British banks will soon be required to reimburse customers who fall victim to authorised push payment fraud – where a scammer convinces you to authorise a payment, generally by masquerading as a legitimate business or person.
The new rules from the UK’s Payment Systems Regulator are intended to incentivise all businesses involved in payments to take more action against scam activity, with reimbursement costs split 50:50 between the bank that sends and the bank that receives the payment.
There is a strong case that banks and other payment providers in Australia (and New Zealand) should be made to do the same. Scam-related losses are soaring, and banks are falling short of detecting, stopping and recovering losses.
In 2022 Australians lost at least $3.1 billion to scams – an 80% increase on 2021. The Australian Competition and Consumer Commission says the actual losses were far higher, because about 30% of victims don’t report their loss to anyone.
While the biggest losses came from investment scams (totalling $1.5 billion), payment redirection scams – where a scammer impersonates a business or individual asking for payment – amounted to A$224 million.
Among the most vulnerable groups are older people (25% of losses were reported by those aged 65+), people with a disability (6% of reported losses), and people from culturally and linguistically diverse communities (almost 10% of reported losses).
What are Australian banks doing?
No regulations oblige Australian banks to reimburse scam victims, though some banks
have self-governed reimbursement policies.
While banks have dedicated fraud teams to prevent scams and support victims, the most recent review of the four major banks’ processes by the Australian Investments and Securities Commission, published in April, says they detected and stopped just 13% of scam payments.
Reimbursement policies and practices varied from bank to bank but the overall rate was low – ranging from 2% to 5%.
The review described the banks’ approaches to liability, reimbursement and compensation as “inconsistent and generally very narrow”.
Why the UK has made banks responsible
The greater obligations being imposed on British banks follows attempts by the UK’s Payment Systems Regulator to improve consumer protections through a voluntary code of conduct.
Introduced in May 2019, this voluntary code was intended, under certain conditions, to ensure the reimbursement of victims of “authorised push payment” scams. These conditions included the customer taking reasonable care and notifying any scam incident to the bank.
It had modest success, with 46% of reported scam losses being reimbursed between 2020 and 2022.
But the Payment Systems Regulator wants 95%. So it has pressed for a mandatory reimbursement scheme. Under the new provisions money must be reimbursed within 48 hours of a fraud being reported.
The idea is to get banks to put more effort into detecting and preventing scams.
Overall, the UK has accepted the need for a more regimented regulatory approach over a market-based one.
A more pragmatic approach needed
While the Australian Investments and Securities Commission’s own reports have revealed the sorry state of scam prevention, management, and reimbursement practices at major banks, the regulatory body is still not walking in the footsteps of the UK. It is instead advising banks to improve their governance and scam management practices.
The Australian Banking Association, which represents the banking sector, has strongly argued against regulation supporting mandatory reimbursement. It has even suggested this could increase scamming losses because of the risk customers will take less care if they know any losses will be covered by their bank. It has called for greater personal responsibility in preventing scam losses.
But such an argument ignores the effects of the digitisation push by financial service providers, which has made scamming so much easier. Scammers are also becoming more sophisticated.
The statistics speak for themselves. Scamming losses are increasing. Recovery rates are meagre. A more pragmatic approach based on this reality and banks’ fiduciary responsibilities is needed.