ASIC sets the benchmark for effective scam management

Scott Grahame, Ananya Roy and Aidee Varan
07 Jul 2023
Time to read: 2.5 minutes

As technology continues to advance, the frequency and complexity of scams are increasing, posing substantial risks to Australian consumers. The startling increase in scam volumes has prompted greater regulatory scrutiny, with ASIC and the ACCC working together to lead the first fusion cell to disrupt investment scams.

With combatting and disrupting scams identified as one of ASIC's enforcement priorities for 2023, ASIC has also put the spotlight on the banking industry's approach to protecting customers from losses arising from scams with the publication of its Report 761 ''Scam prevention, detection and response by the four major banks'', following an industry review of the four major banks responses to customer scams.

We outline the key points from ASIC's Report that should be considered in guiding any response to managing customer scams. ASIC's Report provides learnings not only to the banking industry, but as ASIC stated, also for telecommunication providers, digital platforms and other industries that could have a role to play in protecting consumers.

Key findings from ASIC's Report

ASIC's key findings from a review of the major banks included:

  • the overall approach to scams strategy and governance of Australia’s major banks was variable and less progressed than expected;
  • the banks had inconsistent and narrow approaches to determining liability for scams;
  • scam victims were often not well supported by their bank (with banks failing to adequately reduce further distress and help customers manage the situation);
  • bank customers were overwhelmingly the bearer of scam losses, accounting for 96% of total scam losses across the banks;
  • collectively, the banks stopped only 13% of scam payments made by their customers;
  • while there were some examples of emerging good practice, further steps need to be taken to help prevent customers fall victim to scams.

The key message from ASIC's Report and our experience is that ASIC expects banks should be doing more to protect customers from the financial losses stemming from scams and ASIC will be monitoring the banks actions in response to Report.

ASIC can be expected to take other action to disrupt and combat scams as a result of increased funding from the Federal Budget, which has included establishment of the National Anti-Scam Centre, public-private sector Fusion Cells to target specific scams and funding for ASIC to identify and take down phishing websites and other websites which promote investment scams.

The ultimate question – who should bear the responsibility for the loss?

We have noticed that the rise in scams has raised the question – from both a legal and policy perspective – of who should assume responsibility of the losses which fall from scams.

From a legal perspective, whether or not a company considers itself liable for losses suffered by its customer from a scam will depend on a range of factors, including whether the company's practices allowed the scam to occur, whether the company could have taken any steps to prevent the losses from the scam once notified and whether the company could have take any steps to assist the customer in locating or tracing the funds after the event. While there has been no contested case in Australia, in a recent UK case involving Barclays, where a customer argued that the bank was under a duty not to carry out a payment if the bank had reasonable grounds for suspecting that the customer may be defrauded, the UK Supreme Court found that no such duty exists. This does not detract from the bank's duty to make reasonable attempts to retrieve the funds once notified that the customer has in fact been defrauded.

From a policy perspective, the community looks to the well-resourced and profit earning companies to take responsibility for doing more to prevent scam losses. As is expected, the banks play a critical role and in being able to prevent scammers and support customers by having effective scam prevention, detection and response activities. Similarly, telecommunications providers, social media platforms and digital platforms, among others, have capacity to also play an important role.

While companies may be comfortable that from a legal perspective they are not liable for scam losses, there are other important considerations:

  • There are reputational risks if a customer suffers significant losses from a scam and feels they are not adequately supported by the company or had a bad customer experience.
  • There is a risk that Australian regulators will seek to move to a model that will force or incentivise companies to combat fraud. For example, the UK recently passed legislation where banks and other payment providers are now legally liable to reimburse the vast majority of their customers for losses from scams that occur following transfers on their platforms. This solution is said to incentivise banks to invest in technology that can prevent and stop scam transactions.

Implementing effective scam management processes

In our experience, companies with effective scam management processes and controls do so by:

  • documenting a company-wide scam strategy;
  • providing feedback on potential areas for improvement based on the themes being reported to the company by customer complaints on scams; and
  • training staff in customer facing roles including to detect where a customer may be at risk of financial hardship.
Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.