Australia: ePayments Code - User beware - Getting scammed not a mistake

08 Jun 2022 3 minute read

- Share by email
- Share on
- Twitter
- LinkedIn
- Facebook
- Google plus
- Get link
- Get QR Code
- Download
- Print

Supply Chains FSR Financial Regulation & Enforcement

In brief

On 2 June 2022, ASIC published the updated ePayments Code (Code) which it states will strengthen and clarify a number of existing protections for consumers relating to various forms of electronic payments.

The Code has generally been the benchmark for consumer protections for payments and transactions that were triggered within the world of online and mobile banking. It has been an added level of regulation for its subscribers which include most banks, credit unions and building societies in Australia.

Background

The Code provided a step-by-step guide to retrieving 'mistaken payments' and for identifying the liable party for 'unauthorised transactions' within certain parameters. These sections in the Code have now been updated, with some of the more substantive amendments in the form of clarifying 'notes' added after particular requirements. While not all payment providers are subject to regulation under the Code, it is often referenced as an objective test of 'reasonableness' in the context of determining liability between consumers and the provider or between providers. Subscribers may also contractually ensure that their counterparties are compliant with and/or are governed in accordance with the Code. We summarise below what we anticipate to represent the substantive changes to the Code effective from 1 July 2022.

Key takeaways

Mistaken internet payments

Scams not covered as mistaken payments: The Code now expressly clarifies that the 'mistaken internet payment' definition expressly excludes mistaken payment resulting from a scam and was intended to relate only to typographical type errors.
On-screen warning: Where BSB and account details are used for transfers (i.e. not involving a payID) the on-screen warning is more comprehensive and is required to clarify that the names and identifies will not be matched, verified or checked.
Investigation timeline: There is now a new requirement to send a request to the ADI where mistaken funds were sent 'as soon as reasonably possible'. The Code effectively notes that this means within 2 days unless subject to the particular circumstances.
Record keeping: Both the sending and receiving ADIs must keep sufficient records to demonstrate their compliance with these requirements.
Insufficient funds: Previously, where funds which were mistakenly received by an ADI weren't readily available to the receiving ADI for recovery, it was required to use reasonable endeavours to retrieve the mistakenly received funds. Under the amended Code, the receiving ADI has the discretion to either pursue the total or partial return of the funds, taking into account the interests of both parties and a series of prescribed factors (including impact, history and certainty of recovery). ASIC notes that the overarching factor should be that the unintended recipient should not consider themselves entitled to funds that are not theirs.

Unauthorised transactions

Transactions not authorised by a user: 'Unauthorised transaction' was previously defined broadly as a transaction not authorised by a user. This definition has been clarified to only include transactions not performed by the person themselves or without their knowledge and consent.
Time limit for unauthorised transactions: The Code introduces a limitation period of 6 years within which a report of an unauthorised transaction must be accepted. This limit does not apply to disputed transactions under chargeback rules.
New process for investigating: The Code introduces a new process for investigating unauthorised transactions, including a requirement to obtain prescribed information (to the extent relevant and available), with non-cooperation by a user a potential consideration in the decision making process.
Timeline introduced: Similar to the timeframe for mistaken payments, there is only 15 days in which to respond to requests from other payment institutions (i.e. Code subscribers). The investigation itself must be completed within 21 days and the user advised of the outcome in writing. Reasons must also be provided.

Compliance monitoring and data collection

Targeted monitoring to replace reporting: ASIC has increased its targeted monitoring and surveillance capabilities of its subscribers' compliance with the Code. Subscribers are no longer required to report information about unauthorised transactions on a yearly basis. Instead, reporting is only required when ordered by ASIC in the course of its targeted compliance monitoring activities.

Consistency with updates

External dispute resolution scheme: References now specify AFCA.
Compliance with ASIC Regulatory Guide for disputes: References to 165 have been updated to RG 271.
Australian customer satisfaction standards: AS ISO 100002-2006 has been updated to AS/NZS 10002:2014, 'or its successor'.

Feel free to reach out to any of the lawyers named in this alert or your usual contacts at Baker McKenzie with any queries you have more generally about the application of the Code or similar frameworks to your business, or how you may be impacted by some of the change described.

Contact Information

Bill Fuggle
Partner
Sydney
Read my Bio
bill.fuggle@bakermckenzie.com

Yechiel Belfer
Special Counsel
Melbourne
Read my Bio
yechiel.belfer@bakermckenzie.com

Alan Darwin
Special Counsel
Sydney
Read my Bio
alan.darwin@bakermckenzie.com

Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.