On 20 April 2023, ASIC published its Report 761, which provides ASIC’s findings from a review conducted between May 2022 and February 2023 into the activities of the major banks in the areas of scam prevention, detection, and response.
Following the release of the report, ASIC has called on all financial institutions to improve their approaches to handling scams, with scam losses for customers of the major banks alone exceeding $550 million in FY2021. ASIC acknowledges that the major banks have invested significantly in their anti-scam efforts in recent years, although its view is that there is still more to be done.
We summarise below ASIC’s expectations for banks regarding scam management practices as set out in the report. These measures require significant resources to be invested and a co-ordinated “whole of bank” approach. ASIC’s expectations are particularly relevant to the prevention and detection of, and response to, ‘authorised push payment’ scams (where a person is tricked into sending money to a scammer posing as a genuine payee).
ASIC will be monitoring the actions taken by the four major banks in response to the improvement opportunities identified in the report and has strongly encouraged all banking and other financial service businesses to consider the findings outlined in the report.
ASIC’s expectations for banks in relation to scam management practices
ASIC expects banks to implement a range of specific measures to combat scams:
1. Bank-wide scams framework: Banks should develop a scams framework which includes:
- a bank-wide strategy for addressing and responding to scams;
- appropriate governance arrangements; and
- effective reporting, including on customer experiences and outcomes.
2. Timely responses to scams: Banks should have sufficient resources to enable them to respond to scams in a timely and effective manner in order to reduce customer distress and improve the likelihood of being able to recover scammed funds.
3. A clear approach to determining scams loss liability: Banks should have in place a bank-wide policy for determining liability for losses associated with scams and a clear approach to reimbursing or compensating customers who fall victim to scams. Although the provisions in the ePayments Code outline liability in relation to unauthorised transactions for subscribing banks, the majority of scams involve transactions authorised by the customer which are not currently covered by the ePayments Code. ASIC’s view is that banks currently adopt inconsistent and generally narrow approaches to liability, reimbursement and compensation, and that outcomes for scammed customers should not be dependent on whether they choose to raise a complaint.
4. End-to-end procedures for responding to scams: Banks should document their end-to-end internal procedures for responding to scams, to support fair and consistent customer outcomes. This includes documenting the approach to ensure that extra care is taken when responding to scams involving customers who are experiencing vulnerability.
5. Scams prevention initiatives: To address new and emerging scam typologies, banks should consider the changes they can make to how services are delivered. Banks should ensure their scams prevention initiatives remain relevant and fit for purpose and should have capabilities across all payment types and channels to detect, hold and assess potential scam transactions.
6. Appropriate levels of friction in payment channels: Banks should consider the appropriate levels of friction which should exist in the modern environment of digital payment channels in order to:
- allow customers more opportunity to identify that they have been the victim of a scam and seek recovery of the funds before the funds leave the bank; and
- enable the bank to make reasonable inquiries with their customer, if the bank is on notice that the transaction may relate to a scam.
The effectiveness of warning messages and prompts should be monitored given the potential for customers to experience ‘warning fatigue’ over time.
7. Better education for customers: Banks should better educate their customers about scams given their strong understanding of the scam threat environment and of their customers’ financial circumstances and banking practices. Banks should regularly monitor and measure the effectiveness of their scam awareness and education activities.
8. Anti-phishing measures: Banks should vigilantly monitor any fraudulent misuse of their brand to prevent customers from becoming the victim of a bank impersonation scam. These scams are on the rise - the ACCC’s report into 2022 scams activity published on 17 April 2023 identified that Scamwatch received reports of over $20 million of losses in 2022 from bank impersonation scams.
9. Oversight from Boards and senior management: ASIC expects that Boards and senior management will have oversight of scam prevention, detection and response activities. To support effective oversight, there should be regular reporting to the Board and senior management which covers the scams threat environment, operational efficiency and effectiveness, customer experiences and outcomes.
What comes next?
Combatting scams is one of ASIC’s core strategic projects in its Corporate Plan for 2022 – 2026. It should be expected that ASIC will monitor and seek updates on the progress of banks and other financial service businesses in addressing the improvement opportunities summarised above.