Dutch banks set common rules for online banking. But have they gone far enough?

Dutch banks set common rules for online banking

Piggy bank. Image courtesy of Shutterstock.Dutch banks have agreed on a common framework of rules for their online banking customers, which they will require people to follow if they are to qualify for refunds of money stolen through phishing, carding or other forms of online fraud.

The Dutch Banking Association (Nederlandse Vereniging van Banken, NVB), representing most banks operating in the Netherlands and working together with consumer representatives, has come up with a list of five key areas (Dutch language – Google translation) in which people must exercise the appropriate caution if they are to qualify for refunds.

For the most part, how banks respond to claims of online or card fraud is covered by government-imposed banking regulations, with banks given more or less flexibility to demand evidence of fraud, depending on the region.

In many areas the customer is assumed to be innocent and funds returned without much proof required.

In the UK, for example, the FCA rules state that banks must refund any unauthorised transaction, with the burden of proof on the bank to show that the customer either gave their explicit authorisation or that there was “gross negligence” in how they protected their card or login details. A 13-month time limit applies for reporting theft.

US banks are covered by the 1978 Electronic Fund Transfer Act, which details the levels of liability consumers must absorb, depending on how quickly they report an unauthorised transaction – generally a $50 limit is imposed if theft is reported within 48 hours, and losses occurring more than 60 days after an initial unreported loss may not be protected.

Just how understanding banks may be about phished or guessed login details may well vary from state to state and bank to bank. Regulations in some other countries are less consumer-friendly, while others leave the decision entirely up to the individual banks, as was the case in the Netherlands until the recent agreement.

The new Dutch policy will come into force in January 2014, and sets out five rules for people to keep to.

Paraphrasing fairly loosely from the scheme’s main summary (Dutch language – Google translation) and local Dutch coverage of the scheme:

  1. Passwords and codes should be kept secret – they shouldn’t be written down or given to other people to use, nor should they be given out over the phone or in email. Make sure no-one can see you when you enter passwords or PINs. Passwords should be well-chosen so as not to be easily guessable, avoiding standard personal info like birthdays.
  2. Don’t let other people use your cards – keep them in a safe place and regularly check that your cards are where they should be.
  3. Keep the devices you use to access online banking well secured – ensure that any devices used to access online banks are kept updated with the latest security patches. This includes security software such as anti-malware and firewalls. Don’t run any pirated software. Lock your devices with a passcode, and make sure you log off when you’re done with an online banking session.
  4. Keep an eye on your account – check your account at least every two weeks. If you’re on old-fashioned paper statements, you need to read them within two weeks of their arrival. If you can’t check on your account for some time, you’ll need to be able to give a good reason.
  5. Report any incidents or anything suspect to the bank – tell your bank promptly if you think anything is amiss, and then follow their instructions.

Mostly fairly unexceptionable stuff – numbers 2, 4 and 5 at least are all fairly obvious and should perhaps be classed as “general common sense” for any bank user.

The parts that specifically relate to digital security feel a little sparse though. When I first heard of this agreement, I imagined something rather more detailed, and pictured it being the foundation of a serious consensus on how people are expected to behave online – how they treat their own digital identity.

It called to mind the “Internet Driver’s License” debate which has rumbled on for years, and offered the promise of some firm ground on which to base such a qualification.

Banks these days seem to be merging into ever-larger global juggernauts, so if they can agree on the level of caution they expect from their customers around the world, it could set out a good standard for people to apply in all areas where their identity must be proven online.

But so far at least there’s not much to see – just some vague platitudes about choosing good passwords, with no real specific recommendations, beefed up a little by some sensible ideas on keeping them secure once they’ve been picked. Then some similarly generic comments on keeping your devices reasonably safe, but again no specific advice.

I’d like to see this taken much further, adding a detailed breakdown of the main things to avoid when choosing passwords, as well as some handy tips on choosing strong ones, perhaps even a general agreement on the minimum length and complexity.

There could also be more detail in the section on securing your devices. Banks and regulators seem happy setting fairly arbitrary deadlines for things, such as the cut-off dates for reporting, so why not insist that patch levels on operating systems and key software, and updates for security tools, be no more than n hours/days/weeks behind current at the time of infiltration, with good reasons needed for skipping patches.

There could be more explicit requirements regarding screen locking and unlocking, and there are many other topics the Dutch rules don’t seem to really cover at all, although something could have missed in translation.

Examples of areas which could be added might include using only wireless access points you know to be reasonably secure, or your systems and data properly encrypted to foil hands-on hackers.

In short, this feels like a reasonable start, but if this sort of thing is going to become a proper and verifiable basis for how people should protect themselves, I’d expect to see future revisions being a lot more explicit and detailed.

For now, Dutch consumers have been presented with a fairly vague set of rules, making it hard to be sure if one is fully following them. Those vague rules are also likely to give banks quite some flexibility to assert that their defrauded customers weren’t fully cautious and compliant, should they want to.

Dutch banks will, we would hope, be fairly understanding and lenient with their customers, but in some areas this sort of looseness could easily be exploited by more aggressive banking regimes.

Thanks to Martijn Grooten of Virus Bulletin for help with Dutch sources.

Image of piggy bank courtesy of Shutterstock.