Closing out what was perhaps one of the most active years in regulatory news in the banking industry, the Australian government issued the Scams Code Framework consultancy seeking feedback on the introduction of new mandatory industry codes to outline the responsibilities of the private sector in relation to scam activity. The consultancy has an initial focus on banks, digital communications platforms, and telecommunications providers. It also leaves open the possible inclusion of other sectors in the future.
The framework outlined in the consultancy rests on three principles.
1. A whole-of-ecosystem approach to address scams
a. Prevent scammers from contacting consumers through key telecommunication channels and digital platforms
b. Educate consumers
c. Prevent and take timely steps to recover scam payments
2. The framework must be flexible and responsive.
a. Respond to existing and new fast/dangerous scams
3. The Framework will complement and leverage existing interrelated regimes, systems and initiatives. Some of these frameworks that exist or are being updated include:
a. Reforms to government digital identity framework
b. Interact with Anti-Money Laundering and Counter-Terrorism Financing (AML-CTF)
c. Reforms to strengthen privacy
d. Australian Cyber Security Strategy 2023-2030
e. Anti-Scam initiatives being developed by the banking sector
Proposed Obligations Under Scams Code Framework
The Scams Code Framework consultancy has defined several controls common to each business sector. The table below summarizes the proposed obligations for the three key sectors of the scam ecosystem – banks, digital communications platforms, and telecommunications providers.
Table 1. Proposed Ecosystem-wide Obligations in Competition and Consumer Act (CCA)
| Prevention | Detection / Disruption | Response | Reporting |
|---|---|---|---|
| Have an anti-scam strategy based on assessments from the scam ecosystem. | Detect, block and prevent scams from initiating contact with customers. | Once a customer identifies they are a scam victim, prevent further loss. | Provide immediate reporting to other businesses and government entities on large-scale and rapidly emerging scams. |
| Prevent misuse of its services by scammers. | Verify and trace scams from scam intelligence. | Have user-friendly, effective options for customers to report scams. | Share data on incidences of scams and action taken with law enforcement and regulators. |
| Implement anti-scam systems. | Act in a timely manner on scam intel, including from customers and info sharing. | Have user-friendly, effective options for customers to file complaints about a scam report. | Keep records of incidences of scams. |
| Provide customers with information on identification and risk of scams. | Alert customers to targeted scams. | If a customer escalates a complaint, they should be dealt with fairly and promptly, providing them dispute resolution options. | |
| Train staff to identify and respond to scams. | Provide customers with tools to verify information in real time. | | |
Table 2 below lists the specific controls proposed for banks.
Table 2. Possible Bank-Specific Obligations
| Prevention | Detection / Disruption | Obligation to Customers |
|---|---|---|
| Enable confirmation of the identity of a payee to reduce payments to scam accounts. | Be part of information sharing with other banks that an account or transaction is likely a scam. | Give consumers a user-friendly way to take action when they suspect their account has been compromised or they have been scammed (e.g., an in-app ‘freeze switch’). |
| Verify a transaction is legitimate where a consumer undertakes activity that is identified as having higher risk than normal or likely to be a scam. | Have processes in place to act quickly on information that an account or transaction is likely to be a scam, including blocking/disabling an On-Us (same bank) scammer account or working with the receiving bank. | Assist the consumer to trace and recover transferred funds. The receiving bank should revert a transfer within 24 hours of the sending bank’s request. |
| Additional steps must be in place if a consumer is identified as having a higher propensity to be affected by a scam. | | Respond to ASIC (Australian Securities and Investments Commission) information requests in a timely way. |
| Banks must implement methods to detect higher-risk transactions and take appropriate action to warn the consumer, block or suspend the transaction and limit exit channels for the proceeds of scams, including blocking/disabling an On-Us (same bank) scammer account or working with the receiving bank. | | |
Prior to the release of the Scams Code Framework consultancy, the Australian Bankers Association (ABA) introduced the Scam-Safe Accord. According to Anna Bligh, CEO of the ABA, “This Scam-Safe Accord is a new offensive in the war on scams. It reflects the banking sector’s unwavering commitment to safeguarding every Australian. It outlines the actions every bank will take to protect Australian consumers and small businesses and to harden the system against scams.” Australian banks have committed to several key controls as part of this Accord, as outlined in Table 2A.
Table 2A. Australian Bankers Association Scam-Safe Accord Controls (from ABA Press Release)
| Control | Description |
|---|---|
| Confirmation of Payee System | A $100 million investment to help reduce scams by ensuring people can confirm they are transferring money to the person they intend to. Design of the new system will start immediately, and it will be built and rolled out over 2024 and 2025. |
| Warnings and Payment Delays to Protect Customers | If a customer is transferring money to someone they haven’t paid before or raising payment limits, they can expect more questions, warnings and delays from their bank to protect them from falling victim to a scam. |
| Strong Controls Around Online Account Opening | Banks must use at least one biometric check for new individual customers opening accounts online by the end of 2024. These checks will either be based on a person’s behavior or involve a check of a customer’s face or fingerprint, enabling banks to use these characteristics to verify their customer’s identity. |
| Major Expansion of Intelligence Sharing Across the Sector | All ABA and COBA (Customer Owned Banking Association) members will join the Australian Financial Crimes Exchange (AFCX) to be ready to use their scams intel to fight scams from mid-2024, and the Fraud Reporting Exchange over 2024-25. |
| Limit Payments to High-Risk Channels to Protect Customers | Expect more banks to start limiting payments to high-risk channels such as some cryptocurrency platforms. |
| Implement Anti-Scam Strategies | All banks will implement an anti-scams strategy to enhance oversight of the bank’s scams detection and response. |
Digital communication platforms, including social media companies, are also named as a key sector in the scam ecosystem. The specific controls proposed for these providers are listed in Table 3.
Table 3. Possible Digital Communication Platform Specific Obligations
| Prevention | Detection / Disruption | Obligation to Customers |
|---|---|---|
| Implement processes to authenticate and verify the identity and legitimacy of business users and advertisers. | Have methods in place to identify and share information with other platform providers and the National Anti-Scam Centre (NASC) that an Australian user is likely to be a scammer. | Have user-friendly methods for consumers to take action when they suspect their account is compromised or they have been scammed. |
| Detect high-risk interactions and alert customers, block or disrupt the interaction to reduce scam activity. | Have in place a process to act quickly on users likely to be scammers, including blocking or disabling the user account. | Respond to ACMA (Australian Communications and Media Authority) information requests in a timely way. |
| Have solutions in place to prevent user accounts from being hacked and have a process to restore hacked user accounts. | | |
In late November, the UK Government introduced the voluntary Online Fraud Charter identifying several controls recommended for internet companies to help reduce financial scams. See Table 3A below for this list of key controls.
In addition, the Online Fraud Charter requires internet companies to have dedicated liaisons to respond to law enforcement requests and a process for fraud intelligence sharing. This should also include analyzing established and potential ways fraud is occurring on these internet platforms. The Charter also addresses the communication that these platforms can provide to educate users on fraud.
Since this UK proposal came out at the same time as the Australian consultancy, there should be a review of the Online Fraud Charter to see what might be relevant for Australia.
Table 3A. UK Online Fraud Charter Proposed Controls for Internet Companies
| Blocking | Reporting | Takedowns | Advertising |
|---|---|---|---|
| Have effective processes to identify and remove fraudulent content and accounts. | Adopt a simple mechanism to report fraud, within 2 clicks of a button. | Remove fraudulent content immediately. | Deploy verification measures for new advertisers. |
| Block users that have previously been removed for fraud. | Have a process for law enforcement and trusted partners to report suspected fraud on the platform. | Take appropriate and timely enforcement action against persons entering fraudulent content. | Screen advertisements for suspicious content and continuously scan for fraudulent embedded URLs. |
| For dating sites, give users the choice to verify accounts. | Develop warnings when users are contacted by unknown accounts. | Have a clear process to reinstate victims’ accounts following account takeovers. | Assess URLs that redirect to another web page. |
| Deploy verification measures for sellers of goods. | For dating sites, warn users about suspicious contacts. | | Allow users to quickly report fraudulent adverts. |
Telecommunication providers in Australia are currently under some standards to support scam reduction. The Reducing Scam Calls and Scam Short Messages industry code was rolled out by the Australian Communications and Media Authority (ACMA) in July 2022 and has already been effective. Telecommunications providers have reported that approximately 1.4 billion scam calls and 336 million scam SMS messages have been blocked under the code in its first year. Consumer reports of scam calls have also decreased by 56% from 2021 to 2022.
The ACMA takes this code extremely seriously. Some companies have been found in violation of the rules.
Telecommunication providers have agreed to certain obligations to reduce scams under the industry code, which are outlined in more detail in Table 4.
Table 4. Sample Current Obligations for the Telecommunications Industry
| Prevention | Detection / Disruption | Obligation to Customers |
|---|---|---|
| Provide controls for consumers to block suspicious calls and SMS (Short Message Service) messages. Explain how to report these activities to Scamwatch. | Investigate and take action to stop unauthorized spoofing once it is identified. | At the end of each quarter, the telco providers must report to ACMA the number of scam calls/SMS blocked. |
| Originating telecommunication providers must verify a call/SMS originator has the right to use a number or alphanumeric Sender ID. | Share information with other telco providers and ACMA in a timely way once a material case has been identified. | |
| Monitor the telco network for scam calls/SMS based on characteristics identified in the (telco) code. | Where a scam call/SMS is confirmed, block the phone number/alphanumeric Sender ID or message header ASAP. | |
| Have a system in place to trace the origin of suspicious calls/scams. | | |
Summary of Additional Requirements
There are several additional requirements for the three key sectors. First, each entity must have an implemented anti-scam strategy. The strategy would cover how “the business would prevent, detect, disrupt and respond to scams, based on its assessment of its risks in the scam ecosystem.” This strategy should involve senior management.
Second, the Code pushes for scam information sharing among the sectors noting, “Businesses regulated under this framework would be required to share and act on (scam) information.”
Third, the framework would require regulated businesses to strengthen protections against scams through “receiving customer scam reports, complaint handling and internal and external dispute resolution.” According to the consultancy, there “will be clear redress pathways for consumers.”
Consumer Reimbursement Remains a Gray Zone
The fourth requirement revolves around potential consumer reimbursement for scams. In May 2023, when these proposed new controls started to be discussed publicly, there was speculation that these new controls would include requirements for banks, telcos, and social media platforms to reimburse consumers for scams. But in the consultancy, there are no statements about reimbursement for scam losses. There are only two open questions:
• Question 32. Should the Government consider establishing compensation caps for EDR (external dispute resolution) mechanisms across different sectors regulated by the Framework? Should these be equal across all sectors and how should they be set?
• Question 33. Does the Framework set out a clear pathway for compensation to consumers if obligations are breached by regulated businesses?
There is also a brief mention of compensation for scam losses under the penalties for non-compliance, but there is no meaningful discussion.
So, at this point, it is not clear if reimbursement will be included in the final document or not. However, it is clear banks do not want mandated scam reimbursement. In July, several bankers made it clear they did not believe scam reimbursement was needed.
The consultancy does include penalties for failure to meet the obligations described in the document. These can be the greater of:
• $50 million AUD
• Three times the value of the benefits obtained
• 30 percent of the corporation’s adjusted turnover (revenue) during the breach
There could be other penalties included.
Conclusion
The Australian government met its year-end obligation of providing proposed controls for banks, digital communication platforms, and telecommunication providers to fight financial scams. And it will make them mandatory, upon review of comments and final revisions. This is a big step forward to protect Australian consumers from scams. The final version will also take into account the new and important bank Scam-Safe Accord introduced in November and the existing telco rules under the Reducing Scam Calls and Scam Short Messages Code. The government may need to engage Google and Apple because they are both important vendors for phone messaging: Apple with iMessage and Google with the increasingly popular Rich Communication Services (RCS) messages, which can include graphics and video.
On the banking controls, I think there should be mandatory controls around online account opening and money mule detection. There needs to be a serious effort to detect and eliminate money mules, a key contributor to these scams.
For the digital communication platforms, it would be wise to review the UK Online Fraud Charter to see what might be important to add.
On the topic of scam reimbursement, so little was said in the consultancy, that it remains to be seen if/how this concept will be included in the final version of these mandatory requirements for banks, digital communication platforms, and telecommunications providers. Will Australia follow the UK PSR scam reimbursement model?
Overall, this is a significant effort by the Australian government to involve all key sectors in the fight to eliminate consumer financial scams. Specifically, kudos to the ACMA for their aggressive efforts to bring errant telco providers in line to support its scam rules and to penalize those providers when they fail to do so.