A commentary on Stanbic Bank (U) Ltd vs Moses Rukidi Gabigogo, Civil Appeal No. 0028/2023, before Justice Stephen Mubiru.
Background:
Moses Rukidi (the respondent) held an account with Stanbic Bank. On 19th March 2021 he used the bank’s Metro Branch ATM intending to deposit Ug. Shs. 2,500,000. He inserted his card into the machine and keyed in the deposit option, then changed his mind and pressed the cancel button, after which he tapped the balance inquiry option. The mini-statement showed his credit balance. He withdrew the card and inserted it afresh. This time, when he entered his PIN, the display screen showed “no deposit”, which he understood to mean that he could not deposit cash using the machine. He pressed the “cancel” button once again, but the ATM card did not come out immediately.
As Moses waited for the machine to eject the ATM card, out of the blue the hand of a stranger reached over his shoulder from behind and pressed the yellow and blue buttons, causing the card to eject immediately. The stranger then handed the ATM card to Moses, muttering that the card had been slow to eject. The stranger then moved to the next machine. Moses inserted the card, but when he typed in his PIN the machine returned a message on the user interface which read “capture” and printed out a receipt to that effect. He was left with no option but to move into the banking hall and deposit the money. He also requested that the bank retrieve his card, but he left before it had been retrieved.
Later that day he received a series of SMS alerts on his phone indicating various transactions on his account. Upon returning to the bank and reviewing the CCTV footage, he realised that the stranger who had assisted him in ejecting the card was a fraudster who had been watching him and had memorised his PIN before intervening. This man had exchanged the respondent’s card for a dummy, retaining the genuine card, which he then used to make the transactions.
The respondent sued the bank, contending that the loss of his funds was occasioned by the bank’s failure to deploy a security guard at the ATM and to monitor the CCTV. The Magistrate’s Court found for the respondent, a decision which the bank appealed.
What was the decision of the court?
The court held that:
- Digital banking is the integration of digital technologies into the business model and overall organisation, including the provision of banking products and services through digital means and with a focus on customer experience. It expands beyond banks and financial institutions: non-bank institutions (e.g. payment providers, credit card issuers, e-commerce and other digital corporations) are now part of the ecosystem. It presents a delicate balance at the interface of usability and security: a trade-off between technical security levels that protect customers from cybercrime losses on the one hand, and on the other the ease of use that determines whether users are willing and able to accept and adopt security measures, in the context of usable security for systems requiring multiple levels of tracking and authentication, without hindering efficiency.
- Cards issued by banks to enable electronic transactions usually comprise three components, namely: the plastic card, the chip (an embedded microprocessor) and the magnetic stripe. The card has embedded in it the customer account number, usually a multiple-digit number serving as a unique identifier for each customer, and the customer’s PIN, usually comprising four digits designed to be known only by the customer or persons to whom he or she discloses it. The sole purpose of the chip is to interact with terminals to enable cash withdrawals at automatic teller machines (ATMs) and to enable payments and transactions on the account. Transactions are initiated with the ATM card and are essentially authorised with an input of a PIN. The information in the magnetic stripe is used to identify the cardholder via the PIN. The PIN and the usage of the card constitute the cardholder’s electronic signature that authenticates the transaction. What follows is a series of prompts and inputs from the cardholder, after which receipt of the cash marks the completion of the transaction and the card is returned. A debit entry is then entered on the relevant account.
- ATM cards issued by banks may be used by the cardholder to effect cash withdrawals at any ATM of the issuing bank, and at those of other banks which are linked to an inter-bank network to which the issuer of the card belongs and which allows for cross-bank ATM withdrawals (such as “Interswitch”). The standard terms of use normally stipulate that when the correct PIN is entered it is considered to be the customer’s mandate and effect will be given to that instruction. The standard agreement between the bank and the cardholder usually contains provisions in respect of losses which may be incurred as a result of the unauthorised use of the credit card. Banks usually contract out of the risk associated with electronic payments, specifically the liability for unauthorised electronic funds transfers. This culminates in banks’ customers bearing the bulk of that risk as a result of the bank-customer contract. Apparently, there is currently no specific or dedicated legislation in Uganda covering electronic banking services. A number of aspects surrounding the use of electronic banking products are not necessarily covered by the provisions of The Electronic Transactions Act, No. 8 of 2011 or The Electronic Signatures Act, No. 7 of 2011.
- Under the bank-customer contract, a bank is required to effect a customer’s orders timeously once the instruction is given in accordance with the terms agreed between the parties. Where an ATM transaction is initiated using the card issued by the bank and the correct PIN entered, it would constitute an electronic signature signifying a payment order. The bank has a duty to carry out its customer’s authorised payment instructions (where the customer’s account is in credit). While the bank has a duty to exercise reasonable skill and care when effecting its mandate the customer in turn has to effect the payment order with reasonable care so as to limit the chances of fraud and deception. If owing to neglect of this duty, forgery takes place, the customer is liable for the loss. Otherwise, banks generally have the duty to compensate customers for fraud on their accounts provided the customers have not been grossly negligent, which is a degree of negligence where whatever duty of care may be involved has not been met by a significant margin; a very significant degree of carelessness.
- In the context of digital banking, the authority of the customer is controlled by restricted personal access to his or her PIN, which he or she has a duty to keep secret. Upon slotting in the correct card and typing the corresponding PIN on the machine’s keypad, the bank is deemed to have received the necessary authorisation from the customer and the ATM then dispenses cash, which makes bank customers easy targets for thieves and fraudsters, thus rendering this method of payment risky. As a result, if a third party were to gain access to a customer’s electronic payment device or were able to bypass it altogether and send payment instructions to a bank, the obligation on the bank to assess whether it had the consent to process the transaction would be dependent on the terms of the contract between the parties.
- For the criminal or fraudster, there are three options for illicit access to cash at the ATM: copying the card, stealing the card, or going directly for the cash by breaking into the machine or snatching it from a customer who has just withdrawn it from the machine. Of course, to be effective in terms of accessing cash via the ATM, the first two options must also involve theft of the PIN. Some of the above options may be executed in the following ways:
Cloning. Here criminals copy information off the ATM card’s magnetic stripe by attaching card-skimming devices to the fascia of an ATM. A genuine bank card’s magnetic stripe is copied and then placed on a duplicate card. This cloned card can then be used to withdraw money from an ATM. However, the fraudster will not be able to make any withdrawals unless he has also obtained the PIN.
Card trapping. Here the criminal steals the actual card at the ATM. This is done by attaching a device to the card reader slot that allows the card to be inserted in the normal way but stops it from being returned to the cardholder. Sometimes this activity is compounded by the criminal, in the guise of offering assistance, advising the cardholder to re-enter the PIN (which is observed). When the cardholder gives up and walks away, the criminal releases the device and retrieves the card.
ATM assistance to soft targets. Fraudsters also target elderly persons or those who are not tech savvy and pretend to be providing assistance. The fraudsters carry a number of ATM cards of various banks (most probably stolen from other bank users) and when they spot a soft target struggling to operate the ATM they offer help. They ask for the user’s ATM PIN and help them with their task, but during this so-called help they replace the user’s ATM card with another card of the same bank. Some time later, when the fraudster makes a transaction with the user’s card, the user realises that money has been withdrawn from his bank account. Further, it is usually only when the user attempts to use the card or approaches the bank to report the incident that he comes to know that he is not in possession of his own ATM card and that his card has been swapped by a criminal.
Jamming ATM buttons. Fraudsters may jam both the “Enter” and “Cancel” buttons on the ATM machine by applying glue or by inserting a pin or blade at the edge of the button. So when the customer tries to press the “Enter/OK” button after entering his ATM PIN, the key does not function and the customer cannot proceed with his transaction. At this juncture the customer thinks that the machine is not working and tries to cancel the transaction, which also does not go through as that button is also jammed. Thinking that the transaction is cancelled, he leaves the ATM machine. As soon as the customer leaves or is prompted to visit the nearby ATM machine, the fraudster takes over the machine and since the transaction is active for around 30 seconds in most cases (some banks have reduced it to 20 seconds), he keeps the transaction active by pressing some functional buttons and in the meantime removes the glue or pin from the “Enter” button to go ahead with the transaction. The fraudster then withdraws the cash from the customer’s account, leaving the customer unaware of the fraud till he checks the message from the bank.
Card swapping. When a customer visits an ATM and uses his/her card for a transaction, a stranger pretending to offer help (fraudster) notes down the ATM PIN when it is keyed in by the customer. Later, while returning the card to the customer, the stranger swaps the customer’s card with a dummy card that is identical to the customer’s card. Since the customer is unaware of the swapping, he secures the dummy card whereas the fraudster gets both the card and the PIN which he uses to withdraw cash till the card is blocked by the customer. Experts say that the fraudsters keep several dummy cards of various banks and depending upon the card provided by the customer for the transaction, they pull out a similar card and hand it over to the customer. Since most customers don’t check if the returned card is theirs or not, the fraudsters are successful in cheating the customer.
- It is trite that banks owe a duty of care to users of their payment technology to provide sufficient features to ensure that information transmitted on their electronic platform is protected from fraudsters. In general terms, the bank will be liable when the unauthorised transaction takes place in circumstances of contributory fraud, negligence or deficiency on the part of the bank; or of third-party breach, where the deficiency lies neither with the bank nor with the customer but elsewhere in the system, and the customer notifies the bank within a reasonable time of receiving the bank’s communication regarding the unauthorised transaction; or when the bank fails to ensure sufficient security to prevent fraudsters from accessing the technology behind its electronic payment system.
- To ensure the safety and security of electronic banking transactions carried out by customers, a bank should: have in place digital or other systems capable of analysing and monitoring transactions to identify suspicious ones; monitor its network regularly to check the authenticity of the source of transactions; send SMS alerts to customers for every electronic banking transaction they carry out; undertake regular risk assessments and analyses of the system, and also whenever the situation demands; regularly conduct awareness programmes for its customers and staff on carrying out safe electronic banking transactions; and repeatedly advise its customers, by various means, about the risks and responsibilities involved in electronic banking transactions.
- In matters of electronic transactions, banks have a duty to take reasonable measures to ensure that their digital banking systems are secure and are regularly reviewed and updated. This requires constant testing, artificial simulations, and machine learning at the back-end. They should know when a suspicious transaction or withdrawal takes place, and to this extent, must ensure that transactions on their digital banking services and received by their systems can be checked and traced. A bank will not be held liable once it shows that the security procedure it has in place is a commercially reasonable method of providing security against unauthorised digital payment orders.
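As an added illustration of the monitoring duty described in the two holdings above (constructed example code, not the judgment’s text or any bank’s actual system), the script below runs two simple checks over a stream of ATM events: a velocity rule on withdrawals per card, and a rule matching the sequence in this case, a balance inquiry at one machine followed minutes later by withdrawals at another. The event data, masked card numbers, ATM identifiers and thresholds are all assumed values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AtmEvent:
    ts: datetime
    card: str        # masked card number (constructed sample value)
    atm_id: str      # ATM identifier (constructed sample value)
    kind: str        # "balance", "withdrawal" or "deposit"
    amount: int = 0  # UGX; zero for balance inquiries


@dataclass
class Alert:
    card: str
    rule: str
    detail: str


def monitor(events, window=timedelta(minutes=15), max_count=2,
            max_total=1_000_000, hop_window=timedelta(minutes=5)):
    """Apply two illustrative rules to ATM events, oldest first.

    velocity: more than `max_count` withdrawals, or more than `max_total` UGX,
              on one card inside a sliding `window`.
    atm_hop:  a withdrawal at a different ATM within `hop_window` of a balance
              inquiry on the same card (inquiry at one machine, cash taken at
              the next, as happened in this case).
    Thresholds are assumptions for this example, not figures from the judgment.
    """
    alerts = []
    recent = defaultdict(list)   # card -> withdrawals still inside `window`
    last_balance = {}            # card -> most recent balance inquiry
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "balance":
            last_balance[ev.card] = ev
            continue
        if ev.kind != "withdrawal":
            continue
        # Rule atm_hop: compare against the last balance inquiry on this card;
        # the inquiry is consumed so the rule fires at most once per inquiry.
        bal = last_balance.pop(ev.card, None)
        if bal and bal.atm_id != ev.atm_id and ev.ts - bal.ts <= hop_window:
            minutes = int((ev.ts - bal.ts).total_seconds() // 60)
            alerts.append(Alert(ev.card, "atm_hop",
                                f"balance inquiry at {bal.atm_id}, withdrawal "
                                f"at {ev.atm_id} {minutes} min later"))
        # Rule velocity: keep only withdrawals inside the sliding window.
        q = recent[ev.card]
        q.append(ev)
        while ev.ts - q[0].ts > window:
            q.pop(0)
        total = sum(e.amount for e in q)
        if len(q) > max_count:
            alerts.append(Alert(ev.card, "velocity",
                                f"{len(q)} withdrawals within {window}"))
        elif total > max_total:
            alerts.append(Alert(ev.card, "velocity",
                                f"UGX {total:,} withdrawn within {window}"))
    return alerts


def sample_events():
    """Constructed events loosely following the sequence in the case."""
    t0 = datetime(2021, 3, 19, 10, 0)
    return [
        AtmEvent(t0, "****1234", "METRO-01", "balance"),
        AtmEvent(t0 + timedelta(minutes=3), "****1234", "METRO-02", "withdrawal", 400_000),
        AtmEvent(t0 + timedelta(minutes=5), "****1234", "METRO-02", "withdrawal", 400_000),
        AtmEvent(t0 + timedelta(minutes=7), "****1234", "METRO-02", "withdrawal", 400_000),
        # An unrelated customer making one ordinary withdrawal: must not alert.
        AtmEvent(t0 + timedelta(minutes=10), "****9876", "METRO-01", "withdrawal", 200_000),
    ]


if __name__ == "__main__":
    for a in monitor(sample_events()):
        print(f"{a.card} [{a.rule}] {a.detail}")
```

In a real deployment an alert of this kind would trigger the SMS notice the judgment refers to and a hold on further withdrawals pending customer confirmation; the thresholds would be tuned to the bank’s own transaction data.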
- The bank will be liable where its employee colludes with fraudsters outside the bank in appropriating the holder’s card and PIN and for fraud perpetrated by the bank employees who have access to sensitive customer information. Banks are under a duty to observe highest standards of integrity and performance. A bank employee with knowledge of circumstances which would indicate the facts to an honest and reasonable man or would put an honest and reasonable man on enquiry, acts with “knowing assistance”. A bank employee dishonestly assists in a transaction if they have sufficient knowledge to render their participation in the transaction contrary to normally acceptable standards of honest conduct thereby rendering “dishonest assistance”. Although the dishonest assister will often know that what he or she is doing is dishonest, that subjective understanding is not necessary. Deliberately closing one’s eyes, in the sense of having suspicions of misfeasance but making a conscious decision not to ask questions or otherwise enquire, satisfies the test of dishonesty.
- Unless expressly excluded by the contract, banks will generally owe a parallel common law duty of care to customers in tort (often but not necessarily consistent with the express contractual terms) to take reasonable care in relation to the services they provide. In determining whether a duty exists, reasonable foreseeability of harm is the primary concern. The fact that a person using an ATM might be subject to fraud is conceivable, but conceivability is not the equivalent of foreseeability.
Banks are responsible for keeping customers safe while on their property. Banks know that ATMs are common targets of crime, so they must provide adequate security at and around the machines to keep their customers safe. Since crimes perpetrated against ATM customers occur on bank property, ATM owners are required to provide customers with adequate security measures. Bank owners are responsible for gauging the risk of crime and using proper security measures to prevent harm to customers: at least one camera inside the machine pointing out; adequate lighting around the ATM; no plants, pillars, shrubbery or other large items nearby that criminals could hide behind; ensuring that access to the machines is always limited to persons possessing valid ATM cards; and security personnel that ensure the safety of ATM users.
- A private security guard is responsible first and foremost for the safety of the property of the company or group that he or she has been hired to protect, in this case the ATM, which involves monitoring access in and out of the booths, as well as responding to incidents, security threats and emergency situations. Their job is to observe and report. When something illegal happens they alert the police. Private security guards often rely on their visible presence to deter potential threats. By patrolling or standing watch, they create a sense of security and discourage unwanted activities. A security guard represents the ATM owner and has the authority to ask anyone to leave if there is a violation of policy. In certain situations, where there is an imminent threat to the safety of individuals or property, security guards may intervene and de-escalate situations, or use physical restraint techniques to immobilise or control individuals. They may also provide assistance to individuals in need, such as helping with directions.
Private security guards are the first, but certainly not the ultimate, line of defence against fraudsters or violent attacks for ATM users within the vicinity of its location. They are not deployed to provide personal or close protection for the ATM users. Even if they were, one of the most challenging aspects of personal or close protection can often be balancing the customer’s need for personal space while at the ATM with the security-related functions of the job. ATM users can have very specific personal preferences, including having their personal helpers with them inside the booth during their transactions. A close protection security officer can often be a seemingly intrusive inconvenience to the uninitiated ATM user in such situations. They are not expected to hover over the customer while they are transacting at the ATM. They are expected to respect the privacy rights of individuals at the ATM. Utmost professionalism and restraint would be expected so as not to embarrass the customer in any way. It is important for private security guards to remain especially flexible and adaptable in these situations.
- It is the customer’s duty to manage his or her personal space by preventing invasions of that space in a manner which causes an experience of physical or emotional discomfort, and to bring such invasions, when they occur, to the immediate attention of the private security guards deployed at the ATM.
While waiting in line or inside the ATM booth itself, the customer must make sure he or she has adequate personal space. The customer must keep an eye out for anyone standing too close while they are conducting their transaction. The customer must be cautious of people who might be trying to watch him or her enter the PIN. It is the duty of the customer to pay attention to his or her surroundings at that critical moment while accessing private information, which usually takes only a few moments. It does not require one to be on the constant look-out throughout the transaction. The customer should position his or her body between their sensitive information and anyone’s direct line of sight, for example by shielding the keys on a PIN pad when entering it. Upon detecting that their sensitive information has been compromised, they have a duty to report it to the bank in order to take back control of their accounts.
- The customer has a common law duty to effect the payment order with reasonable care so as to limit the chances of fraud and deception, and this duty imposes a number of obligations on the customer, which include: selecting a well-lit, busy and reputable ATM location as the customer’s first line of defence. A customer is expected to avoid using ATMs in isolated or poorly maintained areas, as they are more vulnerable to criminal activity. The customer has the duty to use the ATM card in accordance with its terms and conditions, to take all reasonable steps to keep the card’s security features safe, and to inform the bank, without undue delay, on becoming aware of its loss, theft, misappropriation or unauthorised use.
The customer must also ensure that he or she conducts all ATM transactions in complete privacy by not seeking or receiving help from any unknown person, not handing over his or her ATM card to any unknown person, especially where that person’s activities at the machine are not in the customer’s line of sight, and also ensuring that the transaction is cancelled before they leave the machine to be accessed by someone else. After completion of the transaction, he or she should ensure that the “welcome screen” is displayed on the ATM. They should be wary of and alert to suspicious movements of people around the ATM or strangers trying to engage them in conversation or offering unsolicited help.
The customer should ensure that his or her card is always within eyesight while at the ATM. The ATM card and PIN must be protected as if they were cash. They should not share their ATM card details with any unknown person, or even with bank officials or its agents.
- The customer will be liable for the loss occurring due to unauthorised transactions in the following cases: where the loss is due to negligence by the customer, such as where he or she has shared the payment credential details, namely the internet banking user ID or PIN, the ATM card PIN or OTP, or due to improper protection of customer devices like mobile phones, laptops or desktops leading to malware/Trojan or phishing/vishing attacks. Similarly, they are liable for loss arising from phantom withdrawals. These are cases where it is suspected that a person known or close to the cardholder accessed the card and, knowing the PIN, made withdrawals using the card. The card is then returned to the cardholder without him knowing that the card was removed or used. This can occur within family groups, close friends or acquaintances. In these circumstances, the bank cannot be held liable as it is unable to prevent access to the card.
- For losses caused by unauthorised third party action where the cause, gap or deficiency lies neither with the bank nor with the customer but lies elsewhere, and the customer notifies the bank within a reasonable time of detecting the unauthorised transaction, or when the customer fails to ensure sufficient security to prevent fraudsters from accessing the bank’s technology behind its electronic payment system, the customer bears the entire loss incurred until he or she reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction is borne by the bank.
- Attribution of liability has to be based on the facts of the case. Conclusions must be drawn first as to what actually happened based on probabilities and the process begins by elimination of systemic failures, glitches or lapses in the bank’s electronic system.
- Where a security breach occurs at the ATM, the onus lies on the customer to prove negligence by showing that the bank in question could have done more to safeguard the integrity of customer’s personal information from unauthorised access, and that the bank failed to put in place effective counter fraud measures to safeguard that sensitive information. This includes personal banking details such as an account name, account number and personal identification numbers or codes which can be used to access a customer’s account to perpetrate fraud, as well as any information about the customer that has been acquired by the bank.
- With the increasing sophistication of scams, the bar for gross negligence is high; it is more than just mere carelessness. A person can commit gross negligence if they intentionally act in a manner that they know, or should know, is highly likely to cause them loss. It involves a failure to use even slight care or conduct that is so careless as to show complete disregard for the safety of the card’s security features and their Personal Identification Number. Factors that will be relevant to the degree of negligence include; the complexity of the scam and whether the customer can reasonably be expected to have paused or otherwise prevented the fraud from being executed. One of the key things to be considered is the environment that was created by the fraudster for the consumer, essentially the nature of the “spell that was cast.”
- Under the terms and conditions of using an ATM card, the parties also agree on a crucial allocation of the risk of fraud, which turns on transactions taking place before notification of loss, theft or misappropriation of the ATM card and transactions taking place after notification. Liability for the former is borne by the customer while the bank bears the latter. The implication of these indemnity obligations is that where the customer’s failure to exercise ordinary care in safeguarding his/her personal identification number (PIN) causes or substantially contributes to unauthorised access to his/her funds by use of the debit card issued to him/her, thereby causing him/her loss or injury, he or she cannot then use his/her lack of authorisation of the withdrawal as a basis for a claim for refund against the bank. The same applies to the customer’s delay in reporting the card as lost. The customer bears the losses deriving from the use of a lost or stolen ATM card, or where he/she has failed to keep the personalised security features safe from misappropriation, occurring before he/she has fulfilled his/her obligation to notify the bank.
- Since the respondent failed to protest when unsolicited help came from a stranger while at the ATM and also failed to prevent that person from seeing him entering his PIN, the respondent’s conduct fell short of the conduct demanded of a reasonable customer at an ATM. He should have been concerned and watchful as he typed his PIN. In the circumstances, his negligence was the real, immediate or proximate cause of the loss occasioned by the fraud.
What are the key takeaways?
The court held that:
- The customer at all times has a duty to protect his/her ATM card and PIN and this duty should never be neglected. Falling short of this, the customer shall have to bear the resulting loss.
- When using an ATM, the customer must ensure they protect their personal space from intruders and prevent anyone from observing the keypad while entering their PIN.
- If customers need assistance with using the ATM, they should seek help from the security guard rather than from strangers. Although warnings are often posted in ATM areas, they are frequently ignored. If an unknown person encroaches on your personal space, immediately notify the security guard, as their intentions may be unclear.
- Immediately notifying the bank upon realising that your personal details have been compromised may save you from bearing any loss that occurs thereafter.
- Choose the ATM you transact from carefully, as the bank can only guarantee your security while you are using the ATM. Once you leave the ATM area, your security becomes your own responsibility.
- It is the duty of the bank to ensure that fraudsters do not hijack its systems in any way.
Conclusion
According to “The Cybercrime Barometer: A Uganda Police Centenary Plus Awareness Campaign Paper,” ATM/VISA fraud has resulted in losses exceeding 1.2 billion UGX (460,000 USD) in a single year, affecting over 700 victims through the use of skimming devices installed on ATMs in Kampala and other areas. This highlights the significant threat of ATM fraud within the banking and finance sector, underscoring the need for vigilance from all stakeholders. Both banks and customers must diligently fulfil their responsibilities to prevent fraudsters from succeeding.
DISCLAIMER: The contents of this article are intended to convey general information only and not to provide legal advice or opinions. The contents of this website, and the posting and viewing of the information on this website, should not be construed as, and should not be relied upon for legal advice in any particular circumstance or fact situation. An Advocate/ attorney should be contacted for advice on specific factual legal issues.