ASIC finds Australian banks' scam detection, prevention and response practices to be 'less mature than expected'
27 August 2024
27 August 2024
In the Report, ASIC used a narrow definition of 'scams' confining it to:
situations where customers authorised the transaction by either making the transaction or aiding the scammer to make the transaction, including by providing multi-factor authentication passwords.
This means that certain scams were not considered by ASIC for the purpose of the Report (such as scams where customers provide the scammer with their personal information (e.g. date of birth and address), which the scammer then uses to impersonate the customer and conduct the 'unauthorised transaction').
By adopting a narrower definition of 'scams', the Report only focuses on scams where the customer is likely to be liable for the transaction. The Report states that customers of the reviewed banks bore 96% of total scam losses. This is expected as the ePayments Code which sets out liability principles for 'unauthorised transactions', and is the starting point used by banks to determine their liability, will likely not apply to the scam transactions under the narrow definition adopted by ASIC in this Report.
In the Initial Report, ASIC noted that potential sources of liability for banks includes:
In the Report, ASIC sets out its observations and expectations in relation to the following four scam response priority areas which banks and other financial services businesses should have regard to:
Only five of the 15 reviewed banks had implemented an organisation-wide scams strategy and, of these, most did not have timelines to implement initiatives or measurable targets to monitor progress against the strategy.
Some banks had incorporated scams responses into their broader fraud prevention and response processes which resulted in practices that were not always fit for purpose for scams.
To improve the approach to scam strategy and governance, ASIC suggests that banks should:
All of the reviewed banks had systems and controls in place to monitor and stop scam transactions on at least some payment channels. However, a significant number of reviewed banks did not have payment hold capabilities and the majority had not fully implemented monitor and stop capabilities across all payment channels.
ASIC noted that the reviewed banks had implemented or considered implementing greater friction capabilities which, in ASIC's view, would help avoid significant losses. These include:
One of the four major banks had partnered with a telecommunication provider to help detect scam calls in real time and asking customers automated questions before they make a payment to help them identify high-risk transaction.
While all of the reviewed banks provided some level of customer education about scams, only a small number had executed campaigns targeted at specific at-risk customer cohorts.
In light of ASIC's observation above, banks and financial services businesses should:
Only one of the reviewed banks had fully implemented controls to minimise misuse of its telephone numbers and SMS alpha tags which would reduce the ability of scammers to make calls or send text messages that impersonated that bank's name or brand.
ASIC noted that other reviewed banks were talking with telecommunications providers to:
Most of the reviewed banks did not have end-to-end policies and procedures dedicated to responding to scam victims, with some procedures containing outdated information and gaps in key areas (e.g. triage of scam alerts, the steps required by frontline staff to identify and respond to scams, and the templates and timeframes used for customer communications).
Customers found it difficult to navigate the investigation processes with banks splitting their customer journey across a number of teams (e.g. frontline customer services, payment tracing, recall, investigation). Frontline staff missed scam red flags or did not properly escalate cases when identified, resulting in avoidable financial loss and increased distress to customers.
ASIC notes that systems, processes and procedures should account for a customer's likely distressed state and vulnerability and suggests banks and financial services businesses:
ASIC observed that there are significant case backlogs and long call-wait times for customers reporting scams. A key cause of this was that banks that receive scam funds (receiving banks) failed to respond in a timely manner to recovery requests from sending banks. In these cases, the wait times could range from between three months to a year for the return of funds and responses to recovery requests.
Many banks lacked a bank-wide approach to determining liability for scam losses resulting in inconsistent outcomes for customers. For most reviewed banks, liability decisions were largely guided by the ePayments Code (which would not apply to scam transactions considered in the Report as they were generally authorised by the customer).
Where policies were in place, they did consider some relevant factors for determining liability (e.g. level of customer vulnerability, errors made by the bank staff).
Scam victims who complained to the reviewed banks were more likely to receive some form of reimbursement however only 8% of the reviewed banks’ scam victims made IDR complaints.
ASIC suggests that banks and financial service providers should:
Authors: Jonathan Gordon, Partner; Hong-Viet Nguyen Partner; Geena Davies, Senior Associate and Mansi Gupta, Associate.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.
Sign-up to select your areas of interest
Sign-up