A reduction in friction associated with payments facilitated by financial institutions has undoubtedly created a fertile environment for scams to flourish. Reports of consumer loss resulting from these scams regularly feature in the news media. Against this background, a legislative response to the issue was inevitable. The process of framing that response has now begun with proposed amendments to the Competition and Consumer Act 2010 (Cth). What will these proposed laws, if enacted, mean for the banks [1] they regulate?
Approach to liability has not changed
Importantly, the proposed legislation does not purport to alter the legal position with respect to the scope of banks’ duties in connection with transactions they facilitate which, insofar as it concerns authorised push payment (APP) fraud, was recently discussed in the Australian Banking & Finance Law Bulletin.[2] Nor does it propose an automatic reimbursement scheme of a nature recently implemented in the United Kingdom.
As a result, banks and their customers’ liability for scam losses will, in most cases, continue to be determined in accordance with the approaches adopted by the Australian Financial Complaints Authority (AFCA). It is worth noting in passing that a recent AFCA determination with respect to the interpretation of cl. 12.2(a) of the ePayments Code[3] may significantly impact future allocation of liability where a customer has disclosed one-time passcodes to a scammer.
The scams prevention framework
Six “SPF principles” (discussed in further detail below) form the pillars of the scams prevention framework. While some of the substance of the SPF principles is articulated in the draft legislation, more detail is contemplated via (yet to be drafted) industry codes. All of the SPF principles are subject to civil penalties for non-compliance.
What is a “scam”?
The scope of the SPF principles is framed by reference to the definition of “scam”. The definition adopted is broad, reflecting the breadth of activities commonly understood to represent scam activity. At its core is a “deception” which, if successful, causes loss or harm to the consumer, or from which the perpetrator derives a benefit.
The elements of a deception proposed[4] include, relevantly, “an attempt to deceive the SPF consumer (an Australian individual or small business) into facilitating an action using the regulated service”. This definition is particularly broad when considered in the context of banking as the “regulated service”.
A deception causing loss via the use of a bank account is apt to describe categories of conduct which, while misleading, deceptive or even fraudulent, do not fall within commonly understood notions of scam conduct. An obvious example is misleading and deceptive conduct under the Australian Consumer Law, a fact acknowledged in the Exposure Draft Explanatory Materials (the EDEM).[5] Other kinds of conduct that might unintentionally fall within the definition of scam are legion, particularly given the EDEM make clear that the use of “deceive” in the definition of “scam” does not introduce a fault element, or require the scammer’s state of mind to be established.
The exposure draft foreshadows an intention to exclude particular conduct from the definition of scam via subordinate legislation. These exclusions will need to be comprehensive to ensure that the definition of “scam” is appropriately calibrated.
“Actionable scam intelligence”
As is apparent in the discussion of the SPF principles below, several of the obligations in the draft legislation relate to banks having “actionable scam intelligence”. The legislation defines this as the existence of “reasonable grounds to suspect that a communication, transaction or other activity on, or relating to” a banking service is a scam.[6] As discussed further below, adherence to the SPF principles that rely on this definition may be challenging in practice.
The SPF principles
SPF principle 1 – Governance
The governance principle requires policies and procedures to be developed and implemented, and the efficacy of those policies measured via metrics and targets. The adequacy of these policies is to be certified annually by a senior officer or manager.
This SPF principle also requires banks to publish information with respect to their scam prevention activities and policies, keep records of them and produce them to the regulator on demand. Many banks will already be substantially complying with SPF principle 1.
SPF principle 2 – Prevent
Under this principle, banks are required to “take reasonable steps” to prevent scams in relation to the services they provide. These steps concern scam activity generally, rather than a particular event. The EDEM suggest that such steps may include additional identity verification measures for new accounts, warnings to customers, actively seeking out information on relevant scam activity and staff training.[7] The draft legislation specifically mandates:
1. Making relevant resources and information available to consumers to assist them to avoid scams (s. 58BK(1)); and
2. Identifying higher risk consumers, and specifically warning each of those consumers (s. 58BK(2)).
The Exposure Draft foreshadows the possibility of further guidance as to the above matters via industry codes. Guidance as to how to identify high risk consumers is likely to be especially welcome given that, as the facts in Philipp v Barclays Bank UK plc [2023] UKSC 25 demonstrate, victims of fraud can be found in all age and socio-economic brackets.
SPF principle 3 – Detect
This SPF principle is also subject to a reasonable steps obligation. These steps may include the detection of scam activity as and after it happens through consumer reports, scam intelligence received from the regulator or via the bank’s own fraud detection systems.
Where the bank is in possession of actionable scam intelligence, it must “take reasonable steps within a reasonable time” to identify a consumer who “is or could be impacted”.[8]
SPF principle 4 – Report
This proposed provision obliges banks to report actionable scam intelligence to the regulator within the time specified by any industry code, or as soon as reasonably practicable if no time is specified. Much of the detail of the information these reports are to contain has been deferred to notifiable instruments issued by the regulator. However, s. 58BS(3) contemplates that the information will include personal information of individuals suspected of being involved in scam activities and their victims.
An important aspect of the reporting obligation is the subordination (by s. 58BT) of contractual duties of confidence owed by the bank. This makes clear that the bank’s implied contractual duty of confidentiality, as recognised in Tournier v National Provincial and Union Bank of England[9], will not be a basis upon which relevant information may be withheld. This is an important reform. It overcomes an obstacle which may previously have prevented a bank from disclosing information concerning an account into which funds have been fraudulently transferred. Identifying the individuals behind “mule” accounts in a timely way has the potential to significantly disrupt scam activity.
SPF principle 5 – Disrupt
The duty to disrupt requires the bank to take reasonable steps within a reasonable time to:
1. disrupt a scam relating to actionable scam intelligence or prevent loss (s. 58BW);
2. disclose the actionable scam intelligence to:
(a) its customers to enable them to act in relation to it (s. 58BX(1)); and
(b) the regulator within 24 hours of acquiring it (s. 58BX(2)).
In practice, the point at which the bank acquires actionable scam intelligence may be difficult to discern, particularly with respect to the investment and romance scams which comprise the vast majority ($112,427,338 and $15,047,943 respectively of the $186,310,467 lost to scams so far this year)[10] of losses to scam activity.
It is not uncommon for a bank to, through its surveillance activities, become aware of large or unusual transactions and seek to verify these with its customer. On many occasions those customers, themselves having been convinced of the bona fides of an investment or romantic liaison, or coached by the scammer, will assure the bank of the legitimacy of the transactions. In some cases, the transactions will be legitimate. In such circumstances, when do the reasonable grounds to suspect scam activity arise? Does the bank need to report to the regulator on every occasion its fraud system is triggered, even where its customer gives assurances of the legitimacy of the transaction?
Section 58BZ of the ED is a safe harbour provision that protects banks from civil liability with respect to proportionate, good faith actions taken in compliance with the legislation during the period beginning when actionable scam intelligence is acquired and ending when the entity identifies that the activity is not a scam. This is an important measure which recognises the bank’s primary duty to follow its customer’s mandate and the exposure to liability that subsists where there is a delay in following its customer’s instructions to make a payment.
SPF principle 6 – Respond
This principle obliges banks to have an accessible internal dispute resolution mechanism for their customers to report scams or complain about the bank’s conduct relating to scams. Many banks will already have these measures in place.
Conclusion
The obligations contemplated by the draft anti-scam legislation will focus banks’ attention on the tools they have available to combat scam activity. There are some indications that payee account matching measures put in place by some banks have reduced the incidence of “false billing” scams[11], and these may be expected to reduce further as more banks adopt these measures. The introduction of safe harbour provisions and (in particular) the circumvention of the duty of confidentiality remove legal obstacles that have hitherto diminished banks’ effectiveness in dealing with scams.
It may be, however, overly optimistic to expect these measures to significantly reduce ongoing losses to the APP scams which make up the majority of scam losses and which, according to data compiled by AFCA for the 2022-23 period, are growing.[12] The obligations proposed with respect to telcos may prove to be more impactful, given the significant number of scams perpetrated using a telephone.
[1] The proposed amendments also regulate telcos and insurance companies. The focus of this article is, however, banks only.
[2] L Aitkin “Quincecare revisited in the UK Supreme Court – the customer, the bank and the fraudster” (2023) 39(7) BFB 107
[3] AFCA determination case number 12-00-1016692 (https://my.afca.org.au/searchpublisheddecisions/kb-article/?id=f9f8941f-7379-ef11-ac20-000d3a6acbb4)
[4] s. 58AG of the Exposure Draft (ED) (p. 11) (https://treasury.gov.au/sites/default/files/2024-09/c2024-573813-ed.pdf) and paragraphs 1.73 and 1.74 of the Exposure Draft Explanatory Materials (EDEM) (p. 16) (https://treasury.gov.au/sites/default/files/2024-09/c2024-573813-em.pdf)
[5] Paragraphs 1.78 and 1.80 of the EDEM (pp. 17 and 19)
[6] s. 58AI of the ED (p. 13)
[7] Note 5, paragraph 1.131 (p. 29)
[8] Note 6, s. 58BO (p. 21)
[9] [1924] 1 KB 461
[10] https://www.scamwatch.gov.au/research-and-resources/scam-statistics
[11] Ibid. The data published indicates that the quantum of losses suffered from this type of scam has significantly decreased in 2024 in comparison to prior years.
[12] Annual Review of the Australian Financial Complaints Authority 2022-23 (p. 60) (https://www.afca.org.au/annualreview).