In August 2024, ASIC published Report 790: Anti-scam practices of banks outside the four major banks (Report 790). In preparing Report 790, ASIC reviewed the scam prevention, detection and response activities of 15 banks outside the big four banks during the 2022-23 financial year.

All banks and financial services businesses, regardless of size and scale, should assess their anti-scam practices in light of ASIC’s findings in Report 761 and Report 790. Where banks and financial services businesses fall short of these baseline measures, it is expected that ASIC may take enforcement action to ensure compliance. 
Disrupting technology-enabled scams is a focus area for ASIC as outlined in its Corporate Plan 2024-2028. ASIC continues to engage in targeted communications campaigns (for example, warning consumers about fake ASIC branding on social media) and has published a new investor alert list for consumers to check whether an entity they are considering investing in could be a scam.  

Mandatory Scam Codes  

In November 2023, the Treasury launched a public consultation on the introduction of new mandatory industry codes to outline the responsibilities of the private sector in relation to scam activity, with a focus on banks, telecommunications providers and digital platforms.

In the consultation paper, the Treasury acknowledged that there is currently no overarching regulatory framework that sets clear roles and responsibilities for the government, regulators and the private sector in addressing scams. The Treasury state: 

“While regulators like the ACCC, the Office of the Australian Information Commissioner (OAIC) and ASIC can take some action to protect consumers from the impact of scams through their role as consumer protection, privacy and financial system regulators, there are no specific requirements on banks and digital platforms to address scams.” 

Underpinned by the whole-of-ecosystem approach, the proposed scams code framework (the Framework) would be incorporated into the Competition and Consumer Act 2010 (Cth) to set mandatory obligations for designated businesses, including banks. There is currently no agreed formal definition of a scam in Australian legislation. The scams code framework would define a scam as ‘a dishonest invitation, request, notification or offer, designed to obtain personal information or a financial benefit by deceptive means.’ 

All designated businesses would have a variety of requirements under the Framework including implementing an anti-scam strategy, obligations to verify and trace scams on receipt of scam intelligence, and a requirement to take all reasonable steps to prevent further loss to a customer and treat customers fairly and consistently when notified they have been affected by a scam. 

Codes and standards under the Framework that are specific to the banking sector would be incorporated into ASIC administered legislation. Possible bank-specific requirements are proposed to include: 

• Prevention: processes and methods to detect higher risk transactions and take appropriate action to warn the consumer, block or suspend the transaction as well as blocking or disabling the scammer account (or working with the recipient bank to do so).  
• Detection and disruption: processes or methods to identify and share information with other banks that an account or transaction is likely to be a scam. 
• Response: user friendly and accessible methods for consumers to take action where they suspect their accounts are compromised or have been scammed (e.g. an in-app ‘freeze switch’). 

In his recent remarks to the National Press Club, the minister described the Framework as the centrepiece of the government’s response to scams. According to the minister, existing law is not fit-for-purpose. While the ePayments code sets out the rules for redress for consumers for unauthorised payments, the nature of scams involves the consumer being duped into authorising the transaction. The government proposes to ensure that if a designated business breaches the Framework, that business must pay a financial penalty as well as pay compensation to the victim (including for inaction or negligence).

Submissions on the consultation closed on 29 January 2024. To date, no Bill containing the scams code framework has been put before Parliament. Given the minister’s recent remarks, any such Bill will likely include provisions on the paying of financial penalties for breach of the Framework as well as the circumstances where compensation is payable. 

National Anti-Scam Centre (NASC) 

In July 2023, the government established the NASC within the ACCC. 

The NASC has three domains of activity: 

Collaboration 

• The NASC facilitates collaboration between regulators, banks and telecommunications providers (among others) to combat scams. For example, the NASC identified and referred investment scam websites to ASIC, contributing to 5,000 website takedowns. 
• The NASC is also developing a near real time scam intelligence sharing service which will support the mandatory and enforceable obligations in the Framework. 

Disruption

• One of the NASC’s key objectives is the disruption of scams. Disruption can involve preventing contact, stopping contact where it has already occurred, or preventing payment. 
• In May 2024, the NASC published the final report of its first fusion cell. A fusion cell is a team of multidisciplinary specialists from different agencies and organisations who collaborate to disrupt a particular type of scam. The first fusion cell targeted investment scams and resulted in the takedown of over 220 investment scam websites and the diversion of 113 attempted calls from scammers to a recorded warning. The fusion cell also removed more than 1,000 instances of scam advertisements, advertorials and videos from digital platforms. 
• The NASC’s second fusion cell will target jobs and employment scams. 

Awareness and protection 

• The NASC coordinates scam awareness campaigns (such as this week’s scam awareness week) to ensure consistent messaging. 
• The NASC also undertakes outreach to at-risk communities including First Nations communities, older Australians, youth, people from culturally and linguistically diverse backgrounds, people with disability and small business. 
•  The NASC has also taken over publishing the Targeting Scams report from the ACCC, incorporating further data sources (including from ReportCyber and the AFCX) and has commenced quarterly reporting of scam losses. 

Law enforcement action  

There has been a relatively small number of law enforcement actions in Australia as frequently scammers are based overseas. One recent action was in August 2022, where the Australian Federal Police arrested two men in connection with an alleged role in stealing banking and identification details of thousands of Australians. 

The NASC has placed a secondee at the Joint Policing Cybercrime Coordination Centre and engages internationally on law enforcement, including participating in the Global Fraud Summit in London in March 2024. 

Scam Safe Accord  

In November 2023, the Australian Banking Association (ABA) and Customer Owned Banking Association (COBA) announced a comprehensive set of anti-scam measures to be implemented across the banking industry known as the Scam-Safe Accord.

At the core of the Scam Safe Accord is a $100 million investment by the industry in a new confirmation of payee system to be rolled out across all Australian banks in early 2025. Confirmation of payee operates as a traffic light system as it cross checks the account details, branch number and name entered before a payment is made. Confirmation of payee will help reduce scams by ensuring people can confirm they are transferring money to the person they intend to. Australia will be the fourth global market with such a system, following the UK, the Netherlands and New Zealand. 

In addition, major banks committed to include at least one biometric check (fingerprint, facial recognition or unique behaviour) for new customers opening accounts online by the end of 2024. All banks will increase warnings, payment delays and security questions by the end of 2024. ABA and COBA members have also committed to joining the AFXC and its automated Fraud Reporting Exchange to share intelligence at speed by July 2024. 

Lastly, members have committed to place limits on payments to high-risk channels (including some cryptocurrency platforms). This requirement is at each bank’s discretion and does not have an anticipated implementation date. 

A comparative approach: the UK reimbursement model

From 7 October 2024, the UK will have in place a mandatory reimbursement scheme for authorised push payment fraud (scams) for payments on the Faster Payments System (being a real-time payment system, roughly equivalent to Australia’s New Payments Platform). 

Payment Service Providers (PSPs, including banks) will be required to reimburse victims of scams, subject to certain requirements, up to a maximum level of £415,000 per claim for payments on the UK’s faster payments system.

As specified in the UK Payment System Regulator’s Policy Statement, the paying PSP will be required to reimburse customers within five business days, but the cost of reimbursement is to be shared 50/50 between paying and receiving PSPs. 

Only when the customer has acted fraudulently themselves or with gross negligence are the PSPs exempted from reimbursement. The Payment System Regulator interprets the term ‘gross negligence’ to be a higher standard than the standard of negligence under common law. The consumer needs to have shown a significant degree of carelessness in order for a PSP to rely on an exclusion from mandatory reimbursement. 

The introduction of this mandatory reimbursement scheme follows four years of voluntary reimbursement by 10 UK banks under the Contingent Reimbursement Code. In its most recent fraud report, UK Finance reported $459.7 million in losses suffered by UK APP fraud victims in 2022. Of this amount, 62% was returned to victims by their bank (either voluntarily, pursuant to a decision of the Financial Ombudsman Service or pursuant to a court decision). 

When the mandatory reimbursement scheme comes into force, the amount returned to victims will increase further. The concern about this reimbursement scheme is whether the amount of scam losses will also increase as scammers (and UK consumers, given the challenges of proving the gross negligence standard) consider losses to be ‘underwritten’ by banks. 

The CEO of the ABA, Anna Bligh, recently commented that fundamental flaw of the UK model is that it does not address the core issue – stopping people being scammed in the first place. She noted that TSB, the bank with the highest reimbursement rate in the UK, now receives the highest value of scams of all British banks. 

What comes next

Downward trend 

In 2022, scam losses in Australia peaked at $3.1 billion. In the following year, scam losses decreased to $2.74 billion. While this figure remains unacceptably too high, the downward trend is the first modest dividend of Australian’s whole-of-ecosystem approach in which the private sector, law enforcement, regulators and community cooperated to combat scams. The NASC is cautiously optimistic that these combined efforts will see the downward trend in scam losses continue. 

Social media 

Going forward, more pressure on social media companies to combat scams is expected. Scam losses originating on social media were up 17% in 2023. In his address to the National Press Club, the minister remarked “social media companies are dragging their heels”. 

In September 2023, CHOICE published the results of an investigation that found numerous scam ads were impersonating some of Australia’s most popular retailers. These fake ads were posted on Google as well as Meta’s Facebook and Instagram. According to CHOICE senior campaigns and policy adviser Alex Soderlund, “big tech companies have a perverse incentive not to act on scams because they generate advertising revenue, so it's clear that only strong mandatory rules to prevent scams developed and enforced by a regulator will result in any meaningful change for consumers”. 

According to the minister, digital platforms have a moral obligation to join the fight as part of their social licence and have more than adequate resources to invest more in a significant uplift in consumer protection. The second phase of the government’s response may include mandating that social media platforms verify advertisers and take down scam pages. Meta has responded to the minister’s remarks, noting that it had “signed up to the Australian Online Scams Code along several other digital platforms, introduced SMS verification for new advertisers and removed 63,000 accounts in Nigeria attempting to target people with financial sextortion scams”. 

Reimbursement or compensation 

Consumer Group CHOICE is also calling on the Australian Government to introduce a mandatory reimbursement scheme in Australia. 

Whether Australia will adopt a mandatory reimbursement scheme on a similar basis to that of the UK’s scheme via the Framework is yet to be determined. The minister’s latest remarks at the national press club on 31 July 2024 referred not to reimbursement but to compensation in the right circumstances. 

Should Australia’s whole-of-ecosystem approach fail to make further progress against the scourge of scams, the government may impose stricter requirements on liability, including the potential for mandatory reimbursement. Policy-makers would look to the experience of the UK mandatory reimbursement scheme, including any unintended consequences, in designing any such scheme in Australia. 

While the scourge of scams remains endemic, this Scam Awareness Week there are at least some first signs that Australia’s whole-of-ecosystem approach is beginning to work. More work is required, including from government in bringing forward a Bill to establish the Framework, before Australians are able to tell more positive stories of stopping scammers in their tracks.