On 2 June 2022, ASIC published the updated ePayments Code (Code) which it states will strengthen and clarify a number of existing protections for consumers relating to various forms of electronic payments.
The Code has generally been the benchmark for consumer protections for payments and transactions that were triggered within the world of online and mobile banking. It has been an added level of regulation for its subscribers which include most banks, credit unions and building societies in Australia.
- Key takeaways
The Code provided a step-by-step guide to retrieving ‘mistaken payments’ and for identifying the liable party for ‘unauthorised transactions’ within certain parameters. These sections in the Code have now been updated, with some of the more substantive amendments in the form of clarifying ‘notes’ added after particular requirements. While not all payment providers are subject to regulation under the Code, it is often referenced as an objective test of ‘reasonableness’ in the context of determining liability between consumers and the provider or between providers. Subscribers may also contractually ensure that their counterparties are compliant with and/or are governed in accordance with the Code. We summarise below what we anticipate to represent the substantive changes to the Code effective from 1 July 2022.
Mistaken internet payments
- Scams not covered as mistaken payments: The Code now expressly clarifies that the ‘mistaken internet payment’ definition expressly excludes mistaken payment resulting from a scam and was intended to relate only to typographical type errors.
- On-screen warning: Where BSB and account details are used for transfers (i.e. not involving a payID) the on-screen warning is more comprehensive and is required to clarify that the names and identifies will not be matched, verified or checked.
- Investigation timeline: There is now a new requirement to send a request to the ADI where mistaken funds were sent ‘as soon as reasonably possible’. The Code effectively notes that this means within 2 days unless subject to the particular circumstances.
- Record keeping: Both the sending and receiving ADIs must keep sufficient records to demonstrate their compliance with these requirements.
- Insufficient funds: Previously, where funds which were mistakenly received by an ADI weren’t readily available to the receiving ADI for recovery, it was required to use reasonable endeavours to retrieve the mistakenly received funds. Under the amended Code, the receiving ADI has the discretion to either pursue the total or partial return of the funds, taking into account the interests of both parties and a series of prescribed factors (including impact, history and certainty of recovery). ASIC notes that the overarching factor should be that the unintended recipient should not consider themselves entitled to funds that are not theirs.
- Transactions not authorised by a user: ‘Unauthorised transaction’ was previously defined broadly as a transaction not authorised by a user. This definition has been clarified to only include transactions not performed by the person themselves or without their knowledge and consent.
- Time limit for unauthorised transactions: The Code introduces a limitation period of 6 years within which a report of an unauthorised transaction must be accepted. This limit does not apply to disputed transactions under chargeback rules.
- New process for investigating: The Code introduces a new process for investigating unauthorised transactions, including a requirement to obtain prescribed information (to the extent relevant and available), with non-cooperation by a user a potential consideration in the decision making process.
- Timeline introduced: Similar to the timeframe for mistaken payments, there is only 15 days in which to respond to requests from other payment institutions (i.e. Code subscribers). The investigation itself must be completed within 21 days and the user advised of the outcome in writing. Reasons must also be provided.
Compliance monitoring and data collection
- Targeted monitoring to replace reporting: ASIC has increased its targeted monitoring and surveillance capabilities of its subscribers’ compliance with the Code. Subscribers are no longer required to report information about unauthorised transactions on a yearly basis. Instead, reporting is only required when ordered by ASIC in the course of its targeted compliance monitoring activities.
Consistency with updates
- External dispute resolution scheme: References now specify AFCA.
- Compliance with ASIC Regulatory Guide for disputes: References to 165 have been updated to RG 271.
- Australian customer satisfaction standards: AS ISO 100002-2006 has been updated to AS/NZS 10002:2014, ‘or its successor’.
Feel free to reach out to any of the lawyers named in this alert or your usual contacts at Baker McKenzie with any queries you have more generally about the application of the Code or similar frameworks to your business, or how you may be impacted by some of the change described.
Save my name, email, and website in this browser for the next time I comment.