Hackers, Bank Records, and Going Paperless

01/09/13

The traditional allocation of losses at a bank was first loss bank, second loss government, but never losses to insured depositors. To wit, if Willie Sutton robs a bank, the money lost is the bank's, not that of any particular depositor. If a bank fails, then the FDIC steps in and pays out the insured depositors. It does so on the basis of the bank's books and records.

The phenomenon of hacking strikes me as changing this loss allocation paradigm:  the hacker might steal from individual customers' accounts, not from the bank vault. If the hacking can be identified, then the traditional loss allocation kicks in. But this depends on the bank having an uncorrupted set of books and records that the hacker hasn't accessed. If the hacker can both grab money from the account and mess with the bank's books and records, then there's a royal mess.  

This scenario doesn't strike me as a major concern for a simple thief whose primary goal is stealing money. The only reason the thief would mess with the books and records would be to cover his trail in an Ocean's 11 type move. That would take a lot more work, however, and it might be counterproductive as it would require more code, etc., that could point to the thief. 

But what if the hacker isn't a simple thief, but a state actor? So far the publicly discussed hackings blamed on Iran have been denial of service attacks aimed at disrupting access to banks' websites, rather than stealing from customers' bank accounts. That could easily change. And if a hacker really wanted to wreak havoc on the US financial system, why not go and screw around with customers' accounts and the books and records of a major financial institution? I don't have any sense of how easy this would be, but it's a scary thought. I assume that there are some very smart and well-compensated people working to ensure that this can't happen (e.g., off-line storage of bank records), but even so, things can go wrong.

All of this brings me to a rather old-fashioned point: paper has some benefits over electronic records. The virtues of paper over electronic records have become patently clear in the mortgage foreclosure context (more about that soon in another post), but what about bank statements? Every time I log onto my bank's website I get badgered to go paperless. And every time I say "No thanks." My bank tries everything:  pleading how paperless is better for the environment, pointing out how nifty its mobile banking app is, etc. Of course, the bank never mentions that going paperless saves it a lot of money, and that none of those cost savings are being offered to me. (How about additional interest equal to 50% of the postage and paper costs? That might make my account start to have something like a positive yield...)

There's another problem with going paperless.  Going paperless means that my account records exist only in the control of the bank. And banks are now national security targets. While hackers haven't gone after accounts so far, that could well change, and a hacker aiming for maximum havoc might target both accounts and bank records.  Having my own set of paper records isn't perfect--they are costly to store, can themselves be doctored, and might lag by up to 30 days. Paper records don't protect against a hacking, but if the doomsday scenario spelled out above were to happen, I'd much rather be a depositor with a trail of paper statements than nothing but electronic records.  
