Consumer lobby group Consumer NZ is adding its voice to calls for New Zealand banks to match what banks in the United Kingdom and Australia do to help combat an "avalanche" of cybercrime their customers are facing.
Chief executive Jon Duffy says Consumer NZ wants a "scam prevention and ecosystem approach" similar to Australia’s recently announced task force, enabling intelligence sharing across relevant industries, including banking, to detect and prevent scams. It also wants banks to reimburse losses for authorised payment scams so long as the consumer hasn’t actively contributed to, or increased the impact of, the scam.
"To suggest that with so many resources at their disposal, the banks should have no responsibility to protect and refund their customers when they are scammed into authorising a transaction feels wrong,” says Duffy.
“There’s no question that banks must do better.”
Consumer NZ's full press release is below. And see all our recent stories on these issues here.
Banks need to do better in NZ's financial cybercrime avalanche
Consumer NZ is urging banks to raise their game and provide better protection to New Zealanders who fall victim to scams.
“In New Zealand at least $200 million is lost to scams each year.
“We know there is widespread underreporting, so that number is likely to be much higher. Many of these losses are not covered by banks,” said Jon Duffy Consumer chief executive.
Under the New Zealand Banking Association Code of Practice, banks only have to refund customers who fall victim to unauthorised payment fraud. Consumer thinks this is unfair in many cases.
“If your wallet is stolen and someone goes on a shopping spree using your credit card, this is classed as an unauthorised transaction – and your bank should reimburse you.
“However, as scams become increasingly sophisticated, people are at higher risk of being lured into making authorised payments by professional scammers.
“Of course, people must take their banking safety seriously and should do all they can to avoid falling victim to scams.
“But to suggest that with so many resources at their disposal, the banks should have no responsibility to protect and refund their customers when they are scammed into authorising a transaction feels wrong,” said Duffy.
Banks are often the last line of defence between professional scammers and innocent victims.
“We know scams are getting more sophisticated, which means New Zealanders are increasingly at risk.
“There’s no question that banks must do better.”
A cyberscam story
In August last year Doug lost $60,000 to cybercriminals. As Doug had been dealing with the Inland Revenue (IR), an email from them did not arouse suspicion.
The email contained a link which prompted Doug to reset his myIR password and click through to his bank website to receive a tax refund.
The bank website Doug landed on looked just like his bank website and he entered his log-in details. However, it was a fake website and the cybercriminals extracted $60,000 from his account.
Doug reported the incident to his bank, who told him he had breached the terms and conditions of his account by giving the scammer the information needed to access his internet banking. His bank said it was not obliged to reimburse his loss.
Doug brought his case to the Banking Ombudsman, who judged he acted reasonably. Doug was reimbursed the $60,000 plus interest.
“Doug was fortunate to have the knowledge to navigate the system and enlist the help of the Banking Ombudsman, not everyone has that knowledge or capability," said Duffy.
The case for change
“Our consumer protection ecosystem is massively out of step with many jurisdictions we like to compare ourselves to.”
Most big banks in the UK are signatories to a voluntary code where they typically refund scam victims for their losses.
Duffy would like to see a similar stance taken by the banks in New Zealand.
“We expect banks here to argue they should not be liable for their customers' perceived mistakes – but the way we see it, right now customers are carrying pretty much all the risk in the fight against scams.
“We don't accept the view that banks taking more responsibility will mean customers suddenly become careless with their bank details.
“Getting scammed is extremely stressful, and most people do everything they can to avoid becoming a scam victim.”
In Australia, banks have teamed up to develop a platform, enabling them to act more quickly to freeze fraudulent activity.
Recently the Australian National Anti-Scam Centre has announced an investment scam task force – which brings together representatives from the banks, telecommunications, and digital platforms to disrupt criminal activities.
“We want to see similar action here – there has to be fairer outcomes for consumers in New Zealand.”
What Consumer wants
- Scam prevention and ecosystem approach – like Australia’s recently announced task force, this would enable intelligence sharing across relevant industries, including banking, to detect and prevent scams.
- Banks reimbursing losses for authorised payment scams – banks should be liable for losses arising from authorised payment scams – as long as the consumer hasn’t actively contributed to, or increased the impact of, the scam.
9 Comments
Yes albeit their banking system is still somewhat archaic in the UK (they have to post your debit card to you and a separate letter with a given password you can't change in), each bank has fraud teams and mechanisms that trigger and prevent certain transactions without verification by the account holder.
So the banks must bail out gullible fools who fall victim to scams. Okay, so where's the protection for gullible young fools who took out mortgages to buy a house at market rate, only for the RBNZ/Banks to nearly triple the mortgage rate in less than 2 years? Young people might too be feeling scammed and extremely stressed too as they come off fixed rates this year.
In both instances, personal responsibility comes into play.
Well the banks are happy to close down retail branches and push their customers into a virtual world. And I'm sure their legal teams triple check the terms and conditions and make sure the bank itself is indemnified suitably.
Thinking outside the box, how hard would it be for banks to collectively fund a public service where there is induction and ongoing refreshers for vulnerable groups in the risk and the dos and don'ts of banking in the e-world? I mean the banks will have the demographic information on which are the most vulnerable cohorts.
It's pretty confronting for some elderly for example who used to deal with their bank face to face, to then be pushed into the virtual world, to then suddenly have human contact out of the blue in the form of a scammer cold calling them and convincing them it's their bank calling them.
Whilst I am a proponent for personal responsibility, I do view some of the banks actions as downright predatory - such as stupidly low unrealistic stress tests. These tests are to protect the bank, not the consumer. We could easily change this - legislate that a bank may not increase a mortgage rate to above what it was stress tested at, and may not refuse roll-over at this rate either. The effects of pushing this responsibility onto the banks would likely be profound. Too late for those already caught, however :(
I have commented this idea in the past limiting the maximum interest rate to the stress test rate, only to be told that it would create some huge barriers as banks would apply a much higher risk assessment/borrowers would be limited in what they can borrow. Sounds awfully prudent to me, with an outcome similar to a DTI except the bank has more flexibility.
It would result in less distortions as their test rates become risk bearing, rather than arbitrarily setting them ever lower to increase loan book size until interest rates to climb up again. A bait and switch of sorts, or "teaser loans".
https://www.interest.co.nz/personal-finance/120682/big-banks-mortgage-s…
Earlier this month the UK Supreme Court (their highest court) issued a new judgment setting out the rules for liability of banks where a customer directly authorises the bank to make a payment to a fraudster, and also where the customer has an agent authorise the bank to make the transfer.
Essentially, the bank is not under a duty to vet payments before making them. The bank’s duty to check before making the payment arises only where the bank has reasonable grounds for believing there might be a fraud. In the overwhelming number of cases the bank will have no knowledge of possible fraud and will not be liable in any way for the payment.
here’s the judgment: http://www.bailii.org/uk/cases/UKSC/2023/25.pdf
Credit card fraud is a separate matter. But the really big numbers tend to be where the customer or their agent authorises payment from a bank account.
We welcome your comments below. If you are not already registered, please register to comment.
Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.