Will banks start reimbursing scam victims? 

Can fraud victims get reimbursement from banks in Australia or New Zealand?

Let’s start by establishing what current approaches actually are.

In a 2023 report, the Australian Securities and Investments Commission concluded that banks’ customers overwhelmingly shoulder scam losses, accounting for 96% of total scam losses. Across three banks with available data, the ASIC analysis found that compensation happened in only about 11% of the cases where there was a scam loss.

Meanwhile, in New Zealand, customers are generally only eligible for reimbursement if they’ve lost money through unauthorised transactions. This doesn’t usually include scams where victims have been duped into sending money to cyber-criminals or fraudsters. Consumer advocates have pushed for banks to do more to help these types of victims, while Banking Ombudsman Nicola Sladden has said she’s open to reviewing scam liability and reimbursement.

In short, despite some exceptions and different approaches, Aussies and Kiwis who’ve fallen victim to a scam are rarely reimbursed by their banks. That’s not the same in other countries.

How do UK banks handle scam losses?

Refunding scam victims is a common bank policy in some countries. The reasoning is that, even if the bank is saving money by withholding reimbursement for a defrauded customer, their bottom line will still take a hit through lost loyalty and customer churn.

For instance, UK banks like TSB Bank implemented a reimbursement policy years ago. Widely considered successful, the rest of the nation’s banks are set to adopt the same policy by next year. The initiative aims to protect customers and underscores the divergent approaches in a landscape where digital transactions are the norm.

So why haven’t banks in other countries adopted similar practices?

‘A honeypot for scammers’: Banks resist scam liability

The obvious answer is that no profit-seeking entity is in a rush to lose money or create a slippery slope in which they’re increasingly on the hook for others’ actions. But the other reasons are multi-faceted – and not all of them are simply self-interest.

For starters, some banking leaders are worried about creating perverse incentives. In a recent Financial Review summit, NBA’s chief of financial crime risk, Paul Jevtovic, warned that focusing too much on bank reimbursements could “create a honeypot for organised crime.”

Explaining that this might actually increase overall losses, Jevtovic urged other leaders and the public sector to also consider the “root cause” of criminal activity – that is, sophisticated cybercrime groups and attacks backed by nation-states.

It isn’t a new sentiment. In 2022, Financial Services Minister Stephen Jones also cited the risk of creating “a honeypot for scammers” as a reason for opposing bank liability.

Alongside that concern is usually a call for greater collaboration and shared liability. These same voices often point to the need for telcos and social media platforms to share the cost of scam losses – after all, banking loopholes aren’t the only tools in a cyber-fraudster’s arsenal. And governments may be in a better position to fight certain types of cybercrime.

Others note the possibility of consumers taking less responsibility for poor investment decisions if they know banks will cop the cost no matter what. New Zealand Banking Association’s chief executive, Roger Beaumont, has said adopting policies like those in the UK could lead to bigger fraud losses because “customers have little incentive or responsibility to protect their money.” And, at the end of the day, if scammers are making more money, it’s a net loss for everyone.

However, the status quo sees everyday consumers and businesses bearing most of the financial burden of surging cybercrime. Some leaders have indicated they don’t see this as sustainable or fair.

What kind of financial compensation might scam victims expect in the future?

While some prominent figures have voiced openness to reassessing scam liability and reimbursement for victims, it’s unclear whether governments in Australia or New Zealand will force any changes.

Still, there are a few signs that a sea change might be on the horizon. For example, Risky Business podcaster and journalist Patrick Gray recently asked Australian Cyber Security Minister Clare O’Neil whether Australia might adopt a banking reimbursement policy like that of the UK. Although Minister O’Neil was careful not to make any committal statements and demured to other ministers’ jurisdictions, she did note that Australia’s impending cybersecurity strategy – and the Federal Government’s approach more broadly – aims to shift burdens toward entities with greater resources and defensive capability.

A shift toward collaborative cybersecurity and preventive approaches

From our vantage point, those comments don’t necessarily mean the government will be forcing banks to pay out scam losses anytime soon. However, there might be growing pressure for both the private and public sectors to absorb more of the sting rather than allowing the full cost to fall on individual consumers or small businesses.

It’s an iteration of a concept regularly touted by Eftsure Chief Executive Officer, Mark Chazan, who has called for “collaborative cybersecurity.” This can happen within organisations and between internal functions, as well as across different industries and sectors. After all, no single organisation is equipped to fight cybercrime by itself, especially since cyber-criminals tend to face very few of the limitations carried by legitimate businesses. Read more in our submission to the 2023-2030 Australian Cyber Security Strategy Discussion Paper.

Still, prevention is generally preferable to restitution, regardless of which groups are responsible for the latter. Most major banks have touted new advancements and products that help prevent scams before they happen, with CBA even announcing that scam losses had fallen by one-third. However, it’s important to note that banks are dealing with some structural barriers and a huge influx of scam attempts. According to ASIC’s analysis, banks detected and stopped a low proportion – approximately 13% – of scam payments made by their customers.

The bottom line is that organisations can’t wait around for big policy changes. The risks and potential costs of cybercrime demand preventive action now.