Small Australian banks are well behind their Big Four rivals in protecting their customers from scammers, according to an ASIC analysis of 15 financial institutions that found just 19 per cent of scam transactions were detected and stopped – with customers carrying 96 per cent of the losses.
Only 11 of the banks were able to provide data of good enough quality to be included in the new report, which is entitled Anti-scam Practices of Banks Outside the Four Major Banks and identified 37,500 cases where customers of those banks made scam transactions during fiscal 2022-23 – of which 20,300 victims experienced financial losses totalling $232 million.
The 15 banks and financial institutions are AMP Bank, Bank Australia, Bank of Sydney, Bendigo and Adelaide Bank, Beyond Bank, Credit Union Australia, Heritage and People’s Choice, ING Bank, Macquarie Bank, Newcastle Greater Mutual, Suncorp Bank, PayPal Australia, Rabobank, Teachers Mutual Bank, and Wise Australia.
Just one third of the surveyed organisations had formal, organisation-wide strategies for managing reported scams, with many failing to train front-line staff to adequately assist customers reporting scams.
This had exacerbated “inconsistent and narrow” policies for assigning liability for scams, ASIC found, with a lack of resources delivering “poor customer outcomes” because banks “frequently mishandled” scam victims’ reports and “did not always consider the likely distressed state and vulnerability of the scammed customer.”
With most banks relying on governance and reporting frameworks that were focused on fraud – intentional manipulation of their systems for customers’ financial gain – many struggled to assist well-meaning customers manipulated by smooth-talking criminals or caught out by fraudulent websites.
While all small banks ran anti-scam campaigns for their customers, none were found to follow up to see if the campaigns were working – although the banks did report an overall reduction in the share of scam transactions leading to losses, which dropped from 77 per cent in the first half of the year to 62 per cent in the second half.
Banks still deflecting liability for scam losses
Despite recent declines in the overall number of scams reported, debate about banks’ responsibility for compensating customers for scam losses has raged in recent years as losses to remote access, fake invoice, and other scams surged to $2.74 billion last year alone.
ASIC limited its analysis to situations where customers authorised a scam transaction – either by making a transaction at the scammer’s request, or by providing multi-factor authentication and other details to inadvertently help the scammer.
This allowed ASIC to evaluate situations where, the report notes, “in the current environment, the customer is likely to be liable for the transaction under the [financial industry’s] ePayments Code, as the lack of recourse leaves customers in a vulnerable and difficult position of potentially losing significant amounts of money.”
The ePayments Code exonerates customers for losses “where it is clear that a user has not contributed to the loss”, but blames them for losses due to breaches of passcode security requirements where “on the balance of probability” that breach was more than 50 per cent responsible for the scam losses.
That’s a low bar since many scam victims are often tricked into sharing one-time passcodes, leaving compensation up to the banks – with ASIC finding that just 2 per cent of scam losses were reimbursed to customers when banks detected fraudulent activity (this increased to 7 per cent in cases where the customer complained).
The report surfaced the banks’ “shameful neglect of thousands of banking customers who have been scammed through no fault of their own and collectively lost millions of dollars,” Consumer Action Law Centre CEO Stephanie Tonkin said in slamming an industry that she said “is not taking the scams crisis seriously enough.”
“Something is very wrong in Australian bank culture,” she said, “that a person must complain to get their stolen money back or their bank does nothing.”
Still trailing the Big Four
ASIC’s new analysis follows a similar analysis of the Big Four banks’ scam protections, which last April found that “while the four major banks recognised the significant harm caused by scams, their approach to scams strategy and governance was less mature than expected.”
Although anti-scam initiatives such as the introduction of the National Anti-Scams Centre, information sharing and ASIC’s website takedown service had notched up some wins since then, ASIC updated its figures and found 68,317 Big Four customers had still lost $941 million to scammers in just nine months.
While some small banks were nearly as mature as the Big Four, many had immature, “inconsistent”, or completely absent ‘monitor and stop’ systems to detect unusual activity and put questionable transactions on hold.
With few of the smaller banks having fully implemented such systems, just 19 per cent of scam transactions were detected and stopped automatically, leaving customers and bank representatives chasing stolen funds – unsuccessfully in 4 out of 5 cases – as scammers move them from bank to bank.
“Like the four major banks we reported on last year, the 15 banks in this latest report also demonstrated a less mature approach to scams strategy and governance than we expected,” ASIC deputy chair Sarah Court said in releasing the new report.
Case studies reviewed for the report, she said, unearthed “examples of poor customer service, including slow response times, mishandling of reports, confusing communications, and failure to identify vulnerable customers impacted by scams.”
“The report outlines areas where banks needed to improve,” Court added.
“We expect all banks regardless of their size, to pull their weight in the fight against scams.”
