Online banks under legal scrutiny

Got a complaint about your personal data at an online bank? Tell it to the judge

While most banking security and privacy issues are surrounded by an extensive legal and regulatory framework, consumers are not always protected when it comes to online banks, say experts.

If consumers feel their personal information is being abused -- as some have complained after two gaffes by Barclays' online bank this week -- in most cases they have recourse to the data protection commissioner, the banking ombudsman or the courts. In some cases, however, users could be left high and dry, for example if an online bank operates from outside the UK or if the bank limits its liability with its terms and conditions agreement.

"There are good regulations in place for banks, we don't need a lot of new laws to look after online banks, as long as they're in the UK," said Alan Stevens, head of digital services for the Consumer Association.

First-e, for example, is based in Ireland and backed by a French company, and therefore falls outside the UK's banking regulatory framework -- even though the UK makes up one of its primary markets. A consumer could pursue action against a foreign bank through its home country's legal system, but First-e has chosen to head off any customer dissatisfaction by creating its own arbitration system for the UK.

Customers unhappy at this system will have to seek legal action in the bank's country of origin.

Other banks, such as Prudential's Egg (which has had security issues of its own), take the controversial measure of making customers liable for any damages that occur before the customer notifies them their credit card has been misused.

"If you or an additional cardholder allow someone to have a card or the card number, you will be responsible for all use of that card before you tell us that it may have been misused," reads Egg's terms and conditions agreement.

In normal conditions, the customer's first action should be to talk to the bank, according to Stevens. But if the customer feels the bank will not sufficiently respond to his complaint, he can take recourse to the banking ombudsman's department.

The office has no regulatory powers and decisions taken there do not form a legal precedent. It exists to resolve disputes, and can enforce its decisions -- for example it could require a bank to pay a customer.

The ombudman's office says it has only received a handful of inquiries about online banking, and has not acted on such a case so far, but distributing personal information over the Internet as occurred at Barclays would fall under the ombudsman's jurisdiction, according to a spokesman for the office.

"If we're talking about breaches of security, that would translate into a complaint about breach of confidentiality," the spokesman said. "The underlying grievance is something that we are already looking at in other cases."

As an example, a bank that sent out a credit reference for the wrong person could be made to write to all the parties concerned and clarify the situation, the spokesman said.

Privacy breaches are also covered by the data protection registrar, who enforces the data protection act. This act, passed in 1984 but updated in March 2000, requires organisations who handle personal data to keep that data private.

Online privacy falls under the act's broad purview, according to the government's data protection office. "The act is there to tackle a wide variety of circumstances, including technical breaches on the Net, which is why it is quite loosely phrased," said Carol Huffton, senior compliance manager for data protection.

The data protection office's powers are powers "geared to getting compliance," said Huffton. The commissioner can assess an organisation and decide whether it is compliant with the act or not, and work with the organisation to achieve compliance.

Breaching the commissioner's enforcement notice can be a criminal offence, and can be pursued in court. In crown court, a case under the data privacy act can bring unlimited punitive damages, according to Huffton.

But one of the more powerful forces wielded by the commissioner and the ombudsman is bad publicity. "Loss of customers is one of the great business drivers toward compliance [with the Data Protection Act]," Huffton said. "Customer confidence is very important indeed, but it's wrong to ignore what are strong business factors here."

Take me to the e-commerce special.

What do you think? Tell the Mailroom. And read what others have said.