[Reporter’s Notebook] Why Should Banks Be Liable for Voice Phishing Damages?

Changhwan Lee, Deputy Head of Economic and Financial Department

The government has once again announced measures to eradicate voice phishing. Despite more than a decade of pledges to eliminate voice phishing, the number of victims has continued to rise each year, with annual damages now approaching 1 trillion won. In response, the government has decided to pursue legislation requiring parties responsible for preventing voice phishing, such as banks and credit card companies, to compensate for losses.

The core of the "Comprehensive Plan to Eradicate Voice Phishing" announced by the government the previous day is the principle of "strict liability for compensation in voice phishing cases." At first glance, this may appear to be a virtuous move to protect victims, but for financial institutions, it is a shocking and unreasonable decision. Its effectiveness is also in question.

Consider one of the voice phishing cases made public this year by the Financial Supervisory Service. Last year, a woman in her 60s living in Seoul, referred to as Ms. A, suffered losses amounting to hundreds of millions of won after falling victim to voice phishing. A scammer impersonating a credit card company employee called her and, claiming her identity had been stolen due to a data breach, induced her to install a malicious application. Subsequently, another scammer, pretending to be an employee of the Financial Supervisory Service or the prosecution, called and threatened her with "arrest," frightening Ms. A into transferring a large sum of money.

Ms. A's case is truly unfortunate, but was there anything the bank did wrong or could have done to prevent the loss? She transferred the money herself to the criminal via a non-face-to-face transaction. How could the bank have prevented this in advance? Demanding that banks compensate for and take responsibility for crimes that even law enforcement could not prevent is unreasonable.

The government explained that the background for this legislation is that, due to the advancement of artificial intelligence (AI) technology, criminal methods have become more sophisticated, making it difficult for individuals to protect themselves, and therefore, financial institutions with expertise should be held responsible. However, it is the government and the political community that have failed to achieve effective results despite announcing dozens of measures over the past decade. Shifting the responsibility to private financial institutions at this point is a feeble and irresponsible idea.

Financial institutions have stated that they will "establish voice phishing prevention measures and prepare necessary steps in line with government policy," but internally, they have complex concerns. There is resistance to the idea of having to compensate for even unavoidable losses, as well as worries that the compensation system could dull consumers' sense of caution. Ultimately, there is significant dissatisfaction that this simply imposes yet another financial burden on the industry.

Voice phishing has proliferated not because financial institutions have failed to prevent it, but because the government, the National Assembly, and the judiciary have all responded complacently. The government has announced dozens of countermeasures, but they have lacked effectiveness; the National Assembly has neglected to enact relevant legislation; and the courts have handed down lenient sentences to voice phishing criminals, increasing the rate of repeat offenses.

Before shifting the responsibility for compensation to the private sector, there must be reflection on why fundamental solutions have failed to work. Eradicating voice phishing is an issue that the state, not financial institutions, must take responsibility for. Reviewing the policy failures of the past few years should come first.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.