There's been a lot of discussion about banks carrying liability for internet banking fraud this year, not least because of attempts by some institutions to move partial liability to customers in the event that they are ripped off when they lack adequate computer security. If there was ever any doubt about what customers stand to lose through such a move, it was painfully played out in a case that came before the Supreme Court of Victoria in November.
Superannuant Trevor McGiddy is suing his financial planner after it somehow transferred $700,000 of his money to some charming alleged identity fraudsters in the Congo.
It seems somehow McGiddy's financial planners, Collins House Financial Services, received an email from a Yahoo! account set up in McGiddy's name and then came good on a request contained within it that they transfer funds to Bank Negara Indonesia.
McGiddy was not impressed. Unsurprisingly he wants his money back and has sued not just his financial planner, but his superannuation trustee, NMMT, which is owned by Axa.
There are two things here that should set off alarm bells in every financial regulator's office in Australia. First, the apparent ease with which such a large sum of money was obtained raises clear questions about the effectiveness of security within those organisations that were entrusted with the funds.
But the second and far more disturbing question is why McGiddy has been forced to sue to get his money back at all, especially given that deposit-taking institutions - the banks - have already agreed that they will not shift liability to their customers for electronic scams.
It's a pretty crappy stance, considering that for a decade banks have sought to educate customers not to respond to the many email scams that seek to gain their sensitive details - and even when people fall victim, the bank wears the loss to retain customer confidence.
So why should superannuation funds, trustees and financial planners, with whom their customers entrust long-term financial security, be allowed to cost shift back to the client when hit by an electronic scam?
For years financial planners have arrogantly ignored the notion that there could be a massive fraud problem brewing in the super industry, all the time insisting that protections for dealing with identity fraud and theft, electronic or otherwise, are adequate.
But that's crap. If you don't believe me, try on for size some of these warnings that a serving state police officer gave, nearly two years ago, on the potential scope and scale of the problem (I'll leave the officer's name out of it for the sake of sparing the officer concerned the paperwork).
"An identified risk is with the self-management of superannuation funds, with the funds managers or financial planners [and] advisers. The clients of the fund managers [and] financial advisers hold all their trust in these people." Sounds credible, huh?
"Some of the risks are: inexperienced managers [and] advisers; lack of knowledge, accountability and potential identity fraud issues. These managers [and] advisers can advise where to invest the funds, and in some cases, have complete control over the funds [and] investment[s]." Even more credible. But there's more ...
"There have been numerous cases over the years where the fund managers have been unauthorised and have used the funds for fictitious investment schemes, share trading, fee gouging, and even straight-out theft of the funds."
And more ... "In December 2003, an organised crime gang sent a fax to a fund manager acting for the [Commonwealth Superannuation Scheme], requesting him to transfer money from various accounts to overseas accounts in Greece, Hong Kong and Switzerland, totalling $150 million.
Apparently the fax was a 'highly sophisticated fraud'."
Here's the punchline from our friendly cop. "Because superannuation fraud is an untapped market in Australia, the extent of the fraud problem will not be known until the realisation of the individual funds. This realisation may take from five to 20 years. Some people will turn up to collect their superannuation contributions, only to find that it had been fraudulently obtained [or] transferred years earlier."
Superannuation funds are not like everyday bank accounts or credit cards where there is a high volume of transactions that call on deposits or credit to make payments. They typically see regular contributions going in and large lump sums going out.
There is no cogent argument that can be made that transferring hundreds of thousands of dollars to a foreign bank account does not deserve stringent identity and authorisation checks - or some sort of escrow or quarantine facilities - before clearing.
That superannuation fraud liability is being contested at all by the financial services industry should be enough to spur immediate regulatory action to provide certainty against the possibility that funds are being illegally obtained through electronic means when a customer has no control over security.
© Fairfax Business Media