What Banks Should Be Doing About Scams, According to ASIC
Introduction
Scammers are causing significant financial and other harm to Australian consumers, especially the most vulnerable. Scams are increasing in volume and sophistication. Advances in technology and digital financial services have made it easier for scammers to target and contact victims.
Scamming is an epidemic. The four major banks collectively lost over $558 million through scams between July 2021 and June 2022, an increase of 49% in customers and 50% in financial losses compared to the previous year. The banks paid around $21 million in reimbursement and/or compensation payments to scam victims during the same period.
ASIC report
ASIC recently reviewed the activities of the four major banks in scam prevention, detection, and response. Report 761, Scam prevention, detection and response by the four major banks, released in April 2023, sets out the findings of its review.
ASIC found that bank customers bore 96% of total scam losses. The banks detected and stopped only about 13% of scam payments made by their customers, and the reimbursement and/or compensation rate varied but was low. Customers who made a complaint were more likely to receive compensation, but only around 11% of cases with a scam loss had reimbursement and/or compensation paid.
ASIC found that scam victims are not always well-supported, and there were gaps and inconsistencies in the abilities of banks to detect and stop scam payments.
While banks recognise the gravity and significance of scams, ASIC says that they need to do more to protect Australians from financial loss. The overall approach to scam strategy and governance was less mature than expected, with banks having inconsistent and narrow approaches to deciding liability.
Despite emerging good practices, there was a great deal of variability in the steps being undertaken by the banks to prevent their customers from becoming victims of scams.
ASIC is encouraging all financial service businesses to consider the findings in the report and to take steps to advance their scam prevention, detection, and response activities.
So, what is ASIC recommending in its report?
Key ASIC recommendations
Scams strategy, governance and reporting
Framework: An effective framework to guide and oversee scam prevention, detection, and response activities, which should include a strategy to address and respond to scams, proper governance arrangements, and effective reporting, including on customer experience and outcomes.
Oversight: Oversight by senior management and the board in relation to scam prevention, detection and response activities.
Internal reporting: Regular reporting to the board and senior management covering a broad range of matters including the scams threat environment, operational efficiency and effectiveness, customer experience and outcomes.
Scam-related data and systems capability: Scam systems implemented that enable analysis of scam cases in an end-to-end manner. The results should be interpreted having regard to system or process limitations, such as the inability to link complaint records to scam cases.
Ongoing review: Regular reviews of scam prevention, detection and response activities to ensure they remain fit for purpose.
Preventing scams
Scam awareness education activities: Use banks’ knowledge of scams to educate customers, and regularly monitor and measure the effectiveness of scam awareness and education activities.
Friction in banking services: Digital payments have made banking easier and quicker for customers, but have also increased the speed of moving scam proceeds and reduced the opportunity for banks to identify and intervene in scam transactions. Banks should consider the benefits of introducing more friction: to give customers more opportunity to identify that they have been the victim of a scam and more time to recover funds before they leave the bank, and to allow the bank to make reasonable inquiries with its customer if the bank is on notice that the transaction may relate to a scam. Banks should also monitor the effectiveness of increased friction measures, and the effectiveness of consumer warnings and similar tools.
Protecting against misuse of bank brand: Vigilantly monitor for fraudulent misuse of the bank’s brand (e.g. phishing) and ensure the use of all available measures to protect the brand and brand assets from misuse by scammers. Banks should work with telcos to block messages with specified “alpha tags” that are not from an approved point of origin, and to place the banks’ phone number on a “do not originate” list.
Other scam prevention initiatives: To address new scam typologies, consider the range of contributors to scam activity and the changes that can be made to methods of service delivery, and ensure that prevention initiatives remain relevant and fit for purpose.
Scam detection and stoppage capabilities: To maximise the ability to detect and stop scam transactions, banks should have capabilities implemented across all payments and channels that allow them to detect, hold and assess potential scam transactions.
Responding to scams and scam victims
Resourcing: Ensure that there are sufficient resources to respond to scams in a timely and effective manner, and that staff have the skills and experience to take account of the unique needs of each scam victim.
Processes and procedures: Document end-to-end internal procedures for responding to a scam or scam victim.
Customers experiencing vulnerability: When responding to a scam, extra care should be taken with customers experiencing vulnerability. Identify and document the approach to vulnerable customers, and ensure that the approach is consistent.
Liability, reimbursement and compensation
Documented policy: Have bank-wide policies that relate to liability, reimbursement and compensation for scam losses. These should cover the range of grounds on which the bank may become liable for scam losses.
Customer complaints: Outcomes for scammed customers should not be dependent on whether they choose to make a complaint in relation to their case. Banks should consider whether it is appropriate to compensate customers who fall victim to a scam regardless of a complaint being lodged. A customer should not be required to express their dissatisfaction for the bank to treat the matter as a complaint.
Conclusion
It is important that banks recognise their role in scam prevention, detection and response. ASIC’s recommendations may help banks to stay on top of the evolving and sophisticated nature of scams.
How can we help?
We advise banks and other financial institutions on legal liability matters relating to scams and also assist them in disputes with customers about scam losses. Contact us for a confidential discussion.