Monique Ryan (Kooyong, Independent) Share this | Hansard source

Australia is a honeypot for scams. Our lack of regulation and industry protection for consumers permitted more than 600,000 scams in 2023, a record number and an increase of 18.5 per cent on the previous year according to the ACCC. The National Anti-Scam Centre tells us that Australians lost $2.74 billion to scams in 2023, but its data is limited because it tells us only about those scams which have actually been reported to the ACCC's Scamwatch unit. Probably the best data is that from the Australian Bureau of Statistics, which, frustratingly, collects a much different dataset to that of the ACCC. The ABS reports that most scams are relatively low value, of the order of a few hundred or a few thousand dollars. It seems quite likely that scams of that size are underreported.

Almost 50 per cent of people affected by larger scale scams report them to their banks, but, critically, only 8.7 per cent report them to government organisations or departments. So the government's figures do not include scams that individuals only report their banks, to the telcos, to the police or to other government agencies like ASIC, the ACMA or the ATO. That means the figure we're given and often use—of almost $3 billion lost to scams in Australia last year—is more than likely a vast underestimation.

There are many reasons for the increasing prevalence of scams. The rapid digitalisation of the economy has had a dual edge. While online facilities and online banking have enhanced many of our individual conveniences, they have also facilitated the rise of scams. The reality is that for years the banks, telcos and digital companies have not taken the necessary steps to adequately protect customers. Australians have had to continue to experience serious financial and security harm in the face of this failed self-regulation. There is now a critical need for government and businesses to act effectively and with purpose to protect consumers from these increasingly devious and sophisticated schemes.

The Albanese government has taken a proactive stance to scams prevention, and it is appropriate to acknowledge the efforts of the Assistant Treasurer and his team and their deep engagement in this space. I have to say, as the co-chair and founder of the Parliamentary Friends of Scams Protection, that the Assistant Treasurer has been supportive and responsive, and I thank him for that.

Recent initiatives by this government have included the National Anti-Scam Centre, launching the SMS ID register and boosting ASIC's scam-disruption activities. These measures have decreased investment scams, but those on social media platforms continue to increase. Digital platforms, telcos and banks have not done enough to limit those losses. For example, the SMS ID registry needs to be mandatory. In Singapore, we've seen that a mandatory ID registry led to a 67 per cent reduction in scams. We have seen in this country what happens when institutions don't act on spoofed phone numbers. Probably the best example of that was HSBC's reckless and indifferent failure to respond to spoofing of many hundreds of Australians over many months. That led to a loss of millions of dollars by Australians, some of whom live in the electorate that I represent, Kooyong.

It is for this reason that the government is introducing mandatory industry codes for scam protection and detection and victim support and redress by banks, telcos and digital platforms. The government claims that, under this legislation, scam victims will have a straightforward path to securing compensation after a single complaint, even when their complaint involves multiple companies. The liability will theoretically be shared between the sending and receiving banks, digital platform and telco provider, depending on the scam. The first sectors to be designated under the Scams Prevention Framework will be banks, telecommunication providers and providers of digital platform services relating to social media, paid search engine advertising and direct messaging. Other sectors will be considered in time.

Under the legislation, banks will need confirmation-of-payee technology so that customers can check account names and other details to ensure that they're paying their money into the right bank account, and they will receive a warning if those details do not match. The Australian Banking Association says that this could be in place for all banks within 2025, although it is unclear why we can't have it immediately. After being informed of a scam, banks will have to report it to the authorities, and they will have to respond quickly, such as to stop payments going through. They will be required to identify and shut down money mule accounts used to receive and shift scam victims' money, usually offshore. We know that failure to do this has been a failure of many banks for some years. I've had a number of constituents contact me with horror stories related to our big and small banks, their willingness to transfer money too quickly, their inability to recover losses after the fact and the challenges of dealing with their networks.

This framework also covers telecommunication providers, telcos, who are required to ascertain who is sending text messages. They're required to block numbers making scam calls. It also applies to the digital platform service providers. Scam victims will be able to seek compensation from digital platforms and from telcos, as well as the sending and receiving bank. But they will have to do that by taking their case to the ombudsman, the Australian Financial Complaints Authority, or AFCA. In doing so, they can theoretically take a single action against multiple parties—banks, telcos and digital platforms, depending on the scam. The current maximal payout for a scam to be received by a consumer from AFCA is about $1.2 million.

The Australian Competition and Consumer Commission, or the ACCC, will oversee enforcement of this framework. Companies failing to meet their obligations face massive fines of up to $50 million, and they could be forced to compensate victims. The legislation provides for criminal and civil penalties if the legislation is breached.

It is very disappointing that the government has decided not to go ahead with the recommendation from experts and consumer groups that we follow the United Kingdom's approach of making banks primarily responsible for dispute resolution relating to scams. Since 2019, the United Kingdom has had a voluntary reimbursement model in place, which has recently become compulsory. Under the scheme, victims are protected while the industry has a financial incentive to improve its scam protection systems. Australian banks have claimed this approach would make us a honey pot for scammers, but that claim has been rejected by the UK regulator and by some banks. Nine senior consumer groups, including the Consumer Action Law Centre, CHOICE, the Financial Rights Legal Centre and Financial Counselling Australia, have repeatedly called for the Albanese government to adopt a modified version of the UK reforms.

The government's proposed Scams Protection Framework is well-intentioned and is a step in the right direction, but it falls down on this question of dispute resolution, which is, after all, the touchstone of protection from scams. The legislation sets up an unnecessarily complex multiparty case-by-case dispute resolution system. It would likely incentivise the industry to enforce a minimum standard compliance approach to obligations. It places the onus on scam victims to prove, presumably on the balance of probabilities, that the bank, the platforms and/or the telcos involved failed to meet their subjective and quite broad obligations under the Scams Protection Framework principles and codes, that the business's failure was the cause of the scam and that the scammer intended to deceive the victim. The problem is that, in many cases, the consumer has no access to the information required to prove the case. Banks refuse to hand over information at this point. Meta won't hand over its algorithms, and banks often won't release commercial-in-confidence data and systems. Given this information asymmetry, the task will likely be onerous and challenging for many individuals, especially older Australians and those from culturally and linguistically diverse backgrounds.

Consumer advocacy groups say the process will include a person reporting the scam, lodging a complaint with the companies involved, seeking advice, escalating the dispute to AFCA, participating in meetings and then getting an outcome—a process which could involve as many as 30 steps and take as long as two years. The Telecommunications Industry Ombudsman agrees; she says it is not reasonable that consumers have to jump through all those hoops while watching regulated entities blame each other for their failings. It's also unclear how apportionment could work in this context. There could well be protracted arguments, even litigation, between banks, telcos and digital platforms about which entity caused the loss and who is responsible for how much of the liability—all while the victim waits.

Take a toll scam. A consumer receives an SMS saying they have an overdue toll. The consumer thinks it's genuine because they travelled on a toll road two days before. They hit the link in the message and get scammed. Who's at fault? Is it the bank? Is it the telco? Is it the tolling company who sold the consumer's travel data through real-time bidding? Or is it the data broker? How is an individual to work through this issue? The reality is that, in most cases, they won't; they'll drop the issue and pay the money, and the scammer will continue unpunished.

The reality is that, without a presumption of reimbursement, there is no economic incentive for banks to improve their systems to prevent scams. A change to the Scams Protection Framework to introduce a presumption of reimbursement, within limits, would help the framework meet its stated objectives. It would significantly ease the burden on consumers by removing the onus to prosecute their case against multiple multinational corporations over what would likely be years-long disputes. Enabling faster reimbursements for scams victims would incentivise much more investment in scams protections.

The Consumer Action Law Centre and other expert groups have suggested an alternative model—a modified reimbursement framework which would lead the world on scams disruption and responses. This would be predicated on a presumption of bank reimbursement. In the model, the consumer would provide reasonable information to the bank. The bank would have five to 10 days to respond, and, in most cases, would then reimburse the scam victim. There would be limits to the presumption of reimbursement; for example, it would not be instituted where there is evidence of gross negligence or where a person knowingly took part in fraud. There would also be a backup option of a single-door external dispute resolution by AFCA where reimbursement is denied. The banks, telcos and digital platforms would then undertake apportionment after the consumer is reimbursed. That apportionment would be business-to-business at an industry level between SPF entities.

The model would create an incentive to drive industry action to innovate and invest in the technology and systems required to prevent scams. It would reduce the scam complaints process from as much as two years under the framework proposed in this bill to just a few weeks, with consumers, government regulators, dispute resolution bodies and businesses all set to benefit from the efficiency gained and the reduction in costs.

This country urgently needs a robust, well-enforced framework of consumer protections. For far too long, too many Australians have lost life-changing sums of money to scammers. For far too long, the businesses enabling scammers to conduct their activities have faced no consequences, leaving consumers to carry the burden of those crimes. It's a simple premise: consumers should be able to get their money back when businesses fail to protect them from scams.

This framework is well intentioned. It sets the scene for meaningful protection from scams. But it provides only half of the picture. We could do much better. Firstly, the government's SMS sender ID registry should be mandatory rather than voluntary. Secondly, the government should reverse the onus of proof for scams restitution—to institutions and away from individuals. Only by doing so can we maximise consumer protections and the incentives for institutions to improve their systems to stop scams and protect Australians from financial harm.

See this speech in context