ASIC has released a consultation paper (CP 341) seeking feedback on proposed updates to the ePayments Code. The updated Code will be released later in 2021.

ASIC’s proposed updates primarily relate to the following areas of the Code:

• compliance monitoring and data reporting;
• mistaken internet payments;
• small business protections;
• unauthorised transactions; and
• complaints handling.

The review also considers options for modernising the Code, to reflect changes in the field of electronic payments since the Code’s last review.

Clarifying and enhancing the mistaken internet payments framework
ASIC proposes to extend the mistaken internet payments framework in the Code to allow consumers to retrieve partial funds if the full amount of the payment is not available in the unintended recipient’s account.

The Code would include a non-exhaustive list of examples of what a receiving ADI can do to meet the requirement to make ‘reasonable endeavours’ to retrieve the consumer’s mistaken internet payment (while acknowledging that what amounts to ‘reasonable endeavours’ depends on the individual case).

There would be a number of additional responsibilities on ADIs to ensure that the process starts promptly and that consumers are made aware of their rights to lodge a complaint with the subscriber and then with the Australian Financial Complaints Authority (AFCA).

ASIC also proposes to:
•clarify the consequences for the sending ADI where the receiving ADI and/or unintended recipient do not cooperate in the process; and
•clarify the definition of ‘mistaken internet payment’, limiting it to situations in which the consumer has made a genuine mistake in typing the account identifier (and not extending it to scam scenarios); and
•enhance the content of the existing on-screen warning about mistaken internet payments so that it is clear to consumers that typing a correct account name will not remedy an incorrect BSB and/or account number.

Extending the Code to small business
ASIC proposes to extend the Code’s protections to small businesses, but to provide an opt-out arrangement whereby subscribers may elect not to extend the protections to their small business customers.

It proposes to:
(a) define ‘small business’ as a business employing fewer than 100 people or, if the business is part of a group of related bodies corporate (as defined in the Corporations Act), fewer than 100 employees across the group, and
(b) apply the definition as at the time the business acquires the facility in question (i.e. a point-in-time approach to defining small business).

Clarifying the unauthorised transactions provisions
ASIC proposes to clarify that:
•the unauthorised transactions provisions of the Code apply only where a third party has conducted a transaction without the consumer’s consent;
•a breach of the passcode security requirements by itself is not sufficient to find a consumer liable for a transaction (the consumer must have contributed to the loss); and
•the protections available under the Code are separate from the chargeback processes available through card schemes.

Modernising the Code
ASIC proposes to:
•define biometric authentication in the Code and incorporate it into specific provisions of the Code where it is relevant;
•revise the Code’s use of the term ‘device’ and instead use the term payment instrument’ to avoid confusion with consumer-owned smart devices;
•include virtual debit and credit cards in the definition of ‘payment instrument’;
•extend the Code’s protections to NPP payments; and
•include electronic receipts in the Code’s provisions relating to transaction receipts.

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.