Consultation to update and modernise the ePayments Code



ASIC is undertaking a further round of consultation in connection with its review of the ePayments Code.

Back in March 2019, ASIC issued Consultation Paper 310 (review of the ePayments Code). It then consulted widely with industry and key stakeholders. Normally, after such a comprehensive consultation, a final report would have been issued by ASIC. Instead, ASIC is now engaging in further consultation with industry and key stakeholders, as outlined in Consultation Paper 341 released on 21 May 2021.

It never ceases to surprise that the ePayments Code remains a voluntary code and only binds organisations which have subscribed to the code. While ASIC would prefer for the ePayments Code to be mandatory, it notes that this would require the intervention of Government at the appropriate time.

Further, the Code currently only applies to electronic payments utilising the Bulk Electronic Clearing System (BECS) and does not cover electronic payments made using the New Payments Platform (NPP). This anomaly is surprising, given that customers can make a payment under NPP in an identical manner to a payment made under BECS, yet the protections afforded under the Code for matters such as mistaken internet payments do not apply to NPP payments.

It must be acknowledged that ASIC has a standing recommendation to industry that, even though the ePayments Code might not apply to NPP payments, banks should act as though it does.

Another anomaly, noted when acting for small business clients, is that the ePayments Code only applies to consumers and does not extend coverage to small business.

The new consultation process by ASIC looks to amend the Code in many respects. ASIC states that the proposals it makes focus on 8 key matters, namely:

  1. compliance monitoring and data collection;
  2. mistaken internet payments, including retrieval of partial refunds and the responsibilities of sending and receiving ADIs;
  3. extending the code protection to small business customers;
  4. unauthorised transactions and passcode security requirements;
  5. modernising the code;
  6. complaints handling;
  7. faulty facility expiry dates; and
  8. transition and commencement of the updated code.

The key matters will now be considered in some further detail.

Compliance monitoring and data collection

ASIC is proposing to remove the requirement imposed on subscribers to report annually about unauthorised transactions, preferring instead to rely upon its right to undertake ad hoc targeted compliance monitoring.

Mistaken internet payments framework

ASIC is proposing to clarify and enhance the mistaken internet payment (MIP) framework in various ways including:

  • providing examples as to what a receiving ADI can do to meet the requirements of “reasonable endeavours”;
  • limiting the definition of mistaken internet payment (MIP) to situations where a customer makes a genuine mistake in typing in the account identifier, and excluding scam and fraud scenarios from the MIP regime;
  • enhancing existing on-screen warnings about MIPs;
  • allowing partial returns of funds for MIPs in circumstances where a full return cannot be received.

Recovery of MIPs relies on cooperation between the sending ADI and the receiving ADI. ASIC notes that there are many instances where that cooperation has not been forthcoming to the required degree, hence the suggestion that examples be given as to what constitutes “reasonable endeavours”.

Sending ADIs will need to inform customers of their right to lodge a complaint with the Australian Financial Complaints Authority (AFCA). ASIC is still of the view that a customer of the sending ADI should not have a right to complain to AFCA about the acts or omissions of a receiving ADI, which makes sense.

The main reason MIPs occur is that ADIs do not match account names against account numbers. ASIC considered whether ADIs should be required to do so but is currently against requiring any changes in this regard.

Expanding the code to small business

ASIC proposes to extend the code to small businesses but subject to the following limitations:

  • subscribers can choose whether they will extend protections to small business operators;
  • any changes to the Code in this regard will only apply to new small business accounts opened after the new Code becomes operational; existing small business accounts are quarantined.

Note that it is proposed to define a small business as one which employs fewer than 100 people.

Clarifying the unauthorised transaction provisions

ASIC proposes to make it clear that the unauthorised transaction provisions of the Code apply only where a third party has conducted a transaction without the customer’s consent and do not extend to situations where the customer made the transaction themselves as a result of a misunderstanding or falling victim to a scam.

It is proposed to make it clear that a breach of passcode security requirements is not, of itself, sufficient to make a customer liable for a transaction. Instead, there must be a causal connection between the breach of passcode security and the loss, which is pretty obvious to our mind. In our view, this is a distinction that has been glossed over and forgotten by ADIs ever since the ePayments Code first became operational.

ASIC also wants to make it clear that the protections under the Code are in addition to any “chargeback” rights under card schemes, again a fairly obvious matter.

Modernising the code

Technology moves fast and at an ever-increasing pace. ASIC therefore proposes to update the Code to address recent technological changes by:

  • referring to biometric authorisations;
  • replacing the term “device” with “payment instrument” to avoid confusion with customer-owned smart devices;
  • incorporating reference to virtual debit and credit cards;
  • extending the Code’s protection to NPP payments; and
  • expressly providing for electronic receipts.

Complaints Handling

Modernise and streamline the complaints handling provisions, importantly to require compliance with Regulatory Guide 271 (internal dispute resolution) in lieu of current provisions.

Facility expiry dates

Bring the facility expiry date provisions in line with Australian Consumer Law, mandating a minimum expiry date of not less than 3 years, instead of the current 1 year.

Conclusion

Any changes to the Code will require changes to the T&Cs of ADIs because they must mirror the provisions of the Code.

The main contentious issues in this review are likely to be:

  • unauthorised transactions;
  • cooperation between sending and receiving ADIs; and
  • extending coverage of Code to small business operators.

The consultation process is likely to be lengthy, as always seems to be the case when reviews are undertaken in relation to the ePayments Code. We predict that by the time this review has been completed and implemented, a further review will be needed because of further technological changes that have occurred in the interim. Reviews of the ePayments Code are a never-ending story!
