Updated 10 June 2024

When is your bank liable for scam losses?

When you’re scammed, you probably don’t care how the scam took place; you just want your money back. But at present, the nature of the scam you fall victim to is likely to have a significant impact on whether your bank will reimburse the money you lost.

As far as your bank is concerned, scams fall into two broad categories: unauthorised access scams, and authorised push-payment scams. We explain what these scams are and how this affects your bank’s liability.

If your internet banking is hacked: unauthorised access scams

An unauthorised access scam is where criminals gain access to your internet banking, then transfer money out of your account. To do this, criminals must harvest your personal information, either by installing malware on your computer, or through phishing, where they trick you into disclosing your personal information.

Is your bank liable?

Yes, in theory.

Protection for bank customers in New Zealand comes from a short section of the New Zealand Banking Association’s Code of Banking Practice. The code says your bank will reimburse any fraud losses from unauthorised access if you:

  • weren’t dishonest or negligent
  • complied with its terms and conditions for electronic banking or card use
  • took reasonable steps to protect your banking.

In theory, this gives New Zealand consumers a relatively strong level of protection – consumers in many other countries are not afforded this level of protection by their banks.

The protection could be stronger, though. In the UK, instead of “negligence” the equivalent banking code refers to “gross negligence”. That means, if a consumer has a moment of vulnerability and gets fooled into giving away their personal information by a scammer, they’re more likely to get their money back in the UK than in New Zealand.

While the language in the New Zealand code is better than nothing, it’s also open to interpretation. If you’re scammed, your bank – with serious skin in the game – is left to interpret the code. If your bank decides you acted dishonestly or negligently, breached your terms and conditions, or didn’t take reasonable care, it can refuse to reimburse you. If it does this, your only option is to make a complaint to the Banking Ombudsman.

In response to these issues, in October 2023, the Banking Ombudsman released guidance on how banks should use the code. The guidance explained that words in banks’ terms and conditions such as “allow” or “disclose” imply that a customer knows and intends the consequences of their actions. This is rarely the case when a scam takes place.

The government believes that the code should be updated to provide better consumer protections.

In August 2023, a report by the parliamentary Finance and Expenditure Committee recommended that the government urge the New Zealand Banking Association to “update its Code of Banking Practice to offer further measures that help protect consumers from scams and fraudulent activity”. The government accepted this recommendation and, in February 2024, commerce and consumer affairs minister, Andrew Bayly, wrote an open letter to the banks saying that if the code is not updated within the year, he will consider options for a regulated mandatory code.

If you make a payment to a scammer: authorised push payments

The news is not so good for payments that you authorise.

If you are tricked into making a payment to a scammer – known as an authorised push payment – then your bank has no obligation to reimburse you for your loss. These types of scams are prevalent at the moment, and range from ‘hey mum’ and romance scams, to investment and fake invoice scams.

Is your bank liable?

It’s simple. If you’re fooled into making a payment to a scammer, you have no protection.

You might think this sounds fair enough. After all, in an authorised push-payment scam, your bank is just following your instructions. What else can it do?

The answer is quite a lot. New Zealand’s banks are lagging badly behind leading nations when it comes to the prevention of authorised push-payment scams.

Confirmation of payee is a scam prevention measure that has been used in the Netherlands since 2017 and has now been adopted more widely. The technology checks whether the details you provide when arranging a transfer match the name on the account you’re transferring to. If you’re in love with a John Doe who you met online, but his bank account is under someone else’s name, you’ll receive a warning before making a payment.

This is not foolproof, as scammers are capable of explaining the mismatch away, but it can be enough to make a victim think twice. In the Netherlands, adopting confirmation of payee led to an 81% decline in the number of fraudulent domestic bank transfers.

New Zealand’s banks look set to begin rolling this technology out by the end of 2024.

Should your bank be liable?

We think so.

We think that making banks liable for authorised push-payment scams could help prevent scam losses occurring in the first place. If banks are liable for losses, they have greater incentive to improve preventative measures and stop scams from taking place.

This is the thinking behind a world-leading, voluntary reimbursement scheme implemented by the UK banking sector. Under that code – named the Contingent Reimbursement Model – banks reimburse victims of authorised push-payment fraud unless they are considered to have acted fraudulently or with gross negligence. This move has been incredibly positive for consumers, with reimbursement rates increasing from 19% in the year prior to the code’s introduction, to 69% in the first half of 2023.

Following the success of the voluntary scheme, in June 2023, it was announced that from October 2024, all UK payment service providers would be required to reimburse customers who are victims of authorised push-payment fraud, where the customer has not acted fraudulently or with gross negligence. Reimbursement costs will be split between the sending and receiving bank or payment provider, with victims to be reimbursed to a limit of £400,000 (NZD$860,000) within 5 business days. The UK Payment Services regulator says that this will act as “a clear financial incentive for payment firms to do everything they can to limit a fraudster’s ability to access the UK banking system.”

A similar reimbursement scheme could be on the way in New Zealand. The Finance and Expenditure Committee’s August 2023 report recommended a voluntary reimbursement scheme should be investigated by banks. The government accepted this recommendation in March 2024. In response, the New Zealand Banking Association said it would review international best practice in this area by September 2024 and consider updating the current approach in the Code of Banking Practice.
