The epayments Code February & March 2013
What is the epayments Code?
- Revision by ASIC of the EFT Code, reworded in plain English
- Comes into effect on 20 March 2013
- Redraft does not diminish the consumer protections of the EFT Code [refer ASIC Consultation Paper 158 dated May 2011]
- Adds some new provisions, including mistaken internet payments and low value facilities
What's covered by the epayments Code?
Applies to transactions initiated using electronic equipment that are not authenticated by comparing manual and specimen signatures [clause 2.4]. Examples in clause 2.5 include:
- card transactions, including PIN-authorised, contactless card payments and no-PIN low value spends
- internet banking, telephone banking and BPAY
- direct debit arrangements and mail order transactions
- online transactions using card number and expiry date
What's not covered?
The epayments Code does not apply where:
- Facility is designed primarily for use by business and established primarily for business purposes [2.1(a)]
- Facility is one where the holder and subscriber do not have a contractual relationship [2.1(b)]
- Transaction is intended to be authenticated by comparing manual and specimen signatures (such as a credit card purchase in the presence of the merchant) [2.4(b)]
New provisions in the epayments Code
In addition to what was already in the EFT Code, the epayments Code also addresses:
- Mistaken internet payments
- Low value facilities
- Minimum expiry dates
- Book-up arrangements
- Leaving a card in an active ATM
Mistaken Internet Payments (MIPs)
Definition: clause 23.2. The main elements of that definition are:
- Payment by a user through a "Pay Anyone" internet banking facility
- Funds paid into the account of an unintended recipient because the user enters or selects a BSB and/or identifier (account number) that does not belong to the named and/or intended recipient, as a result of the user's error or the user being advised of wrong details
- Does not include payments made using BPAY
Mistaken Internet Payments (cont'd)
Compliance requirements
- Disclosure requirements in T&Cs about the process, when funds will be recovered and when the holder is liable [clause 24]
- On-screen warning about the risk of MIPs, including that it may not be possible to recover funds [clause 25]
- Reporting process must be effective, convenient and either free or local call cost only [clause 26]
- Investigation requirements [clause 27] mean:
  - the sending ADI (S-ADI) must investigate a report from a user and, if satisfied an MIP occurred, request return of the funds
  - the receiving ADI (R-ADI) must acknowledge the request and advise the S-ADI whether there are sufficient funds to cover the MIP
Mistaken Internet Payments (cont'd)
Summary of return process
Whether or not funds will be returned to the holder after a user has made an MIP depends on:
- the period of time that has elapsed between making the MIP and reporting the MIP;
- whether or not sufficient funds remain in the account of the unintended recipient; and
- in some circumstances, whether or not the unintended recipient agrees to return the funds.
Mistaken Internet Payments (cont'd)
Funds available: report within 10 business days of the MIP
Clause 28 sets out the process:
- R-ADI must return funds to S-ADI within 5 business days of receiving the request, if practicable, but no longer than 10 business days
- No requirement for consent of the unintended recipient
- If not satisfied an MIP occurred, R-ADI may seek consent of the unintended recipient to return the funds
- S-ADI must return funds to the holder asap
Mistaken Internet Payments (cont'd)
Funds available: report between 10 business days and 7 months after the MIP
Clause 29 sets out the process:
- R-ADI must complete its investigation within 10 business days
- R-ADI must prevent the unintended recipient from withdrawing the funds for 10 further business days, and notify the recipient that it will withdraw the funds if the recipient does not establish entitlement to them within 10 business days of the date of the freeze
- If the unintended recipient does not establish entitlement, R-ADI must return funds to S-ADI within a further 2 business days
- If not satisfied an MIP occurred, R-ADI may seek consent of the unintended recipient to return the funds
- S-ADI must return funds to the holder asap
Mistaken Internet Payments (cont'd)
Funds available: report made more than 7 months after the MIP
Clause 30 sets out the process:
- If satisfied that an MIP occurred, R-ADI must seek consent of the unintended recipient to return the funds
- If not satisfied an MIP occurred, R-ADI may seek consent of the unintended recipient to return the funds
- No timeframes are specified
- If the unintended recipient consents to return of the funds, R-ADI must return them to S-ADI, and S-ADI must return funds to the holder asap
Mistaken Internet Payments (cont'd)
Funds not available
Clause 32 sets out the process where an MIP has occurred but there are not sufficient funds in the account of the unintended recipient to cover the full value of the MIP:
- R-ADI must use reasonable endeavours to retrieve the funds, e.g. by facilitating repayment of the funds by the unintended recipient in instalments
- Applies at any time after the MIP is reported
- No timeframes are specified
Mistaken Internet Payments (cont'd)
Complaints
- User can complain to S-ADI (and FOS) about how a report was dealt with. S-ADI must not require the user to complain to R-ADI
- S-ADI and R-ADI must co-operate with S-ADI's EDR scheme, including complying with any decision
Low value facilities
- A low value facility is a facility that is capable of having a balance of no more than $500 at any one time
- Provisions regarding low value facilities are shaded throughout the Code
- Liability provisions for unauthorised transactions do not apply [clause 9.2]
Low value facilities (cont'd)
- T&Cs only have to be provided if practicable; otherwise, a notice that highlights key terms and advises how to obtain the full T&Cs [clause 4.4]
- Changes to T&Cs have to be provided if the subscriber is able to contact the holder directly [clause 4.15]; otherwise, in a way reasonably likely to come to the attention of the holder [clause 4.17]
- Usual requirements about receipts and statements do not apply. Must give a process to check balance and transaction history [clauses 5.8 & 7.7]
Minimum Expiry Dates
Clause 18 provides for facilities with an expiry date:
- Non-reloadable facility: expiry date must be at least 12 months from the date of activation
- Reloadable facility: expiry date must be at least 12 months from the last reload date
- Minimum expiry date does not apply if the holder is entitled to a refund on expiry
- Subscriber must not bring forward the expiry date and must give the user a way to check it
- Expiry information must be disclosed on a device
Book up arrangements
- "Book up arrangement" is defined in clause 2.6 to mean "...credit offered by merchants for the purchase of goods or services commonly used by Aboriginal people in remote and regional areas of Australia."
- It is common for merchants to hold a consumer's debit card and/or pass code as part of a book up arrangement.
- If a subscriber and a merchant have a merchant agreement, the agreement must prohibit the merchant from holding a user's pass code as part of a book up arrangement [clause 20.1]
Leaving card in an active ATM
- Holder is liable if the user leaves a card in an ATM, as long as the ATM incorporates reasonable safety standards that mitigate the risk of the card being left in the ATM (e.g. card capture after a reasonable time) [clause 11.4]
- Clause was added by ASIC at FOS's request, because the situation was not adequately covered by the EFT Code.
- Long-standing practice of FOS was to allocate liability to the holder, because the user is in control of the card when using an ATM.
Liability Provisions of epayments Code February & March 2013
Liability provisions
- Reflect the legal principle of mandate: the FSP may debit unauthorised transactions only in exceptional circumstances where the user contributes to the loss
- Apply to unauthorised transactions only. Do not apply to transactions performed by a user or with the knowledge and consent of a user [clause 9.1]
- No liability in specified circumstances
- Full liability only in specified circumstances
- In other circumstances, limited liability of $150
Definitions [clause 2.8]
- facility means an arrangement through which a person can perform transactions
- holder means an individual in whose name a facility has been established, or to whom a facility has been issued
- identifier means information that a user knows but is not required to keep secret and must provide to perform a transaction (card number, expiry date, customer number)
- pass code means a password or code that the user must keep secret and that is used to authenticate a transaction
- user means a holder, or an individual who is authorised by a subscriber and a holder to perform transactions using a facility held by the holder
Time limit
- Clause 38 provides that subscribers must accept a complaint received within 6 years from the day the user first became aware, or should reasonably have become aware, of the circumstances giving rise to the complaint
- FOS can consider a delayed dispute provided it is lodged:
  - within six years of the Applicant becoming aware they suffered a loss; or
  - within two years of the date of the FSP's IDR response.
No Liability Provisions
Holder is not liable for loss where:
- Fraud or negligence by an employee or agent of the subscriber or merchant [clause 10.1a]
- Device, identifier or pass code that is forged, faulty, expired or cancelled [clause 10.1b]
- Transaction requiring a device and/or pass code that occurred before it was received by the user [clause 10.1c]
- Transaction incorrectly duplicated [clause 10.1d]
- Unauthorised transaction performed after loss of the device or breach of pass code security is reported [clause 10.1e]
- Unauthorised transaction made using an identifier without a pass code or device [clause 10.2]
- It is clear the user had not contributed to the loss [clause 10.3]
When holder is liable for losses
Where clause 10 does not apply, the holder is only liable where the subscriber can prove on the balance of probability that:
- User contributed to the loss through fraud or breach of the pass code security requirements. Holder is liable for actual losses before the loss, theft or misuse of the device or breach of pass code security is reported to the subscriber [clause 11.2a]
- User contributed to the loss by unreasonably delaying reporting the misuse, loss or theft of a device, or that the security of all pass codes has been breached. Holder is liable for actual losses that occur between when the user became aware of the security compromise (or should reasonably have become aware, in the case of a lost or stolen device) and when the security compromise was reported [clause 11.5a]
But...
Liability Provisions
(Even if otherwise liable) holder is not liable for:
- Losses exceeding the daily transaction limit
- Losses exceeding the periodic transaction limit
- Losses exceeding the balance on the facility, including any prearranged credit
- Losses incurred on any facility that the subscriber and the holder had not agreed could be accessed using the device or identifier and/or pass code
Exceptions to full liability above are set out in:
- clause 11.2(b) for breach of pass code security requirements
- clause 11.5(b) for unreasonable delay in reporting
Liability Provisions
Limited liability
- Where a pass code was required to perform the unauthorised transaction and the full liability clauses do not apply, the holder's liability is limited to no more than $150 [clause 11.7]
Liability Provisions
Credit cards, scheme debit cards, charge cards [clause 11.10]
- Liability of the holder cannot be greater than if the subscriber had exercised any rights (e.g. chargeback) it had under scheme rules at the time the report was made. This applies even if the subscriber did not exercise its rights
- The clause does not require the subscriber to exercise its rights
Liability Provisions
Transactions using a device but not a code
- Unreasonable delay in reporting can apply to a transaction that uses a device, or a device and identifier, but does not require a pass code [clause 10.2]
Proof that user contributed to losses
- All reasonable evidence and explanations must be considered
- The fact that the facility was accessed with the correct device and/or pass code, while significant, does not constitute proof on the balance of probability that the user contributed to the losses
- Use of non-secret information is not relevant to the user's liability [clause 11.8]
Liability Provisions (cont'd)
Discretion to reduce liability
Where the subscriber has not applied a reasonable transaction limit, an EDR body may reduce the holder's liability by such amount as it considers fair and reasonable, taking into account:
- prevailing industry practice regarding reasonable limits;
- security precautions in the absence of reasonable transaction limits; and
- if the unauthorised transaction involved a credit facility (including a redraw facility), whether at the time of making the credit facility available, the subscriber had warned the holder of the risk of unauthorised transactions [clause 11.9]
Liability Provisions (cont'd)
Pass code security requirements
Where a pass code is needed, a user must not:
- voluntarily disclose a pass code to anyone, including a family member or friend [clause 12.2a]
- keep a record of a pass code on a device, or liable to loss or theft simultaneously with a device, unless the user makes a reasonable attempt to protect the security of the pass code [clause 12.2b]
- where a device is not needed to perform a transaction, keep a written record of a pass code without making a reasonable attempt to protect the security of the pass code [clause 12.2c]
Liability Provisions (cont'd)
Pass code security requirements (continued)
Where a pass code is needed, a user must not:
- act with extreme carelessness in failing to protect the security of all pass codes. This involves a degree of carelessness that greatly exceeds what would normally be considered careless behaviour [clause 12.4]
- on or after 1/4/02, select a pass code that represents the user's birth date or name, if the subscriber has specifically instructed the user not to do so and warned the user of the consequences of doing so [clause 12.5]
Onus is on the subscriber to prove compliance with clause 12.5 [clause 12.7]
Liability Provisions (cont'd)
Pass code security requirements
A reasonable attempt to protect the security of a pass code record includes:
- making any reasonable attempt to disguise the pass code within the record; or
- preventing unauthorised access to the record, such as:
  - hiding or disguising the record among other records
  - hiding or disguising the record in a place where a pass code record would not be expected to be found
  - keeping the record in a securely locked container
  - preventing unauthorised access to an electronically stored record [clause 12.3]
Security guidelines
- Subscriber may give a user guidelines in the T&Cs for ensuring the security of devices and pass codes [clause 13.1]
- Guidelines must:
  - be consistent with the pass code security requirements in clause 12;
  - clearly distinguish the circumstances in which the holder is liable for unauthorised transactions; and
  - include a statement that liability for losses from unauthorised transactions will be determined by the Code rather than the guidelines [clause 13.2]
Complaints Procedures of epayments Code February & March 2013
Complaint procedures
- Subscriber must have IDR procedures that comply with ASIC RG 165 and ISO 10002-2006
- For complaints about unauthorised transactions, clause 38.2 lists the information the subscriber must make reasonable efforts to obtain
Time frames for complaints
- Within 21 days of receipt, the subscriber must either complete its investigation and advise the user in writing of the outcome, or advise of the need for more time [clause 38.4]
- Unless there are exceptional circumstances, the subscriber must complete its investigation within 45 days [clause 38.5]
- If the subscriber cannot resolve the complaint within 45 days, it must explain the reason, provide monthly updates and give the user a date when they can reasonably expect a decision (this does not apply where the subscriber is waiting for a response from the user) [Appendix A3.3]
Explaining outcome of complaint
- Subscriber must inform the user about the outcome of a complaint and the reasons for the outcome, including references to the relevant clauses of the Code [clause 38.7]
- If a complaint is resolved within 5 business days, the outcome need not be advised in writing [clause 38.6]
- If resolved after 5 business days, the information must be given in writing [clause 38.9]
Compensation for non-compliance
Where the subscriber does not comply with the Code and the non-compliance contributes to:
- a decision that is against the user; or
- delay in resolution of the complaint,
the EDR scheme may decide the subscriber must pay part of the amount in dispute, even if the subscriber is not otherwise liable [clause 38.10]
The EDR scheme will take into account all the circumstances when deciding on the amount of compensation [clause 38.11]
Credit card complaints
Where the complaint is about a credit card, scheme debit card or charge card and the subscriber exercises its rights under scheme rules:
- Timeframes under scheme rules apply [clause 39.1a]
- If the subscriber can't resolve the complaint within 60 days, it must give reasons for the delay and provide updates every 2 months [clause 39.1b]
- Subscriber must suspend payment on the amount in dispute until the dispute is resolved [clause 39.1d]
Questions?