Legislative and regulatory context
The Scams Prevention Framework Bill 2024 (SPF) was introduced into Federal Parliament on 7 November 2024. The SPF provides overarching principles from which sector-specific codes can be drafted and an external dispute resolution (EDR) scheme established, with the objective of facilitating ‘economy-wide reform to prevent and respond to scams impacting the Australian community’. The banks will play a critical role in this scheme, and although the sector-specific codes will be some time in the drafting, the Australian Securities and Investments Commission (ASIC) has already outlined practical steps that can be undertaken to address scams.
In August 2024, ASIC published Report 790 on Anti-scam practices of banks outside the four major banks, which followed an earlier publication (Report 761, April 2023) that focussed on the majors. Collectively, the reports provide a benchmark by which banks can review their current anti-scam practices. Although investment choices will be required to tackle technology-related issues, Report 790 observes that ‘the size and resources of the bank were less of a contributing factor to how the organisation managed scams than management’s level of engagement with scam prevention’, thereby flagging key organisational measures that banks can already focus on.
Formal strategy and executive leadership
Operational teams have historically treated scams as a subset of fraud, and ASIC highlights the impact this has had, with practices not always being ‘fit for purpose’. This reinforces the need for banks to develop scam-specific strategies as a starting point, with measurable targets, clearly articulated activities, and milestone timeframes to achieve them. Securing executive-level sponsorship and oversight is important to ensuring sustainable progress. As a corollary, standardisation is required to streamline the way in which banks report on scams to their boards, including doing more to track and report on the customer experience, and not just scam volumes and financial losses.
Staff training and customer awareness
The way frontline and operational staff communicate with scam victims is critical, given victims are often in a confused and distressed state. Fraud-focused call centres may be staffed with junior team members who would benefit from more tailored, in-depth training. Placing more experienced and empathetic staff in these teams will also continue to improve the handling of vulnerable customers over time, and organisations need to consider if their existing operating models facilitate this.
Many banks grapple with backlogs and the pressures that longer call times place on operational teams due to scam complexities. An enterprise-wide approach to triaging scam cases and clear written guidance for staff on escalation channels, processes for liaising with other financial institutions, and timeframes for resolution will complement ongoing customer education activities and minimise complaints from delays in resolving cases.
Banks continue to share guidance with their customers to help them identify and avoid scam attempts, but ASIC highlights the need for additional focus on ‘specific at-risk customer cohorts’, which include those for whom English is a second language, older customers, and those in Indigenous communities.
Technology and measures to prevent and detect scams
Technology features heavily in ASIC’s observations, particularly the varying ability of banks to hold or delay payments in real time across payment channels and networks. Progress in this regard may introduce further ‘friction’ from a customer standpoint, but the trade-off from a customer protection standpoint will be invaluable. The accessibility and speed of digital payment channels have made it easier for customers to transact but also for scammers to evade bank intervention and attempts to recover funds. Scammers are establishing fabricated websites and have greater access to personal information through data breaches and ubiquitous use of social media platforms.
Scammers have shown themselves prolific in targeting customers via short message service (SMS) and direct calls. Some banks have employed the following measures to address this (with ASIC encouraging more consistent adoption of measures across the industry):
- liaising with telecommunication providers to ensure their numbers are on Do Not Originate lists, which protects those numbers from being ‘spoofed’ by scammers to trick call recipients into thinking the calls are legitimate; and
- replacing SMS with in-app messaging to help customers more clearly distinguish genuine bank communications.
Whether blocking or preventing scam transactions is outsourced to third-party payment providers (as it is by some smaller banks) or is operated in-house, all banks should consider implementing measures that will give their customers more time to identify that they have been the victim of a scam attempt, including, for example:
- using machine learning to identify anomalous transactional behaviour rather than relying on static rulesets which produce high rates of false positives;
- using behavioural biometrics to authenticate customers prior to processing payments and to identify anomalous activity relating to device use and internet protocol address; and
- implementing payment holds and customer prompts on higher-risk transaction types, such as payments to first-time payees and to digital currency exchanges. The Australian Financial Crimes Exchange reports that data from the end of the 2022-23 financial year indicates nearly half of all scam losses were processed through cryptocurrency exchanges.
What’s next?
Although ASIC has observed that the share of scam transactions that were detected and stopped increased from 13% (in the 2021-22 financial year) to 24% in the nine months to March 2024, the regulator’s focus will only intensify following the introduction of the SPF. The way organisations respond to and manage scams will also increasingly become a source of differentiation for customers, influencing their choice of who to bank with.
ASIC strongly encourages banks to conduct a comprehensive review of scam practices, emphasising prevention, detection, and response. This includes a particular focus on improving the customer experience and implementing measures that provide customers with more time and opportunities to recognise potentially illegitimate payments.