Growing debate about who pays for scam losses

John Kavanagh

Scam complaints are a growing area of activity for the Australian Financial Complaints Authority, occasionally putting the ombudsman at loggerheads with financial institutions as they work through interpretations of relevant regulation and industry codes.
 
In one recent case, the complainant entered a one-time password into a website believing she was paying an outstanding toll invoice. The one-time password was used to register her card on a scammer’s mobile phone, after which there was a series of unauthorised transactions made without an identifier.
 
AFCA’s reading of the ePayments Code was that the complainant was not liable and was eligible for compensation.
 
AFCA senior ombudsman Neva Skilton said the complainant’s financial institution disagreed with the ombudsman’s interpretation of the code, and there had been some correspondence between the parties.
 
Speaking at an AFCA member forum yesterday, Skilton said AFCA was aware of the need to give members a clear understanding of its approach to dealing with scam complaints but was holding off until the National Anti-Scam Centre, set up in July, completes work on an industry standard.
 
AFCA received 6,048 complaints about the handling of scams in the 2022/23 financial year. Since then, complaints have increased to nearly 1,000 a month. Scam types include investment scams, impersonation scams and email compromise scams.
 
In another case, the complainant lost A$185,000. AFCA considered that the daily transaction limit, which was the available balance of the account, was not reasonable under the ePayments Code. The bank was required to reimburse $141,000.
 
And in a third case, the scammer “spoofed” the bank’s number and asked the complainant to disclose a one-time password. The ombudsman found that the disclosure of the password was not voluntary and did not breach passcode security requirements.
 
Apart from questions of interpretation, another issue for AFCA is limits on its jurisdiction in this area. Skilton said AFCA does not have jurisdiction to look at the actions of the receiving bank.
 
“This includes where the receiving bank processes may have facilitated the opening of a mule account,” she said.
 
AFCA cannot consider claims where an account is opened using stolen identification documents. This is because the person impacted did not receive a financial service or does not have a customer relationship with the bank.
 
Skilton said AFCA was calling on financial institutions to do more to disrupt and prevent scams. It would like to see banks adopt confirmation of payee.
 
Under confirmation of payee, when a consumer or business sets up a new payee or amends an existing payee’s details, they receive a message from their bank confirming that the details entered match the account of the person or organisation they are paying.
 
It would also like to see financial institutions deliver one-time passwords more securely, give customer more authority to freeze or pause accounts and set low default limits for different payment types. And it would like to see restrictions on payments to crypto platforms.