Overview

Combatting scams is identified in the Australian Securities and Investment Commission's (ASIC's) latest corporate Plan as a strategic project, ASIC has also identified disrupting investment scams as an enforcement priority.  

In line with this strong focus on the issue, ASIC undertook a review of the scam identification and response strategies of the four major banks (CBA, ANZ, NAB and Westpac) and has now released the findings of that assessment (REP 761).  

The key message running through the report is that ASIC considers banks:

'can and should do more to protect Australians from the financial loss of scams'.  

To this end, the report includes a number of 'observations for all banks to consider to minimise the impact of scams on their customers'.  

Broader relevance 

ASIC also considers that the report findings have broader relevance beyond the major banks.  ASIC Deputy Chair Sarah Court states that:

'combatting scams is a critical task for all of corporate Australia - financial institutions, telecommunication providers, digital platforms and other organisations need to work cohesively to stop scams at the source...

This review will aid banking and other financial service businesses, telecommunication providers, digital platforms and other organisations in developing consumer-focussed scams management practices and strategies,' 

Our key takeaways from the report, with a focus on the 'improvement opportunities' identified by the regulator are below.  

Scam strategy and governance

ASIC found that banks' overall approach to scams strategy and governance was 'variable and overall less mature than expected'.  For example ASIC highlights that:

• Only one of the banks assessed had a documented bank-wide scams strategy in place – ie a bank-wide strategy to address and respond to scams.  
• Though all banks provide some form of scam reporting to their board/senior management committees, there was variation in both the frequency of this reporting, and in what information was reported.  
• Only one of the banks assessed had carried out review activities across its scams prevention, detection and response capability and activities during the past three years to ensure the ongoing effectiveness of these activities 

Improvement opportunities identified 

To strengthen banks' overall approach to scam strategy and governance, ASIC considers that banks should:

• Have a bank-wide, documented scams strategy in place to help minimise the overall impact of scams on customers.  ASIC considers this important in terms of:
  • helping to 'ensure there are bank-wide objectives in relation to scams, and clear accountabilities and measures in place to support achievement of those objectives'; and
  • supporting 'decision making throughout the organisation' as well as the deployment of the necessary resources to achieve the objectives set (especially where decisions may 'conflict with commercial imperatives').  
• Provide regular reporting to the board and senior management on a 'broad range' of scam-related matters including: a) the scams threat environment; b) operational efficiency and effectiveness; and c) customer experience and outcomes.  Importantly, the report flags that this means banks need to have the data systems capability to enable analysis of scam cases 'in an end-to-end manner'.   ASIC considers this important to support 'effective oversight of a bank’s scam prevention, detection and response activities'.  
• Undertake regular reviews of scam prevention, detection and response activities to ensure their ongoing effectiveness.   

Scam prevention

The report found that: 

'overall there was a great deal of variability in the steps being undertaken by the banks to help prevent their customers from becoming the victim of a scam'. 

Three examples of the activities being undertaken by the banks flagged in the report include: 

• Scam awareness education activities: The report found that all banks assessed were undertaking some form of activity to increase their customers' ability to identify potential scams.  For example: 
  • inclusion of scam warnings/messaging on their websites about fraud and scams with links to cyber safety information/where customers can access assistance as well as message through other channels eg internet and mobile banking alerts, email, text, radio and print advertising and social media posts.  
  • ASIC also observed that banks are increasingly targeting messaging about particular types of scams to particular groups eg elderly customers 

  However, the report found there was typically only limited/in some cases no monitoring of the effectiveness of these activities.   

• Deliberately increasing 'friction' when conducting payments to allow more time/opportunities for customers to identify that a payment may not be legitimate.  Examples of this highlighted include: 
  • all banks introducing payment processing delays of some kind
  • (in the case of one bank) introducing prompts for the customer to review before making a payment that triggers certain risk alerts eg for first time investments in crypto-currency
  • (in the case of one bank) requiring branch network staff 'to make meaningful inquiries with the customer about certain transactions and types prior to completing them'.
• Protecting against scammers impersonating banks: ASIC found that all banks are 'vigilant' when it comes to monitoring for the fraudulent use of their brand.  For example ASIC observed that:
  • banks ask customers to forward suspicious messages to them
  • banks also work with domain registrars, telecommunications providers and others to take down phishing websites and disable scammer contact numbers
  • some banks have also taken steps to try to prevent more sophisticated forms of scams where SMS messages from the scammer appear in the same thread as previously received (legitimate) SMS messages or where scammers make calls that (fraudulently) appear to be coming from a bank's phone number.  In the case of SMS impersonation scams, ASIC found that two banks have introduced 'alpha tag' blocking to block messages with specified alpha tags (eg a bank’s name) that are not from an approved point of origin.  In the case of phone impersonation scams, two banks were found to have placed the bank's number on a 'do not originate list'.  
• Other scam prevention measures:  Other scam prevention measures being developed/implemented include (among others): 
  • (in the case of two banks), replacing as much SMS (text) communication as possible with secure messaging through their banking app 
  • (in the case of one bank) encouraging customers to make payments using PayID, which shows the payment recipient’s name with the PayID identifier (eg a mobile phone number) before the paying customer proceeds with the payment transaction
  • (in the case of one bank) implementing functionality to show customers whether the name and account details match the payee

Improvement opportunities identified 

• Implementing a continuous improvement approach to scam awareness activities: The report acknowledges the efforts banks are making to 'educate' their customers about scams, but emphasises the value of regularly monitoring and measuring the effectiveness of these activities to ensure they are/remain fit for purpose/to inform future activities.  ASIC observes:

'By monitoring scam prevention activities, banks can review their campaign messages against any changes in customer awareness and the number of scam cases.  They can also measure the effectiveness of particular types of communication or delivery methods to identify those having the greatest impact on reducing scams'.

• Monitoring the effectiveness of deliberately introduced points of 'friction' in the payments process: Similarly, the report acknowledges the 'benefits that appropriately designed levels of friction may offer' but suggests banks should also be monitoring the effectiveness of these measures (including use of warnings/prompts)  to ensure they are having/and continue to have the intended outcome and adjust their approach as necessary.  
• Protecting against scammers impersonating banks: The report encourages cooperation between financial institutions and others (eg telecommunication providers) to protect against this form of scam.  The report underlines that 'this is one area where it is important for the broader scam ecosystem - including banks and telecommunications providers - to work together to strengthen the response to scams'.
• Implementing 'innovative' scam prevention measures: ASIC observes that:

'The rapidly changing nature and increasing sophistication of scam typologies makes it important for banks to continue to trial and implement a range of innovative ways to prevent customers from becoming victims of a scam.  To address new and emerging scam typologies, banks should consider the range of contributors to scam activity and the changes they can make to how they deliver services.  They should also ensure their prevention initiatives remain relevant and fit for purpose'.

How banks detect and stop scam payments

The report concludes that:

'banks are detecting and stopping a low proportion of scam payments, and that the capability to detect and stop scam transactions varies both across and within banks'.

The proportion of scams detected is low

• During the period 1 July 2021 to 30 June 2022, a total of $845 million in  scam transactions were made by customers across the four major banks of which approximately $109 million in payments (13%) were detected and stopped by the banks.
• The proportion of payments detected by each of the four banks varied between five and 18% 

ASIC's observations about the detection measures in place

In terms of the detection measures being implemented by the lenders, ASIC found that:

• all of the banks have in place transaction monitoring to detect potentially fraudulent transactions.  Though there was variation in their approaches to setting detection rules/thresholds.  
• banks are also using what the report describes as 'a range of device analytics and behavioural biometrics capabilities to identify unusual customer activity during transactions', though again the take up of this functionality varies across banks and across payment channels.  . 
• there was also found to be variation in the way banks respond once a potentially fraudulent transaction is detected (even within the same bank) depending on the payment channel and network used.  ASIC found that in many cases a potential scam transactions are paused in real-time, until banks can make inquiries with the customers.  However, putting the transaction on hold is not always an option – the lender may only be able to reject the payment or make inquiries after the payment has been sent (at which point it is too late to recover the funds)

ASIC also found that banks:

'regularly monitor and assess the performance and effectiveness of their detection systems and calibrate and refine them accordingly. This includes reviewing undetected customer reported scams to determine any changes required'.  

Improvement opportunities identified

ASIC considers that: 

'banks should have capabilities implemented across all payment types and channels that allow them to detect, hold and assess potential scam transactions'.

Response to scams and to scam victims

The report found that:

'there were multiple areas for improvement in how the banks responded to scam victims.  These areas relate to resourcing, policies and procedures, and the identification and management of customers experiencing vulnerability'.

For example, the report found that:

• In the case of three banks, 'staff resourcing levels and capability had not kept pace with the increasing volume and sophistication of scams'.  Delays in response times, delays in communicating with customers, increased scam-related call waiting times and lack of capacity to review all potential scam transactions were some of the consequences ASIC attributes to insufficient resourcing.
• None of the banks fully documented their end-to-end process for responding to scam victims/scams.   Further, the 'processes and procedures that did exist lacked the clarity to support the consistent management of scams'.  The report highlights that the policies and processes observed lacked detail around:
  • how scam alerts and cases are prioritised
  • timeframes for assessing scam alerts
  • scam case management and timeframes
  • contacting and responding to other financial institutions
  • communications with customers (eg when to provide customers with progress updates) 
  • dealing with vulnerable customers
  • liability, reimbursement and compensation
  • the scams team’s role during the complaints process.
• ASIC also found that processes and procedures around banks' written communication with customers 'required improvement' and in some cases were 'contributing to poor customer experiences at a time of potentially great distress' for example: advising a customer 
• ASIC found that despite (in some cases) having internal policies and procedures in place for referring customers experiencing vulnerability to a dedicated customer support team, banks did not always either identify these customers or refer them on in line with their policies/procedures.

Opportunities for improvement

• Documenting processes/procedures for responding to customers: ASIC considers that all banks should 'document their end-to-end internal procedures for responding to a scam or scam victim' to 'support fair and consistent customer outcomes'.  
• Documenting their approach for dealing with customers experiencing vulnerability (and ensuring this is consistently followed): 
• Resourcing: The report emphasises the need for banks to ensure there is 'sufficient resources to enable them to respond to scams in a timely and effective manner. They should also ensure that the skills and experience of staff take into account the unique needs of scam victims'.

Approach to liability, reimbursement and compensation

Financial impact for customers 

In terms of the financial impact of scams on customers, the report found that: 

• Bank customers are 'overwhelmingly the bearer of scam losses' with major bank customers losing $550m+ last financial year to scams 
• Reimbursement and/or compensation was paid in only around 11% of the cases where there was a scam loss with customers who made a complaint to their lender more likely than those who did not to receive some form of compensation..

ASIC's assessment of banks' approach to the issue is that: 

'banks adopted inconsistent and generally narrow approaches to liability, reimbursement and compensation'.

Looking at banks approach in more detail, ASIC found that: 

• None of the banks had a bank-wide policy for determining scam loss liability and reimbursement or compensation. 
• The liability-related policies that were in place were observed to 'generally limited in scope (eg to a particular type of scam typology) and/or limited to a particular business unit'.  For example, the report highlights only one of the four banks reviewed had the same policy in place for both their scams and complaints teams (though this was not fully documented) – ie the other three banks had different policies in place for the scams and complaints teams).
• The report also found that though banks had considered a range of potential sources for liability beyond the ePayments Code, in practice they were:

'not consistent in taking all these grounds into account and, in general, we found that when it is confirmed that a customer has been the victim of a scam, the banks tended to adopt a narrow approach to considering liability, and reimbursing or compensating customers. For example, the banks often only consider the ePayments Code, and in some cases the scam typology, without going on to consider other potential sources of liability and factors that may warrant reimbursing or compensating the customer'.

Customer complaints about scams

ASIC also found that scam victims who made a complaint to their bank were more likely to receive some form of compensation than those who did not make a complaint.  According to the report, 37% of scammed customers who lodged an internal complaint received some form of reimbursement and/or compensation.   

The report identifies both banks making 'commercial decisions to pay compensation' to settle complaints and the issue of scams response teams staff 'appearing' to have 'less scope or authority' than those in complaints teams as contributing factors to this issue.     

Opportunities for improvement

• Bank wide approach: ASIC considers that 'all banks should have in place a bank-wide policy or approach to determining scam loss liability, and reimbursement or compensation'.  These policies should 'cover the range of grounds on which a bank may be liable for scam losses' (eg the grounds included in the list at p21 of the report).
• Not complaints 'dependent': The report also comments that: 

'Outcomes for scammed customers should not be dependent on whether or not they choose to raise a complaint in relation to their case'.

Next steps

• Reviewing banks' response to the report findings: ASIC flags that it intends to continue to monitor the actions being taken by the four banks in response to the 'improvement opportunities identified in this report'. 
• Review of other parts of the banking sector: ASIC has commenced a review of the scam prevention, detection and response activities in other parts of the banking industry.

[Source: ASIC Report 761 Scam Prevention, Detection and response by four major banks; ASIC media release 20/04/2023]