BNZ expects protest from some customers at compulsory security procedures. Photo / Martin Sykes

BNZ expects protest from some customers at compulsory security procedures. Photo / Martin Sykes

A major bank has turned up the heat on its rivals by taking responsibility for any online fraud.

Up until now, BNZ customers have been accountable for losses if their PINs and passwords were stolen online by fraudsters.

The BNZ's move follows an earlier one by Westpac to "promise to pay" customers who fall prey to online crime. The move goes beyond the Banking Code of Practice that requires customers to have up-to-date antivirus, firewall, anti-spyware and operating system software.

Both BNZ and Westpac now say they do not require customers to have up-to-date software. But customers are advised to use it even if it's not compulsory, says Blair Vernon, general manager for strategy and marketing. He says such software is still essential to protect customers' privacy.

At the same time as changing its terms and conditions for online banking, the BNZ has announced it will make its two-factor authentication compulsory from March next year.

Two-factor authentication adds a step to logging into online banking, over and above a PIN and password.

BNZ customers are given a card called NetGuard, and are asked to enter numbers from the card.

Two-factor authentication makes banking on computers infected by viruses or Trojans safer.

BNZ head of fraud Ron Watt says online fraud is relatively rare. Losses, which the BNZ has reimbursed, have ranged from $10 to $13,000.

The BNZ is expecting protest at compulsory two-factor authentication from some customers, but says that an extra layer of protection is a fact of life of banking on the internet.

Both BNZ and Westpac said customers would be reimbursed if their account was plundered while they used an internet cafe overseas, a common situation for online fraud.

Overseas, the picture varies from country to country. Banks in Belgium and the Netherlands are required to take appropriate measures to protect their customers, Mike Heath chief executive of RaboPlus in New Zealand says.

"Exact definition of 'appropriate' is left to the banks but they must adhere to minimum standards. If a customer is defrauded and the bank neglected its responsibility, the judges tend to rule in favour of the customer."

The British Banking Code protects innocent victims from fraud. In Ireland, for banks other than RaboPlus, the rules are that any transaction done with a customer's password is the customer's responsibility, Heath says.