Voice Phishing Damage, Banks Also Share Responsibility According to Prevention Efforts... Including Compensation for Losses

From now on, banks will also share responsibility for damages caused by smishing and voice phishing. While users have often borne the full brunt of such damages, banks will now compensate for losses within a reasonable scope according to the standards of responsibility.

On the morning of the 5th, the Financial Supervisory Service and 19 domestic banks signed an agreement titled "Agreement for the Promotion of Non-face-to-face Financial Accident Prevention," which includes this content. The amount of compensation by banks will be determined by comprehensively considering the level of banks' preventive efforts against non-face-to-face financial accidents and the degree of user negligence. This will be primarily implemented in the banking sector for incidents occurring after January 1 of next year.

Until now, cases such as exposure of identification cards or loss of control over mobile phones due to installation of malicious apps were often regarded as users’ gross negligence, resulting in no compensation. However, going forward, responsibility will be shared within a reasonable range by considering not only the customer's negligence but also the extent of banks' efforts to prevent non-face-to-face financial accidents. At the signing ceremony, Lee Bok-hyun, Governor of the Financial Supervisory Service, emphasized, "The responsibility-sharing standards for non-face-to-face financial accidents will impose reasonable compensation liability on banks while motivating them to proactively prevent financial accidents themselves."

For example, an 80-year-old victim, Mr. A, who had never used a bank app, clicked on an electronic wedding invitation address sent via text message. The smishing perpetrator stole a photo of Mr. A’s resident registration card stored on his phone, opened a mobile phone and bank account in Mr. A’s name, and executed a loan. Until now, the user bore full responsibility in such cases, but from now on, banks’ preventive efforts will also be considered. If banks fail to implement malicious app detection systems during non-face-to-face loans or do not apply abnormal transaction detection rules for elderly users with no app usage history, effectively disabling suspicious transaction detection and response functions, banks must compensate 20-50% of the damage amount. However, the compensation ratio may vary depending on the actual case.

The level of responsibility sharing will be determined based on banks’ sufficiency in fulfilling non-face-to-face identity verification obligations, monitoring and responding to abnormal transactions, and other financial accident prevention activities. For users, the degree of negligence will be determined by the process and scope of providing personal information such as real-name verification documents (resident registration card, etc.), electronic devices (mobile phones, etc.), authentication numbers, and passwords.

Deputy Governor Kim Byung-chil explained in a briefing, "There is an effect of being able to promptly resolve disputes through voluntary compensation procedures instead of long-term litigation," adding, "From now on, responsibility will be shared within a reasonable range by considering not only user negligence but also banks’ efforts to prevent financial accidents." However, it should be noted that if users store photos of identification cards or passwords on their mobile phones leading to financial accidents, relief may be limited.

Financial Supervisory Service, Yeouido, Seoul. Photo by Jinhyung Kang aymsdream@

In addition, looking at the main contents of the agreement, banks must comply with the guidelines for operating the Fraud Detection System (FDS), build and operate the system accordingly, and continuously strive to refine and advance it. Deputy Governor Kim explained, "Since standards differed among banks, relatively weak links emerged. We have prepared 51 common suspicious transaction detection rules (Rule-set) deemed necessary for all banks to apply uniformly, and these will be reflected in each bank’s FDS system going forward."

For example, if a certain number of transfers are detected within a short time from accounts of minors or customers above a certain age to accounts with no past deposit history, additional authentication such as outbound calls or video calls must be conducted after detection. If a certain number of calls are missed or the call content indicates an accident, electronic financial transactions will be blocked.

Furthermore, banks must proactively introduce and improve various preventive measures such as biometric authentication to strengthen the safety of non-face-to-face financial transactions. The Financial Supervisory Service will actively support banks’ efforts to prevent non-face-to-face financial accidents and continuously consult with banks to enhance the safety of non-face-to-face financial transactions. On the same day, the Financial Supervisory Service also signed a business agreement with the Korea Post to establish a mutual cooperation system for detecting and blocking suspicious financial transactions.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.