Actions to consider
Please note that the suggestions noted below are not legal advice, but suggestions that you might consider if you have difficulties in having any money refunded where money was removed from your account without your authority or knowledge. It must be emphasized that the bank has to determine whether a customer is telling the truth when they say money was withdrawn without their authority or knowledge. Chips were introduced to cards to try to eliminate or reduce fraud, and the evidence that a chip was read can go some way to proving it was the customer’s card, and not a clone in the ATM for instance. The problem for the banking industry, as the fraud figures on the UK Payments Administration Limited (replaced APACS from 6 July 2009) web site illustrate, is that fraud has increased annually, despite the introduction of chip and PIN. This might mean the thieves have worked out how to clone chip and PIN cards, and that the banks’ hardware and software systems are given false information by a cloned card that is sufficient to make the software record that it was your card in the ATM.
Another problem with the figures for fraud issued by UK Payments Administration Limited is this: they collate the figures from their membership, and there is no breakdown of the accuracy of the figures placed in the public domain. For instance, if ten people claim money has been withdrawn from ATMs, and the bank refunds one of them, which figure is going to be reported? The entire amount from all ten customers, or just the single figure from the single customer that has been refunded?
It cannot be emphasized too much that you need to act as a matter of urgency (that is, within 24 hours) if you find unauthorized withdrawals have been made from your account.
Suggestions
1. Retain your card
You will need to have the transaction counter on your card checked by a digital evidence specialist. If the transaction counter on your card is less than the number of transactions recorded against your account, the evidence points to a cloned card being used by a thief to make withdrawals.
2. Ask for the ATM receipts
3. Put your bank on notice that you wish to see the ARQC
The bank may refuse to permit you to see the ATM receipts and the ARQC, but if you put them on notice (send them a letter by recorded delivery) that you may rely upon these items of evidence to assess whether your card was used or not, and they then destroy the evidence before legal action takes place (if it does take place), then this will not be good for the bank.
4. Alibi
If you were in another location at the times the cash was withdrawn, recall who you were with and get them to make a statement for you immediately, preferably in a statement made before a solicitor. Evidence that you were somewhere else at the time the withdrawals were made will be very helpful. Do not delay in doing this. If you were not with somebody, but shopping, perhaps, retain evidence of any transactions you made, especially if they were with other cards in your possession.
5. Other people might have the same problem as you
Do not delay in trying to find out if other people had the same problem with the same ATM. This is also very helpful, and you must do this quickly – ask your local newspaper if they will run a story, start a web site to ask for help, put up posters asking for the names and addresses of anybody else that might have had an identical experience.
6. Check the possibility that CCTV footage might exist
It might be that CCTV footage exists of those people using the ATM or ATMs in question. You will need to identify the owner of the relevant CCTV, then request to have a copy of the footage from the owner. This might be far more difficult than it appears. Although the owners of CCTV insist they are recording to prevent crime, it has transpired that since I posted this list of suggestions, many people have found obtaining CCTV footage almost impossible. In some cases, people have been informed by the police that it is not their concern, and the police have informed the complainant that they must look to their bank to obtain such footage, and some banks will not cooperate with their customer over obtaining such footage.
There may also be technical problems with the actual CCTV footage because of poor quality, and it might be that the footage is destroyed after a set period of time. If a policy exists to destroy all footage after 30 days, then any subject access request you might consider making under the provisions of the Data Protection Act 1998 will mean the footage is destroyed before the request is dealt with. Ideally, you should find out if any CCTV footage is available, and obtain a copy immediately; if necessary, visit the shop or bank and ask to see the CCTV manager, and get them to go through the recording and copy the recording for you. If you do this, you will be wise to ask them to give you a statement - if not, you should obtain such details as the date and time you spoke to them, their name, address of the premises and any actions that were carried out. Further, if the CCTV is held by the bank, put them on formal notice (send them a letter by recorded delivery) that you wish the evidence to be retained, pending any legal action.
7. Request your bank to provide a full copy of your customer file
You should have a contractual right to see your customer file, but if this is refused, make a subject access request under the provisions of the Data Protection Act 1998 (if you make an application under the provisions of the Act, you must follow the guidance issued by the Information Commissioner).
8. Report the matter to the police
The police will probably not be interested in taking up your complaint. The official thinking on this issue is very confused - perhaps deliberately. The official line is that it is for the bank to make a complaint to the police that a crime has been committed, because the bank is the one that has lost money. This would be correct if the bank refunds your money. However, where the bank refuses to refund your money, then they are, in effect, accusing you of fraud by asking for the return of money you say that you neither withdrew yourself, nor authorized any other person to withdraw. In this respect, it will be worth considering submitting a request for information under the Freedom of Information Act 2000 to the local police. You might request information such as the number of crime reports (set out on a monthly basis over the material time withdrawals were made – perhaps three months either side) recorded in the relevant town, city or village, and relating to complaints made by individuals where withdrawals have been recorded at and where the individual claimed they were not responsible for the withdrawal.
9. Write a letter to your card issuer putting them on notice
Consider writing a letter fairly quickly putting your card issuer on notice that they must retain all the records that are relevant to the dispute. I have written one which is available as a free download.
If you have any more suggestions to make to add to this list, please feel free to get in touch with me.
Other suggestions received which I consider helpful:
1. Get an experienced litigator, familiar with digital evidence, involved very early.
2. Consider recording every conversation you have with your bank, and ensure the person you are speaking to understands you are recording the conversation. Obtain the name of the person you are speaking to, together with the name of their department and telephone number. Conversely, ask the person you are speaking to if the telephone conversation is being recorded. The bank usually records the conversation. You have the right to obtain a copy of the conversation.
3. Take full notes of every conversation if you cannot record the conversation. Ensure the person you are speaking to is aware you are taking notes. Ensure the person you speak to is aware that you are the customer, and you should be treated with courtesy. Some employees are very aggressive towards customers claiming money has been debited from their account for which they are not responsible, and it is important to remind the employee that you are the customer.
4. Write to your Member of Parliament. This is for two reasons. First, if every MP received regular letters of complaint from their constituents on this topic, then they would exert pressure on government ministers to do something about the present system of recording and handling unauthorized withdrawals from ATMs. Second, sometimes the only way you can obtain help is by going to your MP. Sometimes an MP can resolve the issue with a single letter to the Chairman of the bank. Some MPs will react to you by not doing anything, with the lame excuse that your case might go before the courts. In the vast majority of cases, this is impractical for the person that has suffered a loss, because they cannot afford legal help, and do not want to be faced with the uncertainty of paying the costs of the bank if they do not succeed. The risks of taking legal action can be very high for a variety of reasons.
5. With or without a litigator, try to put in issue at an early stage (both in correspondence and in the pleadings) the reliability of the bank’s records and systems, so that the bank is put to proof of their reliability. This will probably first become an issue if or when the bank fails to disclose relevant system and transaction documentation, and will be tested on an application for specific disclosure. Such an application probably needs to be supported by the report of a suitably qualified specialist on what is needed to assess reliability and security, and why it ought not to be a burden for the bank to provide.
6. Judges are likely to approach the reliability of computer systems much as they might once have approached the till roll from a mechanical cash register. It is reasonable to assume that the till roll correctly reflects the transactions entered on the till. Suitably qualified expert evidence will need to include explanations of why it is not reasonable to make the corresponding assumption in the case of computer systems. This evidence needs to address the complexity and unpredictability of software in general, as well as making the point that when security is being assessed, it is necessary to consider the performance of the system not only when it is operating in the face of the usual accidents of life, but also when it is under attack by a highly skilled and highly motivated attacker. This evidence provides a strong foundation for arguing that the bank must prove all the links in the chain.
7. If the bank complains of the burden imposed of what it is required to prove because of the complexity of its systems, suitable expert evidence should be adduced about the need for systems to be simple enough to be easily checked if their reliability and security is to be maintained. This provides a foundation for alternative arguments, either that the tasks to be imposed on the bank are not unduly burdensome, or that the fact that those tasks are unduly burdensome is in itself evidence of the unreliability of those systems.
Finally, bear in mind a point that APACS itself makes (http://www.apacs.org.uk/resources_publications/documents/PIN_Administration_Policy.pdf (p11)):
‘The PIN Administration process must not only be secure, but also be demonstrably secure. If PIN Security is publicly challenged, either in the media or in a court of law, it must be possible to respond to such a challenge and for the response to be supported with evidence. Furthermore, the use of that evidence in the public domain must not in itself compromise security.’
(This point was made in my skeleton argument on behalf of Mr Job).
