ASIC digs deeper on scam management practices in non-major banks
ASIC says co-ordinated effort to reduce scam losses is needed, after it surveys anti-scam practices of 15 non-major banks.
Substantial work has been afoot in the scam prevention space since April 2023 when ASIC released Report 761 “Scam prevention, detection and response by the four major banks”, with a number of initiatives implemented between then and now. For example:
- the establishment of the National Anti-Scam Centre which is “run by the ACCC, brings together experts from government, law enforcement and the private sector to disrupt scams before they reach consumers”; and
- ASIC has coordinated the removal of more than 7,300 phishing and investment scam websites that seek to swindle consumers out of their information.
- the Federal Governments announcement of a proposal to introduce a new mandatory code that “outline[s] the responsibilities of the private sector in relation to scam activity, with a focus on banks, digital communications platforms and telecommunications providers.”
ASIC’s recently released Report 790: “Anti-scam practices of banks outside the four major banks” demonstrates the significance that ASIC is placing on ensuring that the reduction of scam losses is not limited to the big banking institutions alone.
We set out below the key observations and findings that you should take into account from Report 790 to ensure your organisation is part of ASIC co-ordinated effort to reduce consumer scam losses.
ASIC’s observations
ASIC’s key observations from its review of the non-major banks included:
- Governance and reporting tended to be fraud, rather than scam, focused;
- Capabilities to stop, hold or delay potential scam payments were inconsistent across payment channels;
- Lack of protection against brand misuse across all telecommunication channels;
- Poor customer experiences due to lack of resourcing and customer focus;
- Adoption of inconsistent and narrow approaches when considering liability; and
- Variations in anti-scam practices and data outcomes
ASIC’s key findings
Immature approach to scam prevention, detection and response
ASIC said that the scam detection, prevention and response practices among the 15 non-major banks reviewed were less mature than it expected. Only some institutions had an anti-scam strategy, and only 1 institution had fully implemented an anti-scam strategy. Few non-major banks had targets to measure progress and change against. Lack of bank-wide strategy and resourcing in key functions resulted in inconsistent and narrow approaches to determining liability for scam losses, a lack of support for scam victims and poor customer outcomes.
Significant differences in findings across non-major banks
ASIC noted material differences between the maturity level of anti-scam practices between non-major banks. The regulator pointed to significance of having a “tone from the top” that focussed on responding to scams. However, the regulator also noted that scale and size of the non-major banks did not impact the ability of non-major banks to respond to findings in the initial report into the Big 4 Banks.
Failing to ensure that your company strives to have sufficiently mature systems and processes in place to identify and prevent potential scam events can not only lead to substantial financial but also reputation harm to your business.
Poor customer outcomes
Report 790 provides a number of case studies from non-major banks which demonstrated “particularly poor customer experiences, such as difficult-to-navigate investigation processes that result in further harm to scam victims”.
Those case studies included poor responses by frontline staff to scam alerts, multiple staff handoff points for customers that reported scams, poor communication with scam victims, and limited focus on customers experiencing vulnerability.
Instances such as the above, especially when systemic within an institution, pose a real risk of causing significant financial and reputation damage to a institution. As ASIC states in the report “It is important that entities consider the end-to-end customer journey, including appropriate contact points, to reduce negative customer experiences.”
Improving your business' response to scams
ASIC Deputy Chair Sarah Court made it clear upon the report’s release that ASIC “expect[s] all banks regardless of their size, to pull their weight in the fight against scams. Boards and senior management have a key role to play in driving improvement.” Of course, responsibilities for preventing scams also falls on telecommunications providers and digital platforms as well.
In our experience, this requires, among other things:
- reviewing the appropriateness of governance frameworks to respond to emerging threats in the scam environment;
- analysing whether scam prevention systems and processes comply with legal, regulatory or contractual obligations; and
- considering potential liability sources of liability in instances where anti-scam mechanisms may have fallen short and avoiding regulator enforcement or civil litigation; and
- identifying when and how you may wish to compensate customers for scam losses.
If you would like to explore how to improve your response to scams, please contact us for a discussion.