The ePayments Code (“Code”) is a voluntary code of practice regulating electronic payments. ASIC administers the Code and recently released a consultation paper with proposals to amend the Code, following an earlier consultation in 2019. The Code was last updated in 2016 and the changes proposed are mainly driven by changes in payments technology.
In this article we summarise the planned amendments to the Code. Depending on the outcome of the consultation, some of the proposals may be modified.
Comments on the consultation paper are due by 2 July 2021, and there will be a transition period before any updates to the Code commence.
Mistaken internet payments
ASIC proposes that the processes in the Code which have to be followed in relation to mistaken internet payments would apply not only where there are sufficient credit funds available in the recipient’s account to cover the mistaken internet payment (as currently applies) but also where only a portion of the funds is available.
Under the revised Code, the receiving ADI will be required both to seek return of the partial funds (if any) and to make reasonable endeavours to retrieve the remainder of the funds.
The Code would also be amended to include examples of what a receiving ADI might do to meet the requirement to make “reasonable endeavours” to retrieve the consumer’s funds.
ASIC also proposes to amend the Code to require the sending ADI to investigate whether there was a mistaken internet payment and send the request for return of funds to the receiving ADI “as soon as practicable” and, in any case, no later than five business days after the report of the mistaken internet payment.
Both the sending and receiving ADIs would be required to keep reasonable records of the steps they took and what they considered in their investigations.
When the sending ADI tells the consumer the outcome of the investigation into the reported mistaken internet payment, it will have to include details of the consumer’s right to complain to the sending ADI about how the mistaken internet payment was dealt with, and to complain to AFCA if they are not satisfied with the result.
There would also be amendments to clarify that non-cooperation by the receiving ADI or the unintended recipient would not by itself be a relevant consideration in assessing whether the sending ADI has complied with its obligations.
The definition of “mistaken internet payment” would be amended to ensure that it only covers actual mistakes inputting the account identifier and does not extend to payments made as a result of scams.
ASIC also proposes to require ADIs to provide additional important information in the on-screen warning about mistaken internet payments. The revised Code would require that the messaging include a call to action for the consumer to check that the BSB and account number are correct, and plain English wording to say that if the BSB or account number they provide is wrong (even if the account name is correct), the consumer’s money will be sent to somewhere other than to the intended account and that the consumer may not get their money back.
Coverage for small business
The proposed Code amendments will extend the Code to protect small businesses for the first time in relation to a subscriber. This will not apply where the subscriber to the Code opts out by notifying ASIC, ASIC has published the subscriber’s opted-out status on its website, and the subscriber has included notification of its opted-out status in its terms and conditions with small business customers.
As a transitional provision, the Code will only apply to small businesses who acquire their facilities on or after the date on which the revised Code commences.
After the first 12 months, ASIC will review the number of subscribers who have opted out of small business coverage and will consider options for any enhancements to the experience under the Code for both subscribers and small businesses.
A small business will be defined as a business employing fewer than 100 people or, if the business is part of a group of related bodies corporate, fewer than 100 employees across the group. The definition will apply as at the time the business acquires the facility in question.
Amendments will clarify that the unauthorised transactions provisions in the Code only apply where a third party has made a transaction on a consumer’s account without the consumer’s consent, and do not apply where the consumer has made the transaction themselves as a result of misunderstanding or falling victim to a scam.
The amendments will also clarify that the pass code security requirements in the Code mean that consumers are unable to disclose their pass codes to anyone, subject to the exceptions in clauses 12.8 and 12.9 of the Code. If they do, and the subscriber can prove on the balance of probability that the disclosure contributed to an unauthorised transaction, the consumer will not be able to get an indemnity from the subscriber for that loss.
Clause 12.8 of the Code says that where a subscriber to the Code expressly authorises particular conduct by a user, either generally or subject to conditions, then a user who engages in the conduct (complying with any conditions) does not breach the pass code security requirements in clause 12.
Clause 12.9 of the Code says that if a subscriber to the Code expressly or implicitly promotes, endorses or authorises the use of a service for accessing a facility (for example, by hosting an access service on the subscriber’s electronic address), a user who discloses, records or stores a pass code that is required or recommended for the purpose of using the service does not breach the pass code security requirements in clause 12 of the Code. ASIC proposes to include examples to illustrate express or implicit promotion, endorsement or authorisation of the use of a service referred to in clause 12.9.
One area of uncertainty in this context is how the Code applies to so-called “screen scraping” services. ASIC says that it proposes to “maintain the status quo” in the Code in relation to screen scraping services. In the consultation paper, ASIC says that a consumer will only be liable for loss from an unauthorised transaction following use of a screen scraping service if the use of the service amounted to a “disclosure” of the consumer’s pass code, and the subscriber can prove on the balance of probability that the use of that service contributed to the loss.
ASIC also notes in the consultation paper that it has not seen any evidence to date to suggest that use of screen scraping services has contributed to loss from unauthorised transactions.
It will be clarified that a breach of the pass code security requirements by itself is not sufficient to find a consumer liable for an unauthorised transaction. The subscriber will also have to prove on the balance of probability that the consumer’s breach of the pass code security requirements contributed to the loss.
It will also be clarified that the provisions concerning liability for an unauthorised transaction are separate to any additional arrangements available under card scheme arrangements (e.g. chargebacks).
Biometric authentication will be incorporated into the Code in some specific clauses, recognising that present day transactions can be authenticated by use of biometrics such as fingerprints.
References in the Code to ASIC Regulatory Guide 165 Licensing: Internal and external dispute resolution (RG 165) will be replaced with references to Regulatory Guide 271 Internal dispute resolution (RG 271), the new ASIC guidance on dispute resolution which comes into effect in October 2021.
All subscribers will be required to have IDR procedures that are set out in RG 271 and be members of AFCA.
The layout of the Code will also be changed by combining Chapter F and Appendix A so that complaints handling requirements are contained in a single framework.
ASIC plans to remove the requirement that subscribers must report annually to ASIC about unauthorised transactions, but retain ASIC’s power to undertake ad hoc targeted monitoring of compliance with Code obligations and to monitor or survey matters relevant to subscribers’ activities relating to electronic payments.
Other proposed changes
- The term “device” will be replaced with “payment instrument”, and virtual debit and credit cards will be included in the definition of payment instrument.
- The Code will be amended so that it expressly applies to situations in which a Pay Anyone payment is made through the NPP, and a definition of “Pay Anyone internet banking facility” will be included – a facility where a consumer can make a payment from the consumer’s account to the account of another person by entering, selecting or using a BSB and account number or PayID or other identifier that matches the account of another person.
- The Code will also be amended to cover the provision of electronic transaction receipts as well as paper receipts.
- The minimum expiry period in the Code for facilities with an expiry date (e.g. gift cards) is currently 12 months. This will be changed to align with the minimum expiry period in the Australian Consumer Law, which is 36 months.
Patrick Dwyer and Kathleen Harris