Legal aspects of internet banking related to international business transactions

Table of Contents

i Declaration

ii Summary

1 Chapter 1 Introduction
1 1 Problem statement
1 2 Aim and method of research
1 3 Conceptualisation
1 3 1 Banking group
1 3 2 Branch of a bank
1 3 3 Data
1 3 4 Electronic banking
1 3 5 Electronic money
1 3 6 Internet banking
1 3 7 Money laundering
1 3 8 Profiling
1 3 9 Transaction
1 4 Structure of the Thesis

2 Chapter 2 Internet banking: changing the face of financial services
2 1 Introduction
2 1 1 Virtual banks: future of banking
2 1 2 Main risks for electronic banking

3 Chapter 3 Jurisdiction: the cross-border nature of the Internet 14
3 1 Introduction to the Jurisdiction
3 1 1 The problem of targeting the Internet bank customers
3 1 2 Supervision of e-banking: need for international cooperation

4 Chapter 4 Internet banking: selected issues
4 1 Introduction
4 1 1 Data protection and consumer privacy
4 1 2 The importance of privacy: risks
4 1 2 1 Regulation in the United Kingdom
4 1 2 2 Regulation in South Africa
4.1.3 Consumer profiling
4.2 Providing services
4.2.1 Regulation in the United Kingdom
4.2.2 Regulation in South Africa
4.3. Advertising internet banking services
4.3.1 Regulation in the United Kingdom
4.3.2 Regulation in South Africa

5 Chapter 5: Conclusion

i Declaration:

I, the undersigned, hereby declare that the work contained in this study project is my own original work and that I have not previously in its entirety or in part submitted it at any other university for a degree.

Signature:

Date:

ii Summary

This paper focuses upon legal issues arising in the field of electronic or Internet banking. The overview of previous developments in this field and of types of e-banks will be given. It analyses existing and potential problems mainly connected with cross-border services. The issue of data protection, the right to provide services and the advertisement of e-banking services will be especially examined. The paper will evaluate current regulation and it will be shown, that there are either lacunae in such legislation, in the alternative, several important issues are left unanswered, possibly severely hindering the further progress of Internet banking. This dissertation suggests that further developing of both international and domestic legislation is crucial for banks to be able to make use of the possibilities offered by the Internet.

1 Chapter 1 Introduction

The Internet is still developing rapidly. Presently it has approximately 1.08 million users and by 2010 the estimated number of users according to some researchers might be as high as 1.8 billion users.^[1] Despite all of this, the regulation of cyberspace is still quite poor. Even in the areas of banking and other financial services, which are normally vastly regulated and supervised by governments, legislation in this field is not up to date and consequently the various problems arising from the unique nature of the Internet remain unaddressed.

1 1 Problem statement

As the Internet has become such a big part of everyday life for a large number of people, empirical literature is developing, which is evident from the numerous articles and books being written, especially over the past few years. Nevertheless, banking over the Internet has not been one of the most researched areas, as it is still only moderately used in most countries of the world. In as recently as 2001, Dan Niedzwiecki says:

“The actual effects of Internet banking, however, have relatively little effect on the current profitability of most banks, as Internet banking channels generally serve only a small percentage of a bank’s customer base.”^[2]

Notwithstanding, Internet banking clearly has considerable potential. The chief factor pushing the increased use of Internet technology has been competitive pressure. Money has become primarily digital.^[3] Banks must offer Internet services or lose their customers to the competition.^[4] Besides research, which is lacking in material aspects, there is also the problem of the developing speed of the Internet. New problems continently arise and the solutions offered only a few years ago are likely to be outdated.

1 2 Aim and method of research

This paper will analyse the specific legal issues connected with Internet banking, focusing on the current legislation of the United Kingdom and South Africa. Therefore an extensive literature study has been undertaken and recent articles, case law and statutory materials have been used. It will be shown, that the regulation pertaining to Internet banking is either insufficient or leaves several important questions unanswered and thus potentially leading to serious problems. Some useful definitions of relevant terms will now be dealt with.

1 3 Conceptualisation

Before embarking on this literature study a number of terms need to be defined for purposes of the study.

1 3 1 Banking Group

Banking group means a group consisting of two or more persons, whether natural or juristic persons, that are predominantly engaged in financial activities and one or more of which is a bank.^[5]

1 3 2 Branch of a bank

Branch of a bank means an institution by means of which a bank conducts the business of a bank outside the Republic.^[6]

1 3 3 Data

Data means any representation of information, knowledge, facts or concepts, capable of being processed in a computer system.^[7]

1 3 4 Electronic banking

Electronic banking refers to the provision of retail and small value banking products and services through electronic channels.^[8] Such products and services can include deposit-taking, lending, account-management, the provision of financial advice, electronic bill payment, and the provision of other electronic payment products and services such as electronic money (defined separately, below). Currently, widely used access devices through which electronic banking products and services can be provided to customers include point of sale terminals, automatic teller machines (ATM), telephones, personal computers, smart cards and other devices.

1 3 5 Electronic money

Electronic money refers to “stored value” or prepaid payment mechanisms for executing payments via point of sale terminals, direct transfers between two devices, or over open computer networks such as the Internet.^[9] Stored value products include “hardware” or “card-based” mechanisms (also called “electronic purses”), and “software” or “network-based” mechanisms (also called “digital cash”). Stored value cards can be “single-purpose” or “multi-purpose”.^[10] “Single-purpose cards (e.g. telephone cards) are used to purchase one type of good or service, or products from one vendor; multi-purpose cards can be used for a variety of purchases from several vendors.^[11] Banks may participate in electronic money schemes as issuers, but they may also perform other functions. Those include distributing electronic money transactions for merchants; handling the processing, clearing, and settlement of electronic money transactions; and maintaining records of transactions. In South Africa the Financial Intelligence Centre Act 38 of 2001 (hereinafter FICA) established rules for banks to collect information of customers and to keep them for at least 5 years.^[12]

1 3 6 Internet Banking

“The Controller’s Handbook defines Internet Banking as the systems that enable bank customers to access accounts and general information on bank products and services through a personal computer or other intelligent device”.^[13]

1 3 7 Money laundering

Money laundering or Money laundering activity means an activity which has or is likely to have the effect of concealing or disguising the nature, source, location, disposition or movement of the proceeds of unlawful activities or any interest which anyone has in such proceeds, and includes any activity which constitutes an offence in terms of section 64 of the Act.^[14]

1 3 8 Profiling

Profiling means that banks collect, process, operate, trade, and merge the transaction data with data from other sources, to create a profile of each customer.^[15]

1 3 9 Transaction

Transaction means a transaction concluded between a client and an accountable institution in accordance with the type of business carried on by that institution.^[16]

“They take place in the mysterious silence of the cyberspace and may take place over a number of days while the necessary clearances are obtained and encryption codes are deciphered.”^[17]

1 4 Structure of the thesis

Following this introductory chapter, the study will unfold as follows: The paper will give in chapter one an overview of internet banking and explain the different types of Internet banks as well as the main risks connected with an e-banking process. The second chapter will analyse jurisdictional problems in cyberspace, focusing especially on the issues arising from the nature of e-banking. Especially the problem of targeting consumers will be addressed together with the need for international regulation. The third chapter will cover some of the key issues in the electronic banking area, limited aspects of the regulation of data protection, the right to provide services and the question of promoting these services. The fourth chapter will provide remarks in conclusion.

Chapter 2 Internet banking: changing the face of financial services

2 1 Introduction

Banking forms part of the financial services sector. Any financial service institution operates as a financial intermediator between savers, investors and borrowers.^[18] Differing from many areas it is an extremely regulated and supervised industry, the banks are subject to licensing, examinations, limitations and supervision by the governments of the countries in which they are established.

A development has occurred in the field of financial services, where, increasing use is being made of computers to disseminate information on financial services such as investments and to enable customers to enter into such transactions by direct communication with the system. Therefore Internet banking is not a new form of banking, but only a new delivery system to provide the financial services already offered by the banks. It is particularly advantageous because of the low costs involved. To illustrate, Internet transactions cost about one cent each compared to $ 1.07 for a branch transaction, 73 cents by mail, 54 cents by telephone, and 27 cents at an ATM.^[19] In the next chapter it will be examined, whether there is really a world trend to Internet banking as it saves on the one hand, the expenses of the bank for example employees and offices and on the other hand the user’s time, because he is able to do banking around the clock from any place where he has Internet access without contacting his bank personally.

2 1 1 Virtual banks: the future of banking?

First it has to be shown, which different online banking variations exist. There are several classifications of banks offering services online.

One possible classification of electronic banking is that there are firstly “online banks”, where bank’s private networks are used to connect to the bank to carry out conventional banking transactions, secondly “web-based banks”, where the same transactions are performed over Internet and thirdly “Internet banks” providing services totally online, all of which are performed without even buildings of a traditional bank .^[20] However, most authors draw a distinction on a slightly different basis, distinguishing between traditional “brick and click banks” as being traditional banks, which have started offering their services through the internet; that is, becoming a so-called “clicks and bricks” and “virtual banks”, also called “internet-only banks”.^[21]

At present, most Internet banking is carried out by the traditional brick and click banks. It must be noted, that as the Basel Committee has said,

“While “clicks” are cheaper than “bricks”, they are not without their unique risks”.^[22]

This means that an Internet “click” transaction is not at all as secure as when the user would personally go to the bank’s office, for example the “brick”. However, the nature of the Internet allows institutions to provide a direct service to their clients, to explain investment schemes and saving plans and allow these banks to exist only in cyberspace. In addition clients acknowledge the risks involved in Internet banking by signing contracts.^[23]

A virtual bank can of course reduce the maintenance costs of the bank, as it will not need offices in buildings or the employment of many people for a customer service. Furthermore, compared to banks that are not using Internet banking, significantly larger geographical markets can be reached.^[24] As a result the bank can offer better prices. It has been expected by commercial experts that internet banking will drive traditional brick and clicks banks to extinction and that only virtual banks will survive, due to better prices being offered as a result to low maintenance expenses. This opinion is not widely held anymore by finance experts and business people and this can be said for several reasons. Virtual banks have not been as successful and have not developed as rapidly as was expected. At this time there are only a small number of internet only banks and these are still quite ineffective, what can perhaps be attributed to people having more confidence in a bank which is a materially existing place. The main reason for not using banks only via the Internet is perhaps the lack of public trust, as many people still need a physical structural presence and do not have confidence in the security of Internet.^[25] Research has shown that the average one-year-old internet-only bank earned significantly lower profits than the average one-year-old traditional bank, which was attributed primarily due to low business volumes and high non-interest expenses.^[26] Another problem that can be cited is the insufficient regulation of Internet banking and legislation is generally a national concern as the Internet is of a trans-border crossing nature. The approaches developed for the traditional banks appear to work well for virtual banks^[27] as most regulators have not paid special attention to internet-only banks. As Internet banks simply do not need the same type of facilities as traditional banks, the assumption is included that they have rooms for customer service and does not mention the possibility of some banks having no physical presence whatsoever. Therefore personal contact with an investment consultant is nearly impossible. An additional difficulty is that the targeted demographic groups (young, educated and active customers of financial services) are not the most loyal customers.^[28] Even though Internet-only banks can offer higher rates of interest, the Internet banking customers will continue to search for more profitable arrangements.^[29] Perhaps, the reason that a lot of customers prefer to have a real person assisting them when confronted with complex issues will continue to endure. Research shows that only 2% of all bank customers would prefer to use Internet for dealing with complicated banking products.^[30]

There are two ways to begin the business of banking. The bank offers its services directly through the Internet, a so-called Internet start-up or the bank opens an office with employees and offers Internet banking optional to its clients.

Due to the lower investment costs, the profitability improves more quickly over time at the internet-only start-ups than at the traditional start-ups. Therefore there is a good chance that in spite of the failure to fulfill the expectations, virtual banks will prove to be feasible and the advantages of internet-only banking will be more extensively exploited.^[31]

Even if the prognostic view for the future development stays all together a positive one, there are a lot of risks that remain for example when an electronic transfer is made, as the Internet is a virtual world and opens the floodgates to potential criminals as well. An overview of the main risks will be identified in this study.

2 1 2 Main risks for electronic banking

The explosion of technology in the financial services industry has resulted in a wealth of new services and efficiencies. Unfortunately a number of new risks have arisen with these opportunities. Identifying and managing these new risks have become the newest challenge for financial institutions and their regulators.^[32]

The Electronic Banking Group^[33] suggests that “

operational risk, reputational risk, and legal risk [are] the most important risk categories for electronic banking.”

An operational risk is a risk connected to the potential for loss due to significant deficiencies in system reliability or integrity.^[34] It may include both external and internal attacks and the misuse of a bank’s computing system, in other words security risks, which are especially significant due to e-banking and the public network of the Internet. The reputation risk is “the risk of significant negative public opinion that results in … critical loss of funding [for the bank] or [a loss of] customers.”^[35] The legal risk arises, because most Internet banking users are unaware of the current existing Internet legislation.

Concerning the operational risk, the Federal Bureau of Investigation noted the explosive growth in computer intrusion cases handled by the FBI. Ninety percent of the companies in private survey reported security breaches and at least seventy-four percent of the companies reported “security breaches including theft of proprietary information, financial fraud, system penetration by outsiders, data or network sabotage, or denial of service attacks.”^[36] The attacks on a system work on the assumption that somebody sends instructions from a computer to which the hardware security module is connected.

“One could write a programme, save it on a disc then feed that disc into a computer to which the hardware security module is connected and then the programme would talk to the hardware security module on your behalf”^[37]

Due to these and other problems the South African government established a Financial Intelligence Centre^[38] and a money laundering Advisory Council^[39] in order to combat money laundering activities and the financing of terrorist and related activities.^[40]

The Functions of the Centre as a juristic person^[41] are to “

(a) process, analyse and interpret information disclosed to it, and obtained by it, in terms of this Act,
(b) inform, advise and cooperate with investigating authorities, supervisory bodies, the South African Revenue Service and the intelligence services and
(c) monitor and give guidance to accountable institutions, supervisory bodies and other persons regarding the performance by them of their duties and their compliance with the provisions of the Act.”^[42]

Due to the swift developments in the IT industry the systems can also rapidly become outdated and be inadequate. Furthermore, there is the risk of customer misuse, because where people are uneducated with regard to the security precautions that should be taken, they may unintentionally assist the security breaches by performing transactions in non-secure environments.^[43]

The second risk category is the reputation risk^[44], which can arise from systems or products not working properly, from security breaches, from mistakes, malfeasance, and fraud by third parties. The outcome of such events is not only significant for the bank directly involved, but can also lead to public distrust of Internet banking in general, which would definitely “hinder both the growth of banking on the Internet, and the growth of electronic commerce collectively.”^[45]

The third category of risks identified by the Basel Committee is the legal risk arising from the violation of laws, rules, regulations, or prescribed practices as the banks are often not aware of all the banking regulations in countries where their services are available for consumers. There are substantial differences between jurisdictions with respect to bank licensing, supervisory and customer protection requirements.^[46] Legal risk also involves the insufficient regulation in the field of e-banking. The existing South African Bank Acts, for example the Banks Act 94 of 1990, the FICA 38 of 2001 and the Financial Services Board Act of 1997 contain no direct provisions relating to online banking.^[47] The reason is in the opinion of the current writer that there is uncertainty about how the “choice of law” principles can be applied in an e-banking context. Furthermore, the contracts concluded over the Internet might not be valid or enforceable.^[48]

Obviously these are not the only hazards that have to be attended to. On the contrary, with the use of Internet banking new problems are encountered on a daily basis, because the access to the bank can be done by any person, who has an official authorisation and can take place anywhere in the world. Identifying those threats is an important task for lawyers who should be aware of such risks. The risks connected with online banking have been identified here and the study will now focus on jurisdictional aspects in an attempt to address this problem as well as relevant jurisdiction precedent with regard to internet contracts and banking practices.

[...]

---

^[1] ClickZ Stats staff “Population Explosion” November 3, 2005 accessed at http://cyberatlas.internet.com/big_picture/geographics/article/0,1323,5911_151151,00.html

^[2] Niedzwiecki, D. “Developments in Banking Law: 2000, Electronic Banking” 2001 Annual Review of Banking Law.

^[3] Katz, E.M. & Claypoole, T. F. “Willie Sutton Is On the Internet: Bank Security Strategy In a Shared Risk Environment” 2001 5 North Carolina Banking Institute 167.

^[4] Douglas, J.L. “Cyberbanking: Legal and Regulatory Considerations for Banking Organizations” 2000 4 North Carolina Banking Institute 57.

^[5] Banks Act 94 of 1990, Section 1.

^[6] Banks Act 90 of 1994, Section 1.

^[7] Financial Intelligence Centre Act 38 of 2001 (in the following FICA), Section 67 (d); in the Electronic Communications and Transactions Act 25 of 2002 (section1) the definition is more general: “data means electronic representations of information in any form”.

^[8] This document focuses on retail electronic banking and electronic payment services. Large-value electronic payments and other wholesale banking services delivered electronically are outside the scope of the present discussion.

^[9] Several official bodies have each issued their own definition of electronic money. As pointed out in a recent Group of ten report on electronic money, a precise definition of electronic money is difficult to provide, in part because technological innovations continue to blur distinctions between forms of prepaid electronic mechanisms (See Electronic Money: Consumer protection, law enforcement, supervisory and cross-border issues, Group of Ten, April 1997, for a list of such studies.)

^[10] Stored value cards may be characterized by the use of a magnetic stripe or a computer chip embedded in the card. A plastic card with an embedded computer chip (known as a “smart card”) may perform stored value applications, in addition to other functions such as debit and credit applications.

^[11] Increasingly, the terms “multi-purpose” or “multi-function” are also used to convey the idea that the card or device can function as several types of payment instrument (e.g. identification card, repository of personal medical information). The lack of standardisation of terminology is perhaps a reflection of rapid technological innovations.

^[12] The FICA 38 of 2001, Section 23 states about the Period for which records must be kept.

^[13] Douglas, J.L. “Cyberbanking: Legal and Regulatory Considerations for Banking Organizations” 2000 4 North Carolina Banking Institute 57.

^[14] See FICA 38 of 2001, Section 1.

^[15] Gertz, J. “The Purloined Personality: Consumer Profiling in Financial Services” summer 2002 San Diego Law Review.

^[16] FICA 38 of 2001 section 1 (Definitions).

^[17] Primesite Outdoor Advertising (Pty) Ltd v Salviati & Santori (Pty) Ltd 1999 (1) SA

^[18] Hall, A. “International Banking Regulation into the 21st Century: Flirting with Revolution” 2001 New York Law School Journal of International and Comparative Law 49-89.

^[19] Watson, C., N. ”The Growth of Internet-only Banks: Brick and Mortar Branches are Feeling the "Byte" 2000 4 North Carolina Banking Institute 345; Referring to interviews with South African banks the employees are not allowed to give out information about the internal banking costs of transactions to external persons.

^[20] Marcucci, J. “The Brave New World of Banking on the Internet: The Revolution of our Banking Practices” winter 1999 Nova Law Review.

^[21] Ibid.

^[22] Schott, P. “The New Basle Risk Principles for electronic Banking” July/August, 2001 Electronic Banking Law and Commerce Report accessed at www.bis.org.

^[23] The major South African banks (Nedbank, First National bank, ABSA and Standard bank) offer online banking optional. The customer has to apply directly online and accepts the terms and conditions via Internet.

^[24] De Young, R. “The financial progress of pure-play Internet banks” The Bank of International Settlements paper nr 7.

^[25] Litan, R.E.; Masson, P.; Pomerlando,M.;eds . Open doors: foreign participation in financial systems in developing countries Brookings Institution Press, Washington D.C. (2001) 397

^[26] De Young, R. “The financial progress of pure-play Internet banks” The Bank of International Settlements paper nr 7.

^[27] Nieto, M. “Reflections on the regulatory approach to e-finance” The Bank of International Settlements paper nr 7.

^[28] Litan, R.E.; Masson, P.; Pomerlando, M.; eds. Open doors: foreign participation in financial systems in developing countries Brookings Institution Press Washington D.C. (2001) 397

^[29] Niedzwiecki, D. “Developments in Banking Law: 2000, Electronic Banking” Annual Review of Banking Law 2001.

^[30] Watson, C.N. “The Growth of Internet-only Banks: Brick and Mortar Branches are Feeling the "Byte"” 2000 4 North Carolina Banking Institute 345.

^[31] De Young, R. ”The financial progress of pure-play Internet banks” The Bank of International Settlements paper nr 7.

^[32] Douglas, J. “Cyberbanking: Legal and Regulatory Considerations for Banking Organizations” April 2000 5 North Carolina Banking Institute.

^[33] Serving as a working group of the Basel Committee on Bank Supervision, the EBG was formed in November of 1999 to focus on the electronic banking from supervisory point of view.

^[34] Basel Committee on Bank Supervision “Report on Risk Management Principles for Electronic Banking” May 2001 accessed on the Bank for International Settlements’ Web site at http://www.bis.org, 7.

^[35] Basel Committee on Bank Supervision, “Report on Risk Management Principles for Electronic Banking”, May 2001 accessed on the Bank for International Settlements’ Web site at http://www.bis.org, 10.

^[36] Eugene M. Katz & Theodore F. Claypoole “Willie Sutton Is On the Internet: Bank Security Strategy in a Shared Risk Environment” 2001 5 North Carolina Banking Institute 167.

^[37] Diners Club SA(PTY) LTD v SINGH AND ANOTHER 2004 (3) SA 630

^[38] The Centre was established with the Financial Intelligence Centre Act 38 of 2001.

^[39] Section 17 (2) of the FICA 38 of 2001.

^[40] Section 3 (1) of the FICA 38 of 2001states that the principal objective of the Centre is to assist in the identification of the proceeds of unlawful activities and the combating of money laundering activities and the financing of terrorist and related activities.

^[41] Section 2 (2) FICA.

^[42] See Section 4 of the FICA.

^[43] Ibid.

^[44] See in this regard the definition under conceptualisation par 4.

^[45] Eugene M. Katz & Theodore F. Claypoole “Willie Sutton Is On the Internet: Bank Security Strategy in a Shared Risk Environment” 2001 5 North Carolina Banking Institute 167.

^[46] Electronic Banking Group of the Basel Committee on Banking Supervision, Management and Supervision of Cross-Border Electronic Banking Activities, Summary of Initiatives accessed at www.bis.org.

^[47] The legal aspects will be discussed at 4 2 2

^[48] See chapter 4.