New ePayments Code weakens scam protection

John Kavanagh

A change to a key definition in the revised ePayments Code, which took effect on June 2, threatens to further weaken already inadequate scam detection and prevention offered by financial institutions.
 
The new code clarifies the definition of “mistaken internet payment”, so it only covers actual mistakes in inputting the account identifier and does not extend to payment made to a scammer.
 
During the consultation process for the new code, consumer groups objected to this change, arguing that consumer protections under the code would be void in relation to scams.
 
They argued that if there are discrepancies between the customer’s instructions when processing payments and the identity of the recipient of the funds, authorised deposit-taking institutions (ADIs) should have a positive obligation to act with due care and skill and to make further inquiries.
 
According to this view, when a consumer is tricked by a scammer into inputting an incorrect identifier into a payment instruction, that is essentially a mistaken internet payment.
 
ASIC said the code was never designed to protect consumers from scammers. “The mistaken internet payments framework has not been designed to allocate liability between the consumer and subscriber for lost funds. Rather it is a process for the sending or receiving ADIs to assist the consumer, who has made the mistaken payment, in retrieving their funds from the unintended recipient.”
 
This change adds greater urgency to ASIC’s recent call for financial institutions to improve their approach to handling scams.
 
In a report last month, the regulator criticised the major banks for their scam detection and prevention, saying they detected and stopped a low proportion of scam payments made by their customers, in the order of 13 per cent.
 
The ePayments Code is a voluntary code of practice that regulates electronic payments, including ATM transactions, online payments, BPAY, point of sale transactions, credit and debit card transactions and mobile banking.
 
The new code extends coverage to payments made using the New Payments Platform.
 
The key protection in the code is that consumers will not be liable for any unauthorised transactions on their accounts if they have taken reasonable precautions to protect their accounts.
 
Other protections include a requirement to disclose product terms and conditions and fees, a requirement to assist consumers to seek a return of funds mistakenly transferred to the wrong recipient and a requirement to handle complaints.
 
The updated code removes the requirement for annual reporting by code subscribers, replacing it with a power for ASIC to conduct ad hoc monitoring.
 
ASIC said it did not consider that the value produced from the requirement for annual collection of unauthorised transaction data outweighed the burden on subscribers, particularly smaller entities.
 
ASIC had intended to extend the code’s protections beyond individuals to small business. But the regulator bowed to industry arguments that it would be a complex and costly change and that payment issues experienced by small business are of a different order.
 
The new code also includes changes to compliance monitoring and data collection, and complaints handling procedures.