Tackling payment account fraud – the latest regulatory changes in Australia | A&O Shearman

On 30 November 2023, the Australian Government Treasury published a consultation paper on the Proposed Fraud Code Framework (the “Framework”), which aims to establish robust codes and targeted measures to reduce fraud.


  • Latest developments
  • Scope of the regime
  • Basic duties
  • Enforcement and non-compliance
  • Next steps

The framework stems from government concerns about the current siled approach taken by businesses or sectors to combat fraud. It aims to take a holistic approach to tackling fraud in the private sector by placing obligations on banks, telecommunications providers and digital platforms to monitor and prevent fraud.

Latest developments

  • The consultation is being conducted jointly by the Treasury and the Department of Infrastructure, Transport, Regional Development, Communications and the Arts (DITRDCA).
  • The consultation period ended on January 29, 2024, and the industry is waiting for the government’s response.

Scope of the regime

People covered

All companies operating in the following sectors will be considered in-scope and required to comply with the proposed Principles if adopted by the government.

  • Digital communication platforms: all digital platforms providing communication or media services that could be exploited by fraudsters, including content aggregation services, connection media services and media sharing services. Digital currency exchanges (such as cryptocurrency exchanges) and other transaction-based digital platforms will not be captured.
  • Banks: any authorized deposit-taking institution under section 9 of the Banking Act 1959, including small and large banks, building societies and credit unions.
  • Telecommunications providers: all carriers and carriers within the meaning of the Telecommunications Act 1997.
Definition of fraud

The proposed framework defines fraud as:

“an unfair invitation, request, notice or offer intended to obtain personal information or financial gain by fraudulent means.”

The proposed catch-all definition is intended to cover common types of fraud such as investment fraud, romance fraud, phishing fraud, employment fraud and remote access fraud.

However, this definition does not cover unauthorized fraud, which will be considered as part of the review of the Electronic Payments Code.

Basic duties

The proposed framework introduces a principles-based approach, setting out obligations that will apply to all persons within scope. Those in scope will need to take a proactive approach to combating fraud and adapt their business models as necessary to meet their core responsibilities.

Primary responsibilities can be divided into three broad categories:

  1. Prevention: Scoped individuals must develop, maintain and implement an anti-fraud strategy that outlines the company’s approach to preventing, detecting, disrupting and responding to fraud and taking reasonable steps to prevent misuse of services by fraudsters.
  2. Detection and Disruption: Scoped individuals must strive to detect, block, and prevent consumer-initiated fraud, verify and track fraud upon receipt of fraud information, and respond in a timely manner upon receipt of such fraud information.
  3. Reporting obligations: persons covered by this scope must take reasonable steps to promptly notify other companies and relevant regulatory authorities of suspected or identified large-scale/cross-sector frauds and share data on incidents of fraud and actions taken in response to such fraud.

Special obligations also apply to Banks and Digital Communication Platforms.

The proposed Bank-specific responsibilities include:

  1. Prevention: implementing processes to: (i) enable confirmation of the identity of the payee; (ii) verify that the transaction is legal if the consumer is taking a high-risk action; and (iii) implement processes and methods to detect high-risk transactions and take appropriate actions to warn the consumer, block or suspend transactions or take other measures to reduce fraud.
  2. Detection and Disruption: Having methods or processes in place to: (i) identify and share with other banks information that an account or transaction may be or is fraudulent; and (ii) respond promptly to information that identifies that an account or transaction may be or is fraudulent, including blocking or disabling the fraudster account or transaction or working with the recipient bank to do so.
  3. Consumer reporting obligations: establish user-friendly and accessible methods for consumers to take immediate action if they suspect their accounts have been compromised or have been defrauded (e.g. an in-app ‘kill switch’) and provide assistance to consumers wishing to trace and recover transferred funds in the extent to which these funds are recoverable, including the need for the receiving bank to reverse the transfer within 24 hours of receiving a withdrawal request from the sending bank.

The specific responsibilities of the proposed digital connectivity platforms include:

  1. Prevention: implementing processes and methods to: (i) authenticate and verify the identity and legitimacy of business users and advertisers; (ii) detect high-risk interactions and take appropriate action to warn, block or terminate the interaction; and (iii) preventing fraudsters from hacking user accounts and restoring user accounts to the correct users in a timely manner.
  2. Detection and disruption: having methods or processes in place to: (i) identify and share with others information that an Australian user may be a fraudster; and (ii) respond quickly to information that identifies that an account or transaction may be or is fraudulent, including blocking or disabling the fraud account that the fraudster is using.
  3. Consumer reporting obligations: establishing user-friendly and accessible methods to enable consumers to take immediate action if they suspect that their accounts have been compromised or that they have been defrauded, in addition to responding to any information requests made by the Australian Communications and Media Authority within a specified period .

Enforcement and non-compliance

The framework introduces a multi-regulatory model of supervision and enforcement under which the following regulatory authorities will be responsible for monitoring compliance:

  • The Australian Competition and Consumer Commission will be responsible for enforcing the principles-based obligations set out in the overarching regime and for issuing best practice guidance.
  • The Australian Securities and Investments Commission will be responsible for enforcing the Bank-specific code.
  • The Australian Communications and Media Authority will be responsible for enforcing specific digital communications platform codes.

Regulated companies that fail to comply with their obligations and take remedial measures will be subject to non-compliance penalties of up to A$50 million. Additional penalties for breaches of sector-specific obligations (i.e. in particular for banks, digital communications platforms and telecommunications service providers) will be determined under sector-specific rules.

Next steps

The responses to the consultation are being analyzed by the government. There is no timetable for the entry into force of the regulations.

Thanks to Osama Shabaan, Trainee in A&O Shearman’s Financial Services Regulation team in London, for his contribution to this position.

(Show source.)