.svg)
Australian banks outside the "Big Four" are failing to update their anti-scam measures in line with current best practices, the country’s financial regulator has said.
In a new report published this week, the Australian Securities and Investments Commission (ASIC) said that anti-scam detection, prevention and response remains “immature” outside the country's four largest banks, namely Commonwealth, Westpac, ANZ and NAB.
After publishing a similar report on the Big Four in April last year, ASIC followed up with a look at the anti-scam practices of 15 non-major authorised deposit-taking institutions (ADIs).
As was the case with the Big Four, the regulator found that anti-scam strategy and governance practices at the reviewed banks were “less mature” than was expected.
Sarah Court, deputy chair at ASIC, said that although recent data has shown that Australians have become more savvy in avoiding scams, the report shows the need for continued focus from regulators on this issue.
“While scam education initiatives many banks are delivering are one step in the right direction, this report outlines areas where banks needed to improve,” she said.
“We expect all banks, regardless of their size, to pull their weight in the fight against scams. Boards and senior management have a key role to play in driving improvement.”
The 15 ADIs reviewed by ASIC account for around 70 percent ($278bn) of household deposits outside the Big Four.
They include local banks such as Bendigo and Adelaide Bank, foreign-headquartered banks such as ING and Rabobank, and payment firms such as PayPal and Wise.
Of the 15 ADIs, only one third had a company-wide scam strategy and many did not have a company-wide policy for determining reimbursement.
The report also identified a lack of adequate training for frontline staff to support customers who reported that they had been scammed.
Common issues: Lack of payment ‘hold’ capabilities
All of the reviewed banks had systems and controls in place to monitor and stop scam transactions on at least some payment channels.
However, only two had hold capabilities across all payment channels, while seven had some level of hold capability on some payment channels.
During the period under review (July 2022 to June 2023), the reviewed banks reported that they were able to detect and stop about 19 percent of scam transactions (by value) made by customers.
The review’s definition of “detected and stopped” excludes other scams that were prevented by the bank prior to the customer performing a scam transaction.
Of the total A$232m ($156m) scam transactions that were made by customers, about 20 percent of funds transferred were recovered from the receiving banks or financial institutions.
However, ASIC notes that recovery rates “varied significantly” across the 15 banks.
Common issue: Scam response times
Six of the reviewed banks had no end-to-end policy dedicated to responding to scam victims.
ASIC referred to the practices of these firms as “outdated” and suffering from gaps in areas such as triage of scam alerts, identification of scams, and templates and timeframes used in customer communications.
There were significant delays to resolutions, with the average case involving customer loss resolved in 42 days, while 15 percent of cases took more than 90 days to resolve.
ASIC said that the failure of receiving banks to respond to recovery requests from sending banks was one of the main drivers of long case times.
In one case where a customer sent A$50,000 ($33,000) in scam funds to two financial institutions, one of the receiving banks never responded to recovery requests from the sending bank, despite receiving repeated requests for help over an 11-month period.
“We saw examples of wait times of up to three months to a year for the return of funds and responses to recovery requests, resulting in significant customer distress,” ASIC noted.
The overall share of scam transactions that were reimbursed by the reviewed banks was 4 percent, compared with 7 percent across the Big Four. However, as noted by ASIC, just one Big Four bank made up the majority of the increased reimbursement rates.
On the plus side, among the reviewed banks, scam losses as a percentage of scam transactions declined from 77 to 62 percent from the first half to second half of the period under review, pointing to a gradual improvement in line with data from other anti-scam agencies.
More controls needed
Moving forward, ASIC recommended that smaller banks follow the lead of the Big Four in introducing new forms of controls.
For example, the regulator called on the banks to implement new friction initiatives, such as by partnering with telcos to detect scam calls in real time, and implementing Australia’s forthcoming confirmation of payee (CoP) system, which is expected to go live in 2025.
Firms are also encouraged to put in place a company-wide anti-scam strategy, based on quality data streams that are reported to boards and senior management.
Scam education campaigns that specifically target at-risk customers are also advised, as are regular audits of anti-scam practices, either internally or by consumer advocates.
