What should be in a revised fraud compensation code?
Banks don’t plan to consult the public, but victims are beginning to list their demands. Rob Stock reports.
The Banking Association Te Rangapū Pēke is not planning to ask the public how it should change its voluntary Code of Banking Practice to give fairer compensation and better protection.
The association, which is the political lobby group for banks, has been told by Commerce and Consumer Affairs Minister Andrew Bayly to change its voluntary code to provide better fraud protection to consumers, possibly modelled on protections in the United Kingdom.
Scams have become a major threat to personal wealth, with at least $200 million lost to scammers in the past year, and Bayly has threatened a law change if banks don’t change the code this year.
But while Consumer NZ chief executive Jon Duffy says victims must be given their chance to have their say on what should be in the code, the Banking Association said the short timeline given by the minister necessitated dropping the public consultation that usually preceded a change to the code.
Roger Beaumont, its chief executive, said it would “look at what’s happening around the world and then see how we can update the current practice set out in the code”.
But “given the timeframe involved, and the focus on scams, this isn’t likely to be our usual code review process”.
Banking industry insiders do expect to be consulted, however.
Banking Ombudsman Nicola Sladden would not say what she would like to see in the code, but expected the association to consult widely, including the Banking Ombudsman Scheme during the review.
The scheme was set up by banks as a form of self-regulation, before a law change in 2008 gave it a more official status, though it is not independent of banks even now, with bank chief executives occupying two of the five seats on its board, giving them the ability to veto any changes to the scheme.
Duffy, who is on the Banking Ombudsman Scheme board as a representative of the public, said Consumer NZ would be sending its thoughts to the Banking Association.
The UK has tougher fraud compensation rules than New Zealand, and polling by Horizon Research shows the public here believed it deserved the same level of protection.
Britain’s fraud compensation system started as voluntary banking industry selfregulation, but it is now mandatory for larger banks under the Payments System Regulator.
Under the British scheme, banks must reimburse scam victims for both unauthorised, and authorised scam losses, except in certain circumstances, such as when the defrauded person has been grossly negligent; for example, ignoring a warning from their bank.
Authorised payment fraud happens when a crook tricks someone into making a payment. Unauthorised payment fraud happens when crooks find a way to take control of someone’s bank account and make payments without their permission
In New Zealand, banks wrote their voluntary code to require banks to compensate scam victims only for unauthorised payment fraud, excluding liability for a large proportion of scam losses.
Authorised payment fraud accounted for 40% of fraud losses in 2022, the UK’s Payments System Regulator said.
The UK rules have seen some banks refund 90% or more of customer fraud losses, with the £237m (NZ$495m) reimbursed out of £389m of reported fraud.
Retired banker Janine Starks, who has been working pro bono to held scam victims take cases to the Banking Ombudsman, said the UK code encouraged banks to invest in anti-fraud systems to protect customers.
In New Zealand, banks have been severly criticised for failing to put in place adequate fraud prevention systems, and the minister has given them until the end of the year to begin to roll out the key confirmation of a payee system that’s already standard for big banks in the UK.
Bayly said banks had a duty to act with reasonable care and skill, which included identifying and acting on possible signs of fraud. “Where you do not act on possible signs of fraudulent behaviour, or suspicious payments, my view is that you should reimburse customers,” he told banks.
This is an area that’s caused outrage among victims, with the Banking Ombudsman ruling banks’ human staff have a duty to watch out for “red flags” that could indicate possible fraud, but banks’ electronic systems do not have to be set up to spot those red flags.
Starks said the reason the UK regulator decided it was fair to put banks on the hook for authorised payment fraud was because of banks’ failures to invest in strong enough fraud protections, and criminals and money mules had been exploiting weaknesses.
“Even with no red flags, banks have to pay. It is fair due to the huge under-investment in surveillance and technology,” she said.
Duffy suggested “a fundamental element of that is banks keeping their fraud protection measures up to date”.
The Financial Markets Authority Te Mana Tātai Hokohoko, which is set to become the conduct regulator for banks in March next year, could monitor banks’ fraud protection systems for compliance with new duties under the revised code.
Starks said banks should not be writing their own code. If a code change was needed, “it should be written by the FMA”, she said.
She also said victims would be writing to the Banking Association to share their views on how the code should be revised.
The revised code should require banks to have effective fraud protections, she said, as well as binding them to higher levels of account monitoring for signs of fraud.
It should also commit banks to promptly share with other banks information on known money-mules and criminal activity, which they started to do systematically only late last year, and to ensure identified mule accounts were frozen and money prevented from leaving the accounts.
She would also have it include something over which the Banking Ombudsman has said her own scheme had no jurisdiction.
When a person makes a payment, the service often requires two banks – one to send the money, and the other to receive it. Some scam victims have been horrified to find receiving banks were hosting moneymule accounts which the victims believe the banks should have identified.
Starks said victims wanted the code to acknowledge that in such instances both banks had a duty of care to the payer, and to pay joint compensation to scam victims.