As online fraud becomes more sophisticated and more common, banks have no choice but to shoulder the financial burden of reimbursing consumers for their losses.
Regulation E, the Federal Reserve Board's banking rules covering consumer electronic funds transfers, makes it clear that banks are on the hook.
Or does it?
To some, the rules seem silent in key areas and leave open the possibility of an interpretation that might let banks shift some of the responsibility back to the consumer.
Though there are no indications that any banks are considering mounting such an argument - many have opted instead to promote fraud-protection policies that go beyond their duties under Reg E - some observers say it is conceivable that the idea could catch on if covering fraud losses ever becomes prohibitively expensive.
Avivah Litan, a vice president and research director with the Stamford, Conn., market research firm Gartner Inc., said that while Reg E requires that banks reimburse consumers for unauthorized electronic transfers, in some cases it is mute on whether to define a transfer as unauthorized.
For example, phishing victims who reveal their passwords at phishers' bogus Web sites might be faulted for voluntarily handing over this information.
If the con artist logs on to the account and drains the funds, Ms. Litan said, "consumers have to prove that their password was stolen," which could allow a bank to dispute that the information was illegally used.
"With credit cards, people don't have to prove anything to dispute a transaction," she said. "Here they are guilty until proven innocent. Reg E is kind of vague."
Not so, said Nessa Feddis, the senior federal counsel in the American Bankers Association's government relations division.
She points to section 205.6 of Reg E, which clearly says that as long as consumers notify the bank in a "timely" manner (generally within 60 days of receiving their statement), they are protected against any unauthorized transfer, no matter how irresponsibly they may have acted.
The classic example is a consumer who writes their PIN on their automated teller machine card. If they lose the card and it is used to withdraw money from the machine, the customer is still covered for the loss, Ms. Feddis said.
"There is no negligence standard in Reg E," she said.
Steve Zeisel, a senior counsel at the Consumer Bankers Association, agrees.
He said that according to one of the commentary sections, negligence on the consumer's part "cannot be used as the basis for imposing" liability, and "behavior that may constitute negligence under state law, such as writing the PIN on a debit card … does not affect the consumer's liability for unauthorized transfers." In other words, banks definitely seem to be responsible for the loss.
However, David Jevans, the chairman of the Anti-Phishing Working Group, a trade association that tracks online fraud, said he knew of no legal cases where the rules had been challenged and upheld and were therefore vulnerable.
Mr. Jevans noted that when people set up online banking accounts, banks have typically included warnings that they not disclose their passwords to anyone, and phishers would presumably be high on that list.
This could potentially "give bankers an out" if they wanted to challenge their liability, Mr. Jevans said. "They could legitimately say, 'You were warned not to do this.' "
But Rob Rowe, a regulatory counsel at the Independent Community Bankers of America, said some bankers have already pursued the idea that consumers should be responsible for at least some portion of the loss if they do not protect their PIN. "They have said it's contributory negligence."
Reg E does put some burdens on consumers, he said, notably their duty to report a loss. Mr. Rowe said that if people never inform the bank of an unauthorized transfer, the bank has no responsibility.
This lends some support to the idea that consumers may be responsible for protecting their accounts, Mr. Rowe said. However, none of those discussions with the Fed regarding consumers who are careless with their PINs have ever led to any changes in liability, and he is doubtful that banks could exploit this to carve out any further protections for electronic transfers.
"It's been a dead end," he said. "Right now, a bank could not" try to refute its liability for fraud losses.
Banks so far have shown no interest in doing so, despite sizeable losses. Mr. Jevans said that their fraud-protection promises are costing major banks well over $1 million a month; a giant like Citigroup Inc. could be spending more than $10 million a month, he said, while midsize banks could be spending $100,000 a month.
(Banks may be more interested in avoiding responsibility for losses to corporate accounts. Bank of America Corp. is being sued by a corporate customer that claims B of A has refused to cover a $90,000 unauthorized wire transfer. Corporate accounts are regulated by the Uniform Commercial Code, which imposes a different standard for liability.)
Mr. Jevans stressed that trying to change its consumer liability policy would lead to a huge hit to a bank's reputation and would probably drive away customers. "It would be suicide," he said.
In fact, banks are moving in the opposite direction by offering protection that exceeds Reg E. Though banks can hold customers responsible for up to $50 of a loss, many banks are waiving even that.
