First National Bank (FNB) is holding a 70-year-old customer liable for the loss of more than R22,000 stolen from her bank accounts, apparently without proof that she compromised her banking credentials. Barbara Louw of Gordon's Bay insists she did not divulge her online banking credentials in a phishing attack and has asked the bank repeatedly to provide proof she did. In a letter from FNB's fraud department to Louw, the bank says that since logs on her profile show no changes were made to her online banking username and password, this "suggests" that the perpetrators were armed with her login credentials. "We can therefore only conclude that you knowingly or unknowingly disclosed these details to a third party," the bank says.Louw received a phishing e-mail the day she was defrauded. She denies opening it, let alone clicking on any embedded links and logging on to her banking profile. At the bank's request, she had her computer examined for viruses and malware and it was found to be clean. The Code of Banking Practice, to which FNB adheres, says that unless the bank can show that you acted fraudulently, negligently or without reasonable care, it "will refund you the amount of any transaction together with interest and charges associated with the disputed transaction". But this applies in certain circumstances only, such as for transactions not authorised or made by you "after" you have reported to the bank that your PIN may have been com-promised.Louw reported the fraud to FNB the day it happened, on July 30 2017. Her accounts were cleaned out over the course of about an hour while her cellphone service was temporarily suspended. When Vodacom restored her service, she received SMS notifications of payments to five beneficiaries unknown to her. She later discovered that all the beneficiaries hold accounts with FNB. In most cases of online banking fraud, stolen funds are transferred into beneficiary accounts held at banks other than the victim's bank. This is because the victim's bank has no control over the accounts of another bank. When both parties are with the same bank, the bank is able to freeze the beneficiary accounts, and retrieve the money.Giuseppe Virgillito, spokesperson for FNB Digital, says Louw unfortunately reported the fraudulent transactions to the bank half an hour after they were processed. "Upon being notified, the bank immediately secured the customer's profile and blocked multiple accounts where the funds had been transferred. Despite all efforts, the funds were withdrawn from an ATM within minutes of the transfers."However, the beneficiaries' bank statements, which Louw had to subpoena FNB to give her, show that the money stolen from her and transferred into their accounts reflected only the following day, July 31. Most of it was withdrawn on August 1 - and not within minutes of the transfers, as claimed by the bank.Louw's attorney Glyn Williams alleges that FNB has been grossly negligent in failing to properly investigate her claims.To add insult to injury, Louw was charged a fee of R28.80 for the reversal of the single fraudulent transaction FNB managed to reverse and was also required to indemnify the bank against any claim that may arise as a result of the payment.Virgillito says it is standard practice to request a customer to sign an indemnity in such cases.Louw, who is still working despite being of retirement age, says the R22,000 stolen from her was equal to two months' earnings. "What's worse than the financial loss is the way that the bank has treated me," she says.Williams says Louw was made to obtain more than one section 205 subpoena to obtain information that FNB has always had in its possession - "information which would have been discovered had the bank bothered to properly investigate her claims". The bank only complied with the last subpoena in December last year, 18 months after the fraud. "Despite the subpoenas being issued, FNB has not disclosed what action, if any, it took to investigate the fraud committed by the fraudsters, whose ID numbers, residential and work addresses are known to the bank," says Williams.Virgillito says the bank is co-operating with the police, but did not respond to specific questions, including why it had refused to furnish Louw with IP logs on her profile, or why it accused her of acting negligently. He says the fraudulent transactions on Louw's account "could only be completed using a bank-generated one-time password (OTP)" sent to her contact number.The issuing of OTPs via the customer's mobile service provider is a security measure established by the banks, says Mark Heyink, an attorney who specialises in information security. Yet banks have known for many years that this is easily defeated by a SIM swap - and banks have failed to warn their customers of this risk, he says. Heyink has represented and advised close to 100 victims of online banking fraud. Last year he made a submission to the Financial Sector Conduct Authority about internet banking fraud and the unfair treatment of customers. He says there is commonly an absence of evidence of negligence on the part of clients who the banks typically hold liable for losses in online banking fraud...