ASIC has published Report 718: Response to submissions on CP 341 Review of the ePayments Code: Further consultation (REP 718), on updates to the ePayments Code (the Code). The Code regulates electronic payments including automatic teller machine (ATM) transactions, online payments, EFTPOS transactions, credit/debit card transactions and internet and mobile banking.

ASIC’s review is intended to provide clarity (and remove ambiguity) in specific areas, as well as enhancements to some of the existing consumer protections, taking into account significant developments in financial technological innovation and the need to ensure the Code is simple to apply and easy to understand.

ASIC has confirmed that:

• ASIC does not propose to expand the protections of the Code beyond individual consumers to small business in this review.
• ASIC will extend the Code to transactions made using the New Payments Platform (NPP). The Code will expressly refer to the Bulk Electronic Clearing System (BECS) and the NPP and will not be platform neutral in its scope.
• the distinction between the Code’s unauthorised transactions provisions and the card scheme chargeback frameworks will be maintained. Consumers will continue to have protections under the Code’s unauthorised transactions provisions even if they have missed the deadline under the chargebacks framework.
• ASIC will clarify the Code’s definition of ‘mistaken internet payment’ so it only covers actual mistakes in inputting the account identifier and does not extend to payments made to a scammer.

Timetable

ASIC says it intends to publish an updated ePayments Code in April 2022. A transition period of 12 months will apply.

Subscription to the Code is currently voluntary, but the Government has accepted several recommendations to mandate the Code.

Other areas

ASIC’s report also contains its final response to feedback in the following areas:

• ASIC will remove the requirement in clause 44.1 of the Code that subscribers must report annually to ASIC on unauthorised transactions;
• ASIC will amend the Code so that the mistaken internet payments process applies not only where there are sufficient funds available in the unintended recipient’s account to cover the mistaken internet payment (i.e. the current position in the Code) but also where only a portion of the funds is available in the unintended recipient’s account. If there are insufficient funds in the unintended recipient’s account, the Code will give the receiving ADI discretion to decide which option (i.e. complete funds, partial funds or no funds) is appropriate to pursue in the circumstances (i.e. the
  Code will not mandate one particular approach over another).
• The Code will require that the sending ADI must investigate an mistaken internet payment report and (if satisfied that there was a mistake) send a request to the receiving ADI for a return of the funds ‘as soon as reasonably possible and, by no later than five business days’ and will includeng a note to the effect that ASIC’s expectation is that industry best practice on what amounts to ‘as soon as reasonably possible’ is for the sending ADI to commence the process within two business days—however, this will ultimately depend on the facts of the individual case.
• the Code will require both the sending and receiving ADIs to keep reasonable records of the steps they took and what they considered in their investigations.
• ASIC intends to clarify that an unauthorised transaction occurs only where a third party has made the transaction without the consumer’s consent. The provisions are, from the time of issue of the
  updated Code in 2022, not intended to cover scenarios in which a consumer themselves has made the transaction in question. ASIC notes that some types of remote access scams (where the scammer, and not the consumer, has made the transaction) will continue to meet the definition of ‘unauthorised transaction’. However, given this is only an interim Code position, it has chosen to prioritise clarity and transparency in the Code’s provisions. ASIC does not intend to categorise matters into either ‘scam’ or ‘non-scam’ groups as the means for determining which ones are covered by the Code.
• ASIC will clarify the existing position that the pass code security requirements mean that consumers are unable to disclose their pass codes to anyone and, if they do and the subscriber can prove on the balance of probability that the disclosure contributed to an unauthorised transaction, the consumer will not be indemnified by the subscriber for that loss. A breach of the pass code security requirements by itself is not sufficient to find a consumer liable for an unauthorised transaction—the subscriber must prove, on the balance of probability, that the consumer’s breach of the pass code security requirements contributed to the loss. Consumers will not be prevented from using screen scraping services.

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.