13 Apr 2023
Women victim of credit card.

How can we tackle the costs of scams in New Zealand?

By Nicola Ponsonby

EY New Zealand Financial Services Director

Dynamic leader and problem-solver. Helping banks fight financial crime. Wife. Mother. Food lover. Number one fan of our English Cocker Spaniel.

13 Apr 2023

We need a fair compensation and protection model that efficiently defends New Zealanders against scammers.

In brief:

  • Scams are a growing problem in New Zealand and costs to the economy are significant.
  • Overseas, payments regulators have introduced voluntary schemes and are pushing for legislation to make repayment mandatory to victims of payment fraud.
  • New Zealand needs a considered framework that mobilises the entire ecosystem (fully leveraging technology) to combat scams efficiently and is fair to all parties.

The widescale success of identity and social engineering fraud means scammers are gouging billions from New Zealand consumers, businesses and the economy each year. Individual New Zealanders are losing millions of dollars each year to scammers – with $9m of this lost in the last quarter (the highest financial loss since records began)¹. This is despite significant efforts from law enforcement, government, consumer organisations and the private sector. The volume of scams and fraud reports increased by 32% from the prior quarter, with $4.8m being lost to unauthorised money transfers alone.

Many scams may go unreported due to the sense of embarrassment that may be felt by victims. While individuals may now be more switched on to look out for phishing, romance scams and fake lottery wins, it seems we have not been so savvy with regards to purchasing goods online. In Q3 2022, Certnz received the highest number of scam and fraud reports related to buying, selling, and donating goods online. There has been an increase in websites imitating well-known brands who then either don’t deliver goods or deliver an inferior product. We have seen that scammers often use tactics to instill a sense of fear and urgency that mean individuals and businesses may not take the time to think and look out for red flags before responding.


of one New Zealand bank’s customers have experienced scam attempts in the last six months.²


lost by Kiwis in just three months to scammers.³

Who compensates the scammed?

For regulators with the remit of protecting consumers, compensation is a thorny question. New Zealanders are used to banks refunding fraudulent payments if their credit card is hacked. But to what extent should banks be responsible for compensating the victims of scams? Especially if victims have ignored bank and government warnings, and authorised payments where there were clear signs that indicated a potential scam. Examples have emerged of customers falling victim to the same dating website scam three times in short succession. The New Zealand Police estimate that tens of millions of dollars are lost each year to romance scammers.⁴

The UK has been active in addressing this issue, in particular for authorised push payments (APPs), where losses were up 39% year on year in 2021 to GBP 583.2m.⁵ An APP, where a customer has given instructions to their bank to make a payment, is different from an unauthorised payment where an account is used without the customer’s knowledge.

The UK’s regulatory stance is that if a customer hasn’t authorised a payment, the bank should refund the money, provided the customer had not acted fraudulently or negligently. The voluntary code in the UK has also resulted in a heavy (and likely increasing) burden on banks to reimburse scammed customers in almost all circumstances. This is despite the legal position that the bank is not liable for the customer’s loss, even in circumstances where the customer might be tricked by a plausible scam; for example, where a fraudster is posing as a genuine payee.

This situation evolved from a recognition in the banking industry that there are circumstances where banks should have identified that a payment, despite being authorised, may relate to a scam. In these circumstances, the reasoning goes, it is within the bank’s power to intervene.

From this logic came the voluntary UK code offering consumers greater protection through a contingent reimbursement model. The model will reimburse scam victims in circumstances where banks (and other payment service providers) are deemed to have been able to identify the fraudulent nature of the transaction and failed to intervene.

A recently proposed update to this voluntary code (which includes a voluntary compensation model) will place the burden further onto banks, with reimbursement to customers for APP fraud to be provided by banks in all but exceptional cases and executed within 48 hours. Based on reported scam losses in 2021, achieving the payout rate targeted by the Payments System Regulator (“PSR”) (95%+) would cost the UK banking industry an additional GBP286m (NZD553m) minimum in annual customer payouts.⁶

In another example of victims receiving refunds, New Zealanders who were defrauded by an illegal sweepstake and prize promotion scheme will have accessed refunds from The Federal Trade Commission, a US public agency responsible for protecting consumers from fraud. The FTC sued the operators of Next-Gen Sweepstakes in 2019, and in 2022 FTC returned almost $25m to consumers worldwide.⁷

What should New Zealand’s scam response look like?

While much of the UK’s approach has merit, there are strong benefits to New Zealand forging its own path with a balanced compensation, prevention and response model that is fair on all parties. Elements to consider include:

  • A level of consumer responsibility – The problem with a ‘no-questions’ compensation model is that it can remove any incentive for customer vigilance and places responsibility on banks for consumer actions out of an institution’s reasonable control. Cases have already emerged where consumers are instructing the movement of their funds, due to scams that originate outside of the banking system. Despite repeated warnings from the bank that a payment is suspicious, consumers authorise fund transfers anyway in the knowledge that they will be reimbursed if it is a scam. It seems fair in these cases that the consumer should bear the consequences of lost funds, which would serve to create an incentive to remain vigilant and complete their own due diligence as to where their money is going. Banks certainly have a role to play in protecting consumer funds through customer education and proactively identifying fraud or scams. Where controls fail, banks should rightly be held accountable financially. However, the potential outcomes from any compensation model need to be considered carefully. We need to agree what consumers can expect in terms of protection from scams, but also articulate the limits of this protection so consumers retain responsibility for their actions and are incentivised to remain vigilant.
  • An ecosystem approach – Banks should not be the only organisations carrying the burden of consumer protection. Other financial institutions, telcos, digital platforms and messaging services, social media companies and payments system providers also have a role to play in increasing their vigilance and controls to prevent and detect scams. This should include collaborating in sharing information and coordinating community responses as well as establishing a central point to collate information on scams, enabling data-driven analysis of scam activity that can be used to further inform New Zealand’s response to this challenge. While many individual organisations collect scam information, there are too many siloed sources making it difficult to get accurate aggregate information. New Zealand needs a single repository for data sharing across the ecosystem, like Scamwatch⁸ , that participants should be compelled to use. We should also take a more efficient, ecosystem-wide approach to consumer education. The focus should be on guiding customers to more secure channels for payments and improving awareness of the latest scamming trends. The delivery mechanism will also require thought, with a focus on reaching the most vulnerable customers, especially the elderly, who can be missed by digital education campaigns.
  • Stronger payment controls – New Zealand needs to follow international peers in driving multi-factor authentication for payments and broader consumer adoption of PayID. The UK has already introduced a payee confirmation system where banks are required to confirm both name and account number before a new payee can be registered. Meanwhile, the Monetary Authority of Singapore has mandated a two-factor authentication process for banks and has a well-established process for banks to complete screening of unusual transaction activity and delays for payments where the recipient is a new third-party payee. These types of controls are effective to some degree in reducing scams but also introduce friction into the system of efficient payments, which can throttle innovation. Further controls such as delaying payments to high-risk destinations where scam proceeds are commonly transferred (e.g., crypto exchanges) would slow the system further.
  • Hybrid investigation capabilities – Banks typically have segregated investigation capabilities for fraud, anti-money laundering transaction monitoring and financial intelligence analysts. Synergies between these teams and the data and systems they use to conduct investigations should be explored to improve customer outcomes. Banks also need to develop mechanisms to effectively use information obtained through investigations to inform their efforts around prevention and detection, as well as to inform and cooperate with law enforcement to ultimately capture and punish fraudsters.

There is no silver bullet to solve the problem created by scams, but we cannot continue as is. New Zealand has an opportunity to plot its own path to address these issues and engage all parties in a focused effort to protect our economy and society from scammers.


New Zealand’s scam prevention and compensation model needs to consider the role of each party in the ecosystem, including consumers, banks, other financial institutions, telcos, social media companies, and government. Through collaboration, we have an opportunity to develop a fair model that reflects what each party can (and should) control.

About this article

By Nicola Ponsonby

EY New Zealand Financial Services Director

Dynamic leader and problem-solver. Helping banks fight financial crime. Wife. Mother. Food lover. Number one fan of our English Cocker Spaniel.