Opinion piece by Gerard Brody, CEO Consumer Action
As more and more people contact Consumer Action Law Centre regarding scam losses, and increasingly large losses, I’ve been thinking about the adequacy of consumer protection in relation to scams. Unfortunately, I think it’s wanting.
The focus of effort from regulators and industry in relation to scam losses is to issue warnings. The campaign from the Australian Banking Association this week is the latest effort. While the intention is admirable, I highly doubt that it will reduce scam losses. The evidence shows that scam losses are increasing, and increasing substantially. The ACCC reports that scam losses reported to regulators and leading financial institutions reached $851m last year, noting that these losses ‘are a fraction of the total losses suffered by Australians’. I understand that losses have increased substantially again this year.
A reason that consumer education isn’t likely to succeed is that scammers are sophisticated and exploit consumer trust. In romance or investment scams, for example, the scammer often grooms the consumer over a long period of time. In investment scams, sometimes there are some initial small returns before the scammer takes all your savings. A relationship of trust develops, and the scammer exploits that trust. In these circumstances, the consumer is acting under the undue influence of the scammer. At law, we know that undue influence deprives people of their free will, and people cannot protect themselves. Other scams, like invoice-hacking or remote access scams, are opportunistic with scammers taking advantage of weaknesses in processes or perhaps a moment of panic. Again, it is very hard for people to protect themselves—behavioural research tells us that our decision-making capacity contracts in times of stress or panic.
So, what can be done? I think we need to look at the role of banks and financial firms for some answers. This is because fraudsters behind scams hold or control bank accounts. Given this, banks are better placed than individuals to identify scams and take steps to protect against losses.
For some sorts of scams and frauds, the banks are already liable. Where a scammer directly accesses a bank customer’s account or card to initiate transactions—think counterfeit/skimming fraud, fraud on lost and stolen cards, and ‘card not present’ fraud—consumers do not bear the losses. Given banks bear liability, they have an incentive to take steps to reduce losses. AusPayNet, a banking industry body, says that bank fraud reduction initiatives have been successful in these areas, with card fraud rates dropping from 73 cents per $1,000 spent in 2018 to 58 cents per $1,000 spent in 2021.
However, for scams where a customer authorises a payment to another bank account that turns out to be fraudulent, the consumer is very unlikely to obtain reimbursement. This is the case even if the consumer has taken steps to protect themselves. While banks do take various steps to try to recover funds when consumers report such scam losses, systematic bank fraud prevention efforts appear to be focused on guarding against unauthorised access to accounts, where banks do face liability.
If this changed—if banks had greater liability for scam losses—would things change? I think they would, as banks would have a strong incentive to detect and prevent such losses. And given their systems and technology, banks are in a much better position to do this compared to individuals.
There are a couple of practical suggestions that might help. First, banks should ensure ‘confirmation of payee’ for any online payment. When you make a ‘pay anyone’ transaction through internet banking (known as ‘direct entry’ using the BECS system), the bank does not match account numbers with the account name. Given we are asked to enter the account name by internet banking platforms, most consumers would expect that the account numbers are matched with the account name. While banks generally do warn consumers about the risks, the research shows that consumer warnings often do not work.
The banking industry has developed new payment methods, such as PayID, which might help. This system provides for matching the transaction to the account name or owner. However, this system currently relies on individuals to create a PayID for their account and know how to use it, rather than the banks taking responsibility for this to happen. If banks wore greater liability for losses, I’m sure we’d see the faster and more effective rollout of measures like PayID.
Second, we should consider enacting rules such as those in the UK’s Contingent Reimbursement Model Code. Signatories to this code have committed to protect their customers with procedures to detect, prevent and respond to ‘authorised push payment’ fraud (where someone tricks you into sending them money from their account). The Code provides that blameless people should be reimbursed for any losses through bank transfer fraud, provided the victim did not engage in ‘gross negligence’. A recent review of the CRM Code found that average reimbursement rates have risen from around 20% to 45% and banks have invested more heavily in systems to help people spot when they may be making a payment to the wrong account. In a joint submission from consumer groups to the Review of the Banking Code of Practice, consumer groups have called called on there to be included a code commitment for banks to take reasonable steps to flag and stop a scam transaction. Banks should also commit to reimbursing blameless victims.
Absent such a reform, consumers have little means of raising a complaint and pursuing redress against a bank that has been recalcitrant in preventing scams, or that has failed to take reasonable steps to recover scam losses.
While advertising campaigns to warn us about the risk of scams might seem like ‘doing something’, I think we should be focusing our efforts on doing something that is more likely to work.