sign up log in
Want to go ad-free? Find out how, here.

We have to make it harder for scammers, but the battle against fraudsters won't be won with one change: Janine Starks

Banking / news
We have to make it harder for scammers, but the battle against fraudsters won't be won with one change: Janine Starks

Introducing new anti-fraud measures including name and account number checking would make it far more difficult for scammers to get away with “big haul” investment frauds, a personal finance commentator says.

Parliament’s Finance and Expenditure Committee recommended last week that name and account number checking, or confirmation of payee, should be introduced by New Zealand banks as scammers were “actively targeting New Zealanders”.

Financial commentator Janine Starks said there are “gaping holes” in New Zealand banks' fraud security without confirmation of payee, which allows people to check the details of who they are paying before they make a transaction.

She said New Zealand “doesn’t have a choice” in introducing it.

“Once it’s in, scammers have to make the name and account number match. That means they can still scam people, but they need to change the type of fraud they commit. Investment frauds which are big haul are far more difficult to commit.”

Starks said scammers would need to open an account in the name of a firm which sounded like a financial intermediary to make their scams work if name and account checking is in place, and it removed scammers' ability to use personal accounts for money mule activities.

There have been a number of high-profile investment scams perpetrated against New Zealanders where payments were made to “Citibank” accounts for fake term deposit investments, but the accounts were actually mule accounts used to shift funds, held with New Zealand banks.

“Getting a business account name will likely mean registering a company and getting through a bank's KYC rules ( know your customer). If they manage that, the bank has again failed in security,” Starks said.

NZ’s big four banks say they support confirmation of payee, but have warned it hasn’t stopped frauds in the UK.

ASB Chief Executive Vittoria Shortt said the UK had name and account matching, but frauds and scams had "escalated even further".

She said this didn't mean it wasn't worth doing, but New Zealand banks should "go after the biggest beneficial option which I think is the centralised capability".

Shortt said ASB was very supportive of an industry-backed scheme to bring in confirmation of payee, which was being discussed with bank-owned payments system Payments NZ — but the banking industry hasn't said when it could be achieved.

Westpac's Head of Fraud and Financial Crime, Peter Barnes, said there were several ways name and account checking could be managed, but it would require an agreement from all banking entities on what the model would look like.

"Implementation of this initiative would have to be carefully considered as it has the potential to disrupt many legitimate day-to-day transactions."

ANZ said it was supportive of the recommendations made by the Finance and Expenditure Committee, "and continued to carefully review and learn from what’s working in other countries and what isn’t".

Starks said confirmation of payee “isn’t weak or pointless”. 

“It is a hole that needs plugging, but once that's done fraud is still viral and innovative and it will morph into other schemes that ensure the account number matches, or they attack frailty in other parts of the system like the weak security around two-factor codes sent via text message. Fraudsters always attack the fraud-hole banks haven’t fixed. That doesn’t mean that we should say the plugs we put in place are now pointless. They absolutely aren’t.”

Starks said failure to act meant New Zealand could end up with “hyper-viral fraud”.

She said NZ banks’ current fraud systems were at least 10 years behind the UK, and “the UK regulators keep insisting their own banks must do more”.

“Given the technology banks use — more security is a constant, not a goal with an end point.”

The UK now has a Contingent Reimbursement Code, which means people who are tricked into making payments to scammers will likely get their money back from banks, “if the combination of a person’s individual circumstances and the scam itself mean that it wasn’t reasonable to expect that person to have protected themselves then they should always be given their money back”.

NZ's Finance and Expenditure Committee recommended investigating a similar system.

The UK’s code has consumer protection standards for banks to reduce “authorised push payment” (APP) scams, where people are conned into authorising payments to accounts they believe are legitimate.

It is voluntary. Those who sign up commit to protecting customers with with procedures to detect, prevent and respond to APP scams, to provide a greater level of protection for customers considered to be vulnerable to this type of fraud and greater prevention of accounts being used to launder the proceeds of APP scams, including procedures to prevent, detect and respond to the receipt of funds from this type of fraud.

It also means banks must reimburse customers "who are not to blame for the success of a scam".

The United Kingdom introduced confirmation of payee in 2020, and an Australian bank had brought in its own checking system this year. 

Commonwealth Bank, which owns ASB in New Zealand, introduced NameCheck earlier this year, "an Australian banking first".

It said NameCheck had helped over 11,000 of its customers and saved over A$11 million in mistaken payments since March 31.

In the UK, Lloyds Banking Group said confirmation of payee had helped to reduce bank transfer scams by 31% within the first couple of months of its introduction in 2020.

Banks across the Tasman have also launched a fraud reporting exchange, which has “near” real-time reporting of fraudulent transactions between member banks and  the ability to halt multiple fraudulent transactions taking place as part of the same scam.

Australia also launched a National Anti-Scam Centre recently, bringing together regulators, police and banks to work together to identify and combat financial frauds.

It appears introducing an anti-scam centre in NZ has momentum. The Financial Markets Authority said recently it was looking at a national anti-scam centre.

The FMA said in an emailed statement that along with fellow agencies in the financial sector it was looking at ways to achieve greater coordination and cooperation around tackling scams.

This was on the agenda for the Heads of the Council of Financial Regulators (the Chief Executives of the Reserve Bank, the Treasury, MBIE, the Commerce Commission, and the FMA) at their next meeting, it said.

"We are also talking with industry groups on the same theme to encourage more coordination in the private sector with Government agencies.”

A number of agencies were involved in protecting New Zealanders from scammers including the Department of Internal Affairs, NZ Police, Cert NZ, the Commerce Commission and the FMA.

We welcome your comments below. If you are not already registered, please register to comment.

Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.

5 Comments

New Zealand banks and telcos make it super easy to commit financial scams in NZ:

 

1. Telcos and banks make it impossible to report scams occurring in real time. "your call is important to us but due to the Covid pandemic 5 years ago call waiting times are longer."

 

2. Telcos and banks dont do anything and clearly have no dedicated teams to take action when you report phone numbers used to initiate fraudulent SMS and calls from scammers and bank numbers provided by scammers to make those NZTA licence fee payments to, or to send funds to a family member stuck in Nigeria without their passport and cards.

 

3. Banks pushed us to electronic payments and took cheques away passing the risks and losses caused by payment errors (e.g. miscoding recipient account number) and some scams onto customers. 

 

4. Banks T&Cs universally state that customer is prohibited from disclosing online banking login and account credentials to anyone else. And yet, various NZ companies, Councils, and government departments collect payment online using Paymark and other payment service providers "bank to bank" "service" which requires customers to enter their online banking login credentials so that the payment company can access customer's online banking and initiate a payment on the customer's behalf. Complete breach of bank T&Cs, encourages and conditions customers into being lax with their online banking credentials and banks have nary a bad word to say. Then there's the fact that Paymark's T&C's expressly exclude liability for losses incurred using their service - even if caused by negligence on their part.   

All of this breaches the CGA 1993, but no-one gives a flying.  

 

Banks need to be brought in line as has occurred in Aussy and the UK. 

 Govt should legislate to allow bank customers to opt in to more restrictive handling by bank of their payments. That way, customers who think they know it all and would never get scammed can operate their accounts, making payments to whomever they like and they pay the cost when that payment to Luigi in Bali they insist is legitimate turns out be a scam. Conversely, customers who have opted in, don't get the dodgy payment processed until after bank has verified that the payment is legit. The opt in customers get full reimbursement from their bank if the payment has gone to a scammer. 

The majority of payments made daily by Kiwis would never be affected as they are to payee organisations who can be relied on to refund money paid in error.    Banks can contract with individual customers on terms that require customer to return proceeds of mistaken or unauthorised payments into their accounts (so the poor payer customer isn't left relying on a court action for money had and received). 

i.e. make the banks (and telcos) liable for scams committed using their technology and services. Then watch the level of financial fraud drop very fast.   

Up
4

i.e. make the banks (and telcos) liable for scams committed using their technology and services. Then watch the level of financial fraud drop very fast. 

Bingo

Up
2

Yeah...no.  Once personal responsibility is removed from the equation,  it's open slather for the scammers.  In addition, people won't pay (or use a free )  password manager or a secure VPN to minimise the chances of being hacked. I know dozens of people that use the same password for multiple services, store their credit card details in several on line stores, yet despite my advice, won't change their habits.  Sometimes it seems that the only way to learn is the very hard way. 

Up
1

" Banks T&Cs universally state that customer is prohibited from disclosing online banking login and account credentials to anyone else."

I think ASB still disapprove of poli payments not withstanding it is used quite extensively by other large financial organisations.

Certainly on an online retail outlet that i use has most of the major banks setup for poli

Up
0

This seems similar as to why Banks are expempt from administrating GST on their services like account fees.  i.e. it would take too much admin which will result in lower profits for them.

I say you have a 12 month introduction period of implementing this.  The payment goes through but you get a message saying the payee name is not correct and please amend it to the correct one for next time.

A country the size of China can do it. I know becasue I've had payments declined becasue there wasn't a period between a comma and a fullstop. Its makes NZ look lazy,

 

Up
0