Arcturus banner

Arcturus banner

Tuesday, 12 March 2013

Another Moral Dilemma at the Bank

They are rich, they are powerful, they are high tech, and most of the time they ARE accurate and reliable, but sometimes banks DO make mistakes. The news has been full of stories about innocent account holders and tax payers suffering due to wilful misconduct by the big banks – the PPI mis-selling scandal, Liborgate and rate fixing, money-laundering and the multi-billion dollar bank bail-outs – but sometimes things go wrong purely by accident, and sometimes the error is in favour of the customer.

Moral dilemmas created by bank errors fascinate me, and I have written about this subject before:
What do I mean by a moral dilemma? Well, for example:
  • What happens when an ATM goes crazy and starts spewing out cash?
  • What do you do if you find the previous customer has left a wad of notes behind in the ATM?
  • What about cash transferred into your account by mistake?  Are you entitled to spend it? 
 A story hit the UK headlines recently concerning a hapless lady who tried to set up an on-line transfer of £1000 per month into a Nationwide joint account she shared with her husband.  Hairdresser Sally Donaldson mis-keyed some of the account information and the money was mis-directed into somebody else’s account. 

It took two years before she noticed that the money was going missing!  The recipient of the serendipitous cash has long since spent it, and Nationwide has refused to reimburse Ms Donaldson. A whole host of interesting questions arise from this:
  • How did she fail to notice a substantial amount was going missing every month for an entire TWO YEARS?
  • Was it her own fault for mis-keying her own account number?
  • Should she have taken responsibility for validating the transaction, for example by carrying out a test transfer of a small sum before doing the real one?
  • What about the recipient of the monthly windfall?  Surely they must have known that the money was finding its way into their account in error. Should they have reported the mistake and handed the money back?  Was keeping quiet and spending it  a crime, just as much as stealing a car on the street?
BTW, I love this comment I read on the Guardian’s Money blog, posted by somebody called Cognitator: "I'm not sure it is quite the same as stealing a car on the street. More like finding one in your locked garage having had the keys posted through your letter box".

Well said, Cognitator, that hits the nail right on the head!

Security Checks

For me, the most interesting aspect of this story concerns the quality and security of the validation routines used by the banks in their on-line banking services. It would seem that they don’t see it as their responsibility to put cross-checking in place.  As long as Sally entered a valid combination of sort code and bank account number, then whoosh! Off went the 1K per month.

Now you may take the view that Sally is an adult and as such should take responsibility for safe-guarding her own money, but what about the bank’s duty to its customers?
They are supposed to be the professionals, and, let’s face it, they make a hell of a lot of money out of us. Most of us ordinary customers are just simple, trusting souls with little time to spend checking our bank statements in detail.  Is it too much to ask to expect the bank to do some of the worrying for us?

In Sally’s case, I believe she entered the name correctly (not too challenging, as the target account was a joint account belonging to her & her husband, and therefore her own surname), but it is all too easy to mis-key a long string of digits.  Surely any online banking system worth its salt should ensure that the account number matches the name of the target account holder? Not a bit of it, however: there was no cross-referencing, neither was any check-digit validation carried out. 

What is a check digit routine? This is a security control used on credit and debit card numbers, but not on bank account numbers (in the UK at least).  The intention is to prevent hard-to-enter data, such as the long number on the front of your credit card, from being mis-keyed. An additional character, known as the check digit, is computed from the original account number and included at the end of the character string.  Every time an account number is manually typed into a computer system a check-digit routine can be used to ensure every digit is correct and in the right sequence. A useful security check, but it would not have prevented Sally’s mistake, as although she entered the wrong number, it was nevertheless a valid bank account number for the given sort code.

Thinking about the way an on-line cash transfer works (in the UK at least), you have to enter
  • The recipient’s name
  • A reference number
  • The recipient’s account number
  • The recipient’s sort code

 Since the bank asks you to input all this information it does not seem UNREASONABLE to expect that part of their security procedure would be to cross-check the name of the recipient  against the account number.  Perhaps this is something that the banks should  look into as a matter of urgency.  Prevention is always better than a cure; it is much easier to prevent funds going astray than it is to reclaim them after a mistake has happened.  It would also be a great piece of PR and would help reassure customers that the banks have their best interests at heart and are dedicated to protecting their hard-earned cash as well as using them as one enormous money-making opportunity.


  1. I can't believe bank account numbers don't contain check digits!

    1. I know! Me neither. The likelihood is that what I have said in this posting is far from the whole story. If there are any banking IT security experts out there who want to add to the debate, please leave some comments.