Legal development

ASIC finds Australian banks' scam detection, prevention and response practices to be 'less mature than expected' 


    Report findings | ASIC Report 790 Anti-scam practices of banks outside the four major banks

    What you need to know

    • In April 2023, ASIC released Report 761 Scam prevention, detection and response by the four major banks (Initial Report) which found that the big four banks' approach to scam strategy and governance was 'less mature than expected'.
    • ASIC has now released Report 790 Anti-scam practices of banks outside the four major banks (Report) following its review of the scam detection, prevention and response activities of 15 other authorised deposit-taking institutions (ADIs) (reviewed banks). ASIC found that the reviewed banks also had a 'less mature approach to scams strategy and governance than expected'.
    • ASIC's key message is that all banks and financial services businesses should consider the findings in this Report and the Initial Report, and take steps to advance their scam prevention, detection and response activities. In ASIC's view, this should be one of the highest priorities for these organisations.

    What you need to do

    • Whilst the Report was based on the review of fifteen banks, ASIC notes that all banks have a critical role in combatting scams and that the observations and findings set out in the Report are for all banks and financial services businesses to consider.
    • If you are a bank or financial services business, you should consider implementing the recommendations made by ASIC in relation to the following priority areas identified in the Report:
    1. Scams strategy, governance and reporting: which includes having an organisation-wide scams strategy.
    2. Preventing, detecting and stopping scams: which includes having scam-prevention friction across all payment types and channels, and implementing controls to minimise misuse of telephone numbers and SMS alpha tags.
    3. Responding to scams and scam victims: which includes documenting end-to-end processes and procedures for responding to a scam and to scam victims, and processes and procedures for staff to identify and support customers experiencing vulnerability in a scams context.
    4. Liability, reimbursement and compensation: which includes having a policy in relation to scam loss liability which outlines all the grounds on which a bank might be liable for scam related loss.

    What is meant by 'scams'?

    In the Report, ASIC used a narrow definition of 'scams' confining it to:

    situations where customers authorised the transaction by either making the transaction or aiding the scammer to make the transaction, including by providing multi-factor authentication passwords.

    This means that certain scams were not considered by ASIC for the purpose of the Report (such as scams where customers provide the scammer with their personal information (e.g. date of birth and address), which the scammer then uses to impersonate the customer and conduct the 'unauthorised transaction').

    By adopting a narrower definition of 'scams', the Report focuses only on scams where the customer is likely to be liable for the transaction. The Report states that customers of the reviewed banks bore 96% of total scam losses. This is to be expected: the ePayments Code, which sets out liability principles for 'unauthorised transactions' and is the starting point banks use to determine their liability, will generally not apply to transactions falling within the narrow definition of 'scams' adopted in the Report.

    When might a customer be entitled to receive compensation from a bank in relation to a scam?

    In the Initial Report, ASIC noted that potential sources of liability for banks include:

    • ePayments Code – which only applies to unauthorised transactions.
    • Contractual obligations between the bank and its customers.
    • Implied contractual warranty in section 12ED of the Australian Securities and Investments Commission Act 2001 (Cth) that financial services will be provided with due care and skill.
    • AFCA’s approach to similar matters (noting that under AFCA’s rules, when determining a complaint, an AFCA decision maker must do what they consider is fair in all the circumstances, having regard to legal principles, applicable industry codes or guidance, good industry practice and previous relevant determinations).
    • Regulatory obligations, such as the obligation in section 912A of the Corporations Act 2001 (Cth) to do all things necessary to ensure that financial services are provided efficiently, honestly and fairly.

    ASIC's observations and expectations in relation to scam detection, prevention and response activities

    In the Report, ASIC sets out its observations and expectations in relation to the following four scam response priority areas which banks and other financial services businesses should have regard to:

    1   Scams strategy, governance and reporting

    Only five of the 15 reviewed banks had implemented an organisation-wide scams strategy and, of these, most did not have timelines to implement initiatives or measurable targets to monitor progress against the strategy.

    Some banks had incorporated scams responses into their broader fraud prevention and response processes which resulted in practices that were not always fit for purpose for scams.

    To improve the approach to scam strategy and governance, ASIC suggests that banks should:

    • Consider implementing an organisation-wide strategy on scams.
    • Consider regular reporting of scams prevention, detection and response metrics, including to the board and senior management so they can make investments in scams initiatives as needed.
    • Conduct an end-to-end review of their scams process.
    • Identify areas of further investment e.g. review effectiveness of anti-scam initiatives, assess and improve the quality of data used for reporting.

    2   Preventing, detecting, and stopping scams

    Friction across all payments types and channels

    All of the reviewed banks had systems and controls in place to monitor and stop scam transactions on at least some payment channels. However, a significant number of reviewed banks did not have payment hold capabilities and the majority had not fully implemented monitor and stop capabilities across all payment channels.

    ASIC noted that the reviewed banks had implemented or considered implementing greater friction capabilities which, in ASIC's view, would help avoid significant losses. These include:

    • the use of biometrics; and
    • the placement of stops or delays on payments to digital currency exchanges.

    One of the four major banks had partnered with a telecommunications provider to help detect scam calls in real time, and asks customers automated questions before they make a payment to help them identify high-risk transactions.
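    The Report describes these friction controls (monitor-and-stop on every channel, payment holds, delays on payments to digital currency exchanges, automated pre-payment questions) as capabilities, not designs. The following Python rule engine is an added illustration, not code from ASIC, the Report or any bank. Channel names, payee categories, thresholds and the sample payments are all constructed assumptions. Its coverage check is the part a practitioner would want: it reports any payment channel on which no rule is evaluated at all, which is the gap ASIC found at most of the reviewed banks.

```python
"""Payment-friction rule engine (constructed illustration, not a bank's code)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, FrozenSet, List, Tuple


class Decision(IntEnum):
    """Ordered so that max() picks the strongest outcome among fired rules."""
    ALLOW = 0
    CHALLENGE = 1   # automated questions (or a staff script) before release
    HOLD = 2        # payment delayed and routed to a scams team
    BLOCK = 3


@dataclass(frozen=True)
class Payment:
    channel: str                    # assumed channel names, see CHANNELS
    amount: float
    new_payee: bool                 # first payment to this payee
    payee_category: str             # e.g. "retail", "digital_currency_exchange"
    vulnerable_customer: bool = False


@dataclass(frozen=True)
class Rule:
    name: str
    channels: FrozenSet[str]        # channels on which the rule is evaluated
    applies: Callable[[Payment], bool]
    decision: Decision


# Assumed channel set; a real bank enumerates every channel it actually offers.
CHANNELS = ("app", "web", "telephone", "branch")
ALL = frozenset(CHANNELS)
DIGITAL = frozenset({"app", "web"})
ASSISTED = frozenset({"telephone", "branch"})

# Assumed thresholds; a bank would tune these from its own scam-loss data.
NEW_PAYEE_CHALLENGE_AMOUNT = 1_000.0
NEW_PAYEE_HOLD_AMOUNT = 10_000.0

RULES: List[Rule] = [
    # Delay on payments to digital currency exchanges, on every channel.
    Rule("crypto-exchange-delay", ALL,
         lambda p: p.payee_category == "digital_currency_exchange", Decision.HOLD),
    # Digital channels ask automated questions before a new-payee payment.
    Rule("new-payee-challenge", DIGITAL,
         lambda p: p.new_payee and p.amount >= NEW_PAYEE_CHALLENGE_AMOUNT,
         Decision.CHALLENGE),
    # Assisted channels run the same check as a staff script.
    Rule("new-payee-staff-check", ASSISTED,
         lambda p: p.new_payee and p.amount >= NEW_PAYEE_CHALLENGE_AMOUNT,
         Decision.CHALLENGE),
    # Large first payments are held regardless of channel.
    Rule("new-payee-large-hold", ALL,
         lambda p: p.new_payee and p.amount >= NEW_PAYEE_HOLD_AMOUNT, Decision.HOLD),
    # Customers flagged as vulnerable get a hold on any new payee.
    Rule("vulnerable-new-payee-hold", ALL,
         lambda p: p.new_payee and p.vulnerable_customer, Decision.HOLD),
]


def evaluate(payment: Payment, rules: List[Rule] = RULES) -> Tuple[Decision, List[str]]:
    """Strongest decision among the rules that fire for this payment's channel."""
    fired = [r for r in rules if payment.channel in r.channels and r.applies(payment)]
    decision = max((r.decision for r in fired), default=Decision.ALLOW)
    return decision, [r.name for r in fired]


def coverage_gaps(rules: List[Rule] = RULES, channels=CHANNELS) -> List[str]:
    """Channels on which no monitor-and-stop rule is evaluated at all."""
    return [c for c in channels if not any(c in r.channels for r in rules)]


# Constructed sample payments, not real transactions.
SAMPLES = [
    Payment("app", 250.0, True, "retail"),
    Payment("web", 2_500.0, True, "retail"),
    Payment("telephone", 15_000.0, True, "retail"),
    Payment("app", 500.0, False, "digital_currency_exchange"),
    Payment("branch", 800.0, True, "retail", vulnerable_customer=True),
]


def run_samples(samples=SAMPLES) -> List[Tuple[str, float, str]]:
    return [(p.channel, p.amount, evaluate(p)[0].name) for p in samples]


if __name__ == "__main__":
    print("channels with no rules:", coverage_gaps())
    for row in run_samples():
        print(row)
```

    Running the block with the rules as written reports no uncovered channels; dropping the assisted-channel rules (as a bank that only monitors its digital channels effectively has) makes `coverage_gaps()` name telephone and branch, which is the condition a board-level scams report should surface.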

    Education for customers

    While all of the reviewed banks provided some level of customer education about scams, only a small number had executed campaigns targeted at specific at-risk customer cohorts.

    In light of ASIC's observation above, banks and financial services businesses should:

    • consider implementing scam prevention campaigns targeted at specific at-risk customer cohorts;
    • consider implementing ways to measure the impact of educational activities on customer behaviour; and
    • undertake a review of scam programs by internal audit or customer advocates.

    Protecting brand assets from fraudulent misuse

    Only one of the reviewed banks had fully implemented controls to minimise misuse of its telephone numbers and SMS alpha tags which would reduce the ability of scammers to make calls or send text messages that impersonated that bank's name or brand.

    ASIC noted that other reviewed banks were talking with telecommunications providers to:

    • place their phone numbers on 'do not originate' (DNO) lists; or
    • block the use of their alpha tags.

    3   Responding to scams and scam victims

    Lack of end-to-end procedures for responding to scam victims

    Most of the reviewed banks did not have end-to-end policies and procedures dedicated to responding to scam victims, with some procedures containing outdated information and gaps in key areas (e.g. triage of scam alerts, the steps required by frontline staff to identify and respond to scams, and the templates and timeframes used for customer communications).

    Customers found it difficult to navigate the investigation processes with banks splitting their customer journey across a number of teams (e.g. frontline customer services, payment tracing, recall, investigation). Frontline staff missed scam red flags or did not properly escalate cases when identified, resulting in avoidable financial loss and increased distress to customers.

    ASIC notes that systems, processes and procedures should account for a customer's likely distressed state and vulnerability and suggests banks and financial services businesses:

    • review their scams reporting to ensure it reflects customer experiences and the unique characteristics of scams;
    • review training policies, procedures, and governance structures to ensure scammed customers are treated in a fair, consistent and timely manner and are not impacted by fluctuating levels of scam cases reported by customers;
    • provide customers with accurate and clear information and set realistic expectations; and
    • proactively update customers on case progress.

    Timely responses to scams

    ASIC observed that there are significant case backlogs and long call-wait times for customers reporting scams. A key cause was that banks receiving scam funds (receiving banks) failed to respond in a timely manner to recovery requests from sending banks. In these cases, the wait for a response to a recovery request and the return of funds could range from three months to a year.

    4   Liability, reimbursement and compensation

    Many banks lacked a bank-wide approach to determining liability for scam losses resulting in inconsistent outcomes for customers. For most reviewed banks, liability decisions were largely guided by the ePayments Code (which would not apply to scam transactions considered in the Report as they were generally authorised by the customer).

    Where policies were in place, they did consider some relevant factors for determining liability (e.g. level of customer vulnerability, errors made by the bank staff).

    Scam victims who complained to the reviewed banks were more likely to receive some form of reimbursement; however, only 8% of the reviewed banks' scam victims made IDR complaints.

    ASIC suggests that banks and financial service providers should:

    • have an organisation-wide policy for determining scam loss liability and reimbursement and compensation, which outlines all the grounds on which a bank might be liable;
    • update policies and procedures to include guidance on all relevant factors needing consideration when determining liability, reimbursement and/or compensation; and
    • implement guidance on handling vulnerable customers in the context of scams.

    Next Steps

    • ASIC notes that disrupting investment scams remains a key priority.
    • ASIC will continue to engage with the four major banks about their anti-scam practices, including their development of initiatives to combat scams.
    • ASIC will monitor the progress of work by the reviewed banks in response to this Report and broader industry activities.
    • ASIC will continue to review the scam prevention, detection and response activities of superannuation trustees.

    Authors: Jonathan Gordon, Partner; Hong-Viet Nguyen, Partner; Geena Davies, Senior Associate; and Mansi Gupta, Associate.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.