I think there is confusion here.
The banks are making the claim, that, if you the user, has an infected PC, that is compromised by an 3lit3 h4x0r, and your password to your bank account is compromised, then the bank is not responsible.
That is what you are saying, Sean?
While the bank holds your money, it is responsible for its safety. This includes making sure the money is only released to you or to those you authorize. If an act of theft or fraud causes the bank to release that money without your authorization, the bank can certainly be held responsible. This is why they hold checks and even, from time to time, call people up to confirm suspicious transactions. Generally banks have a blanket bond to cover theft/fraud losses and this protection extends to their customers. I don't think it would be that difficult to show that there are significant security flaws in the online banking system that the user is neither responsible for nor capable of correcting. You could get a dozen security experts to testify that a static password is not sufficient to protect a system that can perform unretrievable funds transfers. If that's all the bank's online scheme provides, this may negate the argument that the user's negligence was the sole/primary cause of the loss. In most states, you have additional protections under state law. DS