[fc-discuss] Financial Cryptography Update: 'bonus pater familias'

iang@iang.org
Mon, 10 Oct 2005 15:09:45 +0100 (BST)

((((((((( Financial Cryptography Update: 'bonus pater familias' )))))))))

                            October 10, 2005




An article in the aforementioned JIBC, "Security as a legal obligation"
by Edwin Jacobs, examines the current security crisis from the
perspective of _bonus pater familias_.  This legal doctrine has it that
we should ask, what would the good citizen have done in this case?

What can be reasonably expected of all the actors here, assuming they
were good citizens?  As I argued in a recent blog entry concerning
online account fraud (a.k.a. phishing), you can't blame any one party
totally, and if you put all the cost on one party and none of the
responsibility on the other parties then you give rise to moral hazard.
That's the economic concept that anyone who is fully insured is more
likely to suffer the insured-against event, because they have no
incentive to take care.

The current situation in most western countries is, in simple terms, if
a transaction was not authorised by the account owner then the
financial institution carries the risk.  This is by no means cut and
dried, but when push comes to shove, that's what gets written down in the

Does that mean that the FIs are already on the hook for it all?  By no
means, as the greater part of the cost of any online fraud seems to be
the cost to the individual's identity.  Although the estimated heist is
about $1000, I've also seen estimates of time lost to the user of 100
hours.  If your time is worth more than $10 per hour, then you are now
more concerned about the waste of your life; and another statistic has
it that one in four never recover completely from the situation.

So we already have risk sharing in place.  Which isn't to say that it's
a nice way to live and do business, but it is at least a clearly
demarcated sharing arrangement.  FIs pick up the tab for the money,
but your identity's your own problem.

Where we go from here is that if there is to be any adjustment from
this current risk sharing between the FIs and their users, then it has
to be a better risk sharing.  That is, not only does it need to better
account for the economics of repairing the damage, it also has to be as
easily measurable as the current arrangement.  That's a tall order, and
my hat off to anyone who can do this.

Jacobs takes Sarbanes-Oxley to task by pointing out that not only are
there already many laws in Europe that cover these points (and he works
through some of them), but both providers and customers have a general
duty of care.  Obviously in the current environment, there is no lack
of examples of failure to follow this principle, so the question arises:
how is it that the principle has failed to save us in this case?

3.1. The concept of general duty of care

 The presence of specific legislation related to security and risk
management should not make us forget that every person (so also
customers of online services!) and every company have a general duty
of care. If the lack of appropriate security measures leads to damages
for third parties, the liability of the company which omitted to apply
best practices in this field (and hence to behave as the 'bonus pater
familias') will automatically be involved. Contrary to the specific
legal security obligations described above in the specific laws, _the
general liability can to a certain extent be reduced by liability
disclaimers that have to be carefully drafted_.

(My emphasis.)  It would seem that if one were to stereotypically cast
the models as European above and American for the alternate, we could
ascribe his last comment as the reason for the failure: general
liability and a duty of care have been widely written out by liability
disclaimers in the American model.  This is no light thing, as the
history of the credit card shows.  When banks were aggressively
marketing their cards in the mad ramp-up to saturation, it was common
to send cards to people who hadn't asked for them, _and_ to stick them
with the fraud bills.  This blatant act of fraud on the part of the
banks resulted in the regulations (Reg E?) that made the banks liable
for _all_ of any transaction not authorised, thus switching _all_ of
the risk from the consumer to the bank.  At least until identity fraud
took off.

It would seem simplicity itself to write to our congresspersons and
demand they write liability back in again.  "Dammit!"  But I fear it
isn't so easy, and it may very well be that Reg E recognises _bonus
american pater est mortuus_.  The counterbalance to this dramatic
accusation is that the ecommerce revolution happened in the US and only
to a lesser extent in Europe.  If we looked at all the startups and
IPOs, we should expect to find a massive difference, perhaps as much as
an order of magnitude.

Which meant that the value was created in the US and then exported by
copycats to other far-flung dominions of capitalism.  All of which goes
to show that making a claim of _bonus pater familias_ as against the
widespread disclaiming of same by contract is not easy: either we need
to show that the link with the dotcom boom is correlation, not
causality, or the pundits of _bonus pater familias_ need to find
something that counterbalances the 'economic miracle' argument.

Jacobs's article is worth reading if you are trying to make sense of
Choicepoint, phishing, viruses and keyloggers and the madness known as
Sarbanes-Oxley.  I don't think it answers everything, but it does offer
a perspective on why the crisis in security and governance is primarily
American and not elsewhere.
