Case note: what are the security obligations of customers for passwords and PINs?

In National Australia Bank Ltd v Swed (No. 2) [2015] NSWSC 1322, the Supreme Court of New South Wales rejected, on the basis of fraud by the Defendant’s wife, the Bank’s application for possession of the Defendant borrower’s property and for judgment for the amount owing to the Bank: the balance of a loan of $400,000 plus enforcement expenses. The Judge decided that the borrower had not breached the security obligations of customers relating to his password and PIN.

The principal issue in the case was whether the Defendant and his wife were to be believed that she obtained access to the accounts and misappropriated the funds without the Defendant’s knowledge. The second issue was whether the Defendant was in breach of the Telephone Banking Terms and Conditions that formed part of his arrangement with the Bank. The Bank asserted that he contravened the security arrangements of those Terms and Conditions, that he acted with extreme carelessness in failing to protect his PIN and telephone banking password, or voluntarily disclosed them to his wife.

The Defendant believed that his wife, who resided with him, was responsible for having accessed his accounts through the telephone banking system, and that she withdrew the money and used it for gambling purposes. The Defendant claimed to know nothing of his wife’s use of the accounts or the money.

There was no evidence to the contrary and Judge Davies decided that the onus was on the Bank to prove the defendant failed to keep his card, PIN and password secure.

The Bank relied on the EFT Code, which contained a provision similar to clause 12.4 of the new ePayments Code, which states:
“12.4 A user must not act with extreme carelessness in failing to protect the security of all pass codes where extreme carelessness means a degree of carelessness that greatly exceeds what would normally be considered careless behaviour.
Note 1: An example of extreme carelessness is storing a user name and pass code for internet banking in a diary, BlackBerry or computer that is not password protected under the heading ‘Internet banking codes’.”

Judge Davies concluded:

Whilst I accept that the evidence of each of Mr and Mrs Swed was not entirely satisfactory I accept the general thrust of their evidence. That is to say, I accept that Mr Swed did not disclose his password nor his PIN to Mrs Swed at any time. A number of matters provide support for this. First, there is no doubt on the evidence of all of the members of the family that Mrs Swed had earlier had a gambling problem which caused the family financial loss. As a result Mr Swed took the steps I have mentioned to minimise the risk of further losses from her gambling. Although, as he said, he may have forgiven her, he was still wary of what she might do. Particularly for that reason he gave instructions to the Bank not to let her give any instructions with regard to the account nor was she permitted to operate on the account.

Secondly, Mr Swed refused to give his daughters, whom he trusted entirely, his password or his PIN. If he would not do that, it makes no sense that he would have given his private information to Mrs Swed.

Thirdly, when it was ascertained that there were problems with the balance on the account he did not initially confront Mrs Swed about the matter. That would have been the obvious response if he had given her his password and his PIN. Rather, he went to the Bank believing that the Bank officer who had the right to operate on the account had done something that brought about the increased debit balance. When it was ascertained that that was not the case he went with his daughter straight to the police to report the matter to them. The report was not that his wife had done anything but that someone had interfered with the account.

Fourthly, Mr Swed acknowledged in his affidavit of 21 May 2014 that a number of drawdowns were for expenses that he knew and authorised. That tends to support his honesty.

Fifthly, Mrs Swed’s conversations with the Bank’s solicitors … tend to show that she was intercepting the mail as she said, and that she was trying to fend off action by the Bank to prevent her fraud becoming exposed.

Sixthly, Mr Swed was able to use, and did use, ATMs himself. He had no reason to give Mrs Swed his PIN for any reason associated with assistance he might need.

Finally, if Mrs Swed had been given the password and PIN by Mr Swed it would make little sense for her to have come to Court to confess that she engaged in this systematic fraud unless there was a conspiracy with Mr Swed for the purpose of avoiding the Bank retaking possession of the property and pursuing Mr Swed to a monetary judgment. …

I do not accept that there is any such conspiracy. Such a conspiracy would have involved the daughters … who gave evidence in the case. … I thought that they were honest witnesses doing their best to tell the truth, and in respect of most of their evidence I found it to be reliable…..

I do not consider that by entering his password and handing the phone back to Mrs Swed Mr Swed acted with extreme carelessness. It was not even reasonable for him to have considered that if he did so Mrs Swed would see and remember the password numbers. The test is considerably higher than acting unreasonably in any event. The example given in the footnote to the Code of what might constitute extreme carelessness shows that what Mr Swed did was in a different category altogether. There was no evidence to show that Mr Swed knew that the numbers he entered would be visible to Mrs Swed when he handed the phone back to her, let alone that she would try, or be able, to remember it…

In relation to his PIN Mr Swed gave evidence that if he used the ATM when Mrs Swed was with him he made her stand a metre or a metre and a half away so that she would not be able to see what he entered on the key pad. Mrs Swed’s evidence was that she was able to look around him to the side and see the number he entered. The Bank submitted that this evidence should not be accepted because the respective sizes of Mr and Mrs Swed would have made that impossible.

All the evidence suggests that Mr Swed did what he could to keep both his password and his PIN secret from Mrs Swed in particular. There is no other evidence of how Mrs Swed could have obtained his PIN. Her evidence of how she managed to see it is not so fanciful that it cannot be believed. It is possible for persons to observe the entry of a PIN because of where the keypad is located. Mrs Swed is a clever woman and one who appears to have perfected deception in various guises to feed her gambling habit. I consider that her evidence of how she came to know Mr Swed’s PIN should be accepted.

I do not consider, however, that this conclusion means that Mr Swed acted with extreme carelessness in relation to the entry of his PIN. Both his evidence and that of Mrs Swed was that he did what he could to prevent her being able to see what he was doing at the ATM. If he did not realise that she was closer than he thought, that cannot be characterised as extreme carelessness.

 
