the Dutch Civil Code. The Dutch FSPs have also committed themselves and their customers to additional responsibilities in their own (product) terms and conditions.
The first relevant element relates to duty of care, arranged in article 6:248 BW (BW:6, 2013). This article relates to the generic duty of care in contracts and agreements. It states that an agreement does not only have the legal effects agreed between the two parties, but also those that follow from custom, reasonableness and fairness. Another connected article is article 7:401 BW (BW:7, 2013), which states that the contractor has to exercise the care of a good contractor during the contract.
The second relevant element relates to the use of the personalized safety attributes (the mechanisms that customers can use to identify themselves and perform transactions, such as codes, passwords, the card reader and the card). The Dutch Civil Code book 7B provides more specific articles related to payment transactions. Article 7:525 BW (BW:7b, 2013) states that an FSP has to ensure that the personalized safety attributes of the customer’s payment instrument are not accessible to third parties. Article 7:524 BW (BW:7b, 2013) states that the user of the payment instrument has to comply with the product terms and conditions. This article also states that the customer has to take all reasonable measures to guarantee the security of the personalized safety attributes.
The third relevant element relates to the law in cases of wrong or fraudulent transactions. Article 7:526 BW (BW:7b, 2013) arranges the notification period for the customer. According to this article, the customer has to notify the FSP within 13 months after the date of the wrong transaction. Article 7:528 BW (BW:7b, 2013) states that if the customer observes the notification period, the FSP has to reimburse the transacted amount immediately if the transaction was indeed not authorized by the customer. The FSP is, however, allowed to deduct an amount of at most € 150,- from the reimbursement when the unauthorized transaction was initiated by the use of a lost or stolen payment instrument, as arranged in article 7:529 BW (BW:7b, 2013). It’s important to notice that the FSP is legally allowed to deduct this € 150,- in case of any unauthorized transaction initiated by the use of a lost or stolen payment instrument, irrespective of whether this happened due to negligent behavior of the customer.
This article also states that the FSP - according to the product terms and responsibilities, as stated in article 7:524 BW (BW:7b, 2013) - does not have to reimburse any money if the customer has acted fraudulently, intentionally or with gross negligence (“grove nalatigheid”). The FSP has to prove that the customer has indeed acted with gross negligence (and not the other way around).
Besides the law, the FSPs have to comply with all the obligations that they have specified in their (product) terms and conditions. FSPs have for example specified that they will inform their customers on topics such as security and that they will provide the customer with possibilities to check the transactions on their accounts, for example using (digital) statements.
4.2.2. How Financial Services Providers take care of their duty of care
Within the limitations of the law described above, FSPs are free to create their own policies about their duty of care. FSPs do not disclose all the efforts they make to take care of their duty of care. Therefore, this paragraph is not exhaustive and only describes the publicly known aspects. In general, the policies of the FSPs can be divided into four topics: secure the channel, educate the customer, monitor transactions and clean the internet (Hafkamp & Steenvoorden, 2010). Securing the channel and educating customers are forms of so-called target hardening. This refers to measures that are introduced to increase the effort required to successfully reach the target (Meulen, 2011). In this case there are two targets: the customer and the FSPs.
FSPs have introduced variations on the existing authentication mechanisms, for example by introducing new authentication mechanisms or changes in the dialogue (Hafkamp & Steenvoorden, 2010). Dutch FSPs have chosen to implement authentication mechanisms based on at least “two-factor authentication”. Two-factor authentication refers to the usage of at least two of the following factors:
• knowledge (something the customer knows), for example a code or username;
• possession (something the customer has), for example a token, card or phone;
• personal attributes (something or somewhere the customer is), for example biometrics, geographical location or customer profiling.
Next to those authentication mechanisms, FSPs are securing their online banking channels in
other ways, for example by detecting malicious behavior in the browser.
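As an added illustration, not part of this thesis and not a description of any Dutch FSP’s actual scheme, the following Python shows how a possession-factor response code can be bound to the beneficiary and amount of a payment, so that the beneficiary substitution by malware described in paragraph 3.2.4 is rejected on the FSP’s side. The per-customer shared secret, the HMAC-based code derivation and the IBANs are assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed per-customer secret shared between the FSP and the customer's
# card/card reader. This is an assumption for the illustration only; real
# readers derive such codes from keys held on the chip card.
CUSTOMER_SECRETS = {"cust-001": b"constructed-secret-for-cust-001"}


@dataclass(frozen=True)
class Payment:
    customer_id: str
    beneficiary_iban: str
    amount_cents: int


def response_code(secret: bytes, beneficiary_iban: str, amount_cents: int,
                  digits: int = 8) -> str:
    """Code the reader shows after the customer keys in the beneficiary and
    amount they intend to pay. Because the MAC covers both values, the code
    is only valid for exactly that payment."""
    message = f"{beneficiary_iban}|{amount_cents}".encode()
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    # Truncate to a short decimal code the customer can type, HOTP-style.
    number = int.from_bytes(mac[:8], "big") % (10 ** digits)
    return f"{number:0{digits}d}"


def verify_payment(submitted: Payment, code: str) -> bool:
    """FSP-side check: recompute the code over the payment as actually
    submitted by the browser and compare it in constant time."""
    secret = CUSTOMER_SECRETS.get(submitted.customer_id)
    if secret is None:
        return False
    expected = response_code(secret, submitted.beneficiary_iban,
                             submitted.amount_cents)
    return hmac.compare_digest(expected, code)


def simulate_tampered_session() -> dict:
    """Constructed scenario: the customer confirms one payment on the reader,
    but malware in the browser alters what is sent to the FSP."""
    intended = Payment("cust-001", "NL00BANK0000000001", 12_500)
    code = response_code(CUSTOMER_SECRETS["cust-001"],
                         intended.beneficiary_iban, intended.amount_cents)
    # The beneficiary change described in paragraph 3.2.4 (constructed IBAN).
    beneficiary_swapped = Payment("cust-001", "NL00XXXX0000000099", 12_500)
    # A changed amount is caught by the same binding.
    amount_changed = Payment("cust-001", "NL00BANK0000000001", 912_500)
    return {
        "intended": verify_payment(intended, code),
        "beneficiary_swapped": verify_payment(beneficiary_swapped, code),
        "amount_changed": verify_payment(amount_changed, code),
    }


if __name__ == "__main__":
    for name, accepted in simulate_tampered_session().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The binding only helps if the customer keys the beneficiary and amount they actually intend into the reader rather than whatever an infected page displays, which is why the awareness campaigns ask customers to check the entered payment.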
FSPs try to educate their customers by providing security-related information, brochures and awareness campaigns. Customers’ security-related duties are specified in the (product) terms and conditions and on the websites of the FSPs. Awareness campaigns are executed in collaboration with the NVB. Those campaigns inform customers of the potential threats by means of commercials on television, radio and the internet, for example on www.veiligbankieren.nl. In those commercials, customers are asked to be aware and to check the URL of the website, the entered payment and the security of their computer. The Dutch ING bank takes awareness and customer target hardening one step further by offering customers free security software for their personal computers (“Beveilig uw computer - ING - Veilig bankieren,” 2013).
The third aspect, monitoring transactions, means that the FSP monitors the initiated payments and checks them for deviant patterns. Those deviant patterns can be based on the customer profile or on generic malicious behavior, such as known cash-out points or account numbers. When deviant patterns are spotted, the FSP holds and investigates the payment. FSPs are not transparent about their monitoring activities, since this is sensitive information. It’s therefore not clear to what extent the Dutch FSPs perform these monitoring activities.
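An added example, not from the thesis and not any FSP’s actual monitoring logic, of the profile-based and generic checks described above, written in Python. The customer profile, the payments, the cash-out account list and the thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean
from typing import List, Set, Tuple


@dataclass
class CustomerProfile:
    customer_id: str
    known_beneficiaries: Set[str]     # accounts this customer has paid before
    recent_amounts_cents: List[int]   # history used to derive a "usual" amount
    usual_hours: Tuple[int, int]      # (first, last) hour the customer normally banks


@dataclass
class Transaction:
    tx_id: str
    customer_id: str
    beneficiary_iban: str
    amount_cents: int
    hour_of_day: int


# Constructed list of accounts previously seen as cash-out points. An FSP
# would maintain such a list from its own cases and shared fraud data
# (assumption; the IBAN is made up).
KNOWN_CASH_OUT_ACCOUNTS = {"NL00XXXX0000000099"}

AMOUNT_FACTOR = 5   # assumed threshold: flag amounts above 5x the usual amount


def deviations(tx: Transaction, profile: CustomerProfile) -> List[str]:
    """Return the reasons a payment deviates from the customer's profile
    or matches generic malicious behaviour; an empty list means nothing odd."""
    reasons = []
    if tx.beneficiary_iban in KNOWN_CASH_OUT_ACCOUNTS:
        reasons.append("generic: beneficiary is a known cash-out account")
    if tx.beneficiary_iban not in profile.known_beneficiaries:
        reasons.append("profile: beneficiary never paid before")
    if profile.recent_amounts_cents:
        usual = mean(profile.recent_amounts_cents)
        if tx.amount_cents > AMOUNT_FACTOR * usual:
            reasons.append(f"profile: amount {tx.amount_cents} exceeds "
                           f"{AMOUNT_FACTOR}x usual ({usual:.0f})")
    first, last = profile.usual_hours
    if not first <= tx.hour_of_day <= last:
        reasons.append("profile: initiated outside usual hours")
    return reasons


def decide(tx: Transaction, profile: CustomerProfile) -> Tuple[str, List[str]]:
    """A generic indicator on its own, or two or more profile deviations
    together, hold the payment for investigation; a single mild deviation
    is allowed so that ordinary new payees are not blocked."""
    reasons = deviations(tx, profile)
    generic_hit = any(r.startswith("generic") for r in reasons)
    profile_hits = sum(r.startswith("profile") for r in reasons)
    if generic_hit or profile_hits >= 2:
        return "HOLD", reasons
    return "ALLOW", reasons


def run_sample() -> dict:
    """Constructed customer profile and payments; returns the decision per payment."""
    profile = CustomerProfile(
        customer_id="cust-001",
        known_beneficiaries={"NL00RENT0000000002", "NL00SHOP0000000003"},
        recent_amounts_cents=[85_000, 4_250, 12_000, 6_000, 9_900],
        usual_hours=(7, 23),
    )
    payments = [
        Transaction("t1", "cust-001", "NL00RENT0000000002", 85_000, 9),   # monthly rent
        Transaction("t2", "cust-001", "NL00NEWC0000000007", 3_000, 14),   # small, new payee
        Transaction("t3", "cust-001", "NL00NEWC0000000008", 450_000, 3),  # large, new payee, at night
        Transaction("t4", "cust-001", "NL00XXXX0000000099", 2_000, 11),   # known cash-out account
    ]
    return {tx.tx_id: decide(tx, profile)[0] for tx in payments}


if __name__ == "__main__":
    for tx_id, outcome in run_sample().items():
        print(tx_id, outcome)
```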
The final aspect is cleaning the internet. FSPs have joined forces with the police force and other public bodies in order to notice, take down and trace the criminals and their websites and servers. This includes activities such as eliminating malicious websites, for example phishing websites or servers that collect the information from infected computers (Meulen, 2011).
4.2.3. Compensation policies of Financial Services Providers
As discussed in paragraph 4.2.1, FSPs are allowed to deduct 150 euro from every financial compensation. They also have the ability to refuse any compensation if the customer has acted with gross negligence. Up until today, there are no signals that FSPs deduct the legally possible 150 euro from each compensation. It seems that FSPs choose not to penalize their customers if they have not acted in a negligent way. Thus, FSPs are accepting more liabilities than they need to from a legal perspective. Up until 2012 there had not been any signals in the media or in court of FSPs that did not compensate private customers for their full hard costs (including the 150 euro) of fraudulent cases on online banking. This means that FSPs compensated their customers for their hard costs (the financial losses) but not for their soft costs (as described in paragraph 4.1.3). During 2012, the first signals of private customers that did not receive any compensation, or only a partial compensation, came to the media’s attention. These cases are based on situations in which the FSPs are of the opinion that the customer has acted in a grossly negligent way. FSPs have thus changed their compensation policies in cases of gross negligence, or their opinions on what should be indicated as grossly negligent behavior. This means that in the current situation, customers are only compensated for their hard costs when they have not acted in a grossly negligent way; soft costs are never compensated.
4.2.4. The customer’s responsibilities specified in the terms and conditions
As discussed in paragraph 4.2.1, the customer is legally required to comply with the product’s
terms and conditions, to guarantee the security of the personalized safety attributes and not to
act in a grossly negligent way. These legal provisions do not provide the customer with full
clarity on their responsibilities. In order to find more specific information, the customer will
have to read the FSP’s product terms and conditions. All FSPs are free to create their own terms
and conditions within the limits of Dutch law. FSPs have taken this freedom and created their
own specific terms and conditions. This makes it difficult to provide a generic overview of all
the customer’s responsibilities. For this paragraph, the terms and conditions of the three large
Dutch FSPs have been studied: ING, Rabobank and ABN AMRO. Both ING (ING, 2013) and
Rabobank (Rabobank, 2013) have specified their terms and conditions in one document; ABN
AMRO uses four different documents: the general terms and conditions (AMRO, 2010), the
general conditions access ABN AMRO (AMRO, 2007), payment services retail customers
(AMRO, 2013) and the glossary document payment services retail customers (AMRO, 2012).
The first notable aspect is that all the FSPs have updated their online banking related terms
and conditions. In these updated terms and conditions, the safety measures that the customer has
to take are expanded and described at more length. On the one hand this provides the customers
with more clarity about their responsibilities. On the other hand it demands more
responsibilities from the customers than previous versions did: a shift in responsibilities.
Customers have to comply with these measures, and if they do not apply them this could be
seen as grossly negligent behavior and thus lead to liability. The second notable aspect is that
the FSPs seem to be more in agreement about the responsibilities of their customers. In fact, the
mandatory measures with regard to the protection against online fraud are more or less the
same for the studied FSPs.
The most important online banking related terms and conditions on customer responsibilities
can be divided into prevention, detection and notification. The following provides an overview
of the most important measures the customer has to take:
The customer should make sure that the device, software and internet connection are secure,
irrespective of whether the customer uses their own device, software or (wireless) internet
connection or those of a third party.
The customer has to use security software for the device, software and (wireless) internet
connection. This security software should protect against unwanted actions or access and
against computer viruses. The minimum requirements are a legal and up-to-date version of the
operating system, the browser and security software that at least includes a virus scanner and a
firewall.
Plug-ins, such as Adobe Reader, Adobe Flash and Java, should be updated regularly (ABN AMRO
specific condition).
The device and software should have access control, for example an unlock code.
The device should comply with the minimum technical and system requirements specified on the
website of the FSP.
Security and authentication codes (including challenge and response codes generated by the
security token or the FSP’s website) are personal codes and should never be shared with a third
party (for example on the phone or on a website that does not belong to the FSP). The customer
has to take all reasonable measures to prevent the use of these codes by third parties. Which
measures are reasonable depends on the circumstances.
The FSP can give additional security related directions on its website; the customer has to
comply with these directions.
When browsing the website, the customer should continuously verify that the website is still
secure. The customer has to make sure that the URL starts with https:// and that the security
lock in the URL bar is displayed. Furthermore, the customer should verify that the entered URL
is correct and that the website’s certificate is validated by the FSP.
The customer should verify that the behavior of the website during authentication and
verification of the transaction conforms to the FSP’s standards (ABN AMRO specific
condition).
The detection and notification related terms and conditions are:
The customer should always check their online banking transaction history after initiating an
online transaction, in order to make sure that the transaction has been executed according to
the customer’s specifications. If the customer identifies any differences, the customer should
immediately contact the FSP.
In case a customer suspects fraud, the FSP should immediately be notified by the customer.
The customer should notify the FSP within 14 days at the latest after the fraudulent transaction
became visible in the online banking platform. This period is shorter in situations that require
immediate attention (ING specific condition).
Although the FSPs have updated their terms and conditions and specified the customer’s
responsibilities, it is still questionable whether this is sufficient. The terms and conditions are
still not very specific. For example, it is still unclear what should be defined as a secure
environment, what up-to-date means, what the FSP defines as a virus scanner and which virus
scanners are accepted. There are, for example, programs on the internet that pretend to be a
virus scanner but are in fact malware. And there is also malware that pretends to be a free
(trial) version of a trustworthy brand, such as AVG, known as “shareware” (“Malware vermomd
als gratis antivirus AVG - Computerworld,” 2011). This software has the same look and feel as
the real virus scanner and seems very legitimate to an ordinary user.
Although the terms and conditions also inform the customer about their legal liability in the
event of gross negligence, they do not specify what gross negligence is. It is thus questionable
whether these terms and conditions provide the customers with sufficient information to act in
a responsible way. It is debatable whether the average customer will read the lengthy terms and
conditions, is able to understand what is expected and is able to take all these measures. The
NVB has recently announced that FSPs are going to standardize their terms and conditions
(“Banken krijgen uniforme veiligheidseisen | nu.nl/tech | Het laatste nieuws het eerst op nu.nl,”
2013). Finally, the terms and conditions of the FSPs provide very limited information on what
the customer can expect as a duty of care. This makes it very difficult for a consumer to know
what to expect from the FSP.
4.2.5. Liability
Being responsible or acting in a negligent way is in itself not sufficient to be liable for
something. Bovens described three generic conditions that have to be met in order to be liable:
culpability, causal relationship and negligence (Bovens, 1990). Culpability means that somebody
should be guilty of violating a standard. This means that there should be human behavior, an
act or an omission, that seems to have contributed to a situation. The standard refers to the
standard of behavior that can reasonably be expected. Causal relationship means that there
should be a causal relationship between the behavior or act of a person and the resulting
situation or damage. Somebody will only be liable when there is a causal relation between the
act or the negligence of the person and the resulting situation. According to Bovens, it is not
only important to determine whether somebody, due to their act, has contributed to the
situation; the person should also be blameworthy for the act (negligent). This means that the
person should have had real possibilities to act in a different way. All three conditions have to
be met in order to be liable.
4.2.6. What is gross negligence?
The Dutch civil law as well as the terms and conditions of the FSPs do not provide a generic
answer to what gross negligence is. In her book about computer ethics, Johnson defines
negligence as: “to be a failure to do something that a reasonable and prudent person would have
done. In common law it is assumed that individuals who engage in certain activities owe a duty
of care; negligence is a failure to fulfill that duty”. Thus negligence presumes a standard of
behavior that can reasonably be expected of an individual engaged in a particular activity
(Johnson, 2001). In his book about responsibility and liability for FSPs and their customers, M.R.
Mok argues that it is difficult to decide what gross negligence is (Mok, 2005). Mok identifies two
potential solutions. The first solution is that the FSP should always have to compensate the
losses, since the online banking platform also provides them benefits in terms of cost savings.
The second solution is to accept that becoming the victim of theft is a fact of life that is the risk
of the consumer. He claims that both solutions have their benefits and that the real question is
where we should set the borders. According to Mok, the problem is however the translation
towards legislation. He states that “we should be aware that legislation in many cases is nothing
more than a fig leaf in order to mask the insolubility of a problem” (Mok, 2005).
The final judgment about an act of gross negligence is made by the financial affairs complaints
institute (KiFid) or by the judge. Because FSPs have in the past always compensated their
customers for online banking related fraudulent losses, it is difficult to form a clear point of
view based on case law, especially for malware and pharming related fraud, because these cases
have not yet been the subject of official complaints or lawsuits. For phishing and social
engineering related fraud there are only a very limited number of judgments available. The
three most recent cases have been studied. In a complaint case on 30-01-2012, a customer that
had provided the security codes to the fraudster on the phone was only held partly liable for
the phishing damage, because the FSP had not contradicted a claim of the NVB that the FSPs
would always compensate their customers (a statement made by the NVB during 2010). The
KiFid was of the opinion that the losses should be shared, resulting in a loss of €17,000 for each
party (KiFid, 2012). On 16-4-2013 the KiFid handled a case with the same fraudulent situation.
In this case, however, the KiFid’s opinion was that the FSP had been clear in its communications
(and that the NVB had changed its statements on compensation policies) and it declined the
claim of the customer, resulting in a customer loss of €26,111 for the committed fraud,
excluding the costs of the lawyer (KiFid, 2013a). In another complaint case, on 23-6-2013, a
customer was also held liable for phishing related losses. In this case the KiFid even added the
following statement to its judgment: “the FSP, in principle can be confident that fraud is
impossible when the customer is acting according to the safety regulations” (KiFid, 2013b). No
substantiation or proof has however been added to this statement. In a lawsuit related to
phishing with the same modus operandi as in the previous two cases, the judge supported the
point of view of the KiFid (Rechtspraak, 2012). Thus, in the case of phishing, the KiFid and the
judge hold that a customer is acting grossly negligently when the customer violates the terms
and conditions of the FSPs. Because the FSPs have expanded their terms and conditions (as
discussed in paragraph 4.2.4), it will likely become more difficult for a customer to prove the
opposite.
When the arguments of the KiFid and the judge are studied, it is questionable whether there is a
clear notion of the standard of behavior that can reasonably be expected of an individual
engaged in online banking activities. At least, no reference is made to such standards. Johnson
also claims that legislators, lawyers and judges will have to completely understand computer
and information technology to respond appropriately to these cases (Johnson, 2001). Given the
reasoning and the questions asked in the cases described above, it is questionable whether those
requirements are being fulfilled. Apparently no arguments have been made by the customer
related to the duty of care of the FSP. We could for example argue that the FSP should have the
ability to recognize suspicious payment patterns or at least deviating behavior. We could also
argue that transferring the entire savings balance to a domestic account should be recognized by
the FSPs, that they have a duty of care to protect the customer and that not protecting the
customer is negligent. This view is supported by Dr. M.J.G. van Eeten, a Dutch professor who
focuses on the governance of cyber security. In the Dutch consumer program Kassa (Kassa,
2013), Mr. van Eeten has claimed that FSPs should be able to detect deviations in the customer’s
payment behavior. Unfortunately, the standard is also unclear in this case: there is very little
knowledge of and agreement about the moral standard of behavior for the FSPs, thus it is
difficult to determine whether the duty of care has been violated. As a final aspect, we notice
that the judge as well as the KiFid requests that customers prove that they have not acted in a
grossly negligent way. This however conflicts with the European guidelines and Dutch law. As
described by van Raaij, the onus of proof is reversed: the FSP has to prove its innocence of what
it has been charged with by the consumer (Raaij, 1997).
4.2.7. Government
From a legal point of view, it is also interesting to explore the current points of view of the
government and the political debate, because the points of view of the government might
potentially lead to future legislation.
The general point of view of the Dutch government is that it only has a limited task in the area
of business-to-consumer relations, in the sense of legal regulation. The government is only willing
to impose laws and regulations in cases of serious physical or financial risks for the customer.
The majority of tasks related to consumer protection is normally delegated to the deliberation
between the consumer organizations and the producers (Raaij, 1997).
In the Dutch House of Representatives (de Tweede Kamer), official questions have been raised
related to the shift in the balance of responsibility. Based on the answers from the minister of
Finance we can conclude that the government is aware of the shift but has no current concerns
as long as it occurs within the law. According to the minister of Finance, there are no signals
that FSPs do not comply with those laws (Dijsselbloem, 2012) (Dijsselbloem, 2013). The
opposition questions whether the current shift is indeed correct from an ethical perspective.
Some of the political parties are of the opinion that FSPs should always compensate their
customers for their losses (“‘Altijd geld terug bij internetcrime’ - AD.nl,” 2013); other parties
are of the opinion that some of the terms and conditions of the FSPs ask too much of their
customers with regard to the detection of fraudulent activities (“SP: verplicht
internetbankieren op vakantie is zot - Security.NL,” 2013). Recently, the reimbursement policies
of the Dutch FSPs have been put to a vote in the Dutch House of Representatives. The House
of Representatives has adopted a resolution of Nijboer and Merkies stating that FSPs should
compensate customers for their direct financial losses in cases of phishing or malware (“Kamer:
bank moet schade phishing vergoeden - BNR Nieuwsradio,” 2013). Although this resolution has
been adopted, it does not change the obligations of the FSPs, nor does it provide any more
clarity. This is due to the fact that the resolution includes the condition that the customer
should not have acted in a grossly negligent way. Unfortunately, the resolution does not specify
what the moral standard for grossly negligent behavior should be, nor does it specify how FSPs
should fulfill their duty of care. Although the duty of care and grossly negligent behavior have
been questioned and discussed, this has not resulted in any agreements, consensus or clarity
from a governmental perspective.
The Dutch government is in favor of a more digital community, as this creates important
benefits for the Netherlands, its citizens and Dutch companies. To be more specific to the
thesis subject: the Dutch government is in favor of the online banking channel because it
provides attractive benefits for society. In general, one of the main responsibilities of the
government is to protect its citizens and to take measures that protect or enhance their safety
(Raaij, 1997). The digital economy brings new knowledge, risks and responsibilities of which
secure online banking is one. The government is thus also one of the stakeholders who should
take responsibility for the education of Dutch consumers and should not simply delegate this
responsibility to only the FSPs. The government could for example enforce the creation of
information packages and campaigns as well as educational components, for example in the
educational system. Within the cyber security strategy document, the Dutch government states
that security is a core task of the government, also in the cyber domain. They also state that the
government has a responsibility to enhance the online security and privacy of their citizens. The
Dutch government commits itself to increase the cyber security awareness of their citizens,
companies and governments, to counter cyber criminals and to prevent social dislocation due to
cyber incidents. If necessary, the government will impose rules, regulations and standards
(NCTV, 2013).
4.2.8. Conclusion
Liability enforcement is clearly arranged by law. The responsibilities of the customer and the
FSPs are only defined at a high level; the law does not provide the moral standards. The terms
and conditions of the FSPs describe the responsibilities and liabilities of especially the customer.
The responsibilities of the FSPs are not clearly defined. Although the FSPs have a duty of care
that is arranged by law, it has not been specified what this duty of care implies. FSPs are
relatively free to define how to apply their own duty of care. Although FSPs have created more
specific terms and conditions and have invested in information campaigns, it is still not
completely clear what is expected from the customer and whether we can expect the customer to
read, understand and execute the expected measures (moral standards).
Despite the duty of care and the investments in securing the channel, educating the customer,
monitoring transactions and cleaning the internet, fraud still occurs. Since 2012, Financial
Service Providers have claimed that customers acted in a grossly negligent way in cases where
the customer deviated from the terms and conditions. Both the financial affairs complaints
institute and the judge have (partly) supported the FSPs in their point of view in specific cases.
This support is however questionable, since it is not clear whether the duty of care of the FSPs
has been taken into account in the correct way in these cases. Neither is it clear whether a
moral standard has been defined and whether it is feasible to expect the average customer to
comply with this standard. We should be careful in considering the law as a solution to this
problem, especially since it is difficult to determine what the standard of reasonably expected
behavior should be for all parties involved. Determining whether somebody has acted with gross
negligence is difficult if not impossible when these standards are not determined and validated.
We should first determine and communicate the standard and specifications of grossly negligent
behavior and the duty of care from a moral and ethical perspective, before the law uses them as
a standard by which we judge. Furthermore, it is important to conclude that by law the FSPs
have to prove that the customer has acted in a grossly negligent way; it is not up to the
customer to prove the opposite.
Besides the responsibility of the FSPs and their customers there is a responsibility for the
government to enhance cyber security and cyber security awareness.
4.3. The ethical point of view
In her book “Computer Ethics” Deborah G. Johnson asks the question how these ethical issues
should be solved. Johnson explains: “to say that computer ethical issues arise because there is a
vacuum of policies, leaves open whether the vacuum should be filled with laws or with
something else. It is quite possible that vacuums are better left to personal choices, institutional
policies or social conventions rather than to the imposition of law. It is also important to
remember that this doesn’t need to be an either / or matter. In a wide variety of cases, what
seems to be needed, is a multiplicity of approaches” (Johnson, 2001). Johnson also states that
“simply handling online crime as a normal crime could potentially cause issues because the
danger is that we may be so taken with the similarities of the cases that we fail to recognize
important differences”. Johnson draws a distinction between new versions of old crime and
crimes that could not exist without computers. “When a new version of an old crime is executed
it’s tempting to think of this new version of crime as morally equivalent of the old crime. This
however ignores relevant aspects, such as different instruments being used, and it is these
different instruments that seem to affect the moral character of a crime. The online crime issue
can therefore best be understood as new species of generic moral issues” (Johnson, 2009). This
means that we cannot simply apply our existing standards of the “offline world” to the “online
world” in order to arrive at the moral standard for normal behavior. We should thus explore in
this paragraph the ethicality of the different aspects. It is important to recognize that there are
functional differences between law and ethics. As Jeurissen describes in his book, “the
difference between law and ethics lies in the motivation to adhere to standards. Ethics always
require inner motivation: people must urge themselves to behave morally, from an inner
agreement with a moral principle. And they must be free to do so. Law does not require the
inner agreement, but is based on external compulsion”. Jeurissen further explains that ethics and
law can best be seen as complementary and that ethics is sometimes ahead of the law, since it
often takes a number of years for a law to be passed (Jeurissen, 2007).
4.3.1. A power balance of responsibilities
In order to understand the situation from an ethical perspective, we will first explore the more
generic aspects of ethics in relation to a consumer / professional relationship. As described in
the earlier paragraphs, it seems that there is shift in the balance of responsibilities for secure
online banking. Manuel G. Velasquez described three views about the relationship of business
towards consumers. To him it is clear that part of the responsibility for consumer’s damages
must rest on the consumer themselves since individuals are often careless in their use of
Page | 33
products. The real question is where the consumer’s duty to protect its interest ends, and where
the businesses’ duty to protect the consumers’ interest begins (Velasquez, 1998). Velasquez
described three different theories in this regard: the contract view, the due care view and the
social costs view. 1
“According to the contract view, the relationship between a business firm and its customers is
essentially a contractual relationship, and the firm’s moral duties to the customer are those
created by this contractual relationship. When a consumer buys a product, this view holds that
the consumer voluntarily enters into a ‘sales contract’ with the business firm. The act of entering
into a contract is subject to several secondary moral constraints:
both parties of the contract must have full knowledge of the nature of the agreement
they are entering;
neither party of a contract must intentionally misrepresent the facts of the contractual
situation to the other party;
neither party of a contract must be forced to enter the contract under duress or undue
influence.
Full knowledge implies that the seller has the duty to disclose exactly what the customer is
buying and what the terms of the sale are. At a minimum, this means that the seller has a duty to
inform the buyer of any facts about the product that would affect the customer’s decision to
purchase the product. For example if a defect that poses a security risk exists, then the customer
should be informed” (Velasquez, 1998). Thus this view means that the Financial Service Provider
has to explain all the defects, weaknesses and threats of the online banking platform to their
customers. The contract view is however not applicable to this situation since the customer
doesn’t have full knowledge of the nature of the product and its potential security flaws. FSPs
and customers do not share the same information and are not equally skilled in this matter.
Customers therefore have to rely on the judgment of the FSP.
“The due care theory of the business’ duties to consumers is based on the idea, that consumers
and sellers do not meet as equals and that the consumers’ interest are particularly vulnerable to
being harmed by the business who has a knowledge and an expertise that the consumer does not
have. Because businesses are in a more advantage position, they have a duty to take special care
to ensure that consumers’ interests are not harmed by the products that they offer them. The
1 The following explanations of these three views are quotes from his book when placed between quotation marks.
Page | 34
business violates this duty and is negligent when there is a failure to exercise the care that a
reasonable person could have foreseen would be necessary to prevent others from being harmed
by use of the product. A business is not morally negligent when others are harmed by a product
and the harm was not one that the manufacturer could possibly have foreseen or prevented. Nor
is the business morally negligent after having taken all reasonable steps to protect the customer
and to ensure that the consumer is informed of any irremovable risks that might still attend the
use of the product. For example, a business cannot be said to be negligent when the customer is
acting carelessly or misusing the product. In determining the safeguards that should be built into
a product, the business must also take into consideration the capacities of the persons who will
use the product. If the business anticipates that a product will be used by persons that are too
inexperienced to be aware of the dangers attendant on the use of the product, then the business
owes them a greater degree of care than if the anticipated users were of ordinary intelligence
and prudence. The difficulty with this view is that there is no clear method for determining
when one has exercised enough due care; there is no hard and fast rule. A second difficulty is
that it assumes that the business can discover the risk before the consumer buys and uses it”
(Velasquez, 1998). For the FSPs, this second difficulty can however be eliminated. FSPs have the
possibility to inform their customers of newly discovered risks during the contract, since they
know who their customers are and have the ability to communicate with them directly. The
problem is thus to determine when enough due care has been exercised (as discussed in
paragraph 4.2.8).
“The social cost view holds that a business should pay the costs of any damages sustained
through any defects in the products, even when the business exercised all due care in the design
and build of the product and has taken all reasonable precautions to warn customers of every
foreseen danger. This theory is a very strong version of the doctrine of ‘caveat vendor’: let the
seller take care. By having the business bear all the external costs that result from damages as
well as the ordinary internal costs of design and build, all costs will be internalized and added on
as part of the price of the product at the initial sale, hence informing the customer of the total
costs at the sale. Second, since manufacturers have to pay the costs of damages, they will be
motivated to exercise greater care and therefore to reduce the number of incidents. A criticism
of this view is that by passing the costs of damages on to all consumers (socializing the costs in
the form of higher prices), consumers are also being treated unfairly. A second criticism of this
theory attacks the assumption that passing the costs of all damages on to the businesses will
reduce the number of accidents. On the contrary, critics claim, by relieving consumers of the
responsibility of paying for their own injuries, the social costs theory will encourage carelessness
in consumers. An increase in consumer carelessness will lead to an increase in consumer
damages” (Velasquez, 1998). This theory thus leads to moral hazard amongst consumers.
We have seen that in the past, FSPs have used the social costs view in cases of fraudulent losses
on online banking. During 2012, FSPs started to apply the contract view in at least some of the
cases. This means that responsibilities are shifting from a phase in which the FSP took full
responsibility to a phase where the responsibilities will be divided and shared between the FSPs
and their customers. Because of the inequality in knowledge and position between the customer
and the FSPs and the fact that the customer does not have full knowledge, it however seems
better to move to the due care theory instead of the contract view. The Dutch Government
seems to support this claim. It states that “we can’t expect our citizens to completely
understand and assess the security and privacy aspects of the increasingly complex ICT services
and products offered by large international companies. Therefore there is a clear responsibility
for these companies to take care of the customer’s security and privacy. They need to be
transparent about their efforts and measures for enhanced cyber security” (NCTV, 2013).
4.3.2. Responsibility types
In order to completely understand responsibility, we will first have to define it.
Responsibility in this research is defined as: “responsible is the person or authority which can be
regarded as the cause or one of the causes of the effect of an action, or has a role, position or
function that involves accountability” (Jeurissen, 2007). The second thing we have to do is
to define what type of responsibility is actually shifting. In his book, Bovens describes five types
of responsibility, of which four were initially defined by the English legal philosopher Hart
(Bovens, 1990).
The first type is responsibility as a cause; this means having caused a specific situation. In the
situation of fraud of online banking we could argue that the FSP, the customer as well as the
fraudster are part of the cause since the customer and the FSP have provided the fraudster with
the opportunity to commit the fraud. If we define the cause in more strict terms as the one who
has committed the fraud then the fraudster is the only responsible person. Within the context of
this research we will use the strict definition of being responsible as a cause, thus the fraudster is
the responsible person.
The second type is responsibility as ability. This means that in order to be responsible, a person
should have had the ability to execute the responsibility. Whether or not a customer has the
ability to execute the responsibility of secure behavior depends, for example, on the mental ability
as well as the security related knowledge of the individual. Second, whether or not the
customer or the FSP has the ability to detect and prevent the fraud depends on the modus
operandi and the target of the fraud. This responsibility type thus applies to both the customer
and the FSP.
The third type is responsibility as a duty. The FSP has a duty of care towards the customer. The
customer has the duty not to act in a grossly negligent way. We have already seen these duties in
previous paragraphs of this research.
The fourth type is defined as responsibility as a liability. In terms of liability, again all three
stakeholders can be held liable (though the person who is really responsible and liable should be the
fraudster). When it is impossible to catch the fraudster, somebody else will have to be held
liable, since somebody has to take ownership of the losses. It depends on the situation whether
the FSP, the customer or both will be held liable; this is determined by the duty of care and the moral
customer standard. In order to be responsible in the sense of liability, the second and third types
of responsibility should at least be applicable and preferably also the first type.
The fifth and final type is responsibility as a virtue. This is the positive variant of responsibility.
The customer could see it as a virtue to act in a responsible way and to help prevent
fraudulent behavior. For the FSP it seems mandatory to take responsibility as a virtue, since it
offers a service to its customers for which those customers pay.
Bovens also refers to responsibility as active and passive. Active responsibility refers to being
responsible during the act (responsible behavior), whereas passive responsibility refers to being held
responsible after the act (Bovens, 1990). In this research, responsibility will primarily be understood
as active responsibility in the sense of responsibility as ability and duty. This primary
aspect might result in passive responsibility in the sense of liability.
4.3.3. Elements of responsibility
As indicated earlier, the current issues are related to the due care of the FSPs and grossly negligent
behavior. We have also determined that there should be a moral standard against which we can judge
behavior in order to determine whether someone is negligent or not. This moral standard can be seen
in the light of a moral responsibility to act in an ethical way (ethical behavior). In this research,
ethical behavior is defined as: “Acting ethically is acting in accordance with the values and norms
which we consider binding for ourselves and others, within reason” (Jeurissen, 2007). In his
book, Jeurissen describes five aspects by which we can determine whether a customer can be held
responsible:
- Duty: is there an obvious moral obligation or standard that applies in the situation or that goes with the job or person we assess?
- Knowledge: was the person we assess aware of this obligation, standard or value, or should the person, within reason, have been aware of it?
- Volition: was the person we assess legally capable of making the decision and was there no (external) coercion?
- Ability: was the person we assess (mentally) able to act and were there alternatives?
- Intention: was the person able to calculate the consequences of their actions and did they have the mental capacity to consider different alternatives?
All the above elements should be in place before we can conclude that someone is morally
responsible for an act and its result, and can potentially be held liable. Although the
above criteria are less important in the strict legal perspective than in the ethical perspective
(Bovens, 1990), we should include the criteria of both perspectives when trying to find an answer
to the main question of this research (paragraph 3.7). Thus, when we assess whether or not a
customer should be responsible for the financial damage of a fraud, we shouldn’t only use the
criteria of liability (paragraph 4.2.5) but also the above criteria for moral responsibility.
4.3.4. Moral consciousness
According to the law and the FSPs’ terms and conditions, customers have the duty to act in a
responsible way. The next question is whether or not customers are aware of this responsibility.
In his research paper, Brinkmann refers to this as “moral awareness” (Brinkmann, 2004). In
another study, by McGregor, the customer’s responsibility awareness is referred to as
“moral consciousness” (McGregor, 2006). In this paper McGregor answers the question why
people in their consumer role do not have a well-developed moral conscience. McGregor describes
a phenomenon which he calls consumer immaturity, and refers to
research by Whitbeck that gives an answer to why consumers are immature: “we now live in a
society that is changing so rapidly, especially technologically, that we are presented with
consumption decisions that have no correlates in the experience of previous generations.
Therefore, constructing good responses to moral problems takes great effort and attention.
Consumers have to learn how to avoid pitfalls that leave them open to corruption or neglect of
their responsibilities” (Whitbeck, 1998). McGregor argues that “many consumers are operating
at a very immature level of moral development, relative to their role as consumers. Their sense of
moral rightness comes from accepting the rules and standards of the collective consumer group.
And, this group is not in good moral standing. To further develop their moral conscience,
consumers need guidance creating the moral context within which they exercise their moral
responsibilities and they would need to have full information”. Thus, if FSPs want to hold their
customers responsible, they need to help their customers to improve their moral consciousness.
This is, however, not only the responsibility of the FSPs. Improving the moral consciousness for
internet security (of which online banking is a part) is a duty of the entire society, including the
customers themselves.
4.3.5. Joint responsibility
The due care responsibility theory (paragraph 4.3.1) represents a joint responsibility between
multiple stakeholders. There are a number of different stakeholders in the responsibility chain of
secure online banking, who all carry different responsibilities. All these stakeholders together
share the total responsibility for secure online banking, each in their own manner. The FSP, for
example, has the responsibility to secure the online banking platform and to inform its
customers about the necessary and mandatory security measures the customer has to take. The
customer, for example, has the responsibility to comply with these mandatory security measures.
Another stakeholder with responsibility is the government, for example by imposing new laws
and regulations or improving the level of awareness of its citizens (as discussed in paragraph
4.2.7). Outside the scope of this research, we might be able to identify even more stakeholders.
Joint responsibility is thus a matter of sharing responsibilities. The shift in the power balance of
responsibility needs to be more than just a simple shift of a part of the responsibility to another
stakeholder, or just increasing the responsibility of one stakeholder without affecting the
responsibilities of the other stakeholders. Van Luijk and Schilder describe what they call a moral
elementary truth: “in cases where responsibilities are being shared, the total responsibility
increases” (Luijk & Schilder, 1998). In other words, the total pie of responsibilities will grow
when the pie is divided into more pieces. Thus, the current power balance isn’t only increasing
the responsibility of the customer (to comply with the mandatory security measures) but will also
increase the responsibilities of the other stakeholders, for example by improving communication
and education and also by increasing the current duty of care of the FSPs. Joint responsibility is thus
more than dividing or distributing responsibilities: “joint responsibility is about how to organize
responsibilities in such a way that a surplus of effective responsibility will be created” (Luijk &
Schilder, 1998).
4.3.6. Who should be responsible?
Given the very low chances of becoming a victim of online banking fraud (paragraph 4.1.1), we
could argue that becoming a victim is just a matter of bad “moral luck”. As Witteveen describes
in his book, “we speak about moral luck when the fact that a person acts in a better (or
worse) way is due to a fortuitous circumstance instead of due to the fact that a person has
deliberately handled a situation in a better way” (Witteveen, 1989). For the chances of becoming
a victim of especially the malware related crime, we could support this view, since it’s very
difficult for a customer to spot malicious behavior (as will be discussed in paragraph 4.4.1).
However, when we look at the chances of becoming a victim from a preventive perspective, for
example by means of complying with the FSPs’ terms and conditions (paragraph 4.2.4), this view
can be rejected, since taking these measures is more than just moral luck. Based on the arguments
of Witteveen, we should ask ourselves a second question: are we asking too much from the FSPs
in terms of duty of care, or from the customer in terms of not acting in a grossly negligent way? This
happens “when we hold somebody accountable for more than what is within the power of control of the
person” (Witteveen, 1989). And this is exactly the question in our quest towards the span of the
duty of care and negligent behavior. In terms of online banking related fraud and prevention, these
questions cannot be answered by the available literature. Johnson explains that, “when security is
breached, questions of blame and accountability are raised. Although the intruder is obviously at
fault, attention may also turn to those who were responsible for security. This is a complicated
dilemma; device owners (customers) and website / system providers (FSPs) choose whether they
want to invest (time, money) in security or not. The question is: if someone chooses not to take
steps to protect a system from intruders, are they, partially at least, to blame when an intruder
breaks in? We might even say it’s foolish not to protect your system. Nevertheless, it seems
wrong to blame those who don’t install security, “because we don’t know the details of their
circumstances”. Johnson draws the following conclusion from this dilemma: “In the IT-configured
society of today, it seems difficult to defend the idea that a user with means has no responsibility
for trying to secure a computer on the internet, if only because of the illicit uses for which the
machine might be used for fraudulent activities. We expect people who own guns to have trigger
locks on the guns; perhaps we are now at the point that we should expect people who have
computers on the internet to use strong passwords” (Johnson, 2009). Personally, I would like to
change the last part of this phrase, “to use strong passwords”, to “to take preventive actions”,
since there are more measures a customer can take than just a strong password (for example the
measures described in paragraph 4.2.4).
4.3.7. Conclusion
In cases of online banking related fraud, the fraudster abuses the customer or the customer’s personal
computer. Based on the above statements, it’s difficult to defend that the
customer has no responsibility at all. When a customer is held responsible, it’s however important that
all the elements of responsibility are present. Furthermore, we have identified that joint
responsibility implies an increase in responsibility for all involved stakeholders and not just a
shift from the one to the other.
Firstly, this means that the customers should know and understand their responsibilities.
Communicating and understanding those responsibilities is a joint responsibility in itself. The
FSPs should undertake sufficient efforts to help their customers to understand their
responsibilities and to help them to take preventive actions. The customers and society do
have the responsibility to take this matter seriously and to try to understand what is required; they
should improve their moral consciousness in this matter. It’s impossible to improve moral
consciousness when FSPs and society are not providing the necessary information, but it’s also
impossible when the customer is not willing or able to understand.
Secondly, this means that the customer needs to have the volition and ability to act according to
these responsibilities. Customers should also understand the consequences of their actions,
especially the consequences of not taking the required security measures.
Thirdly, this means that the entire duty of care of the FSPs will increase and that communication
in itself will not be enough.
Based on the ethical theories, the responsibility power balance should shift towards the due care
theory. This is, however, only legitimate if all stakeholders succeed in taking care of all the elements of
responsibility and when we have developed moral standards. In the absence of clear knowledge
on the availability of the necessary responsibility elements and agreement on the moral standards,
the remainder of this research will focus on obtaining answers to the following research
questions:
- To what extent are the critical elements of responsibility fulfilled in the current situation?
- What is the moral standard for the duty of care / due care of the Financial Services Provider?
- What is the moral standard for the customer’s behavior related to gross negligent behavior?
- What are potential future joint responsibilities, liabilities and measures for the Financial Services Providers and their customers in the customer’s point of view?
4.4. View from market research
The remaining questions formulated above could not be answered from the perspective
of the law or from the ethical perspective. In this paragraph we will explore whether the available market
research can help to identify the answers to those questions. This will be done by exploring the
known views of experts and of the customer.
4.4.1. The view on the customer’s abilities to detect
“In the absence of a utopian world, it seems necessary that we must strive to improve our
computer systems and communications, our standards, our expectations of education and our
world as a whole. Overall awareness of computer system vulnerabilities and security
countermeasures is greater than it was a few years ago. The potential opportunities and gains
from misuse seem to be increasing. However, our society does not seem to be getting
significantly more moral on the whole, despite some determined efforts on the part of a few
individuals and groups” (Rogerson, 2004). According to David S. Wall, there is an overall lack of
public knowledge about the real risks of cybercrime, and “those who
are not discouraged from going online often are unable to make informed choices about the risks
that they may face, especially where the threat is new” (Wall, 2008). Hence, according to experts,
awareness, and therefore the ability to detect (or perhaps even to protect), is low. When
awareness is low, we can at least conclude that an important element of moral responsibility is
missing.
The government is of the opinion that “we could expect a certain level of basic cyber hygiene
and ability of citizens using IT devices, for example being careful with personal information,
taking care of software updates and using strong passwords” (NCTV, 2013). According to
governmental research, the awareness of cyber security amongst citizens has increased. However,
despite this increase, the risk perception amongst ICT users is still limited and there is a large risk
related to overconfidence. Dutch citizens rank their cyber security skills as a 7, which according
to this research is overrated. For example, 66% of respondents didn’t know how their device
could be used for malicious activities, and passwords most often do not comply with the advised
security standards (“Alert Online stimuleert veilig online gedrag | Nieuwsbericht |
Rijksoverheid.nl,” 2013).
Experts question whether well-informed customers are able to detect and
protect themselves against the risk of fraud. H. Cate is of the opinion that the most basic
protection is personal judgment and that this can play a vital role in protection: “the actions of
individuals may provide the best defense against identity theft” (Meulen, 2011). Other experts,
such as Solove, are of the opinion that the role of the consumer is very minimal, if it exists at all.
Marron, another expert, states: “the problem becomes pitched not as one of systemic institutional
culpability, but as lack of awareness on the part of individuals”. These experts claim that the best
phishing websites manage to fool 90% of participants (Meulen, 2011). The Dutch National
Cyber Security Centre claims that a success ratio of 30% should be attainable for phishing
websites (NCSC, 2012). Drive-by downloads are even more dangerous, because they are
extremely difficult for consumers to detect (Provos, Mcnamee, Mavrommatis, Wang, &
Modadugu, 2008). Although these forms of fraud might be difficult to detect, this doesn’t mean
that there is nothing the customer can do. Drive-by downloads, for example, usually abuse
insecure old versions of web browsers and can only be detected by the right and up-to-date virus
scanner. And although phishing websites or social engineering are executed in a very professional
way, the customers have been informed by their FSPs that they always have to check the URL
and the certificate, and that the FSP will never ask for codes by means of a phone call. Experts seem to
agree that it’s too much to ask a customer to detect malicious behavior, but do not provide a
general point of view related to prevention. Hence, by using and combining the points of view of
the experts we will not be able to create a generic moral standard for customer behavior.
To answer whether or not the necessary elements of responsibility are present, we need to
find out whether the online banking customers are willing, knowledgeable and capable of
executing their responsibilities and are willing to accept the potential consequences.
Unfortunately, there is no complete research available that provides insights into the willingness,
knowledge and ability of customers to prevent and detect. Capgemini has recently conducted a
study (executed by TNS NIPO) amongst Dutch consumers on their awareness of aspects
such as cybercrime, viruses, phishing and fake websites. This research indicates that 14% of the
consumers rank themselves as very knowledgeable about these threats and 52% of the consumers
rank their knowledge as reasonably good (Capgemini, 2013). Unfortunately, this research doesn’t
shed any light on whether these customers really are aware of the threats or only
think they are aware. Nor does it provide insights into the knowledge of customers and their ability to
take preventive measures. Another study, executed by the Lieberman Research Group and the
company Unisys, finds that only 18% of Dutch consumers are seriously concerned about
computer security in relation to viruses or spam and only 10% of Dutch consumers are seriously
concerned about the security of online banking (Unisys, 2013a). This research also doesn’t
provide more details or answers about the knowledge and ability of the Dutch consumer. In
another study, Unisys compares the outcome for the Netherlands with eleven other countries
(Unisys, 2013b). This comparison gives some perspective on the score of the Netherlands. Dutch
consumers are by far the least concerned about internet security. The level of concern in
countries such as the United States (the least concerned country after the Netherlands) and Spain
is about 50% higher, and the level of concern in Germany is about 100% higher than in the
Netherlands. Although we are all on the same World Wide Web and generally exposed to the
same risks, there is a significant difference in the Dutch concern level. According to the Dutch
National Cyber Security Centre (NCSC), the ability of the average Dutch internet user is not very
high. They claim that the average internet user doesn’t have sufficient knowledge and skills to
protect themselves from digital risks, and they are very much afraid that the ongoing
digitalization will widen this gap. The NCSC assesses the average Dutch online consumer as
very vulnerable (NCSC, 2012). This is especially true for the group of consumers that are
classified as digitally illiterate (“digibeet”). According to research by Yvette Bommeljé, 1.5 million
Dutch consumers that use the internet can be classified as illiterate. She explains that 9% of the
Dutch consumers don’t have any computer skills and that the computer skills of 18% of the Dutch
consumers can be classified as very low. This means that at least 27% of the Dutch online consumers
do not have the necessary skills to operate their computers. Another 21% of the Dutch
consumers are classified as having little computer skills. In total, 48% of the Dutch consumers do not
master their computer skills at a sufficient level. The same research indicated that of these
consumers 82% used their computer to perform online banking activities (Bommeljé,
2013).
4.4.2. How customers currently secure themselves
It might be possible to define the moral standard of behavior based on the current measures
customers are taking. There is no research available related to the customers’ current measures
against phishing and social engineering. For malware and pharming related measures there is a
study focusing on the measures Dutch consumers take in order to secure their
computer (Van Deursen, 2012). According to this research, 87% of the consumers have installed
a virus scanner, 72% have installed a firewall and 59% of the consumers keep track of automated
updates. Only 10% of the respondents don’t take any safety measures or don’t know if they
take any measures. This research shows that there is a certain variance between the different age
groups, genders, levels of education and professions. Students and individuals between 16 and 35
years of age take fewer security measures than other respondents. Also, the research indicates that
men on average take more security measures than women, and medium to higher educated
respondents seem to take more security measures than their lower educated counterparts. The
majority of respondents in all the different groups seem to take care of a virus scanner, a firewall and
automatic updates. Thus, we can argue that not taking care of these three measures can be
identified as a deviation from the moral standard. These measures can best be seen as the absolute
minimum set of security requirements (NCSC, 2012). Customers that only take these security
measures do not comply with the terms and conditions of the FSPs (as specified in paragraph
4.2.4).
Unfortunately, there is no research available on the awareness and current level of compliance of
the customer related to the other measures mandated by terms and conditions. Based on
literature we therefore cannot create a standard for moral behavior related to the entire set of
demanded measures.
4.4.3. The view on the Financial Services Provider’s duty of care
The European Central Bank has recently finished a report focusing on recommendations for the
security of internet payments. The European Central Bank commences this report with the
following statement: “given the current experience of regulators, legislators, FSPs and the general
public that payments made over the internet are subject to higher rates of fraud than traditional
payment methods, the Forum decided to develop recommendations for the security of internet
payments. These reflect the experience of overseers and supervisors in their home countries and
take into account the feedback obtained in a public consultation. Furthermore, the report
includes some best practices” (ECB, 2013). Although the report of the European Central Bank
only provides recommendations, it seems like a solid first attempt to identify what an FSP has to
take care of in order to fulfill its duty of care.
According to this report, FSPs should take care of the following high-level aspects:
- Strong customer authentication (at least two-factor).
- Implement effective processes for authorizing payments as well as for monitoring transactions and systems in order to identify abnormal customer payment patterns and prevent fraud.
- Engage in customer awareness and education on security issues with a view to enabling their customers to use such services safely and efficiently.
Furthermore, the report provides the following (relevant for this research) detailed
recommendations:
- FSPs could provide security tools (e.g. devices and/or customized browsers, properly secured) to protect the customer interface against unlawful use or attacks (e.g. “man in the browser” attacks).
- FSPs should ensure that the prior information supplied to the customer contains specific details relating to the internet payment services. These should include, as appropriate:
  o clear information on any requirements in terms of customer equipment, software or other necessary tools (e.g. antivirus software, firewalls);
  o a step-by-step description of the procedure for the customer to submit and authorize a payment transaction and/or obtain information, including the consequences of each action;
  o guidelines for the proper and secure use of all hardware and software provided to the customer;
  o a description of the responsibilities and liabilities of the FSP and the customer respectively with regard to the use of the internet payment service.
- FSPs should use fraud detection and prevention systems to identify suspicious transactions before the FSP finally authorizes transactions or e-mandates. Such systems should be based, for example, on parameterized rules (such as black lists of compromised or stolen card data), and monitor abnormal behavior patterns of the customer or the customer’s access device (such as a change of Internet Protocol (IP) address identified by geo-location IP checks, or a change of IP range during the internet payment services session, sometimes atypical e-merchant categories for a specific customer or abnormal transaction data, etc.). Such systems should also be able to detect signs of malware infection in the session (e.g. via script versus human validation) and known fraud scenarios. The extent, complexity and adaptability of the monitoring solutions, while complying with the relevant data protection legislation, should be commensurate with the outcome of the risk assessment.
- FSPs should provide assistance and guidance to customers, where needed, with regard to the secure use of the internet payment services. FSPs should communicate with their customers in such a way as to reassure them of the authenticity of the messages received.
- FSPs should set limits for internet payment services and could provide their customers with options for further risk limitation within these limits. They may also provide alert and customer profile management services.
- Within the set limits, FSPs could provide their customers with the facility to manage limits for internet payment services in a safe and trusted environment.
- FSPs could enable customers to specify general, personalized rules as parameters for their behavior with regard to internet payments and related services, e.g. that they will only initiate payments from certain specific countries and that payments initiated from elsewhere should be blocked, or that they may include specific payees in white or black lists.
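A rule engine of the kind the detection and customer-profile recommendations above describe, written as an added example for this thesis (it is not code from the ECB report or from any FSP): a credential black list, IP-range and geo-location change within a session, customer-set limits, payee white/black lists, an atypical merchant category and a script-versus-human check, combined into an approve / step-up / block decision taken before authorization. All names, thresholds, the /24 range rule, the blocking policy and the sample data are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Parameterized rule: references to known compromised or stolen card/account data.
# Constructed placeholder values, not real indicators.
COMPROMISED_REFS = {"CARD-REF-DEMO-0001", "CARD-REF-DEMO-0002"}

# Findings that block outright; any other finding only triggers step-up
# authentication. Assumed policy, not taken from the ECB report.
BLOCKING_FINDINGS = {"blacklisted-credential", "payee-blacklisted",
                     "country-not-allowed", "limit-exceeded"}


@dataclass
class CustomerProfile:
    """Limits and personalized rules the customer manages within FSP bounds."""
    customer_id: str
    allowed_countries: set[str]        # customer rule: block payments from elsewhere
    daily_limit: float                 # FSP limit; the customer may only lower it
    payee_whitelist: set[str] = field(default_factory=set)
    payee_blacklist: set[str] = field(default_factory=set)
    usual_merchant_categories: set[str] = field(default_factory=set)


@dataclass
class Session:
    """Access-device data captured at login; later requests are compared to it."""
    login_ip: str
    login_country: str


@dataclass
class Payment:
    amount: float
    payee: str
    merchant_category: str
    client_ip: str
    client_country: str
    credential_ref: str
    human_validation_passed: bool      # script-versus-human check in the session


def same_ip_range(ip_a: str, ip_b: str) -> bool:
    """Assumption: leaving the /24 (IPv4) or /64 (IPv6) counts as an IP-range change."""
    a, b = ip_address(ip_a), ip_address(ip_b)
    if a.version != b.version:
        return False
    plen = 24 if a.version == 4 else 64
    return (ip_network(f"{a}/{plen}", strict=False)
            == ip_network(f"{b}/{plen}", strict=False))


def evaluate_payment(profile: CustomerProfile, session: Session,
                     payment: Payment, spent_today: float) -> list[str]:
    """Return the rule findings for one payment; an empty list means nothing abnormal."""
    findings = []
    if payment.credential_ref in COMPROMISED_REFS:               # black list of stolen data
        findings.append("blacklisted-credential")
    if payment.payee in profile.payee_blacklist:                  # customer payee lists
        findings.append("payee-blacklisted")
    elif profile.payee_whitelist and payment.payee not in profile.payee_whitelist:
        findings.append("payee-not-whitelisted")
    if payment.client_country not in profile.allowed_countries:   # customer country rule
        findings.append("country-not-allowed")
    if not same_ip_range(session.login_ip, payment.client_ip):    # device moved in-session
        findings.append("ip-range-changed")
    if payment.client_country != session.login_country:           # geo-location IP check
        findings.append("geo-changed")
    if spent_today + payment.amount > profile.daily_limit:        # limits for internet payments
        findings.append("limit-exceeded")
    if (profile.usual_merchant_categories
            and payment.merchant_category not in profile.usual_merchant_categories):
        findings.append("atypical-merchant-category")             # atypical e-merchant category
    if not payment.human_validation_passed:                       # sign of malware in session
        findings.append("possible-malware-session")
    return findings


def decide(findings: list[str]) -> str:
    """Decision taken before the FSP finally authorizes the transaction."""
    if any(f in BLOCKING_FINDINGS for f in findings):
        return "block"
    if findings:
        return "step-up"   # require additional authentication before authorizing
    return "approve"


# Constructed sample data: documentation IP ranges and fictitious payees.
PROFILE = CustomerProfile(customer_id="cust-demo", allowed_countries={"NL"}, daily_limit=2500.0,
                          payee_whitelist={"NL00DEMO0000000001", "NL00DEMO0000000002"},
                          usual_merchant_categories={"groceries", "utilities"})
SESSION = Session(login_ip="203.0.113.10", login_country="NL")
ROUTINE = Payment(amount=42.50, payee="NL00DEMO0000000001", merchant_category="groceries",
                  client_ip="203.0.113.42", client_country="NL",
                  credential_ref="CARD-REF-DEMO-9999", human_validation_passed=True)
HIJACKED = Payment(amount=2400.0, payee="NL00DEMO0000000099", merchant_category="electronics",
                   client_ip="198.51.100.7", client_country="NL",
                   credential_ref="CARD-REF-DEMO-9999", human_validation_passed=False)

if __name__ == "__main__":
    for label, p in (("routine", ROUTINE), ("hijacked", HIJACKED)):
        found = evaluate_payment(PROFILE, SESSION, p, spent_today=300.0)
        print(f"{label}: {decide(found)} {found}")
```

The routine payment yields no findings and is approved; the hijacked one trips the IP-range, limit, payee and malware rules at once and is blocked before authorization.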
In addition to these recommendations of the European Central Bank, experts have identified how
customers differ in their level of skills, awareness and vulnerability. FSPs (and their customers)
could therefore benefit if they don’t apply a one-size-fits-all policy to the above
recommendations but instead apply specific customer profiles.
In terms of the expected duty of care of the FSP, the customers’ opinions have not been researched.
On its website, the Dutch consumers’ union (Consumentenbond) states that “when FSPs
increase the measures a customer has to take, it becomes easier for the FSPs to blame their
customer for grossly negligent behavior”. They are of the opinion that certain aspects of the
FSPs’ terms and conditions are too strict to be practically executable for consumers,
for example the requirement to check their electronic statements every two weeks
(Consumentenbond, 2013).
4.4.4. Conclusion
By using the recommendations of the European Central Bank we seem to have a solid moral
standard for the FSP’s duty of care. We have identified that the majority of customers at least
keep track of their virus scanner, firewall and automatic updates. Therefore we can argue that
customers should at least take these preventive measures in order to behave in a moral way.
Since no research related to the other measures demanded by the FSPs’ terms and conditions
is available, we cannot identify a complete set of moral behavior.
Unfortunately, the known views of the market don’t provide us with a complete answer to the
remaining questions of this research:
- To what extent are the critical elements of responsibility fulfilled in the current situation?
- What is the moral standard for the customer’s behavior related to gross negligent behavior?
- What are potential joint future responsibilities, liabilities and measures for the Financial Services Providers and their customers in the customer’s point of view?
In order to answer these three remaining questions, new research needs to be executed
amongst customers of Dutch FSPs. This customer research will be executed within the scope of
this research and will be introduced in chapter 6.
5. CONCEPTUAL MODEL
In the previous chapter, the quest towards joint responsibilities started and the elements for joint
responsibilities were identified. All these elements together can be grouped in a conceptual
model, as displayed in figure 5. On the highest level, five different building blocks can be
identified: ethical customer responsibility, ethical FSP responsibility, joint responsibility,
effectuation and liability. Joint responsibility is the center of this model. The arrows represent the
preconditions to joint responsibility, and all the different building blocks are necessary input
elements for joint responsibility. The necessary elements are preconditions in the normative
sense; the arrows thus do not represent relations that hold in the empirical sense. The result of this model
is that all the different elements (with arrows towards joint responsibility) need to be present in
order to be able to implement joint responsibilities and liabilities. Responsibility in this
perspective can best be seen as the responsibility to prevent. Responsibility is supported and
enforced by the elements of effectuation. When individual responsibilities have been identified,
the FSPs and their customers together can create joint responsibilities. In the unfortunate
event that these joint responsibilities fail to prevent fraud on the online banking platform,
liability will come into play. Whether or not a customer is liable will eventually have to be
decided by a judge. The judge should determine whether or not all elements of this conceptual
model have been fulfilled. Only when all elements have been fulfilled can the judge decide that
the customer is liable.
Figure 5: conceptual model
The first building block, ethical responsibility, is divided into two main elements: the responsibilities of the customer (paragraph 4.3.3) and the responsibility of the FSP, consisting of due care (paragraph 4.3.1) and duty of care (paragraphs 4.2.1, 4.2.2 and 4.4.3). Joint responsibilities have not yet been identified; they will be the outcome of the quest of this research, and recommendations to achieve joint responsibilities are described in chapter 9. The elements of effectuation have been described in paragraph 4.2.1. The elements of the final building block, liability, have been identified in paragraph 4.2.5.
6. CUSTOMER RESEARCH
In the literature review (chapter 4) some gaps were identified that relate to the customer’s perception, knowledge and abilities (paragraph 4.4.4). These gaps have to be closed in order to provide answers to this quest for joint responsibilities. Up to this point, the research did not clarify whether or not the necessary elements for moral customer responsibility are present. Neither did the research provide a moral standard for customer behavior. The three unanswered research questions are:
To what extent are the critical elements of responsibility fulfilled in the current situation?
What is the moral standard for the customer’s behavior related to gross negligent
behavior?
What are potential joint future responsibilities, liabilities and measures for the Financial
Services Providers and their customers in the customer’s point of view?
6.1. Research type
Customer research can be executed in two ways, either with a quantitative approach (summarized as ‘counting’) or a qualitative approach (summarized as ‘understanding’). There is no previous research available on the subject of this research. We do not yet know the opinions or the abilities of the customers. As a starting point for the interviews, I expected responsibility for online security to be a difficult topic for customers, since it is an aspect the average customer does not usually have to think about. Providing sound insights for this research means that customers have to give more detailed answers than a simple yes / no, or a rating on a scale (as is usually done in the quantitative approach). In order to draw proper conclusions, it is important to find the underlying reasons and motivations for the given answers. It is those arguments and inner perspectives of the customer that are most valuable. Qualitative research provides insight into how customers perceive this specific topic instead of just how many customers share a specific opinion. In order to gain an understanding of the customers’ thoughts, I have opted for qualitative research.
The qualitative research has been executed by means of focus group interviews. “Focus groups are used to gain insight into differences in opinion between people about a certain topic. In a focus group, it is easier for the participants to feel comfortable as opposed to a one-on-one interview. In a one-on-one interview, the participant might not feel free to express his or her opinion because it might be used against them” (Krueger, 2009). According to Slocum (2003), “focus groups are useful to:
gauge the nature and intensity of stakeholders’ concerns and values about the issues;
obtain a snapshot of public opinion when time constraints or finances do not allow a full
review or survey;
obtain input from individuals as well as interest groups;
obtain detailed reaction and input from a stakeholder or client group to preliminary
proposals or options;
collect information on the needs of stakeholders surrounding a particular issue or
concept;
determine what additional information or modification may be needed to develop
consultation issues or proposals further.”
6.2. Scope and limitations
The interview population for this research consists of retail online banking users of Dutch FSPs. The applicability of these interviews is therefore, firstly, limited to the retail segment. Secondly, these interviews will primarily be useful for Dutch FSPs. Customers of foreign FSPs might have different opinions; therefore the outcome of this research cannot directly be applied to foreign markets. As a final limitation, this qualitative research provides insight into how customers think and not necessarily into how many customers support an opinion.
6.3. The sample
Due to the nature of qualitative research the number of participants is limited compared to quantitative research. A total of five focus interviews have been conducted. Each interview included five to six customers, with a total of 26 customers. I have created convenience samples. For each focus interview I asked one person in my network to select another person, and asked that selected person in turn to ask another person to be involved in the interview. I based my initial pick of the five people on their age, educational level, living area and nationality. Each individual received the instruction to select another Dutch retail online banking customer whom they knew, but not too well. With this approach, I tried to create as much randomness as possible in the sample. After identifying the candidates, I checked whether different ages, educational levels, living areas and nationalities had been selected in order to create a representative sample of Dutch customers. The demographics of the participants are displayed in appendix 1.
6.4. Data collection technique
Before commencing the interviews, I composed a list of questions based on the findings of the literature review (chapter 4). I built a sequence into the questionnaire, which I followed during the interviews. The details of the questions are included in appendix 2. I did not share the questionnaire with the participants and used it only as a reference and guideline to structure the interviews. Before the start of the interviews I did not provide the participants with any information other than the subject of my thesis. At the start of each interview, I invited the participants to respond to each other’s answers and to engage in a discussion whenever different points of view were voiced. I informed the participants that the answers to the questions were not a matter of right or wrong. I also informed them that they were allowed to withhold their opinion or to change their opinion after hearing the arguments of other participants.
6.5. Interview questions design
In paragraph 4.3.3 of the literature review, the elements of moral responsibility have been defined. In that paragraph we concluded that all the necessary elements need to be present in order to hold the customer responsible from an ethical perspective. In paragraph 4.4.4 of the literature review, we identified the absence of a clear moral standard. The first part of the research is designed to identify whether or not the necessary elements are present amongst the population of customers in this research. Furthermore, these questions are designed to identify the current security-related activities and capabilities of the population. Knowing their activities and capabilities is expected to be important input for drafting the moral standard. The answers to these questions are described in chapter 7. The general interview topics are:
1. Perceived level of security on online banking
2. Level of customer awareness per type of fraud
3. Level of moral hazard
4. Level of knowledge about means of prevention per type of fraud
5. Current legal liability
6. Activities, responsibilities & liabilities of the Financial Services Provider
7. Cyber crime related to physical crime
The final goal of this research is to assist the FSPs in creating policies and in implementing and executing these policies, including future responsibilities and liabilities. In the literature review the power balance shift and connected responsibilities have been discussed (paragraph 4.3.1 and paragraph 4.3.5). Unfortunately, this does not provide sufficient assistance to the FSPs. As Professor Dr R.J.M. Jeurissen explained to me: “Responsibility is a socially constructed concept. The concept of joint responsibility originates and will be settled in a negotiation between all relevant stakeholders in which one’s responsibilities will be defined. This is an arguing / bargaining process”. The second part of the interview explores the ethically relevant stakes of the customer in this negotiation. The answers to these questions provide insights regarding what kinds of responsibilities and liabilities customers find morally plausible for themselves and for the FSPs. The answers to these questions are described in chapter 7. The general interview topics are:
1. Acceptable mandatory future customer responsibilities
2. Acceptable mandatory future customer liabilities
3. Future activities, responsibilities & liabilities for the FSP
The objective is that the customers’ answers, combined with the knowledge obtained in the literature review, will result in guidelines and answers in the quest towards joint responsibilities. This allows FSPs to compare their policies and points of view with those of their customers in order to find commonalities and gaps.
6.6. Variable measurement and validation
Each interview has been digitally recorded, written up and structured per interview question by means of a matrix structure (preserved by the author) (Groenland, 2010). Firstly, each interview was analyzed on a stand-alone basis to cross-check the answers of the participants for consistency. Secondly, the analyses of the different interviews were combined and analyzed again. The qualitative analyses were executed using the guidelines of Hennie Boeije (Boeije, 2012). These analyses were then compared to the conceptual model and the literature review of this report.
7. RESEARCH RESULTS
In this chapter the outcome of the focus interviews is presented as an objective description of the inputs of all five interviews combined. This chapter is structured along the three main topics of the interview: elements of responsibility, the moral standard, and future joint responsibilities and liabilities.
7.1. Elements of responsibility
In paragraph 4.3.3 of the literature review, the necessary elements of ethical responsibility have been described. In order to be responsible from an ethical perspective a customer should have the duty, knowledge, volition, ability and intention to act in a secure way. These elements are the cornerstone of responsibility. This part of the interview has been structured to generate inputs for the answer to the following research question: to what extent are the critical elements of responsibility fulfilled in the current situation?
7.1.1. Perceived level of security
Some participants explained that they had been hesitant to use online banking during its introduction phase, about a decade ago. Due to experience and improvements of the online banking channel these reservations have disappeared. Nowadays all participants feel secure while using online banking. According to the participants, the Financial Services Provider takes care of their security, for example by means of passwords and tokens. This gives participants a comfortable feeling. Security is not at the top of participants’ minds during online banking activities. Participants also feel that their payment data is secure while using iDEAL. Despite this trust, some of the participants are still reluctant to use iDEAL when buying goods from web shops because they find it difficult to determine whether or not the web shop is legitimate. A couple of participants were hesitant to use mobile banking. They were not sure whether it is as secure as a personal computer, due to the lack of security measures such as a virus scanner and code generation tokens. Those participants have decided not to use mobile banking at all.
7.1.2. Level of customer awareness per type of fraud
When asked about their awareness of types of fraud, most participants answered that they are aware of fraud committed through online banking. Only the group of students initially answered that they were not aware of any online fraud. None of the participants had personally been affected by any form of online banking fraud.
Phishing / Pharming
When asked about the types of fraud, all participants are aware of phishing, particularly by means of spam mails. Almost all participants have received at least one phishing mail in the past. Participants are also aware that they should never fill in the requested information in these mails; the FSPs have informed them that they would never ask for that kind of information by mail. Participants however seem to be less aware of the fact that these mails can also redirect customers to a website containing a fake log-in screen or serving malware. None of the participants has encountered this. Only one participant is of the opinion that he might become a victim of a phishing mail. This participant explains that he is concerned that criminal organizations are becoming more and more sophisticated and that it might therefore become more difficult to spot fake mails, for example on the basis of lay-out or sender verification. Furthermore, the participant finds it confusing that the FSPs send him mails as well. According to this participant the FSPs should never send any mails at all, as this would make it easier for him to know that a mail is always fake. Within the focus group of this participant the other participants changed their opinions after this statement. They agree that in the future the odds of becoming a victim could potentially increase. Without exception, participants add that customers with low computer skills, a low IQ or of advanced age would face higher odds of becoming a victim.
Social engineering
Participants are less aware of the existence and threats of social engineering types of fraud. Almost none of the participants identified social engineering as a potential fraud. When asked, half of the participants explain that they have vaguely heard of social engineering phone calls, especially targeting elderly people. These participants are aware that fraudsters try to obtain the pin code of these victims, but apart from that there is little to no knowledge amongst the participants about how social engineering is applied. The other half of the participants does not know about this type of fraud. After the interviewer explained how social engineering is applied, participants were asked if they think they could become a victim of this type of fraud. The answers vary. The vast majority of the participants answered that they would never become a victim of this type of fraud; they would either hang up or ask for an appointment in person. The other participants are not sure about their odds of becoming a victim. If the scam is executed in a very sophisticated and convincing way, they are afraid that they might be caught by this type of fraud, for example because the fraudster taps into the customer’s curiosity or because of a moment of inattentiveness.
Malware
Only two participants spontaneously mention malware as a potential way to commit fraud. After the interviewer informed the participants about the existence of malware, about a quarter of the participants seem to know that it exists. Knowledge about how it is applied is very limited. Only two participants know that malware can be installed and can compromise the secure browser session. These participants however do not know how they can spot malicious behavior on their computer other than by installing a virus scanner. A limited number of participants think they would spot deviant behavior on their FSP’s website, for example a different sequence of screens. These participants however do not really know what they need to do in case this happens. All participants agree that the odds of becoming a victim of this type of fraud are higher than for the other types of fraud. The estimated odds differ per participant and range from unknown to 70%. Participants explain that they do not know how to prevent and detect fraud apart from using a virus scanner. They are also not sure whether this virus scanner would provide them with 100% protection. They identify this type of fraud as being too sophisticated to detect. The group of students state that although they would not be able to identify whether their computer has been affected, they would more likely be able to prevent the virus from infecting the computer. They have grown up with the internet and therefore claim to know better what to do and what not to do.
7.1.3. Level of knowledge about preventive measures
Participants received multiple questions about their current knowledge of preventive measures as well as about the measures they actually take.
Known measures
Participants were asked what kind of measures the FSP requires them to take. All participants know that they should not share their pin code, passwords or other identification codes with others. Participants also know that they have to prevent individuals from looking over their shoulder when performing banking activities and that they are not allowed to store their pin code and debit card in the same location. For the majority of participants this is common knowledge. Some of the participants are aware of these measures because of the awareness campaigns. For the vast majority of participants this is everything they know. A couple of participants, spread over the different groups, know that they have to take additional measures. These customers know that they have to check the website’s URL and whether the lock icon is present in the address bar. Some participants also know that they have to change their password on a regular basis and to log off at the end of each session. As soon as these participants shared this knowledge in their groups, some of the other participants agreed that they indeed have to take these measures, while others remained unaware. Two participants knew that they have to keep their virus scanner, firewall and software up to date. The other participants were not aware of these requirements.
When participants were asked for their opinion on these measures, they all responded that the measures are normal and very reasonable. Only one group of participants (focus group 1) questioned whether this is indeed everything they have to do. After being asked, none of the participants were aware of the content of the FSP’s terms and conditions. All participants responded in the same way: “I will not read the terms and conditions; this is not feasible because it is such a difficult and lengthy document. And the FSPs should know that we don’t read these terms and conditions.”
Executed measures
There is a potential gap between the measures participants know they have to take and the measures they are actually taking. Therefore, participants were asked how they currently protect themselves and what kind of activities they perform while transferring money. All participants explain that they perform the activities they know they have to perform. When asked about an up-to-date virus scanner, not all participants were aware whether they had a virus scanner installed and whether or not it was up to date. The majority of participants have a free virus scanner installed, which they downloaded from the internet. A limited group of participants uses a firewall and keeps their browser and operating system up to date. The other participants do not know whether they comply with these measures, as they explained that they do not understand these kinds of technicalities.
When logging in to the online banking platform, some of the participants explain that they do not perform any checks at all. About 50% of the participants check whether the address starts with “https://” and whether the address is correct. Some of these participants also check the lock icon, but nobody checks the certificate. While initiating a transaction, all participants check whether they have keyed in the correct account number and amount. At the moment of signing the transaction, participants usually check whether the amount is still correct. After the transaction has been signed, the majority of the participants also check whether the account balance has been adjusted. Only a very limited group of participants checks the details on the transaction history screen. Some of the mobile banking users do not perform mobile banking activities on an unsecured network, such as a free wifi hotspot. They also do not use mobile banking in public locations where people can easily read their screens.
Information provided by the Financial Services Provider
All participants find that the FSP should do a better job of informing their customers about the required measures, the reasons for these measures and how fraud is committed. The majority of the participants find the current information seriously lacking. Some say the FSPs do not provide them with any information at all, or that the information is limited. They have received or might have received some messages, but these were either difficult to read or hidden between all kinds of commercial messages. The information provided is not tailored to the personal situation, for example of the elderly, children or non-Dutch-speaking citizens.
Some participants are aware of the information campaigns such as “driekeerkloppen” and “veiligbankieren”, but the content has long been forgotten. According to these participants, these campaigns create only limited awareness and only for a limited amount of time. The majority of participants receive “bankmail” from their FSP (mail messages in the online banking environment). Almost none of the participants have read these messages, since they usually contain unwanted commercial information. Some participants think they have never received any kind of information and others do not know whether they received this kind of information during the initial sale of the product. The vast majority of participants would like to receive readable and understandable communication from their FSP regarding the measures they have to take, why they have to take these measures, what kind of measures the FSPs are taking and examples of how fraud is committed.
7.1.4. Power balance of responsibility
Who is responsible?
When participants were asked who in their opinion is responsible for the safety of online banking, three different responses could be distinguished, distributed across the different focus groups. One group holds the FSP responsible for secure online banking. According to them, the FSPs offer the product and should therefore be responsible. Second, these participants argue that the FSPs force their customers to use the online channels and should therefore be responsible. Third, these participants argue that the FSPs are the experts. According to this group, the fraudulent scams are impossible for a customer to detect. Therefore the FSPs have to make sure that they prevent these types of crime in every possible way.
Another group of customers holds both themselves and the FSP responsible. According to this group the primary responsibility lies with the FSP, while the customer has the responsibility to act in a secure way and to follow the guidelines provided by the FSP, for example not to disclose personal login credentials. This group of participants adds that customers should act as securely as possible, but that a customer can never completely prevent fraud from happening; there is thus a limit to the responsibility of the customer. For example, when social engineering or malware is applied in a very sophisticated way, they do not find it fair to hold the customer responsible. In the case of malware these participants hold the FSP responsible. In the case of social engineering these participants do not know who should be held responsible, since it is the fault of neither the customer nor the FSP.
The third group of participants is small. This group primarily holds the government and the central bank responsible: they have to audit the FSPs and have the responsibility to direct the police force that should arrest these criminals. One participant in this group also holds the internet service providers responsible, alongside the government. According to this participant they have to filter and control the internet and make sure that spam and malware do not exist or are at least combated.
During each of the interviews, participants debated whether or not the customer has a responsibility. Defenders of joint responsibility argue that there are limits to what an FSP can do and that eventually the customer has the responsibility to follow the guidelines. The participants who defend full FSP responsibility argue that the FSPs are already forcing their customers to use the online channels by closing all the physical branches. To them, it would be a bridge too far if the FSPs would also force the customer to take responsibility. The defenders of the government’s responsibility agreed to a dual responsibility between the FSPs and the government. The participants did not reach a consensus as a group and only a limited number of participants changed their initial opinion (in both directions) after this debate.
Who is liable?
Participants were asked who should absorb the costs in case of fraudulent activities. All participants agree that by default the FSP should be liable. After this initial reaction, in every group there were participants who started to argue that there are also cases in which the customer could be liable. According to these participants a customer should be liable when the customer has acted in a “foolish” (negligent) way. The participants who support this view find it difficult to define clear situations or boundaries for who is liable under what circumstances. They think there is a large grey area, and some are of the opinion that liability should be judged for every unique situation. Some of these participants would like to introduce a yellow card system: on the first occasion the customer should not be liable, the second time the customer should be liable up to a certain percentage. The reason for this yellow card system is that everybody can make a mistake; making a mistake once is human, according to them. After these statements, the other, smaller group of participants remains of the opinion that customers should never be liable. There is strong disagreement between the different participants.
For phishing-related fraud there is a group of participants who hold the FSP liable in any case. There is also a group that is of the opinion that this should be judged case by case, primarily based on how obvious the phishing was. For example, when the phishing mail is well designed, this would mean no liability or a maximum liability of 50% of the damage for the customer; when the phishing mail was too obvious, this would result in 100% liability for the customer. After their debates, all groups reached a consensus on one of these two points of view.
For social engineering types of fraud, all participants except the group of lower educated participants of 50 years and older answered that the customer should be 100% liable once pin codes or other log-in credentials were shared (provided no violence was used). The majority of participants in the group of lower educated participants of 50 years and older answered that the FSPs should always be liable because they are the ones who should secure the deposits.
For malware types of fraud, all participants except one hold the FSP liable for the losses. According to the participants the FSP should always make sure the website is secure, since it is impossible for the customer to detect this type of fraud.
Again all participants explained that there is a special group that should be better protected and therefore cannot be held liable, or should only become liable after very intensive education. Participants make this special exception for all types of fraud. Participants also add that the FSP should prove that the customer has acted in a grossly negligent way.
7.2. The moral standard
In both the law (paragraph 4.2.1) and ethics (paragraph 4.3) the moral standard is used to determine whether a customer has acted in a grossly negligent way. Identifying the moral standard is thus an important aspect of our quest towards joint responsibilities and liabilities. In paragraph 4.4.4 of the literature review we identified the absence of a clear moral standard. As indicated in paragraph 4.4.1, experts disagree on the customers’ ability to detect and prevent online banking fraud. In paragraph 4.4.2, only a limited set of current customer preventive activities was identified. From previous research it is not clear whether the customer is taking more measures and what customers perceive as their current responsibilities and liabilities. Neither is it clear what customers would define as grossly negligent behavior. This part of the interview has been structured to generate inputs for the answer to the following research question: what is the moral standard for the customer’s behavior related to gross negligent behavior?
7.2.1. Current customer’s responsibility and legal liability
Participants were asked what they consider to be their current responsibilities to prevent fraudulent activities. Participants answered that they feel responsible for taking the measures indicated in paragraph 7.1.3.
Level of moral hazard
Participants were also asked whether they feel morally responsible for secure behavior. In three out of five group interviews all participants answered that they feel a moral responsibility, though they also answered that they are not really aware of this responsibility on a day-to-day basis. The group of higher educated participants between the ages of 18 and 34 collectively answered that they did not feel morally responsible for secure behavior. This is consistent with their answers on the responsible stakeholders: 4 out of 5 members of this group defended the opinion that they did not have any responsibility. In the other groups, some participants defended the statement that the customer does not have any responsibility, while others felt morally responsible for secure behavior.
Participants were asked if they care about the financial losses that currently occur due to these
types of crime. Only one of the participants was aware of the amount of annual financial losses.
The two groups of highly educated participants answered that they would have to care about the
financial losses, as eventually they would have to pay the losses themselves by means of
increasing commercial rates of the FSPs. However, since the commercial rates haven’t really
changed over the past couple of years, they don’t really care. Neither do they care that they
currently have to pay a limited amount per person for these losses. The other groups answered
that they didn’t really care about the losses. All groups of participants however answered that
they would care about the financial losses if these losses were so high that it would impose a
threat for the future existence of the FSP or their own savings and deposits.
Legal liability
Participants were asked if they are aware of the legal arrangements regarding liability. None of
the participants was aware of the legal liabilities. When asked if they knew that they
legally have an excess risk (“eigen risico”), participants were either not aware that this is arranged
by law or thought there could be some kind of excess risk but didn’t know for what amount.
Gross negligent behavior
Participants were asked what they would describe as gross negligent behavior. In all groups of
participants gross negligent behavior is defined as deviating from the rules on purpose. For the
participants this means: acting in a certain way while knowing that an act is wrong and deviates
from the rules and would lead to negative consequences. Participants added that this
wrongdoing must be a free choice without compulsion. Participants explain that being aware of the
consequences is important to their definition. Participants define certain groups such as elderly,
kids and persons with a lower I.Q. as being potential groups who are not aware of the
consequences of an act.
When asked about an example of an act of gross negligent behavior, all participants explain that
in general, deliberately sharing a pin code without any force is gross negligent behavior. The
majority of the participants also defined sharing other log-in credentials such as TAN and
response codes as gross negligent behavior. Participants were specifically asked if deviating from
the FSP’s terms and conditions is an act of gross negligent behavior. None of the participants
defined this as gross negligent behavior. Participants explained that these terms and conditions
are impossible to read and understand for an average consumer. Some of the participants
explained deviating might be negligent but definitely not gross negligent. The group of students
defined this deviation only as gross negligent if the customer deviates from all the separate
contents of the terms and conditions and if the terms and conditions would be readable and
understandable for each customer. According to this group, customers should comply with a
certain limit of measures, for example at least 75% in order to receive a reimbursement of 100%.
The group of students was also specific in their opinion on the need for computer security.
According to this group, not having a virus scanner is negligent, but cannot be defined as gross
negligent.
According to some of the participants, the FSPs should provide clarity in what exactly gross
negligent behavior means to them. Participants do not see a need for a single uniform definition
amongst all FSPs as long as it’s clear to customers what the differences are. This would allow
their customers to choose between FSPs based on these conditions.
7.2.2. Online banking fraud compared to physical crime
In the quest towards joint responsibilities it’s important to find out if FSPs can leverage the
existing knowledge of insurance providers about the power balance of physical crime.
Participants were therefore asked if and how they relate online banking fraud to physical crime.
The participants’ answers can be divided into two groups. There is a group of participants that
completely relates cyber crime to physical crime. According to this group, it’s just a form of
digital crime. Both types of crime try to steal your money. The other group of customers doesn’t
relate these types of crime, since physical crime is personal and directly experienced, while
online crime is more distant and more difficult to spot.
Participants were asked if they have any type of insurance policy against physical crime and if
they have accepted the terms and conditions in this insurance policy. Almost all participants have
an insurance policy and accepted the terms and conditions of their insurance policy. Almost
none of the participants know the exact contents of these terms and conditions but they assume
that it would include explanation on what kind of measures the customer has to take. Almost all
of these participants would also accept the fact that a deviation from these terms and conditions
might result in a lower to no reimbursement of their damages. Only two participants
would still expect their insurance provider to reimburse the full damage even if
they had deviated from the terms and conditions. They claim that everybody can make a mistake,
for example forgetting to lock the door when leaving the house in a real hurry. In these cases, the
insurance provider should reimburse the losses despite the fact that the terms and conditions
require the customer to always lock the door. All participants would accept that they have to
invest in certain measures, such as a lock on the door as long as these measures are according to
market standards and as long as these measures do not change all the time. Furthermore, these
measures should preferably be free of charge (paid by the FSP) or else heavily discounted. It’s
important to note that none of the participants who are ING customers have installed the free
virus scanner that ING provides to them. Participants don’t remember whether or not ING has
provided them with information about this offer.
With this perspective in mind, participants were asked to what extent they would accept
mandatory measures for online banking related fraud. The majority of participants would not
take out an insurance policy to cover the losses of these types of fraud. The FSP is already
charging fees for taking care of the customer’s money; therefore, if necessary, the FSP should take
care of this insurance according to these participants. There is a small group who would like to
purchase such insurance as long as the insurance premium is very low (a couple of euros per
month).
7.2.3. Terms and conditions
As previously described, participants were not aware of the required measures, for example
indicated in the terms and conditions. Participants do not see it as their responsibility to read the
terms and conditions in relation to fraud prevention. Participants find that the FSP should
inform their customers with separate communication. This communication should be easy to
understand and short. Customers would also like to receive this information using multiple
media, such as brochure, online, radio and television. Furthermore, participants find that the
FSPs will need to offer a helpdesk function, for example on the phone or in the branch.
Customers should be actively informed about these helpdesks. These helpdesks should for
example help the customer to understand and take all the required technical measures.
Participants also want the FSPs and the government to create educational material, for example
in schools and during the integration courses. Participants argued that the FSP should explain
why these measures are important. Understanding the importance and consequences would
improve their awareness and willingness to take more measures. Participants also state that the
Financial Service Providers will have to verify that the customer has obtained the required
knowledge.
As part of the interview, I had informed the participants about the required security measures
they have to take according to these terms and conditions. All participants were very negatively
surprised by this information and called this a very extensive way of the FSPs to hedge and
transfer a very large portion of the risk towards the customer. Participants didn’t agree that
deviating from these measures could be defined as gross negligent behavior. According to all
participants, the FSPs are asking too much of the capabilities and possibilities of the customer.
Participants also indicate that this list of required measures is far more extensive than what is
communicated in the “driekeerkloppen” and “veiligbankieren” campaigns. This information
should be universal. All participants said they do not fully comply with all these required
measures. Participants find that it’s impossible to ask customers to always use up to date
software. They find that the FSP should at least allow their customers to use the most previous
version of the software. Participants would also like to receive a list of what kind of virus
scanners are certified by the FSP.
When the Financial Service Providers take care of the necessary information and support, and
allow the most previous software version, the vast majority of participants said they would
accept a required virus scanner, firewall, internet browser, verification of IP address / personal
computer and software updates. Although the participants would accept these measures they do
not agree that deviating from these measures would imply gross negligent behavior. Other
requirements such as checking the debit card every day, checking the transaction history every
two weeks, checking the website’s certificate and updating plug-ins and Java are too much to ask
for according to the participants. Participants indicate that it’s also impossible to check all these
requirements on the personal computer of a third party. They understand that they have to be
careful when using online banking facilities, for example in internet cafés. But a personal
computer of a friend, family member or work should be trustworthy enough. Participants argue
that if they have to check these computers the FSP could better restrict the usage of online
banking to only their personal computers.
7.3. Future joint responsibilities and liabilities
In the literature review the power balance shift and connected responsibilities have been
discussed (chapter 4.3.1 and chapter 4.3.5). In the literature review no research into future
responsibilities and liabilities between FSPs and their customers has been identified (paragraph
6.5). This part of the interview is structured in order to generate inputs for the answer to the
following research question: what are potential future responsibilities, liabilities and measures for
the FSPs and their customers in the customer’s point of view?
7.3.1. Future customer responsibility and liability
When asked if participants could think of any other kind of future responsibility they answered
they couldn’t think of additional measures other than described in paragraph 7.2.1. Participants
however indicated that if the FSPs would improve their communications, they would have the
responsibility to read and understand the communication. If the communication is not clear the
participants would have the responsibility to reach out to the helpdesk of the FSP.
Participants were asked what kind of customer liability would be acceptable to them based on
the assumption that the FSP would take care of all requirements previously indicated by the
participants. Participants answered that they would like to eliminate the standard excess risk.
Excess risk should only be charged when a customer is negligent. Participants indicate this as the
category “foolish”. For their own liability in the event of not being negligent at all or being gross
negligent, participants stick to their opinions as presented in paragraph 7.1.4.
7.3.2. Activities and responsibility of the Financial Services Provider
Participants were asked what kind of activities they think their FSPs are taking to prevent fraud.
Participants explain that they only know the measures they see, such as randomization devices,
pin codes, passwords and app updates. Participants assume that the FSPs are securing their
websites. They think the FSPs are performing a lot of other activities too, but they don’t know
for sure. Some participants would like to receive more information from the FSP. They would
like to know how their FSP is securing their money and how secure their FSP actually is. Some
participants would like to have a third party who would control and certify the FSP’s efforts and
measures and publish the results. This would allow them to choose the most secure provider.
Communication
Participants were asked what kind of additional activities their FSP should execute in the future.
Participants strongly hold their FSPs responsible for information, education and awareness
campaigns to their customers. They would like to receive more information about the level of
security of their provider, the threats the customers are facing, the ways fraud is applied, the
potential security measures and the consequences of deviating from these measures.
Not only should the FSPs intensify and improve their communications, they should also verify
that the customer has read and understood the measures. According to the participants, this
information should be sent on a regular, recurring basis. Participants again state that they
would also like to be informed about the need and consequences and about the way these types of
fraud are applied.
Customer profiling
Participants were asked if the FSPs are allowed to use their transaction data for profiling
purposes. In all interview groups there were two reactions, one group of participants
immediately would allow the FSPs to use this data and the other group wouldn’t allow the FSP
to use this data. Participants that wouldn’t allow profiling explain that they are very much
concerned about their privacy. In all groups participants started to debate whether or not this
would be a breach in privacy. All groups eventually reach the same conclusion: the FSP is
allowed to use this data but only when the following requirements are met:
- customers should be informed about this activity;
- profiling data can only be used for fraud mitigating activities and not for commercial
activities;
- profiling should be executed automatically and not by a human being, neither accessible
by a human being;
- customers should have an opt-out possibility.
Participants were also asked if the FSPs are allowed to block a transaction when the transaction
deviates from the customer’s payment profile. All participants are of the opinion that the FSPs
should hold the payment and then verify the payment with the customer. Only when the
customer confirms a fraud or when the customer cannot be reached after a predetermined
period the FSP is allowed to block the transaction.
Malware detection
Participants were asked if the FSP is allowed to monitor the information being sent between the
customer’s personal computer and the online banking platform (monitoring the session) for
malicious behavior. Almost all participants allow the FSP to monitor this to a certain extent. The
FSP is not allowed to breach the privacy of the customer and for example not scan the
customer’s personal computer. Only in the group of medium educated customers between 50
and 99 some participants would not allow the FSP to do this at any time.
Participants were asked if the FSP is allowed to block the access to the online banking
environment when malicious behavior is detected. The group of students and the group of
higher educated participants between the age of 18 and 34 would allow the FSP to block their
access at any time. The FSP should however provide feedback on their website about what is
wrong and how the matter can be resolved. The other groups would not allow the FSP to block
the access immediately. The FSP should provide information about the matter and the risk on
the online banking platform. Though, the customer should still have the possibility to continue
and perform a transaction. Participants explain that they are aware that this would transfer all the
risk to the customer; they accept the risk after being informed. Only after a certain period of
time, the FSP is allowed to block the access.
Participants would also like to receive feedback on the website about the condition of their
browser, plug-ins and software. This should however not restrict their access to the online
banking environment. When an extreme risk is being detected, the FSP should notify the
customer and explain the risk, though the customer should again have the possibility to accept
the risk and proceed.
Functionality restriction
Participants were asked if they would allow their FSP to limit their functionality based on their
risk profile. Participants are in favor of such restrictions if they are being applied to protect the
customer. Furthermore, the customer’s risk profile should be determined in close cooperation
with the customer, for example by using a questionnaire. The majority of the participants
however find that this risk profile should only be an advice. The customer should always be able
to deviate from this profile and for example increase the functionality. The FSPs should however
inform the customer of the risks that are connected to this deviating and should ask the
customer to accept the risk. This risk profiling should reoccur every x period or on the
customer’s request.
Participants were asked if they would like to have options to limit the functionality of the online
banking platform themselves. All participants would like to have these options as long as they are
easy to understand and always adjustable by the customer.
8. ANALYSES AND CONCLUSIONS
This chapter analyzes the individual research questions and the central research problem. Based
on these analyses, the conclusions, limitations and recommendations for future research will be
presented.
8.1. Answers to the research questions
In this paragraph the sub research questions (paragraph 3.7) will be answered. These questions
will be analyzed based on the findings in the literature review (chapter 4) and / or the outcome
of the customer research (chapter 7). After the analyses, the conclusion to each research question
will be presented.
8.1.1. What is the current impact of online banking fraud?
The impact of customer targeted online banking related fraud has been specified within
paragraph 4.1. The impact can be defined in terms of the number of attempts and costs. The
total number of fraudulent attempts is not (publicly) available. Based on research we know that
at least 35% of the Dutch online banking users have been approached by a fraudster. We also
know that the number of successful attempts increased to 10.900 in the year 2012. Compared to
the number of online banking users, this means that in the year 2012 the chances of becoming a
victim were 0,0828%.
In terms of costs the impact can be subdivided into hard costs and the soft costs. These two
groups can again be subdivided into the hard and soft costs for the FSP, the customer and
society.
The hard costs for the FSP are reported by the NVB. The figures in paragraph 4.1.1 indicate an
increase of the hard costs to 34.8 million euro in the year 2012. Starting in the second half of
2012 we see a decrease of the hard costs to 4.2 million euro on a 6-month basis. Hard costs for
customers occur when the FSP chooses not to reimburse the fraudulent losses of their customer.
The total amount of hard costs is not (publicly) reported and it’s therefore not possible to define
the impact in terms of hard costs for the customer.
Soft costs for the FSP are costs related to the prevention, detection, handling and coordination
of fraudulent activities (paragraph 4.1.2). Soft costs for the customers are related to the time and
effort spent to resolve the problem, the emotional and psychological impact and the perception
of security of the online banking channel (paragraph 4.1.3). The soft costs for society are related
to costs made by the government in terms of prevention, detection and conviction of the fraud
and fraudsters (paragraph 4.1.4). No figures are available on the total soft costs for the
stakeholders.
Conclusion
Based on the hard costs for the FSPs we can conclude that the problem has increased up until
the first 6 months of 2012 and decreased afterwards. Although we have seen a decrease of these
losses in the past 12 months, it would be too early to conclude that the problem is being
contained, as the number of reported attempts is still increasing. The current amount of hard
costs is still significant. When discussing the total problem, we should keep in mind that soft
costs are likely to account for a large part of the total costs and these costs are currently not
specified at all.
8.1.2. What is the legal framework of the responsibilities and liabilities?
The legal framework of responsibilities and liabilities is described in the Dutch law (paragraph
4.2.1). Within the conceptual model this is subdivided into effectuation and liability (chapter 5).
Effectuation is subdivided into law, moral standards and enforcement. According to the Dutch
law, both parties have to comply with a contract as well as the related habits of reasonableness
and fairness (moral standards). The FSPs have to take care of their duty of care and the customer
has the obligation not to act in a gross negligent way. The law states that the FSPs have to reimburse
the financial losses of their customers with a maximum deduction of €150 if the customer has
not acted in a gross negligent way. Thus, the FSP has the primary liability. If the customer has
acted in a gross negligent way the customer is then fully liable for the direct losses. The FSP
however has to prove that the customer has acted in a gross negligent way. The law also states
that gross negligent behavior is a failure to fulfill a duty. The law itself is thus clearly described
and enforcement is arranged.
Without clear definitions of moral standards, there is however little value in the law and
enforcement. The moral standard of the FSP is intertwined with the duty of care. The duty of
care for preventing customers from becoming a victim of online banking fraud is not specified in
the general law. Neither has it been questioned by the judges in recent court cases. It’s unclear
what the exact responsibilities of the FSPs are. FSPs have however managed to connect their
desired moral customer standard to the law. They have specified the customer’s responsibilities
within the products terms and conditions, which are part of the contract between the FSP and
their customers. FSPs are of the opinion that deviating from these terms and conditions is an act
of gross negligent behavior and should result in non-reimbursement for financial losses. The
judges and KiFid have recently supported the FSPs in their opinions. Even though, at first, this
seems in order, it’s questionable if the claim of the FSP is indeed correct. While analyzing the
terms and conditions (paragraph 4.2.4), we have identified that some of the requirements are
vague. Neither the terms nor conditions are specific in what is defined as gross negligent
behavior. Gross negligence presumes a standard of behavior that can reasonably be expected of
an individual engaged in a particular activity. The terms and conditions are however not
necessarily connected to the moral standard. Does the customer for example have the necessary
knowledge and capabilities to take care of these measures? And perhaps as important: is it
plausible to assume that an average customer will be able to read and understand the terms and
conditions? Based on research it’s not clear if FSPs can demand these measures from their
customers. And what about the FSP? Did the FSP take care of their duty of care? What can we
reasonably expect a FSP to do to protect their customers?
Even with responsibilities, the moral standard and liabilities properly defined, being responsible
or acting in a gross negligent way is not sufficient to become liable. If the FSP chooses to hold
their customer liable this would mean that the requirements of culpability, causal relationship and
negligence have to be met (paragraph 4.2.5). These three aspects have to be assessed in every
individual situation by the judge or the KiFid. They will also have to assess if the FSPs have
taken care of their duty of care and whether or not the moral standard is correct (paragraph
4.2.8).
The participants of the interview were questioned about their opinion on responsibility and
liability (paragraph 7.1.4). The answers related to their responsibilities will be analyzed in
paragraph 8.1.3. In general all participants agree that as a default, the FSP should be liable.
Participants do not accept the standard possibility of the 150 euro deduction on reimbursements.
According to the majority of the participants, this should only be deducted in cases of negligent
behavior of the customer. Some participants would never accept any liability at all, because it’s
the FSP who offers (according to some participants even forced) the product to the customer.
The majority of the participants however agree that, in cases of gross negligent behavior the
customer could be (partially) liable. What can be defined as gross negligent behavior according to
the participants cannot be defined in a generic way. This is different from customer to customer,
for example based on the age and personal (computer) skills and per type of fraud. In their view,
for phishing types of fraud, the liability should differ based on the level of sophistication of the
phishing mail. For social engineering the customer should always be liable and for malware the
participants are of the opinion that the customer should never be liable because the FSPs should
be held responsible for taking care of the security of their website. Regarding the terms and
conditions (paragraph 7.2.3), participants are of the opinion that the current demanded measures
are a very extensive way of the FSP to hedge and transfer the risk towards the customer.
Participants feel that the FSPs are asking too much of the customers’ capabilities (also defined in
paragraph 4.3.6 of the literature review). Participants define gross negligent behavior as: acting in
a certain way while knowing that an act is wrong and deviates from the rules and would lead to
negative consequences. Deviating from the terms and conditions should - according to the
participants - not be seen as an act of gross negligent behavior. None of the participants
complies with the current measures described in the terms and conditions, simply because they
do not know the contents. Participants feel that the FSPs are currently not taking care of their
informative responsibility. Participants explain that the information flow about the
responsibilities, the ways to act responsibly and the consequences of not complying is very
limited, if it exists at all. Therefore, according to the participants the FSPs are not complying with
their duty of care.
The government clearly states that it has a responsibility to increase the cyber awareness of
its citizens and that security as well as cyber security is a core activity and responsibility of the
government, for example by imposing laws, standards and regulations (paragraph 4.2.7). This
means that the government is one of the responsible stakeholders.
Conclusion
The moral standards for the duty of care of the FSP as well as moral behavior of the customers
are not clearly defined. Based on the current descriptions we cannot judge whether or not FSPs
have acted in accordance with their duty of care. Duty of care should be univocal between the
different FSPs. The government or regulator should together with the FSPs and the NVB create
regulations that describe the duty of care and should assess whether or not the FSPs are
complying with these regulations. The moral standard of customer behavior cannot simply be
mandated by the FSPs in their terms and conditions. FSPs should first determine the standard of
behavior and acceptable measures together with their customers. FSPs should take into account
that these standards might be different from customer to customer, for example based on their
knowledge and (computer) skills. The regulator should make sure that the correct standards are
determined. FSPs should also ensure a way of communication that is reasonable. Given the fact
that none of the research participants were aware of the contents of the terms and conditions it’s
safe to conclude that the current way of communication is not sufficient. The opinion of the
FSPs about the customers’ liability is conflicting with the opinion of the customer on their
liability. This is likely connected with the expected moral standard. FSPs, the NVB and
regulators should thus not only define clear moral standards but also make sure to connect the
correct liabilities. In case of a trial or a complaint, the judge or the KiFid should determine if the
duty of care has been taken into account and if the expected measures are according to the moral
customer standard. Non-compliance could mean that a customer is not liable.
8.1.3. What is the ethical view on joint responsibility?
The question in this case is where the duty of the customers starts and where it ends. In the past
we have seen behavior related to the social cost view (paragraph 4.3.1). The FSP always
reimbursed the financial losses. As previously described, there are interview participants that still
support this compensation policy and who would like to continue in this way in the future
(paragraph 7.1.4). A disadvantage of this view is however the effect of moral hazard. Participants
were asked if they feel morally responsible for secure behavior (paragraph 7.2.1); three out of
five groups of participants indicated that they do feel morally responsible for secure behavior.
Despite this feeling, they are not really aware of this moral responsibility and their behavior on a
day-to-day basis. The other two groups didn’t feel morally responsible for secure behavior.
Participants indicated that they do not really care about the losses, as long as losses are not so
high that it would impact their existing savings at their FSP. This underlines the statements in the
literature that moral hazard is indeed present in the current situation. This lack of moral
consciousness has also been defined within the literature review (paragraph 4.3.4). This is
because we are confronted with issues that have no correlation with issues or experiences of
previous generations. Customers will need guidance and full information in order to improve
their moral consciousness. Improving the moral consciousness is not only the responsibility of
the FSP. The government also has a clear responsibility to improve the moral consciousness of
their citizens (paragraph 4.2.7). Improving the moral consciousness is thus a task that the FSPs
should fulfill together with the government and customers / citizens.
The law is designed according to the contract view (paragraph 4.3.1). This view holds that both
parties enter into a voluntary contract and that the duties of the involved parties are those
created by the contractual relationship. Recently, we have noticed that FSPs are adapting to this
view in their reimbursement policies. This view implies that all parties have full information. The
customer however doesn’t have full information, for example about the security level and flaws
of the FSPs system. Embracing this view is thus not correct from an academic perspective.
According to the FSPs, the government and some researchers, we have reached a point where
we should expect customers to take certain preventive actions. In the IT-configured society of
today, it seems impossible to defend that the customer has no responsibility at all. Neither is it
possible to defend that the FSP and their customers are equals. Therefore, it would be better to
embrace the due care theory (paragraph 4.3.1). The due care theory is based on the idea that
FSPs and their customers do not meet as equals and therefore FSPs will have to take special care,
due care, to protect their customers. FSPs would have to fully inform their customers about the
irremovable risks of the product or accept full liability for undisclosed risks or defects. When the
customer accepts these risks, or acts in a grossly negligent way, the customer becomes liable.
Under the due care view we can speak of joint responsibilities. It’s important to
understand that joint responsibility is not just a matter of splitting the responsibilities between
the stakeholders. In the literature review (paragraph 4.3.5) we have identified that where
responsibilities are being shared, the total responsibility increases. In this specific case, it means
that where the customer receives the responsibility to take certain measures, it becomes the
responsibility of the FSP to ensure that the customer is able to understand and take these
measures.
When being held responsible, it’s important that all the elements of responsibility are in place.
The first customer element is duty. The question of duty is whether or not there is an obvious
moral obligation or standard that applies in the situation. The second customer element is
knowledge. Knowledge addresses the question whether the person was aware of the obligation and
standards or whether they reasonably should have been aware. The third customer element is volition.
Volition addresses whether the customer is legally capable of making the decision and whether
there was any (external) coercion. The fourth customer element is ability. Ability
refers to whether or not the customers are able to act and whether there are alternatives. The fifth and
final customer element is intention. Intention refers to whether or not the customer is able to
calculate the consequences of the action and has the mental capacity to consider the alternatives.
When one of these elements is not in place, we cannot state that someone is fully responsible
from an ethical perspective. Whether or not the necessary elements are fulfilled will be analyzed
in paragraph 8.1.7.
Conclusion
We have identified that the past policy of always reimbursing the customers’ losses is causing
moral hazard amongst customers. FSPs should however not switch their new reimbursement
policies to the contract view as they are currently doing. FSPs should instead switch their
reimbursement policies towards the due care view. Sharing responsibilities will increase the
total pie of responsibilities. Customers for example will have to receive the responsibility to act
in accordance with the moral standard and FSPs will have to receive the responsibility to protect,
inform, educate and support their customers in the best possible way. Overall, as a society we
should improve our moral consciousness on the threats and security measures related to the
internet and more specific online banking. This is a joint responsibility for the NVB, FSPs, their
customers and the government.
8.1.4. What is the known view on moral standards from market research?
The view from market research has been described in paragraph 4.4. According to known
research, the awareness of customers, and therefore their ability to detect customer targeted
online banking fraud, is low. The average Dutch consumer doesn’t have sufficient knowledge and
skills to protect themselves from digital risks. The average customer is also overestimating their
skills (paragraph 4.4.1). Experts seem to agree that, in general, it’s too much to ask a customer to
identify malicious behavior on their devices. This is especially true for the group of illiterate
users. Research has however indicated that the vast majority of users do take care of a virus
scanner, a firewall and software updates. The moral standards for the duty of care related to online
banking have not been specified in the law. The European Central Bank created a report
focusing on recommendations for the security of internet payments (paragraph 4.4.3). Although
this report only includes recommendations it seems to be a solid guideline for a moral standard.
Conclusion
Research indicates that consumers possess different internet skills; this underlines the previous
conclusion of different moral standards amongst online banking customers. FSPs should be
aware of the skills of their customers and should connect the mandatory measures to these skills.
Based on the literature, we cannot define a complete moral standard for customer behavior. The
payment recommendations of the European Central Bank should be included in the moral
standard for duty of care. FSPs should be assessed on their compliance towards these standards
by regulators and by the judge or KiFid in case of a trial or complaint. Online banking customers
should at least install a virus scanner and a firewall and take care of software updates.
8.1.5. What is the moral standard for the duty of care / due care of the Financial
Services Provider?
A part of this question has already been answered in the market view on moral standards for the
FSP (paragraph 8.1.4). We have concluded that in order to take care of their duty of care, FSPs
should comply with the payment recommendations of the European Central Bank (paragraph
4.4.3).
Due care should also be added to the moral standard (paragraph 4.3.7). FSPs will have to take all
reasonable steps to protect the customer and to ensure that the customer is informed of any
irremovable risks. This connects to the findings of the focus interviews. The provided
information should be short, easy to read, presented in multiple ways (not only on one media
type), connected to the capabilities and risk profile of the customers and should be sent on a
recurring basis (paragraph 7.1.3 and paragraph 7.2.3). Participants have explained that
understanding the necessity of these measures would most likely improve their awareness and
willingness to take the required measures. Participants also indicated that the FSP should verify
that their customers have obtained the required knowledge and support them if necessary with a
helpdesk facility (paragraph 7.3.2). If the FSP anticipates (or should anticipate) that some of
its customers are too inexperienced or unskilled to be aware of the risks, the FSP owes them a
greater degree of care compared to customers that are of ordinary intelligence and prudence
(paragraph 4.3.1 and paragraph 7.1.3).
Conclusion
FSPs should comply with the payment recommendations of the European Central Bank and due
care responsibilities as part of their duty of care. Regulators should audit and certify whether or
not FSPs are complying with their duty of care. The due care of the FSPs should also be
included in the audit and certification. The judge or KiFid should in case of a trial or complaint
assess if the FSP has taken care of its duty of care. FSPs will have to improve their
communications and should tailor the communications and duty of care towards the knowledge
and skills of the customer. Communications and duty of care are thus not a one-size-fits-all
solution. Because of the importance of the measures, FSPs should support their customers in
taking those measures, for example with helpdesk facilities. Furthermore, FSPs should verify that
the customer has indeed received and understood the provided information. Because we cannot
completely define to what extent FSPs are taking care of their duty of care and because due care
is a new element, we cannot determine to what extent FSPs are satisfying the duty of care and
due care elements. However, given the fact that customers indicate that the provided
information is poor, we can conclude that these two elements are not completely fulfilled because
information is part of the duty of care and due care.
8.1.6. What is the moral standard for the customer’s behavior related to grossly negligent
behavior?
According to the law and the due care view, customers have the responsibility to act according to
the moral standard and not to act in a grossly negligent way. According to FSPs this means
complying with their terms and conditions (paragraph 4.2.1 and paragraph 4.3.1). In the focus
interviews, participants indicated that they do not comply with all the measures in the terms and
conditions. They have also indicated that FSPs are asking more than their capabilities allow (paragraph
7.2.3). This participant statement is even more interesting when we take note of the outcome of
the governmental research about the customers’ knowledge and abilities, which states that
customers are overconfident about their cyber security skills (paragraph 4.4.1). Because
participants are currently not aware of all the measures and do not understand the importance of
these measures, they find it difficult to come up with a new moral standard. The literature and
interviews have indicated that multiple moral standards should be created (paragraph 4.4.4 and
paragraph 7.2). Based on the literature, we can state that having a virus scanner, a firewall and
recently updated software (for example the most recent version) can be included in the moral
standard for the majority of customers (paragraph 8.1.4). Participants agree that these are
reasonable measures (paragraph 7.2.3). Participants also agree that according to the moral
standard, they should not share their private access codes.
Conclusion
The research has indicated that different groups of customers should have different moral
standards, based on the knowledge and skills of the customer. Based on the current information
we cannot define the different moral standards. In order to define the different moral standards,
FSPs together with their customers will first have to define the different groups of customers
and then define the generic skills and knowledge of each group. The customers’ responsibility to
improve their moral consciousness and their awareness of online fraud should also be included
in the moral standard. It’s about time customers take their own online security seriously.
8.1.7. To what extent are the critical elements of responsibility fulfilled in the current
situation?
Elements of responsibility
The elements of responsibility have been defined in paragraph 4.3.3 and are presented in the
conceptual model in chapter 5.
The first customer element is duty. In the literature review we have identified that customers do
have a moral duty to act in a careful way (paragraph 4.2.1). According to the FSPs, customers
also have the duty to act in accordance with the product terms and agreements (paragraph 4.2.4).
Based on the outcomes of the focus interviews, we can conclude that customers are not aware of
their duty. From the viewpoint of the customer the duty is not completely defined. This element
is thus only partially fulfilled.
The second customer element is knowledge. The knowledge and awareness of the obligation is
very limited amongst all participants (paragraph 7.1.3). The knowledge about the preventive
measures is very limited. None of the participants is aware of the measures they have to take
according to the terms and conditions. Participants are of the opinion that it’s not reasonable to
expect them to be aware, since the terms and conditions are not a sufficient medium for this kind of
information (paragraph 7.2.3). This element is thus not fulfilled.
The third customer element is volition. Online banking customers are either 18 years and older
or are under supervision from their parents or another legal representative. By law these persons
or their supervisors should have the legal capacity to make the decision to become an online
banking customer. The types of fraud in scope of this research do in general not use any
coercion. This element is thus fulfilled.
The fourth customer element is ability. In general participants have answered that they are not
capable of taking all the measures that are required by the FSPs. Some measures seem impossible
to execute because of the skills of the participants (for example IT skills), others are impossible
to execute because of the willingness of the customer (for example checking the debit card every
day). Participants have also argued that the abilities differ from individual to individual.
Especially the group of elderly and lower (computer) skilled customers seems to have a lower
ability to meet the demands (paragraph 7.1.3 and paragraph 7.2.3). Participants do still have
alternatives other than online banking, for example at the branch office. These options are
however decreasing. FSPs are closing more and more branches, which makes it more difficult for
customers to use alternatives. The element of ability is thus only partially fulfilled.
The fifth and final customer element is intention. Participants have indicated that they do not
know the modus operandi of most fraudulent practices. Participants are particularly not aware of
malware (paragraph 7.1.2). Therefore it’s not likely that the participants will be able to calculate
the consequences of, for example, visiting unsecure websites and not taking care of all computer
related security measures. The majority of participants are not aware that FSPs don’t always
reimburse their customers’ losses. Participants are thus not completely aware of the consequences
of incorrect actions (paragraph 7.1.4). Legally we can argue that customers have the mental
capacity to consider alternatives since they are 18 years and older or supervised. From a moral
perspective this depends on the skills of the customer. Customers with low (computer) skills
might be less able to consider the alternatives, especially when the FSP is promoting the
usage of online banking. Overall the element of intention is only partially fulfilled.
Conclusion
In the interview population, only one of the five elements of responsibility is completely present.
This means that, from an ethical perspective, we can conclude that a customer currently cannot
be held responsible for the losses due to customer targeted online banking fraud. It doesn’t seem
morally right to claim that a customer is acting in a grossly negligent way when the customer
doesn’t comply with the contents of the terms and conditions. The FSPs, the customer and
potentially the government have a joint duty to increase the customers’ awareness of their
duty, the preventive measures, the knowledge of the threats and the consequences of these
threats. FSPs should also ensure (and regulators should assess) that the required customer
measures are aligned with the customer capabilities. These capabilities differ from customer to
customer. FSPs will therefore have to decide to either create generic required measures on a
very low level, in order to make sure that all customers are able to comply, or to create
different required measures per customer group (where groups are defined based on the
customers’ capacity and skills).
8.1.8. What are potential future joint responsibilities, liabilities and measures for the
Financial Services Providers and their customers in the customer’s point of view?
Participants of the focus interviews indicated that FSPs will firstly have to improve their
communications and create measures that are connected to the skills and capabilities of their
customers (as already concluded in paragraph 8.1.5 and paragraph 8.1.7). Participants added that
if this is all well arranged, they would have the responsibility to read and understand the
information, take the required measures and, if necessary, reach out to the helpdesk of the
FSP for support (paragraph 7.3.1). The interview participants indicated that the 150 euro excess
(deductible) should only be deducted in case of negligent behavior, meaning that the customer has acted
“foolishly” but not grossly negligently. Other than that, participants stick to the opinion about
their liability presented earlier (paragraph 8.1.2).
In terms of additional responsibilities for the FSP, participants have indicated that their FSPs are
allowed to monitor their payments (customer profiling) (paragraph 7.3.2). The majority of
participants would like their FSP to monitor their online banking session for malicious behavior
and generate feedback on their websites (paragraph 7.3.2). The focus interview participants are
of the opinion that online banking should no longer be a one-size-fits-all solution. FSPs should
together with their customers create a risk profile of the customer. This risk profile should be
connected to the different customer groups in terms of moral standards. When a customer has a
high risk profile, the functionality of online banking should be restricted. Participants state that
this risk profile should be advisory. The customer should always be able to deviate from this
risk profile, though this would mean that the FSP clearly states the risk of the deviation and that
the customer accepts the connected risks and liabilities. Within the limits of the risk profile,
participants have indicated that they would like to have the ability to set their own security
measures, for example limited payment amounts, as long as this is adjustable by the customer in
an easy way. The risk profile scoring should recur every “x” period (paragraph 7.3.2).
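The tailored environment the participants describe above, written out as an added example that is not part of the thesis and not any FSP’s actual system: a small Python policy check in which the customer’s risk profile sets the default payment limit and decides whether the riskier function of paying a new beneficiary is offered at all. The customer may lower the limit freely, but raising it above the profile cap is a deviation that requires the risk to be stated and explicitly accepted, and a payment executed under such a deviation is flagged so the shift in liability is recorded. The profile names, the caps, the “new payee” rule and the flag are assumptions for illustration only.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Profile(Enum):
    """Assumed customer groups; the thesis leaves the actual groups to be defined."""
    LOW = "low"        # skilled customer: full functionality
    MEDIUM = "medium"
    HIGH = "high"      # inexperienced customer: restricted functionality


# Assumed defaults per profile: cap per transaction in EUR, and whether the
# riskier function "pay a beneficiary never used before" is offered at all.
PROFILE_CAP = {Profile.LOW: 5000, Profile.MEDIUM: 1000, Profile.HIGH: 250}
PROFILE_NEW_PAYEE = {Profile.LOW: True, Profile.MEDIUM: True, Profile.HIGH: False}


@dataclass
class Customer:
    profile: Profile
    own_limit: Optional[int] = None     # customer-set limit, see set_own_limit()
    deviation_accepted: bool = False    # explicit acceptance of risk above the profile cap


@dataclass
class Decision:
    allowed: bool
    reason: str
    customer_bears_risk: bool = False   # True only for payments under an accepted deviation


def effective_limit(c: Customer) -> int:
    """Profile cap unless the customer set a limit; a lower own limit always wins,
    a higher one only counts when the deviation was explicitly accepted."""
    cap = PROFILE_CAP[c.profile]
    if c.own_limit is None:
        return cap
    if c.own_limit <= cap or c.deviation_accepted:
        return c.own_limit
    return cap


def set_own_limit(c: Customer, amount: int, accept_deviation: bool = False) -> None:
    """Lowering the limit is always allowed and needs no explanation. Raising it
    above the profile cap is a deviation: the FSP must state the risk and the
    customer must accept it (accept_deviation=True), which is recorded on the
    customer so later payments can be attributed correctly."""
    cap = PROFILE_CAP[c.profile]
    if amount < 0:
        raise ValueError("limit must be non-negative")
    if amount > cap and not accept_deviation:
        raise ValueError(f"{amount} exceeds the {c.profile.value}-profile cap of {cap}; "
                         "the risk must be explained and accepted first")
    c.own_limit = amount
    # Going back to or below the cap ends the deviation and its liability shift.
    c.deviation_accepted = amount > cap


def check_payment(c: Customer, amount: int, new_payee: bool) -> Decision:
    """Apply the profile: functionality restriction first, then the amount limit."""
    if new_payee and not PROFILE_NEW_PAYEE[c.profile]:
        return Decision(False, "payments to new beneficiaries are not offered in this profile")
    limit = effective_limit(c)
    if amount > limit:
        return Decision(False, f"amount {amount} exceeds the effective limit of {limit}")
    over_cap = amount > PROFILE_CAP[c.profile]   # only reachable under an accepted deviation
    return Decision(True, "within accepted deviation" if over_cap else "within profile",
                    customer_bears_risk=over_cap)


if __name__ == "__main__":
    # Constructed walk-through for a high-risk (inexperienced) customer.
    cust = Customer(Profile.HIGH)
    print(check_payment(cust, 200, new_payee=False))   # allowed, within profile
    print(check_payment(cust, 200, new_payee=True))    # denied: function not offered
    set_own_limit(cust, 100)                           # customer tightens the limit
    print(check_payment(cust, 150, new_payee=False))   # denied: over own limit
    set_own_limit(cust, 1000, accept_deviation=True)   # customer deviates, accepts the risk
    print(check_payment(cust, 800, new_payee=False))   # allowed, customer bears the risk
```

The point of keeping `deviation_accepted` on the customer record rather than only on the limit is that the judge or KiFid later needs to see not just that a payment exceeded the profile, but that the customer was informed and accepted that risk before the payment; `customer_bears_risk` in the decision is what an audit trail would store per transaction.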
Conclusion
The participants indicated that they would like to have browser based feedback about the
security of their online banking session. This feedback should include potential security risks
such as outdated browsers or malicious behavior. The participants also indicated that they would
accept a certain set of required measures and liabilities if the FSPs have taken enough due care.
Customers indicated additional possibilities (next to the recommendations of the European
Central Bank) for the FSP to protect their customers. The participants would accept a limited
functionality of online banking as long as this is connected to their risk profile (tailored online
banking environment). Creating a risk profile would allow the FSP to place their customers
within the different customer groups, based on knowledge and skills. The regulator should
determine if the correct generic risk profiles have been created. If each of these groups is
connected to a moral standard, it would be easier to determine what the FSP as well as the judge
can expect from the customer; the judge and the KiFid should assess this in case of a trial or
complaint. Both the FSP and the customer will have the responsibility to create this risk profile.
Figure 6: Conceptual model assessed
8.2. Answer to the main research problem
The sub research questions in this chapter have provided answers to the current gaps and future
possibilities for joint responsibilities and liabilities. Based on these answers, we can conclude that
there is willingness for joint responsibilities among the vast majority of interviewed participants.
They are willing to join the FSPs in their quest towards secure online banking.
The main research problem of this report is: “How can a Financial Services Provider create joint
responsibilities for the prevention of customer targeted online banking fraud - between
themselves and their customers - in an ethical way”?
In chapter 5 we concluded that all elements in the conceptual model will have to be fulfilled in
order to achieve joint responsibilities. Figure 6 represents the assessed availability of the elements
in the conceptual model.
Based on this assessment we can conclude that there are gaps (displayed in orange and red)
between the current state of fulfillment of the individual elements and the desired state. In order
to be able to achieve joint responsibilities between the stakeholders, these gaps will have to be
closed. FSPs will have to take the lead in closing these gaps. As concluded in the sub research
questions it will however not only be the FSPs that have to take action. The NVB, customers,
government, legislators, judges and the KiFid will also have to take appropriate actions in order
to close the gaps. These actions will be described in chapter 9.
Blue elements (culpability, causal relationship and negligence) cannot be assessed on a generic
level. These elements need to be assessed by the judge or the KiFid on an individual level for
every individual case of fraud. Elements that are green (volition, law and enforcement) are
completely fulfilled and will not require attention. The orange elements (duty, ability, intention,
duty of care and due care) are only partially fulfilled. The red elements (knowledge and moral
standards) are not fulfilled. From an ethical perspective the gaps will need to be closed in order
to be able to achieve joint responsibilities.
At first sight this assessment might seem overwhelming and one might conclude that FSPs are
doing a bad job in the protection of their customers. It’s therefore important to highlight that
FSPs are already taking different measures to protect their customers (paragraph 4.2.2).
Though, in spite of all the current efforts, there are clear aspects for improvement. When the
outcomes of the different conclusions in this chapter are analyzed, we find that the absence of
clearly defined moral standards - for both the customer and the FSP - and of clear communication
of preventive information from the FSPs to their customers are the root causes of the
missing elements. Solving these two root causes will have a positive effect on all the (partly)
unfulfilled elements. And as already mentioned, it is not only the FSPs, but also the NVB, the
customers, the government, legislators (paragraph 4.2.8), judges and the KiFid that will have to
make efforts in order to achieve a joint responsibility.
8.3. Limitations
The known limitations prior to this research have been presented in paragraph 6.2. There are
two important limitations that we need to add. This research has not succeeded in creating the
moral customer standards. Neither has it been able to assess to what extent FSPs are complying
with their own moral standards or the moral standards we could reasonably expect. Another
important limitation is the fact that due care is currently not enforced by any law or
regulation. Regulators therefore have to impose these new rules and regulations in order to give
legal status to these recommendations. Without legal status we can only hold FSPs
morally responsible and liable. Without legal enforcement there would be few possibilities for
customers to defend these statements in court.
8.4. Recommendations for future research
The moral standards are vital parts in the quest towards joint responsibilities. Therefore, new
research is required focusing on the different moral standards of the customers. The research
should identify the different knowledge and skills groups amongst the customers and should
create a generic moral standard for every different group. Future research could also be executed
to determine the total hard and soft costs of customer targeted online banking fraud.
9. RECOMMENDATIONS
The general recommendation is to transfer the view on responsibility and liability to the due care
view (based on paragraph 8.1.3) and to create joint responsibilities. In order to achieve ethical
joint responsibilities, all elements of the conceptual model as represented in paragraph 8.2 should
be completely fulfilled. To fulfill all elements, all involved stakeholders will have to take action.
All actions are part of the joint responsibilities of the stakeholders. Some of these actions will
have to be executed in collaboration, while other actions can be executed in isolation (paragraph
8.2). The different recommendations are grouped per stakeholder for readability purposes. In
general, it is recommended that the FSPs and the NVB take the lead. All recommendations
are based on the conclusions made in chapter 8.
9.1. Recommendations to Financial Services Providers and the NVB
The FSPs are recommended to:
1. in collaboration with their customers and the regulator, identify the different generic
moral customer standards. This should result in generic risk profiles with connected
responsibilities, liabilities and functionalities, based on the specific capabilities of the
customer group (based on paragraphs 8.1.2, 8.1.4, 8.1.5 and 8.1.6). In case FSPs are not
willing to create different moral customer standards, they are recommended to create a
general moral standard based on the customers that possess the lowest knowledge and
skills, in order to avoid asking more than the customer’s capabilities and skills allow (based on
paragraph 8.1.7);
2. in case FSPs are implementing different risk profiles, FSPs should in collaboration with
their customers define the risk profile of all individual customers and connect the
required measures and liabilities to these risk profiles (based on paragraph 8.1.7 and
paragraph 8.1.8);
3. in collaboration with the government, improve the moral consciousness of their
customers about the threats of online banking fraud (based on paragraph 8.1.3 and
paragraph 8.1.7);
4. improve the communication towards their customers and tailor the information based on
the skills and knowledge of the specific customer. This information needs to be clear and
understandable and communicated via multiple channels. The communication should
include the customers’ responsibilities, required measures, the necessity of these
measures, the way fraud is currently committed and the potential consequences of becoming
a victim (based on paragraphs 8.1.2, 8.1.3 and 8.1.5);
5. verify that their customers have read and understood the communications (based on
paragraph 8.1.5);
6. support their customers in taking the required security measures, for example by creating
help desk facilities (based on paragraph 8.1.5);
7. implement the online payment recommendations of the European Central Bank (based
on paragraph 8.1.4) and take care of due care responsibilities (based on paragraph 8.1.3
and paragraph 8.1.5);
8. terminate the “one-size-fits-all solution” of online banking and instead tailor the
functionalities of online banking based on the customers’ risk profile (based on
paragraph 8.1.8);
9. provide their customers with possibilities to limit their own online banking functionalities
and limits (based on paragraph 8.1.8);
10. create browser based feedback for their customers about the security of their online
banking session (based on paragraph 8.1.8).
9.2. Recommendations to online banking customers
Customers are recommended to:
1. take notice of the (to be created) required moral standard, act accordingly and reach out
for assistance if necessary (based on paragraph 8.1.3);
2. in collaboration with their FSP, define their personal risk profile and take appropriate
action (based on paragraph 8.1.8);
3. improve their moral consciousness about the threats of customer targeted online banking
related fraud (based on paragraphs 8.1.3, 8.1.6 and 8.1.7);
4. protect their personal devices against the risk of malicious software. At least by installing
a virus scanner, firewall and by taking care of the required software updates (based on
paragraph 8.1.4).
9.3. Recommendation to the government and regulators
The government and their regulators are recommended to:
1. in collaboration with the FSPs, create regulations that describe the duty of care of
the FSPs including their due care responsibilities (based on paragraphs 8.1.2, 8.1.5,
8.1.7 and 8.1.8);
2. include the online payment recommendation of the European Central Bank in the
required duty of care and due care regulations (based on paragraph 8.1.4 and paragraph
8.1.5);
3. assess whether or not FSPs are complying with the new regulations. These assessments
should be available for regulators, judges and the KiFid (based on paragraph 8.1.2 and
paragraph 8.1.5);
4. in collaboration with the FSPs and their customers, assess if the different moral
customer standards and the connected responsibilities and liabilities are legitimate
(based on paragraphs 8.1.2, 8.1.7 and 8.1.8);
5. in collaboration with the FSPs and their customers, improve the moral consciousness of
their citizens about the threats of online banking fraud, for example by means of
educational programs and repeating awareness campaigns (based on paragraph 8.1.3 and
paragraph 8.1.7).
9.4. Recommendations to judges and the Financial Services Complaints Institute (KiFid)
In case of a legal complaint or court case the judge and the KiFid are recommended to:
1. assess whether or not the FSPs have acted in compliance with their duty of care and due
care (based on paragraph 8.1.2 and paragraph 8.1.5);
in case of an FSP not complying with these regulations, the judge or KiFid is
recommended to assess if this non-compliance has negatively impacted the
security of the customer in that specific case. Non-compliance could mean that a
customer is not liable;
2. assess whether or not the expected measures are in accordance with the moral
customer standard that can be expected (based on paragraph 8.1.2);
3. (if FSPs choose to implement customer risk profiles) determine if the customer’s risk
profile has been defined and assessed correctly (based on paragraph 8.1.8);
in case an FSP and the customer have not defined the correct risk profile, the
judge or KiFid is recommended to assess who is to blame and if this
non-compliance has negatively impacted the security of the customer in that specific
case. Non-compliance could mean that a customer is not liable.
APPENDICES
Appendix 1: demographics of focus interview participants
Demographics per focus group:
Focus group 1: age 18 – 34 years, higher educated, mixed living areas
Focus group 2: age 50+, majority lower educated, rural area
Focus group 3: age 18 – 34 years, medium to higher educated students, majority city
Focus group 4: age 35 – 49 years, majority higher educated, city
Focus group 5: age 18 – 49 years, lower to medium educated, majority immigrants, city
Appendix 2: Focus interview questionnaire
Perceived level of security of online banking
Do you have any security-related concerns about using online or mobile banking?
Level of customer awareness per type of fraud
Are you aware of fraud committed via online banking?
o Which types of fraud do you know, and do you know how they are carried out?
How would you rate the possibility that you would become a victim of cyber crime?
Have you personally been affected by fraudulent activities? If yes:
o How do you feel about this fraudulent occasion?
o How would you describe the communication and relationship with your FSP during this occasion?
Level of moral hazard
Who in your opinion is responsible for the security of online banking?
Who should pay in cases of fraudulent activities, and why?
Do you feel morally responsible for secure behavior?
Level of knowledge about means of prevention per type of fraud
What do you see as your current responsibility towards the prevention of fraudulent activities?
What preventive measures do you take?
How do you feel about the information your FSP provides you with regarding prevention possibilities?
Do you know which measures your FSP requires you to take in its terms of use? If yes:
o What do you think about these measures?
Current legal liability
Do you know that you currently have an excess risk?
FSPs do not want to reimburse your losses in cases of grossly negligent behavior. What do you define as grossly negligent behavior?
Activities, responsibilities & liabilities of the Financial Services Provider
Which activities do you think the FSP currently undertakes to prevent fraudulent activities?
What do you see as the FSP's current liability towards the prevention of fraudulent activities?
Cyber crime related to physical crime
How do you relate cyber crime to physical theft?
Do you accept mandatory insurance against physical theft?
Do you accept an own risk (excess) in cases of physical theft?
Do you accept mandatory security measures to prevent physical theft?
To what extent would you accept the above measures for cyber crime related theft?
o Would you accept a mandatory insurance policy covering fraud caused by your own shortcomings?
Acceptable mandatory future customer responsibilities
Inform the customer about what they should do according to the terms and conditions and ask them to react.
What would be acceptable safety measures / precautions you would need to take?
o Why?
Acceptable mandatory future customer liabilities
In general, what liability would be acceptable (in terms of amount or percentage)?
o Why?
What liability would be acceptable when your PC is used for fraudulent behavior?
What liability would be acceptable when the fraud is executed after you have (indirectly) given your credentials to a fraudster?
Future activities, responsibilities & liabilities for the FSP
What kind of additional activities should the FSP undertake to prevent cybercrime?
Should the FSP give you more information / insight into how cyber crime is committed, and what would you do with that information?
Which of your customer and payment data is the FSP allowed to use?
Is the FSP allowed to monitor your PC for fraudulent behavior, and to what extent?
o Is the FSP allowed to block your online banking access when malicious software is detected on your PC?
Should the FSP inform you when a security breach is detected in your internet session?
Is the FSP allowed to block your online banking access when the software and security measures on your PC are very outdated and therefore pose a potential security risk?
Should the FSP provide you with options you can set yourself related to access control and security measures?
o Should you be able to restrict the functionality of the online channel?