In April this year, the Financial Ombudsman Service Australia (FOS) issued a Determination[1] whereby a bank had to reimburse a customer for money sent to an offshore ‘boiler room’ known to the bank to be a scam.

The Determination now means that banks owe customers a duty to prevent them suffering a loss to known fraudsters.

The Facts

So-called ‘boiler room’ scams have been around for many years and regularly feature in ASIC warnings. Lists of perpetrators can be found on ASIC’s MONEYSMART website[2]. In this recent Determination, FOS noted that in April 2015 ASIC sent an email to financial service providers, including the bank in question, saying a company and an associated company were making unsolicited calls to Australian ‘victims’ seeking investment in ‘non-existent financial products’ and that consumers were being ‘directed to deposit funds into an identified foreign bank account’.

Two weeks after this notice was issued, the bank’s customer, using a credit card account, began transferring $360,324.73 to the fraudsters’ account. This happened over a period of two weeks in 21 transactions. The bank’s fraud system identified the transactions as suspicious almost immediately and placed a block on the account after the second transaction. The block was removed (possibly an analyst placed a temporary block initially, incorrectly determined it was legitimate and released this first block), allowing a third transaction, after which a second block was placed on the account.

As the account block was stopping transactions, the customer called the bank’s call centre, confirmed the transactions were his transactions and requested the block be released. The call centre operator contacted the credit card fraud team, confirmed the block was present, advised that the transactions were authorised by the customer and arranged for the block to be removed. In an unusual move for FOS, all of this is revealed in a copy of the telephone transcript which is included in the FOS Determination.

The customer, drawing funds from a line of credit and depositing those funds into his credit card account, was then able to send a total of $360,324.73 to the fraudsters.

The Determination

FOS assessed the customer’s culpability at 25% on the basis:

  1. “that an applicant has a duty to themselves to protect their own position and to take reasonable steps to mitigate loss. This would include making reasonable enquiries about an investment and an entity with which they were dealing”; and

  2. “that regardless of whether or not he was aware of the scam he would reasonably have been aware or ought to have been aware, that his decision to invest with the company was high risk and there was potential for loss.”

FOS held that the bank was responsible for an alarming 75% of the losses that were incurred after the first three transactions, when the second block on the account was established. This amounts to $235,539.06.

According to FOS, the bank’s liability arose on the basis that:

  1. “the bank should have had a detection process in place and blocked transactions in any event … after … the second block”; and

  2. when “the applicant contacted the credit card payments area and the banker referred the matter to the fraud area… at least by that stage the bank should have informed the applicant of the ASIC warning of a scam and retained the block.”

From the bank’s perspective – what went wrong?

The bank received the ASIC warning and placed detection parameters in its ‘sanctions list’, which appears to be a different system (most likely part of the bank’s AML screening system) from the transactional fraud detection system. So whilst the fraud system detected the customer’s transactions as suspicious, it appears the analyst was not aware of the ASIC warning and released the block when the customer phoned to confirm the transactions as authorised (or genuine). It appears that the fraud analyst and call centre staff were not in a position to advise the customer of the ASIC warning. Again, this is in part evident from the copy of the telephone transcript which is included in the Determination.

Implications of the Determination

Courts have been willing to impose a duty of care on banks where these institutions are providing detailed transactional advice as an advisor[3]. In this case, FOS is imposing such a duty in respect of protecting customers from all known fraud in all cases. The Determination should not be seen as being limited to just ASIC warnings. The key fact in the Determination was that the bank had been put on notice of the exact fraud for which the customer suffered a loss. This appears to be an extremely high burden to place on banks. The cost of such a burden will of course be borne by all bank customers through higher fees and charges.

Such a duty does not sit comfortably with the general law regarding the duty of care owed by a bank to its customer in many areas of that relationship. For example, in a decision of the Supreme Court of NSW, the Court held that, despite the current post global financial climate and the consequential focus on bank lending practices, the Courts are not willing to import a duty of care on banks to investigate the financial circumstances of their commercial loan customers[4].

FOS determined that upon receipt of an email a bank is obliged to put in place ASIC’s recommended process to detect and block payments.

How to respond in future

In view of this Determination, banks should carefully assess their internal procedures and have regard to the following tips for how to respond in future:

  1. ensure ASIC, AUSTRAC and other regulator recommendations in respect of fraud are monitored and implemented in a timely fashion;

  2. review the list of known fraud entities on ASIC’s MONEYSMART website and ensure rules are implemented within the bank’s fraud detection architecture to stop payment to those entities (including entities with similar names);

  3. have processes in place that identify known fraud blocks so staff are unable to remove a block to a known fraud destination. This will upset some customers who, completely convinced by the fraudsters of the investment opportunity, will resent the bank’s staff not helping them and banks will need to be able to address this type of issue;

  4. regularly review all channels through which the bank receives intelligence on fraudulent matters to ensure all known fraud perpetrators and types are included in the bank’s fraud detection systems; and

  5. review transaction limits to stop, when appropriate, large amounts being sent from debit or credit card accounts.
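
Tips 2 and 3, as an added sketch that is not taken from the Determination or from any bank's system: the regulator warning list is checked inside the fraud decision itself (including similar names), and a block raised by a warning-list hit cannot be released on customer confirmation, with the warning text returned for staff to relay. All names, the threshold and the sample entry are hypothetical.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed warning-list entry; a real list would be loaded from regulator notices.
WARNINGS = [{"name": "Example Global Capital Ltd",
             "account": "XX00-PLACEHOLDER-0001",
             "notice": "Regulator warning: unsolicited calls, non-existent financial products"}]

SUFFIXES = {"ltd", "limited", "pty", "inc", "llc", "co", "corp"}

def normalise(name):
    """Lower-case, drop punctuation and company suffixes so near-identical names compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in SUFFIXES)

def match_warning(payee_name, payee_account, threshold=0.85):
    """Return the warning entry hit by exact account or similar name, else None."""
    for w in WARNINGS:
        if payee_account == w["account"]:
            return w
        ratio = SequenceMatcher(None, normalise(payee_name), normalise(w["name"])).ratio()
        if ratio >= threshold:  # threshold is an assumed tuning value
            return w
    return None

@dataclass
class Block:
    reason: str        # "KNOWN_FRAUD" or "SUSPICIOUS"
    notice: str = ""   # warning text staff must relay to the customer

def screen(payee_name, payee_account, anomaly_score):
    """Fraud decision: the warning list takes priority over the behavioural score."""
    hit = match_warning(payee_name, payee_account)
    if hit:
        return Block("KNOWN_FRAUD", hit["notice"])
    if anomaly_score >= 0.8:   # assumed behavioural-model cut-off
        return Block("SUSPICIOUS")
    return None

def request_release(block, customer_confirms):
    """Call-centre release request. Returns (released, message_for_customer)."""
    if block.reason == "KNOWN_FRAUD":
        # Customer authorisation does not lift a known-fraud block.
        return False, block.notice
    return customer_confirms, ""
```
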

Some may argue that this FOS Determination is an aberration and under its own Terms of Reference, FOS is not bound by previous decisions. However, it is important to note that where a Determination is made and accepted by the parties, challenging the decision can prove difficult – particularly since a FOS decision is only subject to being overturned by a court if it is one at which no reasonable tribunal could arrive based on the evidence[5]. Ultimately, prevention is better than a cure – a focus on the tips set out above will go a long way towards mitigating the risk of a matter ending up in the FOS environment to begin with.