Who should pay for the cost of scams in Australia?

We need a fair compensation and protection model that efficiently defends Australians against scammers

The widescale success of identity and social engineering fraud means scammers are gouging billions from Australian consumers, businesses and the economy each year. In 2021, Australians lost more than $2 billion to scams, despite significant efforts from law enforcement, government and the private sector.¹ In 2022, after large-scale data breaches put citizens’ details on the dark web, losses reported to Scamwatch² are significantly higher than the previous year, with the ACCC suggesting that combined losses might reach $4 billion.

Who compensates the scammed?

For regulators with the remit of protecting consumers, compensation is a thorny question. Australians are used to banks refunding fraudulent payments if their credit card is hacked. But to what extent should banks be responsible for compensating the victims of scams? Especially if victims have ignored bank and government warnings and authorised payments where there were clear signs that indicated a potential scam. Examples have emerged of customers falling victim to the same dating website scam three times in short succession. The UK has been active in addressing this issue, in particular for authorised push payments (APPs), where losses were up 39% year on year in 2021 to GBP583.2 million.⁵ An APP, where a customer has given instructions to their bank to make a payment, is different from an unauthorised payment where an account is taken over and used without the customer’s knowledge.

The UK’s regulatory stance is that if a customer hasn’t authorised a payment, the bank should refund the money, provided the customer had not acted fraudulently or negligently. The voluntary code in the UK has also resulted in a heavy (and likely increasing) burden on banks to reimburse scammed customers in almost all circumstances. This is despite the legal position that the bank is not liable for the customer’s loss, even in circumstances where the customer might be tricked by a plausible scam; for example, where a fraudster is posing as a genuine payee.

This situation evolved from a recognition in the banking industry that there are circumstances where banks should have identified that a payment, despite being authorised, may relate to a scam. In these circumstances, the reasoning goes, it is within the bank’s power to intervene.

From this logic came the voluntary UK code offering consumers greater protection through a contingent reimbursement model. The model will reimburse scam victims in circumstances where banks (and other payment service providers) are deemed to have been able to identify the fraudulent nature of the transaction and failed to do so.

A recently proposed update to this voluntary compensation model will place the burden further onto banks, with reimbursement to customers for APP fraud to be provided by banks in all but exceptional cases and executed within 48 hours. Based on reported scam losses in 2021, achieving the payout rate targeted by the PSR (95%+) would cost the UK banking industry an additional GBP286m (AUD517m) minimum in annual customer payouts.⁶

What should Australia’s scam response look like?

While much of the UK’s approach has merit, there are strong benefits to Australia forging its own path with a balanced compensation, prevention and response model that is fair on all parties. Elements to consider include:

• A level of consumer responsibility – The problem with a ‘no-questions’ compensation model is that it can remove any incentive for customer vigilance and places responsibility on banks for consumer actions out of an institution’s reasonable control. Cases have already emerged where consumers are instructing the movement of their own funds, due to scams that originate outside of the banking system. Despite repeated warnings from the bank that a payment is suspicious, consumers authorise fund transfers anyway in the knowledge that they will be reimbursed. It seems fair in these cases that the consumer should bear the consequences of lost funds, which would serve to create an incentive to remain vigilant and complete their own due diligence as to where their money is going. Banks certainly have a role to play in protecting consumer funds through customer education and proactively identifying fraud or scams. Where controls fail, banks should rightly be held accountable financially. However, the potential outcomes from any compensation model need to be considered carefully. We need to agree what consumers can expect in terms of protection from scams, but also articulate the limits of this protection so consumers retain responsibility for their actions and are incentivised to remain vigilant.
• An ecosystem approach – Banks should not be the only organisations carrying the burden of consumer protection. Other financial institutions, telcos, digital platforms and messaging services, social media companies and payments system providers also have a role to play in increasing their vigilance and controls to prevent and detect scams — and collaborating in sharing information and coordinating community responses. This should include establishing a central point to collate information on scams, enabling data-driven analysis of scam activity that can be used to further inform Australia’s response to this challenge. While many individual organisations collect scam information, there are too many siloed sources making it difficult to get accurate aggregate information. Australia needs a single repository for data sharing across the ecosystem, like Scamwatch, that participants should be compelled to use. The Australian Financial Crimes Exchange infrastructure could potentially be built on and expanded to provide this. We should also take a more efficient, ecosystem-wide approach to consumer education. The focus should be on guiding customers to more secure channels for payments (e.g., PayID) and improving awareness of the latest scamming trends. The delivery mechanism will also require thought, with a focus on reaching the most vulnerable customers, especially the elderly, who can be missed by digital education campaigns.
• Stronger payment controls – Australia needs to follow international peers in driving multi-factor authentication for payments and broader consumer adoption of PayID. The UK has already introduced a payee confirmation system where banks are required to confirm both name and account number before a new payee can be registered. Meanwhile, the Monetary Authority of Singapore has mandated a two-factor authentication process for banks and has a well-established process for banks to complete screening of unusual transaction activity and delays for payments where the recipient is a new third-party payee. These types of controls are effective to some degree in reducing scams but also introduce friction into the system of fast payments, which can throttle innovation. Further controls such as delaying payments to high-risk destinations where scam proceeds are commonly transferred (e.g., crypto exchanges) would slow the system further.
• Hybrid investigation capabilities – Banks typically have segregated investigation capabilities for fraud, anti-money laundering transaction monitoring and financial intelligence units. Synergies between these teams and the data they use to conduct investigations should be explored to improve customer outcomes. Banks also need to develop mechanisms to effectively use information obtained through investigations to inform their efforts around prevention and detection, as well as to inform and cooperate with law enforcement to ultimately capture and punish fraudsters.

There is no silver bullet to solve the problem created by scams, but we cannot continue as is. Australia has an opportunity to plot its own path to address this issue and harness all parties in a focused effort to protect our economy and society from scammers.