ASIC’s review of the ePayments Code begins

27 May 2019

  • On March 6th 2019, ASIC released the first of two papers as part of its ePayments Code review. This initial paper is to determine the scope of its review;

  • The areas proposed to be reviewed include: Future Proofing the Code, Complaints Handling, Unauthorised Transactions, Data Reporting, Mistaken Internet Payments, Small Business and Access to Code Provisions;

  • A second consultation paper will be released in August 2019, which will seek stakeholder feedback on ASIC’s proposed amendments to the Code.

Source: ASIC Consultation Paper (CP 310)

Point of View

The ePayments Code (the Code) is a voluntary code of practice, administered by ASIC, that regulates electronic payments, including automatic teller machine (ATM) transactions, online payments, BPAY, EFTPOS transactions, credit/debit card transactions and internet and mobile banking. The majority of banks, credit unions and building societies in Australia, as well as a small number of other providers of electronic payment services, are subscribers to the Code. Once an entity subscribes to the Code, the Code forms part of the terms and conditions between the entity and its customers.

ASIC has confirmed that mandating the Code for all senders and receivers of payments is out of scope in the current review. Making the Code mandatory was recommended by the Productivity Commission’s (PC) Review into Competition in the Australian Financial System, and before that the Financial System Inquiry in 2014. The government is still to formally respond to the PC Report into Competition, but ASIC confirmed that it “does not have a power to make the Code mandatory”.

The Code contains some important consumer protections including:

  • What information can be included on transaction receipts;

  • A general principle that customers will not be liable for any unauthorised transactions;

  • Procedures to seek a return of money if a consumer has mistakenly transferred it to the wrong person; and

  • Complaints handling processes for dissatisfied customers.

These provisions and others are all included within ASIC’s scope for this review.


Future Proofing the Code

There has not been a major review of the Code for over eight years. Developments in technology, new payment operating models and changes in the ways that customers pay have created a need for the ePayments Code to be updated to reflect those changes. Some areas that exemplify this need include:

  • The development and emergence of the New Payments Platform (NPP) - The NPP is a significant piece of national infrastructure designed to meet the needs of the digital economy. The Code does not currently incorporate the NPP;

  • The growth of Mobile and Other Non-Device Payments - The Code currently relies on concepts such as ‘device’ and ‘identifier’, but the provisions that rely on those concepts do not explicitly extend to electronic payments made without such a ‘device’/‘identifier’ (e.g. card-on-file, in-app and tokenisation);

  • Developments in Biometric Authentication - Protections under the Code that apply to the use of a pass code (e.g. a PIN) do not currently extend explicitly to biometrics;

  • Coverage of Transaction Receipts - In its current form, the Code does not explicitly apply to all forms of receipts sent electronically.

Unauthorised Transactions

Recommendation 17.6 of the PC Inquiry, Competition in the Australian Financial System, stated (in part), that “ASIC should more clearly define the liability provisions for unauthorised transactions when third parties are involved, including participation in financial dispute resolution schemes”.

Given that the Australian Government and the banking sector are working to deliver an open banking regime as part of the broader Consumer Data Right (CDR), account aggregators will have the option to utilise Application Programming Interfaces (API), rather than screen-scraping. Sharing data in a framework which has clear operating standards, including liability allocation, would provide better security for consumers and remove the need to share login details.

The Review will also consider the six-year limitation period for customer claims for unauthorised transactions. Some industry participants are of the view that this is too long a period to allow effective investigation and recovery of customer funds. A 12-month period for a customer to bring a claim after becoming aware of the circumstances of the claim – which would need to be defined – could achieve more reliable and successful outcomes.


Mistaken internet payments

Subscribers to the Code that are ADIs must have an effective and convenient process for users to report mistaken internet payments, i.e. a payment made via the Bulk Electronic Clearing System (BECS). The BECS framework co-ordinates and facilitates the exchange and settlement of bulk electronic transactions between participants. Direct entry is used for internet banking transactions and direct debit and direct credit instructions. It is generally used for smaller day-to-day payments but is available for payments up to $100 million. Payments collected from customers' bank accounts are "direct debits" and payments sent to customers' bank accounts are "direct credits".

The current wording of the Code provisions means the ‘sending ADI’, the customer who sent the payment, is the one that must undertake the investigation and seek to recover the funds. One of the proposals the Review will consider is introducing a regime where the intended recipient can initiate a recovery process. This requires careful consideration, including ensuring that privacy requirements are met along with achieving successful outcomes for both senders and receivers of payments.

The Review will also explore the effectiveness of on-screen warnings in reminding customers of the importance of entering the correct details to reduce the risk of mistaken payments, including the warning that correctly entering the account name will not fix an incorrect BSB or account number.

Other Aspects of the Code

Given the review is likely to take a further year to complete, other areas under further consideration are included, such as:

  • SVFs - The Code will need to reflect the final version of the regulatory framework currently under development by the Council of Financial Regulators and timetabled for mid-2019 (with APRA then reviewing its regulatory approach to SVFs that fall within its remit in 2020);

  • Gift Cards - Bringing the expiry date for gift cards in line with the three-year period outlined in the Competition and Consumer Amendment (Gift Cards) Bill;

  • Frequency of Statements - The Code should be clarified where there is misalignment between it and other laws or regulations; for example, clause 7.1 of the Code, and section 33 of the National Credit Code.


The opinions and views expressed in this publication are those of the authors exclusively and do not purport to reflect the opinions, views or official policy position of AusPayNet or its members. This publication is also subject to the AusPayNet Terms of Use and Privacy Policy available on the AusPayNet website.





Copyright © 2017 AusPayNet. All rights reserved.  
