OPINION: Optus data breach underscores urgent need for reforms to protect Australians from scams
Opinion piece by Gerard Brody, CEO, Consumer Action
The massive data breach affecting up to 9.8 million Optus customers has shone a spotlight on what can be done to protect Australians from harm and losses associated with scams and online fraud. The Australian Competition & Consumer Commission reported that a minimum of $2 billion was lost to scams in 2021, and with a data breach the size of the one impacting Optus customers the losses will only increase.
Minister for Home Affairs Clare O’Neil has suggested reforms to force affected businesses like Optus to alert banks quickly about breaches of customer data, to limit the likelihood of money being fraudulently taken from customers’ accounts. The goal is to have banks take steps so that those vulnerable to scams are better protected, but without parallel reform to protect customer safety when using Australia’s payments systems, it’s unlikely people will be refunded if they lose money because of scams.
Unfortunately, Australia has fallen behind world standards when it comes to consumer protection for scam victims. In contrast, United Kingdom banks have taken steps to reimburse blameless scam victims. In 2018, a voluntary industry code was developed which included a fundamental principle that when a customer has been the victim of a relevant scam, the bank should reimburse the customer. There are some exceptions—for example, where the customer has ignored effective warnings (they were grossly negligent). Reimbursement is required regardless of exceptions where the victim is assessed as being vulnerable to scams.
A review of this code in 2021 found that average reimbursement rates have risen from around 20% to 45%. More importantly, this change has resulted in banks investing more heavily in warnings on their apps and online banking systems. Some institutions have introduced systems such as Confirmation of Payee to help people spot when they may be making a payment to the wrong account. These prevention measures are the goal of reform in this area—with greater liability for scam losses, banks and payment system providers face powerful incentives to invest more in fraud prevention and protect customers from losses.
Being voluntary, the UK code faces weaknesses of not always being adopted and being applied inconsistently. As such, the UK Parliament is currently debating reforms to mandate the rules in the industry code to “ultimately improve reimbursement outcomes for victims of scams”.
Similar proposals are being considered by the United States consumer finance regulator, the Consumer Financial Protection Bureau. This follows advocacy from a group of Senators, who have pointed to payment services avoiding providing reimbursement where their customers are defrauded or scammed. The problem in the US is similar to that in Australia—the existing rules do not provide sufficient protection where someone is tricked into transferring funds to a scammer.
The personal information obtained by fraudsters through the Optus data breach can serve to facilitate scam activity. This includes where a customer is manipulated, through social engineering, into making a payment into an account that the fraudster controls. The ability of fraudsters to manipulate is heightened exponentially when they have access to our personal information, as they can use that information to build trust. This sort of fraud comes in a variety of forms—romance scams, investment scams, invoice scams and imposter scams. It is becoming easier rather than harder to fall victim—spoofing bank phone numbers, together with access to personal information, can be a powerful tool for exploitation.
In these circumstances, banks do not consider that customers deserve a reimbursement. This is despite waves of complaints to the Australian Financial Complaints Authority (AFCA), the ombudsman for banks. In 2021-22, complaints about unauthorised transactions (including scams) were up 45% at AFCA. Complainants assume that banks should be on the lookout for scam and fraudulent transactions and take steps to prevent transactions being authorised unless they are genuine. However, as analysis from Consumer Action Law Centre has shown, customers are not receiving awards in their favour.
The proposal to share details of at-risk customers with banks is designed to enable them to apply greater scrutiny to the bank accounts of potential scam victims—those who have had their personal data stolen through a data breach. If we want banks to be incentivised to actually protect customers through system and technology changes, though, we need much clearer rules requiring our banks to proactively detect scams and prevent scam losses, and to reimburse blameless victims. Without the kinds of reforms being applied internationally, Australia will become a magnet not only for data breaches but also for fraudulent and scam activity.
ENDS
Media contact: Mark Pearce, Media and Communications Adviser, 0413 299 567, media@consumeraction.org.au