New guidelines for the processing of electronic financial transactions will improve consumer protections and remove the “ambiguity” of previous versions, ASIC argues – although some have questioned the new ePayments Code’s abandonment of scam protections.

Published this month after an extensive consultation period, the new revision of ASIC’s ePayments Code marks the second major update since the voluntary code was first introduced in 2011.

The code lays down a set of standard practices around the delivery of electronic payments such as Internet and mobile banking, online payments, EFTPOS and credit card transactions, BPAY and ATM transactions – and, in the new version, payments made using the New Payments Platform (NPP) that has enabled instant money transfers through services like PayID.

Designed to protect consumers that deal with a subscriber to the code – a list that includes most Australian financial institutions – it lays down guidance such as requiring companies to give consumers “clear and unambiguous terms and conditions” for their financial products.

“The ePayments Code plays an important role in reinforcing consumers’ confidence and trust in making electronic payments,” said ASIC commissioner Sean Hughes. “These updates will ensure the code remains relevant now and for the foreseeable future.”

The code also lays down rules for the way changes to terms and conditions must be made, receipts and statements issued, and lays down rules to determine who pays for unauthorised transactions, including a formal regime for recovering ‘mistaken Internet payments’.

This last condition was the source of some controversy during the consultation period for the new code, with ASIC moving to clarify the definition of the term to explicitly rule out losses related to scams.

“We do not consider the mistaken internet payments framework to be suitable to assist in the return of funds in relation to scams,” ASIC noted in its extensive response to submissions about the proposed changes to the ePayments Code.

“The speed with which scammers withdraw their victims’ funds from the receiving account means that the process of retrieving the payment through the code’s mistaken internet payments framework is generally unable to be carried out with sufficient speed to secure the lost funds.”

Noting that clarifying the rules leaves space for other anti-scam frameworks to function, ASIC focused on situations where a consumer accidentally transfers money to an incorrect account – requiring warnings that consumers verify their account details, financial allowing them to recover part of misdirected money even when the recipient has already spent some of it.

That proposal “aligns with the idea that an unintended recipient generally should not benefit from someone else’s mistake and that the mere presence of only a portion of the funds in the unintended recipient’s account does not make it fair for the recipient to keep those funds.”

Making faster payments safer

With payment card fraud climbing 9.2 per cent between fiscal 2020 and 2021 – including a 12.3 per cent surge in card-not-present fraud related to transactions such as Internet purchases – the need to tighten consumer protections has steadily increased.

The ePayments Code reforms modernise the payments architecture to address a range of issues and technologies that have emerged in recent years – for example, the use of virtual credit card details generated through mobile and banking apps, which ASIC considers to be another payment ‘device’.

Although the code does not specifically regulate QR codes – which proved susceptible to fraud as COVID-era check-ins normalised their use in all kinds of settings – ASIC considers them to be ‘tokens’ and, therefore, covered within the Code’s current definition of an ‘identifier’, which is to say ‘information that a user knows but is not required to keep secret and must provide to perform a transaction’.

The new code is awash in nuanced discussions about new payment technologies, complaints handling requirements, and issues such as the amount of personal data should be stored on physical and electronic receipts.

“Just as a paper receipt can be discarded in public places,” ASIC noted, “today’s electronic receipts can be easily lost through security breach or misdirection through emails.”

The changes reflect long-discussed adjustments as Australia’s payment providers pivot to embrace novel services driven by mobile and other new payment systems such as the multi-currency wallet offered by Currencycloud, which last week announced it had been granted an ASIC license after entering the Australian market earlier this year.

Such innovation will be crucial to improve Australia’s payments ecosystem, after being recently flagged as being well behind our Asia Pacific neighbours – having ranked 12th out of 14 regional countries in the maturity of mobile payment platforms.