Cyber Brief for CFOs: November / December 2024
All the news, tactics and scams for finance leaders to know for November / December 2024.
Scams in both Australia and New Zealand are rampant, spurring debates about how governments and banks should protect consumers. These debates include whether victims should be reimbursed after losing money – and which entities should do the reimbursing.
Consumer advocates have long pushed for banks to bear the cost of scam losses, while the banking sector has resisted this as a blanket policy for various reasons. Generally, Australian banks maintain a policy of not automatically refunding victims of fraud, while New Zealand’s Code of Banking Practice mandates reimbursement unless the consumer acted without “reasonable care or breached the terms and conditions.” It’s a caveat that leaves many victims shouldering the loss.
So what are the alternatives? Will current approaches change, and where might policy be headed in the future?
Let’s start by establishing what current approaches actually are.
In a 2023 report, the Australian Securities and Investments Commission concluded that banks’ customers overwhelmingly shoulder scam losses, accounting for 96% of total scam losses. Across three banks with available data, the ASIC analysis found that compensation happened in only about 11% of the cases where there was a scam loss.
Meanwhile, in New Zealand, customers are generally only eligible for reimbursement if they’ve lost money through unauthorised transactions. This doesn’t usually include scams where victims have been duped into sending money to cyber-criminals or fraudsters. Consumer advocates have pushed for banks to do more to help these types of victims, while Banking Ombudsman Nicola Sladden has said she’s open to reviewing scam liability and reimbursement.
In short, despite some exceptions and different approaches, Aussies and Kiwis who’ve fallen victim to a scam are rarely reimbursed by their banks. That’s not the same in other countries.
Refunding scam victims is a common bank policy in some countries. The reasoning is that, even if the bank is saving money by withholding reimbursement for a defrauded customer, their bottom line will still take a hit through lost loyalty and customer churn.
For instance, UK banks like TSB Bank implemented a reimbursement policy years ago. Widely considered successful, the rest of the nation’s banks are set to adopt the same policy by next year. The initiative aims to protect customers and underscores the divergent approaches in a landscape where digital transactions are the norm.
So why haven’t banks in other countries adopted similar practices?
The obvious answer is that no profit-seeking entity is in a rush to lose money or create a slippery slope in which they’re increasingly on the hook for others’ actions. But the other reasons are multi-faceted – and not all of them are simply self-interest.
For starters, some banking leaders are worried about creating perverse incentives. In a recent Financial Review summit, NBA’s chief of financial crime risk, Paul Jevtovic, warned that focusing too much on bank reimbursements could “create a honeypot for organised crime.”
Explaining that this might actually increase overall losses, Jevtovic urged other leaders and the public sector to also consider the “root cause” of criminal activity – that is, sophisticated cybercrime groups and attacks backed by nation-states.
It isn’t a new sentiment. In 2022, Financial Services Minister Stephen Jones also cited the risk of creating “a honeypot for scammers” as a reason for opposing bank liability.
Alongside that concern is usually a call for greater collaboration and shared liability. These same voices often point to the need for telcos and social media platforms to share the cost of scam losses – after all, banking loopholes aren’t the only tools in a cyber-fraudster’s arsenal. And governments may be in a better position to fight certain types of cybercrime.
Others note the possibility of consumers taking less responsibility for poor investment decisions if they know banks will cop the cost no matter what. New Zealand Banking Association’s chief executive, Roger Beaumont, has said adopting policies like those in the UK could lead to bigger fraud losses because “customers have little incentive or responsibility to protect their money.” And, at the end of the day, if scammers are making more money, it’s a net loss for everyone.
However, the status quo sees everyday consumers and businesses bearing most of the financial burden of surging cybercrime. Some leaders have indicated they don’t see this as sustainable or fair.
While some prominent figures have voiced openness to reassessing scam liability and reimbursement for victims, it’s unclear whether governments in Australia or New Zealand will force any changes.
Still, there are a few signs that a sea change might be on the horizon. For example, Risky Business podcaster and journalist Patrick Gray recently asked Australian Cyber Security Minister Clare O’Neil whether Australia might adopt a banking reimbursement policy like that of the UK. Although Minister O’Neil was careful not to make any committal statements and demured to other ministers’ jurisdictions, she did note that Australia’s impending cybersecurity strategy – and the Federal Government’s approach more broadly – aims to shift burdens toward entities with greater resources and defensive capability.
From our vantage point, those comments don’t necessarily mean the government will be forcing banks to pay out scam losses anytime soon. However, there might be growing pressure for both the private and public sectors to absorb more of the sting rather than allowing the full cost to fall on individual consumers or small businesses.
It’s an iteration of a concept regularly touted by Eftsure Chief Executive Officer, Mark Chazan, who has called for “collaborative cybersecurity.” This can happen within organisations and between internal functions, as well as across different industries and sectors. After all, no single organisation is equipped to fight cybercrime by itself, especially since cyber-criminals tend to face very few of the limitations carried by legitimate businesses. Read more in our submission to the 2023-2030 Australian Cyber Security Strategy Discussion Paper.
Still, prevention is generally preferable to restitution, regardless of which groups are responsible for the latter. Most major banks have touted new advancements and products that help prevent scams before they happen, with CBA even announcing that scam losses had fallen by one-third. However, it’s important to note that banks are dealing with some structural barriers and a huge influx of scam attempts. According to ASIC’s analysis, banks detected and stopped a low proportion – approximately 13% – of scam payments made by their customers.
The bottom line is that organisations can’t wait around for big policy changes. The risks and potential costs of cybercrime demand preventive action now.
All the news, tactics and scams for finance leaders to know for November / December 2024.
Each month, the team at Eftsure monitors the headlines for the latest accounts payable (AP) and security news. We bring you all …
Learn how finance leaders can protect their organisations from AI-driven cyber threats like deepfake scams and system vulnerabilities with proactive cybersecurity strategies.
End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.