Combatting payment account fraud: latest regulatory developments in Australia

The Framework stems from the Government’s concern over the current siloed approach of businesses or sectors to combat scams. It seeks to take a holistic approach to combat scam activity in the private sector by placing obligations on banks, telecommunications providers and digital platforms to monitor and prevent fraud.

Latest developments

• The consultation is being co-led by the Treasury and the Department of Infrastructure, Transport, Regional Development, Communications and the Arts (DITRDCA).
• The consultation period closed on 29 January 2024, and industry is waiting for the Government’s response. 

Scope of regime 

In-scope Persons 

All businesses that operate in the following sectors will be considered in-scope persons and required to comply with the proposed Framework if passed by the Government.  

• Digital Communications Platforms: all digital platforms that provide communications or media-type services which can be exploited by scammers, including content aggregation services, connective media services and media sharing services. Digital currency exchanges (such as cryptocurrency exchanges) and other transaction-based digital platforms will not be captured.
• Banks: any authorised Deposit-Taking Institution under Section 9 of the Banking Act 1959, including small and large banks, building societies and credit unions.
• Telecommunications Providers: any Carriers and Carriage Service Providers as defined in the Telecommunications Act 1997. 

Definition of a scam

The proposed Framework defines a scam as any:

“dishonest invitation, request, notification or offer, designed to obtain personal information or financial benefit by deceptive means”. 

The proposed catch-all definition is intended to cover common scam types such as investment scams, romance scams, phishing scams, employment scams and remote access scams. 

However, the definition is not intended to capture unauthorised fraud which will be considered as part of its review of the ePayments Code.

Core obligations 

The proposed Framework introduces a principles-based approach setting out obligations that will apply to all in-scope persons. In-scope persons will be required to take a proactive approach to combat scams and adjust their business models if necessary to fulfill their core obligations.

The core obligations fall into three broad categories: 

1. Prevention: in-scope persons must develop, maintain and implement an anti-scam strategy setting out the business’ approach to scam prevention, detection, disruption and response and take reasonable steps to prevent misuse of its services by scammers.
2. Detection and disruption: in-scope persons must seek to detect, block and prevent scams from initiating contact with consumers, verify and trace scams where scam intelligence has been received and act in a timely manner when receiving such scam intelligence. 
3. Reporting obligations: in-scope persons must take reasonable steps to notify other businesses and the relevant regulators promptly of suspected or identified large-scale scam activity / cross-sectoral scam activity and share data on the incidence of scams and the action taken in response to such scams. 

Specific obligations also apply to Banks and Digital Communications Platforms. 

The proposed Bank-specific obligations include:

1. Prevention: implementing processes to: (i) enable confirmation of the identity of a payee; (ii) verify a transaction is legitimate where a consumer undertakes a high-risk activity; and (iii) implement processes and methods to detect higher risk transactions and take appropriate action to warn the consumer, block or suspend the transaction or take other measures to reduce scam activity.
2. Detection and disruption: having in place methods or processes to: (i) identify and share information with other banks that an account or transaction is likely to be or is a scam; and (ii) act quickly on information that identifies an account or transaction is likely to be or is a scam, including blocking or disabling the scammer account or the transaction or working with the recipient bank to do so.
3. Reporting obligations to consumers: establishing user-friendly and accessible methods for consumers to immediately take action where they suspect their accounts are compromised or they have been scammed (e.g. an in app ‘freeze switch’) and providing assistance to a consumer seeking to trace and recover transferred funds to the extent that funds are recoverable, including a receiving bank to revert a transfer within 24 hours of receiving a recall request from a sending bank.

The proposed Digital Communications Platforms’ specific obligations include:

1. Prevention: implementing processes and methods to: (i) authenticate and verify the identity and legitimacy of business users and advertisers; (ii) detect higher risk interactions and take appropriate action to warn the user, block or disrupt the interaction; and (iii) prevent user accounts from being hacked by scammers and to restore user accounts to the correct users in a timely manner.
2. Detection and disruption: having in place methods or processes to: (i) identify and share information with other Digital Communication Platforms that an Australian user is likely to be a scammer; and (ii) act quickly on information that identifies an account or transaction is likely to be or is a scam, including blocking or disabling the scammer account being used by the scammer.
3. Reporting obligations to consumers: establishing user-friendly and accessible methods for consumers to immediately take action where they suspect their accounts are compromised or they have been scammed in addition to responding to any information requests from the Australian Communications and Media Authority within the timeframe specified. 

Enforcement and non-compliance

The Framework introduces a multi-regulatory oversight and enforcement model where the following regulatory authorities will be responsible for monitoring compliance:

• The Australian Competition and Consumer Commission will be responsible for enforcing the principles-based obligations as set out in the overarching regime and issuing guidance on best practice.
• The Australian Securities and Investment Commission will be responsible for enforcing the Bank-specific code.
• The Australian Communications and Media Authority will be responsible for enforcing the Digital Communications Platforms specific codes.

Regulated businesses that fail to comply with their obligations and take redress measures will be subject to penalties for non-compliance of up to AUD50 million. Additional penalties for breaches of sector-specific obligations (i.e. for Banks, Digital Communications Platforms and Telecommunications Providers specifically) will be set under sector-enabling legislation.

Next steps

Responses to the consultation are being reviewed by the Government. No timeline has been set for when legislation will come into force.

Acknowledgments to Osama Shabaan, trainee with A&O Shearman's Financial Services Regulatory team in London, for his contribution to this post.