[Home] [Databases] [WorldLII] [Search] [Feedback] New Zealand Law Commission

[Database Search] [Name Search] [Previous] [Next] [Download] [Help]

• The Movement Of Money Across Borders
• Liability For Unauthorised Electronic Transactions
• Unauthorised Eft Transactions

15 Banking

284 IN ECOM 1 we raised a number of issues regarding the issue of “electronic money” (EM) and many submissions were received on this point. They were almost unanimous in concluding that at present it seems unnecessary to require issuers of EM to register as banks under the Reserve Bank of New Zealand Act 1989, unless they purport to carry out other banking activities. This is because:

• registration would not solve difficulties in regulating EM issued offshore;
• the rapid rate of technological development is not compatible with specific controls;
• it could create double regulation, eg in relation to credit card payments;
• the issue of EM is already covered by the Securities Act 1978;
• it would conflict with the non-discrimination principle, and may inhibit businesses from issuing EM;
• EM is unlikely to have a large impact as consumers will be subject to small limits and the existing framework can accommodate it. This is because New Zealanders (unlike overseas consumers) tend to use EFTPOS (Electronic Funds Transfer at Point of Sale) even for very small transactions, so EM will have to compete in a market that is already well serviced.

285 No submissions were received commenting on whether further steps, beyond redefining “writing” and “signature” to include electronic equivalents, were required to facilitate electronic banking transactions.⁴¹⁸

286 Furthermore the submissions indicate that it is not necessary to introduce specific legislation to deal with laundering of EM or defaulting issuers as it is not possible to predict how these will be conducted; ie by what means.⁴¹⁹

287 EM has the potential to facilitate money laundering as it is less conspicuous than large amounts of cash, and can be transferred around the world instantly. It is also anonymous, as it can be transferred without any physical encounter. However there are some aspects of EM which can aid in the detection and suppression of illegal activity. Systems can generate a detailed audit trail. Limits can be placed on the amount of EM carried on smart cards, and on the number of face-to-face transactions that can be made before the EM has to be encashed through an intermediary financial institution. At that point, the reporting requirements for financial institutions are activated.

288 The Financial Transactions Reporting Act 1996 (FTRA) aims to prevent and detect money laundering by imposing obligations on financial institutions to verify the identity of persons conducting transactions (sections 6–7), to report suspicious transactions (section 15) and to keep transactions records (section 29). It is however, arguable whether issuers of EM would be considered to be “financial institutions” under the FTRA. The definition in section 2 is wide and includes banks registered under the Reserve Bank of New Zealand Act, as well as

(k) Any person whose business or a principal part of whose business consists of any of the following: . . .
(v) Providing financial services that involve the transfer or exchange of funds, including (without limitation) payment services, foreign exchange services, or risk management services (such as the provision of forward foreign exchange contracts); . . .”. (emphasis added)

Arguably the issue of EM constitutes “transfer or exchange of funds”. However if issuers of EM were required to comply with the FTRA they would incur compliance costs which could in turn hinder competition.

289 The submissions concluded that no amendments to legislation were currently required. It was, however, suggested that the Reserve Bank should undertake review of the FTRA in the near future to ensure fraudulent and other illegal activities involving EM are within the scope of the FTRA. We leave that issue to the Reserve Bank to consider further.

The movement of money across borders

290 Since the abolition of exchange controls, the movement of money internationally has ceased to be an issue, according to submissions made by the Reserve Bank. Under section 37 of the FTRA everyone arriving or leaving New Zealand with cash of or in excess of NZ$10 000 must make a report to the Customs Service. “Cash” is defined in section 2 as “any coin or paper money that is designated as legal tender in the country of issue”. This definition would not appear to encompass EM.

291 No immediate problems arise in allowing EM issued in one country to be redeemed in another, as only the issuer can “redeem” the value issued, so cross-border issues will not usually arise. The spending of EM in another country can be equated with the spending of travellers cheques.

292 A possible obstacle to conducting transactions over the internet is where the merchant is obliged to bill overseas purchasers in New Zealand dollars.⁴²⁰ While many websites incorporate a currency converter so the purchaser can calculate the approximate price in his or her own currency, the end price will still fluctuate with the exchange rate. This uncertainty can operate as a barrier to commerce as consumers prefer to know exactly how much they will be charged, in their own currency, before making the decision to purchase. However, New Zealand banks currently only accept credit card vouchers denominated in domestic currency, although the possibility of enabling foreign currency transactions is being investigated.⁴²¹

293 A local private sector initiative is tackling this obstacle, offering a service in conjunction with a British bank which enables retailers to bill customers in up to six different currencies. Merchants must satisfy credit checks before availing themselves of the service, which can be problematic for new companies without a credit history.⁴²² A possible solution the company is considering is to impose an upper purchase limit on transactions undertaken by these merchants.

LIABILITY FOR UNAUTHORISED ELECTRONIC TRANSACTIONS

294 An issue which we did not address in ECom 1 was the question of who should bear the risk of unauthorised electronic banking transactions. This is an issue which we now explore. We have explained in broad terms the competing viewpoints. We request submissions on the issues raised so that we can address them further in our third report.

295 Electronic transactions have become increasing popular in the banking environment over the last 20 years.⁴²³ In the retail sector these transactions take place through automatic teller machines and EFTPOS terminals. In addition, consumers can use telephone and internet banking services, and the use of stored value cards and digital cash seems likely to develop (although at the time of writing no New Zealand bank had yet issued any). ⁴²⁴ 

296 These electronic systems require some form of electronic authentication, such as a password or a code like a four digit PIN. The use of these forms of authentication can make it difficult to detect an unauthorised transaction as, unlike a manual signature, a password or pin is identical whether used by an authorised user or not. The issue then arises as to what extent the payment system provider or its customers should be liable for unauthorised use. In the manual world, the bank normally bears the risk for forgery.⁴²⁵

297 By way of analogy, we refer to the case of unauthorised credit card transactions. When an unauthorised credit card transaction occurs, a “charge-back” can be effected so that the customer is reimbursed the disputed amount and the merchant is debited. If the merchant is unable to pay then the bank carries the loss rather than the consumer. The rationale for offering such a high level of protection to the consumer is to encourage use of the credit card facility.⁴²⁶

298 All that is required to effect a charge-back is that the consumer makes a request to the bank in writing. The mechanism is not restricted to cases of fraud but can also be used where a merchant has failed to deliver goods, for example. In general the bank is under no obligation to verify the consumer’s claim or carry out any checks on the card when a request is made; if the merchant considers that the claim is not bona fide then its only option is to initiate proceedings against the consumer.

299 Brownsword and Howells⁴²⁷ identify four potential avenues in contract law for challenging a clearly drafted charge-back clause:

• the clause has not been incorporated, ie that “reasonable notice” of the clause has not been given: Thornton v Shoe Lane Parking Ltd.⁴²⁸ A merchant would be unlikely to succeed on this basis unless shortcuts were taken in presenting the clause;
• the clause does not apply to the facts because if it were it would produce an unreasonable outcome. If on an ordinary construction the clause produces an unreasonable result then the court may be prepared to consider a less obvious construction: Lancashire County Council v Municipal Mutual Insurance Ltd.⁴²⁹
• the clause contravenes the Unfair Contract Terms Act 1977 (UK);⁴³⁰
• to enforce the clause would violate principles of good faith and unconscionability. However these doctrines are used sparingly and would be unlikely to be applied in relation to a feature of everyday dealing such as a charge-back clause.

300 Brownsword and Howells conclude⁴³¹ that it is unsatisfactory for retailers to have to rely on “occasional judicial interventions” in their favour in cases of credit card fraud by someone other than the cardholder. They recommend that credit based dealings be regulated in such a way that the interests of all participants are fairly represented.

301 The Banking Ombudsman has also expressed concern at the number of complaints received regarding credit card transactions made by telephone/mail order and the authority given by the actual credit card owner.⁴³² These complaints generally submitted that when a merchant rang a credit card company for authorisation of a transaction, it was under the impression that authorisation meant the payment was guaranteed. The Banking Ombudsman did not uphold any of these complaints as it was found that the transactions were governed by the merchant’s contract with the banks, which stated (although perhaps not as clearly as it ought) that referral for an authorisation number did not constitute a guarantee. The Banking Ombudsman noted that the limited guidance to merchants seemed to be prefaced on the assumption that most credit card transactions took place face-to-face, and that it was out of date.⁴³³

302 Some of these issues fell to be considered by the High Court in the recent decision of Master Thomson in The Laptop Co Ltd v ANZ Banking Group (New Zealand) Ltd.⁴³⁴ In that case the plaintiff company took 34 telephone orders from a person in the United Kingdom for computer hardware. Payment was to be made with 18 personal credit cards . For each transaction the plaintiff obtained authorisation from its bank, the defendant. The telephone orders were in fact fraudulent. The defendant bank told the plaintiff it would not honour the authorised transactions, and debited the amounts it had previously credited to the plaintiff’s bank account. The plaintiff was able to halt some deliveries of the hardware but sued for the shortfall, claiming breach of contract, and misleading or deceptive conduct under the Fair Trading Act 1986. It was held that there had been no breach of contract by the bank. A clear construction of the standard form agreement and operating guide showed that obtaining authorisation from the bank was no guarantee of payment.⁴³⁵

303 In the short term, banks who offer credit card transaction processing services to merchants should educate their merchant customers of the risk that payment for “remote” orders (via telephone/fax/internet) will be charged back to them if the transaction is not authorised by the cardholder, and that authorisation does not constitute guarantee of payment.

304 On the other hand, it must be noted that a bank or a credit card company has no control over the way in which its products are used by the customer. The customer may fail to take care of his or her card or may not advise the bank or credit card company in a timely fashion if the device is compromised.⁴³⁶ Where control of the credit or debit card primarily rests on the consumer, it is not surprising that banks seek to allocate risk in their favour. An allocation of risk in favour of a bank should also, in principle, lead to more competitive prices for the services offered. The question is whether the risk is appropriately allocated at present in the triangular relationship involving consumer, bank and merchant. We seek submissions on this issue. We will address any residual concerns from these issues in our third report.

Unauthorised EFT transactions

305 In New Zealand, guidelines regarding customer liability for unauthorised EFT transactions can be found in the Code of Banking Practice (The Code), administered by the New Zealand Bankers’ Association (NZBA), and the EFT Code of Practice, administered by the Ministry of Consumer Affairs. Formerly, member banks of the NZBA were signatories to the EFT Code, however in 1996 the NZBA decided to withdraw from the EFT Code and include its consumer liability provision in the Code of Banking Practice. Other providers of EFTPOS services (in effect, a small number of finance companies) remain bound by the EFT Code. Consumers whose EFT services are provided by banks have seen a shift in liability for unauthorised transactions in favour of the banks.⁴³⁷

306 The Code of Banking Practice covers member banks’ dealings with individual customers, however the Statement of Principles relating to Small, Medium Size and Farming Businesses released by the NZBA in 1999 imports the provisions of the Code into these dealings, with the exception of credit arrangements. Clause 5.5.3 of the Code provides that customers may be liable for loss arising from unauthorised transactions if they have contributed to or caused that loss (our emphasis). This places a heavy burden on the customer, especially when compared to the equivalent United Kingdom Code, under which a customer is only liable where they have acted fraudulently or been grossly negligent. In addition, the burden for proving gross negligence or fraud lies with the card issuer in the United Kingdom, whereas the New Zealand Code is silent as to where the burden of proof lies. While in practice, we are advised, the Banking Ombudsman would be unlikely to find against a customer who, for example, allowed another to observe him or her inputing a PIN in a shop, such conduct arguably constitutes “contributing to the loss”.

307 A further example of the stringency of the New Zealand Code is the standard of care which the banks require their customers to take with regard to cards, PINs and passwords. Clause 5.5.3 (iii) imposes liability on the customer if loss is caused by keeping a written record of a PIN or password. Sneddon observes that the Australian Code only prohibits keeping a written record if the PIN or password is not reasonably disguised. Although ambiguous, the Australian standard is clearly not as onerous as the New Zealand one. As Sneddon observes many customers simply cannot remember a PIN and must record it.⁴³⁸

308 Another area of the Code which may expose customers to disproportionate liability is clause 5.5.6 which provides that where customers have contributed to the loss they may be liable for loss occurring before notification to the bank up to the daily transaction limit on the card or account(s). These limits have increased in recent years, from between $4–5000 up to $10 000 per account. As one card may access more than one account, and limits may include credit available on a loan facility, this provision of the Code exposes the customer to potentially enormous liability.

309 The Code is monitored by the Banking Ombudsman, and is due for a comprehensive public review by 1 November 2001 (five years since it came into force). In the Annual Report for 1997/8 the Banking Ombudsman notes that the use of credit and debit cards make up the majority of complaints regarding electronic banking services. During this period the Banking Ombudsman conducted the first investigation into a complaint relating to computer banking services.⁴³⁹ Few complaints are received regarding telephone banking, although the low numbers of customers making use of these services (compared with other electronic services such as ATMs and EFTPOS) perhaps indicates a degree of caution on the consumer’s behalf.

310 Sneddon makes the point that as the authentication system is chosen by the bank or financial institution, and is a “primitive and inherently insecure” procedure, then the institution should bear the risk of unauthorised use. He cites examples of more secure authentication methods which will undoubtedly become more prevalent, including digital signatures and biometric verification such as iris scanners and voice recognition (although notes that these are not yet cost effective for mass roll-out).⁴⁴¹

311 These issues were considered by the Australian EFT Working Group in its Discussion Paper on an Expanded EFT Code of Practice.⁴⁴² The Group (which includes Professor Sneddon) concluded that liability should be shared between the institution and the customer, depending on the circumstances of the loss. Three options for allocation were proposed:

• adapt the existing code by refining the definition of a “reasonable attempt” to protect the security of a PIN;
• apportion liability to the institution unless it can affirmatively prove that the customer was fraudulent or grossly negligent (similar to United Kingdom and Danish models, and the European Commission’s recommendations);
• apportion liability to the institution except where loss is caused by delays in reporting lost or stolen cards, or a failure to report unauthorised transactions appearing on statements (similar to United States Regulation E).

312 Similar issues arise here to those referred to in para 304. Similar arguments for the need to allocate risk in the bank’s favour apply in this situation also. We invite submissions on whether:

• the existing allocation of risk set out in the Code of Banking Practice is appropriate given the various factors we have identified; and
• if not, what justifiable basis may exist for legislative action to cure any problems.

Our view is that the onus should be on those who seek to justify legislative intervention to demonstrate that this would be preferable to contractual arrangements. While our principle of private sector leadership is of some importance on this issue, we also note that consumer protection issues fall outside the scope of that principle as previously defined.⁴⁴³