ASIC digs deeper on scam management practices in non-major banks

Ross McInnes, Matt Spain, Katie Wood, Josh Krechman and William Maher
29 Aug 2024
2.5 minutes

ASIC says co-ordinated effort to reduce scam losses is needed, after it surveys anti-scam practices of 15 non-major banks.

Substantial work has been afoot in the scam prevention space since April 2023 when ASIC released Report 761 “Scam prevention, detection and response by the four major banks”, with a number of initiatives implemented between then and now. For example:

ASIC’s recently released Report 790: “Anti-scam practices of banks outside the four major banks” demonstrates the significance that ASIC is placing on ensuring that the reduction of scam losses is not limited to the big banking institutions alone.

We set out below the key observations and findings that you should take into account from Report 790 to ensure your organisation is part of ASIC co-ordinated effort to reduce consumer scam losses.

ASIC’s observations

ASIC’s key observations from its review of the non-major banks included:

  • Governance and reporting tended to be fraud, rather than scam, focused;
  • Capabilities to stop, hold or delay potential scam payments were inconsistent across payment channels;
  • Lack of protection against brand misuse across all telecommunication channels;
  • Poor customer experiences due to lack of resourcing and customer focus;
  • Adoption of inconsistent and narrow approaches when considering liability; and
  • Variations in anti-scam practices and data outcomes

ASIC’s key findings

Immature approach to scam prevention, detection and response

ASIC said that the scam detection, prevention and response practices among the 15 non-major banks reviewed were less mature than it expected. Only some institutions had an anti-scam strategy, and only 1 institution had fully implemented an anti-scam strategy. Few non-major banks had targets to measure progress and change against. Lack of bank-wide strategy and resourcing in key functions resulted in inconsistent and narrow approaches to determining liability for scam losses, a lack of support for scam victims and poor customer outcomes.

Significant differences in findings across non-major banks

ASIC noted material differences between the maturity level of anti-scam practices between non-major banks. The regulator pointed to significance of having a “tone from the top” that focussed on responding to scams. However, the regulator also noted that scale and size of the non-major banks did not impact the ability of non-major banks to respond to findings in the initial report into the Big 4 Banks.

Failing to ensure that your company strives to have sufficiently mature systems and processes in place to identify and prevent potential scam events can not only lead to substantial financial but also reputation harm to your business.

Poor customer outcomes

Report 790 provides a number of case studies from non-major banks which demonstrated “particularly poor customer experiences, such as difficult-to-navigate investigation processes that result in further harm to scam victims”.

Those case studies included poor responses by frontline staff to scam alerts, multiple staff handoff points for customers that reported scams, poor communication with scam victims, and limited focus on customers experiencing vulnerability.

Instances such as the above, especially when systemic within an institution, pose a real risk of causing significant financial and reputation damage to a institution. As ASIC states in the report “It is important that entities consider the end-to-end customer journey, including appropriate contact points, to reduce negative customer experiences.”

Improving your business' response to scams

ASIC Deputy Chair Sarah Court made it clear upon the report’s release that ASIC “expect[s] all banks regardless of their size, to pull their weight in the fight against scams. Boards and senior management have a key role to play in driving improvement.” Of course, responsibilities for preventing scams also falls on telecommunications providers and digital platforms as well.

In our experience, this requires, among other things:

  • reviewing the appropriateness of governance frameworks to respond to emerging threats in the scam environment;
  • analysing whether scam prevention systems and processes comply with legal, regulatory or contractual obligations; and
  • considering potential liability sources of liability in instances where anti-scam mechanisms may have fallen short and avoiding regulator enforcement or civil litigation; and
  • identifying when and how you may wish to compensate customers for scam losses.

If you would like to explore how to improve your response to scams, please contact us for a discussion.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.