Scams: Should your bank be liable for losses?

In August 2022, Doug was scammed by cybercriminals.

Doug received an e-mail claiming to be from the Inland Revenue Department (IRD). He had recently been dealing with the IRD, so the e-mail was not unexpected.

He clicked on a link in the e-mail where he was prompted to reset his myIRD password and click through to his bank website to receive a tax refund. That link took Doug to what looked like his bank’s website where he entered his log-in details.

However, the website was fake, and a scammer used the details to log into Doug’s internet banking. A few days later, Doug noticed that $60,000 in unauthorised payments had been taken from his account.

When Doug notified his bank of the fraud, he was told that he had breached the terms and conditions of his account by giving the scammer the information required to access his internet banking. Under the New Zealand Banking Association (NZBA) Code of Banking Practice – which sets out what the banking industry considers to be good banking practice – the bank said that it was not obliged to reimburse him for his loss.

But with the increasing sophistication of scams, should banks take more responsibility for protecting customers from these losses?

Are better consumer protections required?

When there are disputes between banks and their customers about who is liable for losses from scams, the Banking Ombudsman acts as an independent dispute resolution service.

Banking Ombudsman Nicola Sladden says, “In short, the Code of Banking Practice commits to reimburse customers that are the victims of unauthorized payment fraud, unless they have acted without reasonable care or breached the terms and conditions.”

Importantly, the NZBA code only covers you if “someone else” accessed and used your card or internet banking without your authority.  

If you’ve inadvertently given your details to someone you thought was legitimate but turned out not to be, your bank might decide you didn’t act with “reasonable care”.

“More often than not, that is the issue for our consideration,” Sladden says, “we need to think about what reasonable care is, and the context in which that consumer was operating at the time.” 

Scams are growing in sophistication, and it’s getting harder to spot fact from fiction, with victims across society, said Sladden.

“We've heard from senior people in businesses, from regulators, and from people who are in law enforcement, who have all become victims to these phishing scams.”

Changes to banking tech could make our money safer from scammers

Sladden believes that solutions implemented abroad could help make New Zealanders’ money safer.

“There are systems and technology that the banks could employ to help protect consumers from some of these fraud risks. An obvious example is the name and account checking functionality which has been adopted in the UK [a system which shows you whether the account details and the name of someone you are sending money to match]. That has prevented significant sums of money being taken by mistake or by fraud,” Sladden said.

Roger Beaumont, the chief executive of the NZBA, emphasises education, “We’re aware that scams are increasingly sophisticated and constantly evolving. That’s why we think public education and general scam awareness is very important.”

The NZBA has been active in the development of awareness campaigns, and the Code of Banking Practice has advice on avoiding scams, but is there more that could be done?

UK banking sector offers better protections for consumers

In the UK banking sector, collaboration between banks and consumer groups has seen the adoption of a voluntary code of conduct that addresses authorised push payments (APP). Unlike unauthorised payment fraud, in an APP, the victim makes the payment themselves, often under false pretences.

The code – named the “Contingent Reimbursement Model” (CRM) – began operating in 2019 following recognition within the banking industry that there are circumstances in which banks should have identified that a payment, despite being authorised by the customer, may relate to a scam.

Nicola Ponsonby is a New Zealand Financial Services director at Ernst & Young, helping banks and financial institutions to prevent and detect financial crime. Describing the differences between the UK and New Zealand when it comes to authorised push payments, she says:

“In the UK, most of the major banks have signed up to a voluntary code that states that where customers have suffered financial losses when payments may have had indicators that they are related to a scam, banks will make every effort to reimburse them for their financial losses. This places more of the burden on the banks.”

This code does not exist in New Zealand. NZBA chief executive Roger Beaumont believes that broadening the Code of Banking Practice to cover APP scams would mean “banks take on all or most of the risk of customer decisions, meaning customers have little incentive or responsibility to protect their money. This could lead to much greater fraud losses.”

Consumer CEO Jon Duffy says, “We find the idea that bank customers will make no effort to protect their money if banks have greater responsibility for protecting scam victims problematic. Being the victim of a scam is highly stressful and uncertain, even if you are eventually reimbursed. We don’t think this is an experience consumers treat lightly.”

And increased fraud losses are not a guaranteed impact of reimbursement, with Ponsonby suggesting that while the requirement to reimburse would lead to increased costs for banks, it could incentivise the development of better fraud prevention systems.

“For banks, in the short term, there would be increased costs in terms of reimbursing financial losses, but because of that there may be a drive to invest in better methods of detecting these types of payments and pausing them, or contacting the customers before the money goes out the door,” Ponsonby said.

In Australia, banks have teamed up to develop a platform that will help them to act more quickly to freeze fraudulent transactions, but consumer rights groups say it will not do enough and are calling on banks to reimburse scam victims.

Without broader coverage of fraud, Ponsonby believes that “both from a financial and a criminal justice perspective, consumers in the UK have better protection and are more likely to have a positive outcome.”

Thankfully, Doug brought his case to the Ombudsman, who, unlike his bank, judged that he had acted reasonably, and was reimbursed the $60,000 plus interest.  However, many thousands of others scammed in Aotearoa haven’t been so fortunate.

But its bigger than banking

In writing about the need for a fair compensation and protection model for consumers in New Zealand, Ponsonby has called for an “ecosystem approach,” recognising that this is bigger than any one sector.

Nicola Sladden, the Banking Ombudsman, and Roger Beaumont of the NZBA agree, saying that several parties, including global tech companies, telcos and government agencies have a role to play in reducing fraud. Just as a bank can spot the red flag of a scam, so can an online marketplace. And just as a bank can get the word out about a copycat government website, so can the agency being imitated.

This week, the Australian National Anti-Scam Centre has announced an “investment scam fusion cell”, bringing together representatives from the banks, telecommunications industry, and digital platforms to disrupt criminal activities.

New Zealand does not yet have a similar initiative, and while the various service providers agree that cross-sectoral attention is required, reaching a consensus on each party’s role could prove a stumbling block, according to Ponsonby.

“A co-operative approach to consumer protection across social media companies, technology providers and the banks is a challenge, because where there’s a potential for refunds, there’s a natural tendency to point elsewhere in terms of responsibility. But I think that’s no longer an acceptable framework in which to operate”.

Consumer would like to see better, fairer outcomes for consumers:

• Scam prevention and ecosystem approach in Aotearoa. Developing a system, like Australia’s recently announced fusion cell, that can share intelligence with banking, social media, telcos and government agencies to detect and prevent scams.
• Banks reimbursing losses for authorised push payments scams. A voluntary effort, or regulation, which sees banks take on the liability for losses to authorised push payment scams, so long as the consumer hasn’t done anything that has contributed to or increased the impact of the scam.