The Japanese Bankers Association has released guidelines for companies and banks to follow to prevent fraudulent money transfers through online banking.
The guidelines recommend that banks not compensate companies for damage if the companies do not take sufficient safety precautions, and that banks limit the services available to such companies.
Strengthening safety measures at corporations is expected to have a certain effect in preventing bank fraud, though with the techniques used in such crimes becoming more sophisticated, the banking industry will likely have to constantly renew its guidelines.
Damage related to online bank fraud has risen sharply this year, according to the National Police Agency. There were 873 incidents costing 1.42 billion yen (S$17.34 million) as of May 9, already more than the 1.4 billion yen recorded in all of 2013.
The average loss per case was 1.62 million yen, 550,000 yen higher than last year's average.
Companies have lost a total of about 500 million yen, about five times more than last year.
Recently, there has been an increase in bank frauds involving a computer virus that displays a bogus screen resembling an online banking site. Other techniques include controlling computers remotely to steal IDs and passwords.
The JBA's guidelines call on companies to follow six recommendations, including implementing safety measures prepared by the banks, updating operating systems to the latest version and regularly changing passwords.
Under the guidelines, banks would only fully compensate companies that follow all the recommendations.
The guidelines are not enforceable, but most banks are expected to adopt similar criteria.
However, it is difficult for individuals to implement the guidelines as they do not have the financial leeway that companies do. For this reason, the guidelines recommend compensating individuals for the full amount of losses, in principle, unless negligence is involved.
Under the guidelines, if a bank decides a company has been lax with its safety measures, it should not only refuse to compensate the firm for losses, but also restrict the services the company can use to prevent further losses, such as by setting an upper limit on the amount that can be sent by bank transfer.
The banks are now expected to set about creating criteria for judging when a company's safety measures are insufficient.
For instance, this could include the use of Windows XP, which is seen as less secure because Microsoft Corp. is no longer providing support for this operating system.
The safety measures recommended in the guidelines are all fundamental principles. Mid-sized, small and micro-enterprises that do not take such preventive measures are seen as vulnerable, so banks will need to make an effort to make the guidelines universally known.
The guidelines have several recommendations for banks, such as introducing secure one-time passwords and limiting transfers to accounts that have been registered beforehand.
Sumitomo Mitsui Banking Corp. is already using one-time passwords, and some regional banks delay transfers to unregistered accounts until the next day.
However, there is significant disparity among the banks, so the JBA is seeking to promote the guidelines throughout the industry.
Yet the techniques used in fraudulent bank transfers are becoming more sophisticated every day. "Phishing," in which fake e-mails attempt to get users to enter their passwords, has been the mainstream technique.
Cases involving virus infection began to appear in 2005 and first spread in Europe, the United States and other countries. Accounts in Japan began being targeted in late 2012 because the domestic industry was seen as having a low level of safety awareness.
"If users follow the banks' guidelines and elevate their safety awareness, it should greatly reduce the amount of damage," said Itsuro Nishimoto, chief technology officer at LAC Co., a Tokyo-based information security company.
Both banks and companies need to be constantly vigilant in improving their safety precautions.