Ray abused the trust Tama had put in him and transferred $112,500 from one of Tama’s accounts through mobile banking. The bank spoke to another account holder, who was a family member, about the theft and explained that Tama was liable for the loss because he had given Ray his login details. The bank told this person to tell Tama to change his password. It did not contact Tama directly. The password was never changed, and Tama and Ray eventually resolved their differences about the transfer.

Six months later, however, Ray transferred a further $45,000 from one of Tama’s accounts through mobile banking. Tama argued the bank should accept responsibility for the loss because it allowed Ray to access his mobile banking on his phone and because it did not take sufficient steps to protect his accounts after the earlier unauthorised transaction.

Our investigation   

To install mobile banking on a device, a person must have the internet banking login details and must verify the installation using a text code sent to the customer’s registered phone. The bank sent the code to Ray’s phone because his number was loaded against Tama’s profile in the bank’s system. Tama was adamant he never authorised the change to the mobile number and suggested Ray might have impersonated him to do so. He said he had never visited the branch where the number was changed, never visited any branch with Ray and also pointed out that the branch in question was in Ray’s neighbourhood. The bank was unable to offer any evidence Tama authorised the change. In these circumstances, we were not satisfied Tama had authorised the change to the mobile number.

We also looked at the steps the bank took after it was notified of the unauthorised $112,500 transaction. We considered the bank had further opportunities at this point to protect the accounts, including contacting Tama personally, following up to ensure the password was changed, or resetting the password itself to force a change.

We considered three factors contributed to the loss: Tama’s disclosure of his login details, the apparent unauthorised change to his mobile number, and the lack of follow-up steps by the bank after the earlier unauthorised transaction. Tama was responsible for the first, and the bank for the second and third. We suggested Tama and the bank consider apportioning the loss on a one-third, two-thirds basis. 

Outcome

They agreed to do so, and the bank reimbursed two-thirds of the $45,000 loss, or $30,000.