Mandatory industry codes on responsibility for scams

The Commonwealth Government has issued a discussion paper on the introduction of new mandatory industry codes to outline the responsibilities of the private sector in relation to scam activity, with a focus on banks, digital communications platforms and telecommunications providers.

There is currently no agreed formal definition of a scam in Australian legislation. Currently, regulators generally address scams as a category of fraud.

The proposed definition of a scam under the Framework would be :

“A scam is a dishonest invitation, request, notification or offer, designed to obtain personal information or a financial benefit by deceptive means.”

The proposed definition is not intended to capture unauthorised fraud, such as cybercrimes that may use hacking, data breaches, and identity theft, that do not involve the deception of a consumer into ‘authorising’ the fraud.

The definition is also not intended to include consumer disputes about misleading and deceptive practices relating to the sale of goods and services, other than where a seller profile or website is not legitimate.

The discussion paper lists the following possible bank-specific obligations:
• A bank must implement processes to enable confirmation of the identity of a payee to reduce payments to scam accounts.
• A bank must implement processes to verify a transaction is legitimate where a consumer undertakes activity that is identified as having a higher risk than their normal activity and is or is likely to be a scam.
– A bank must have processes in place to identify consumers at a higher risk of being targeted by scammers (vulnerable cohorts). Additional steps must be taken if the consumer is identified as having a higher propensity to be affected by a scam.
• A bank must implement and have in place processes and methods to detect higher risk transactions and take appropriate action to warn the consumer, block or suspend the transaction, or as well as take other measures to reduce scam activity and limit exit channels for the proceeds of scams, including blocking or disabling the scammer account (if in the same bank) or working with the recipient bank to do so.
Detection and disruption
• A bank must have in place methods or processes to identify and share information with other banks that an account or transaction is likely to be or is a scam.
• A bank must have in place processes to act quickly on information that identifies an account or transaction is likely to be or is a scam, including blocking or disabling the scammer account or the transaction (if in the same bank) or working with the recipient bank to do so.
Response (obligations to consumers)
• A bank must have user-friendly and accessible methods for consumers to immediately take action
where they suspect their accounts are compromised or they have been scammed (e.g. an in-app
‘freeze switch’).
• A bank must assist a consumer to trace and recover transferred funds to the extent that funds are recoverable, including a receiving bank to revert a transfer within 24 hours of receiving a recall request from a sending bank.
• A business must respond to an information request from ASIC within the timeframe specified.

Separately on 24 November 2023, the Australian Banking Association Ltd and the Customer Owned Banking Association launched an industry-led ‘Scam Safe Accord’ that outlines the anti-scam measures that will be implemented across the banking sector to disrupt, detect and respond to scams.

Measures include a new confirmation of payee system, warnings and delays to protect customers, expansion of intelligence sharing across the sector, and limiting payments to high-risk exit channels, among other initiatives.

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.

David Jacobson

Author: David Jacobson
Principal, Bright Corporate Law
About David Jacobson
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.

Print Friendly, PDF & Email

Your Compliance Support Plan

We understand you need a cost-effective way to keep up to date with regulatory changes. Talk to us about our fixed price plans.