Banking CEOs should think twice before victim blaming
The piece went on to quote RBS CEO Ross McEwan, who reportedly said that banks didn’t necessarily have a duty of care to defrauded customers. Subsequent articles from publications such as The Guardian have shared stories of people who were tricked into handing over large sums of money to fraudsters.
To be fair to Ross McEwan, the organisation, when speaking to CNBC yesterday, suggested that the Daily Mail had sensationalised McEwan’s comments and taken them out of context. Hardly surprising considering the publication, perhaps, but the fact remains that if someone’s credit card is attacked, banks are generally pretty quick to react. As a customer, you’re usually covered for any loss when money is fraudulently spent on your card. When it’s another account, however, regardless of how out of the blue or suspicious an activity is, you’re largely unprotected.
Right now, it’s a complex problem for the bank to solve. The Guardian article referenced above talks about the fact that behind the scenes, the bank doesn’t give a stuff about the recipient – all it’s looking for, and matching the transaction request with, is the account number provided.
Account numbers typically have no meaning to the sender, so verifying that a number belongs to a specific person or company is hard. So, you have no other option than to trust what someone tells you is their number and then send the funds in that direction. Mistyping account numbers – this is nothing new. People tend to spend more time verifying account numbers when the amounts are high or it’s a new recipient.
Conversely, when we talk to people on Facebook, send email, text messages etc., we have an ecosystem around such dialogues that builds trust. There is a profile to a friend request, there is a picture of a person in chat applications – it builds trust.
An account number is a black hole.
Using a phone number or a more verifiable destination would be the simple solution to most account number problems. But that would require an overhaul of legacy systems, or require someone to operate a lookup service to switch between accounts and numbers, something that is forming both in the Nordics and in Greece with the Iris service.
The second aspect that would help prevent these kinds of (potentially life-ruining) criminal acts is better and more robust fraud detection inside banks. Visa and MasterCard operate large networks where the various responsibilities, and the risk, are spread across several players. Fraud information is shared, blacklists are distributed and the revenue from card processing fees is partly set aside to cover whatever fraud cases pass the myriad of radars along the transaction rails. This is not the case for account-to-account payments.
We know that the bank’s priority right now lies in ensuring said legacy systems can comply with upcoming regulatory changes (such as PSD2 and GDPR). But, just as important is fending off potential disruptors once said regulatory changes come into effect. And the thing is, many of these disruptors will be and are taking the steps necessary to ensure “mistakes” like this just can’t happen. So, who then will customers choose to keep their money safe?
The RBS response to this particular case does not build trust. I would argue that it, in fact, crushes it.
If banks still believe that trust and their current size alone are going to be enough to withstand the competition from innovations and technology-driven newcomers – like the digital chief at HSBC claimed recently – then cases like this certainly won’t help banks [to stay competitive and relevant for consumers].
Banks – in the late evening of what is certainly their biggest disruptive era – will do well to remember that their customers’ problems are actually their problems.