Could a recent ruling change the game for scam victims? Here’s why the banks will be watching closely

In Australia, it’s scam victims who foot the bill for the overwhelming majority of the money lost to scams each year.

A 2023 review by the Australian Securities and Investments Commission (ASIC) found banks detected and stopped only a small proportion of scams. The total amount banks paid in compensation paled in comparison to total losses.

So, it was a strong statement this week when it was revealed the Australian Financial Conduct Authority (AFCA) had ordered a bank – HSBC – to compensate a customer who lost more than $47,000 through a sophisticated bank impersonation or “spoofing” scam.

This decision was significant. An AFCA determination is binding on the relevant bank or other financial institution, which has no direct right of appeal. It could have implications for the way similar cases are treated in future.

The ruling comes amid a broader push for sector-wide reforms to give banks more responsibility for detecting, deterring and responding to scams, as opposed to simply telling customers to be “more careful”.

Here’s what you should know about this landmark ruling, and what it might mean for consumers.

Read more: Australia’s new scam prevention draft is welcome – but it needs to be broader in scope

A highly sophisticated ‘spoofing’ scam

You might be familiar with “push payment” scams that trick the victim into paying money to a dummy account. These include the “mum I’ve lost my phone” scam and some romance scams.

The recent case concerned an equally noxious “bank impersonation” or “spoofing” scam. The complainant – referred to as “Mr T” – was tricked into giving the scammer access to his HSBC account, from which an unauthorised payment was made.

The scammer sent Mr T a text message, purportedly asking him to investigate an attempted Amazon transaction.

In an effort to respond to the (fake) unauthorised Amazon purchase, Mr T revealed security passcodes to the scammer, enabling them to transfer $47,178.54 from his account and disappear with it.

The fact Mr T was dealing with scammers was far from obvious – scammers had information about him one might reasonably expect only a bank would know, such as his bank username.

On top of this, the scam text message appeared in a thread of other legitimate text messages that had previously been sent by the real HSBC.

AFCA’s ruling

HSBC argued to AFCA that having to pay compensation should be ruled out under the ePayments Code, a voluntary code of practice administered by ASIC.

Under this code, a bank is not required to compensate a customer for an unauthorised payment if that customer has disclosed their passcode. The bank argued the complainant had voluntarily disclosed these codes to the scammer, meaning the bank didn’t need to pay.

AFCA disagreed. It noted the very way the scam had worked was by creating a sense of urgency and crisis. AFCA considered that the complainant had been manipulated into disclosing the passcodes and had not acted voluntarily.

AFCA awarded compensation covering the vast majority of the disputed transaction amount, lost interest charged to a home loan account, and $5,000 towards Mr T’s legal costs.

It also ordered the bank to pay compensation of $1,000 for poor customer service in dealing with the matter, including communication delays.

Other cases may be more complex

In this case, the determination was relatively straightforward. It found Mr T had not voluntarily disclosed his account information, so was not excluded from being compensated under the ePayments Code.

However, many payment scams fall outside the ePayments Code because they involve the customer directly sending money to the scammer (as opposed to the scammer accessing the customer’s account). That means there is no code to direct compensation.

Still, AFCA’s jurisdiction is broader than merely applying a code. In considering compensation for scam losses, AFCA must consider what is “fair in all the circumstances”. This means taking into account:

• legal principles
• applicable industry codes
• good industry practice
• previous AFCA decisions.

Relevant factors might well include whether the bank was proactive in responding to known scams, as well as the challenges for individual customers in identifying scams.

Broader reforms are on the way

At the heart of this determination by AFCA is a recognition that, increasingly, detecting sophisticated scams can be next to impossible for customers, which can mean they don’t act voluntarily in making payments to scammers.

Similar reasoning has informed a range of recent reform initiatives that put more responsibility for detecting and responding to scams on the banks, rather than their customers.

In 2023, Australia’s banking sector committed to a new “Scam-Safe Accord”. This is a commitment to implement new measures to protect customers, including a confirmation of payee service, delays for new payments, and biometric identity checks for new accounts.

Changes on the horizon could be more ambitious and significant.

The proposed Scams Prevention Framework legislation would require Australian banks, telcos and digital platforms to take reasonable steps to prevent, detect, report, disrupt and respond to scams.

It would also include a compulsory external dispute resolution process, like AFCA’s, for consumers seeking compensation for when any of these institutions fail to comply.

Addressing scams is not just an Australian issue. In the United Kingdom, newly introduced rules make paying and receiving banks responsible for compensating customers, for scam losses up to £85,000 (A$165,136), unless the customer is grossly negligent.