The phrase ‘gross negligence’ is really important. It is used in the Payment Services Regulations (PSR), and I use it in my ‘£1bn challenge to the banks’ – but what does it mean?
My approach reads as follows:
Gross negligence is when an individual makes a conscious and voluntary decision to do (or not do) something, with a clear understanding of a foreseeable risk of loss that is directly attributable to that action (or inaction).
To understand what I mean let me take it bit by bit:
“Conscious and voluntary decision”
Most of the decisions that we make are “conscious and voluntary” in that we know that we are making a decision to do or not do something and we are making that decision of our own free will.
But fraudsters often use a process called ‘social engineering’ to get their victims to do exactly what they want them to do, without the victim realising what is actually happening.
These are not “conscious and voluntary” decisions because they have been cleverly “directed” by the fraudster.
“Clear understanding of a foreseeable risk”
Every day we do things that involve risk. What is important is whether or not that risk is foreseeable. Riding a motorcycle without a helmet has a foreseeable risk.
If a fraudster tells their victim that there is a problem with their internet security and that they need to load some new software “to overcome the problem”, the victim is unlikely to understand, or even realise, that they are exposing their bank account to the risk of fraud.
The final part of my approach asks whether or not the loss resulted directly from the action (or inaction).
If an account holder responds to a text message that they genuinely believe comes from their bank (because it is in the same message thread as previous messages from their bank) then, in my view, a subsequent loss from an ‘Account Transfer Fraud’ cannot be said to have resulted directly from their response to the text message.
Payment Services Directive
This approach is drawn from the Payment Services Directive (PSD2), which is the European Directive from which the UK PSR2017 is developed. It gives an example of ‘gross negligence’ as ‘writing down your PIN in an undisguised form and keeping it in your purse or wallet with your card’. (This is the simple English version of the actual words in the Directive!)
The importance of this example is that nobody is making you write down your PIN and keep it with your card. It is your ‘conscious and voluntary decision’. And there is a ‘clear and obvious risk’ in that simply dropping your purse or wallet (it doesn’t even need to be stolen) would allow the finder to use the card and PIN to steal your money. This is ‘gross negligence’.
UK Legal Approach
There is no simple, legally accepted, definition of ‘gross negligence’ but there have been a number of court cases where ‘gross negligence’ was considered and in the most widely quoted cases the judges said that: “the concept of Gross Negligence seems to me capable of embracing ….. indifference to an obvious risk”.
So, if a risk is obvious and a person (or business) demonstrates an indifference to the risk by not acting in a way that would either eliminate, or at least mitigate, the risk when it was in their power to act, then, in my view, they have been ‘grossly negligent’.