Physical Address
Kampala, Uganda
The financial services sector is undergoing what may be termed as a technology revolution. The hallmark of this revolution is an aggressive disruption of the operations of traditional financial institutions, especially banks. This disruption is attributable, in part, to the rise of financial technology companies (“Fintechs”) in Africa and the entry of big technology players such as Google and Apple into the financial services market.
The impact of this disruption is evident in the adoption of technologies such as cloud computing and application programming interfaces (“APIs”) in the provision of financial services. These technologies are being deployed in payments, data sharing, customer relationship management, human resources and financial accounting, among others.
But perhaps the most profound impact of the digital disruption is the rise of customer-centric, platform-based business models in the sector. While the traditional understanding of a bank was that it was a brick-and-mortar institution, the rise of platform-based market players is increasingly distorting this understanding. Today, customers can ably access end-to-end financial services without visiting a physical branch.
The digital disruption has therefore made it imperative for banks to become innovative with their product offerings to remain relevant and competitive. Many, if not all, have embarked on extensive digital transformation strategies in a bid to take their services closer to customers, with considerable success.
While technology is revolutionizing customer experience, it is also altering the nature of the legal obligations between financial institutions and their customers. This article considers a recent decision from the High Court of Uganda, which shines a light on the emerging nature of these obligations. The article also highlights other areas that financial institutions must be aware of as they implement their digital transformation strategies.
The High Court of Uganda considered the case of Aida Atiku V Centenary Rural Development Bank Limited Civil Suit No. 745 of 2020. Aida Atiku was a customer of Centenary Rural Development Bank. The central issue in contention in this case was the liability of the bank for loss of the customer’s funds – which were supposedly withdrawn without her knowledge or consent, via the bank’s mobile application (“App”). The value in question was approximately UGX 56 million / USD 14,000.
It was the customer’s case that she never applied for the mobile application service or consented to it, and yet she lost her funds through the App. For this reason, she contended, the bank was liable for the loss she suffered. On the other hand, the bank argued that the customer, when filling in her account opening forms, applied for the App service and, subsequently, an account linked to her mobile phone number was created with a PIN. The customer’s funds were consequently withdrawn using the App and her PIN. In the circumstances, the bank argued, the risk of loss lay with the customer because she permitted third parties to access her PIN, which then facilitated withdrawal of the funds.
The court recognized the efficiencies and cost benefits that automation and artificial intelligence deliver to both banks and customers. The court then outlined the obligations of banks in digital transactions to be the following:
The court also highlighted the corresponding duty of the customer to be:
The court then opined that the risk of loss in digital transactions would lie with a customer if the bank could establish that its security procedures are a commercially viable method of providing security against unauthorized payment orders.
Based on these principles, the court arrived at the finding that because the bank had put in place two-factor authentication in the App and the customer had provided her PIN to a third party, the risk of loss shifted from the bank to the customer. In the circumstances, the bank could not be held liable for the loss the customer suffered.
The court’s decision is important to the extent that it lays down the critical obligations that a financial institution has in ensuring platform security. However, in finding that the risk of loss would lie with a customer if the bank could establish that its security procedures were a commercially viable method of preventing unauthorized payment orders, as a lone test with no exceptions, the court did not ably address all the factors that could lead to unauthorized payment orders and, subsequently, on which party the risk of loss would lie in light of those factors.
Some of the factors that may lead to unauthorized payment orders with no fault on the part of the customer may include third-party access to a bank’s platform, commonly known as “hacking”, internal bank fraud and intermediary fraud – in this case, through agent banking intermediaries. It is imperative to note that these factors are not necessarily dependent on the viability of the security measures that a bank may have in place. Susceptibility to third-party access, for example, will not necessarily negate the fact that a bank has commercially viable security protocols for its platforms.
It may therefore be argued that the court may have failed to fully discharge its duty to assess all the possible causes of the unauthorized payment order in this case. But most importantly, the court may have created a precedent to the effect that it is enough for financial institutions to plead that the security platforms they have in place are commercially viable. The effect of such a precedent may be two-pronged. Firstly, fraudulent access to a bank’s platforms and the bank’s liability thereof may go unchecked, especially in cases where the customer’s diligence is found wanting. Secondly, customer uptake of and confidence in digital financial services will be dented, as the chances of obtaining judicial remedies may have become slimmer.
The foregoing concerns form part of the wider concerns that financial institutions must be alive to and I address them in the next section.
The key issues financial institutions must remain mindful of, as possible sources of liability, may include customer experience, in terms of liability for system downtime that leads to financial loss for a customer or any other form of loss; data privacy, including unlawful data sharing and processing, especially within financial services groups; and liability for the actions of third-party technology partners of financial institutions. Lastly, platform security, as highlighted above, will remain an ever-present potential source of liability, and it is expected that litigation in this area will continue to grow.
It will therefore be critical for financial institutions to embed proper risk governance mechanisms along with their digital transformation strategies to ably deal with emerging risks. Conversely, it is necessary for the regulators to come up with succinct consumer protection guidelines for digital financial services and e-commerce.
Disclaimer: “The views and opinions expressed on the site are personal and do not represent the official position of Stanbic Uganda and Khulani Capital.”