Need to know
- Most Australian banks don't check that BSB and account numbers match the name of the account customers are sending money to
- Account name matching is a basic anti-scam measure that has blocked many fraudulent transactions in other countries
- In July 2022, the ACCC called on the banking sector to establish an industry-wide account name checking system, but that has yet to happen
The phrase 'like money in the bank' conjures images of trustworthy institutions whose integrity and reliability are ironclad. But that image has been tarnished in recent years, as many banks have made it all too easy for scammers to take advantage of their customers.
How so? It may come as a surprise that most Australian banks don't check that BSB and account numbers match the name of the account customers are sending money to, a basic anti-scam measure that has blocked many fraudulent transactions in other countries.
That's probably why bank transfers are the most common method for paying scammers in Australia. And a lot of scammers have been well paid.
Australians lost over $210 million in fraudulent bank transfers in 2022, an increase of about 63% over the previous year.
No industry-wide system in place
The technology to check that recipients are who they say they are exists, but much of the banking industry in Australia has yet to take it on board.
Many people wish they would, including government agencies.
In July 2022, the Australian Competition and Consumer Commission (ACCC) called on the banking sector to establish an industry-wide account name checking system, but the industry is still in the early consultation stage on the issue.
As it stands, we're in a situation where we could be sending our money to anyone.
Big banks implementing their own systems
While an industry-wide system isn't yet in place, three of the big four banks currently have their own systems – CBA 'name check', Westpac 'verify', and NAB 'payment prompts'.
A spokesperson from the fourth big bank, ANZ, told CHOICE "we're in support of a whole of industry solution to name checking, and continue to work with government, regulators, banking and other industries, on a coordinated approach".
In July this year, NAB announced that its 'payment prompts' system had been activated in about $270 million worth of payments since March. About 12% of the payments were ultimately cancelled. According to the bank, customers have been putting a stop to approximately $290,000 worth of payments every day after receiving a payment prompts message questioning the validity of the transaction.
Banks are often involved in the process of transferring money to scammers, yet very few agree to compensate victims.
Mandatory, enforceable standards are needed
The ACCC says the steps three of the big four banks have taken won't be enough to stop the onrushing tide of scams across the banking sector.
A spokesperson for the ACCC's National Anti-Scam Centre told CHOICE in October that Australia needs "cross-industry standards that are mandatory, enforceable and have the coverage to ensure scammers can't exploit weak links".
Such standards would "lift the bar across the scams ecosystem", the ACCC says.
Other countries have already lifted the bar.
What are other countries doing?
The 'confirmation of payee' system was adopted by the six largest banks in the UK in 2019, for instance, covering 92% of bank transactions. After the first year, transactions to the wrong account, including scammers' accounts, fell by 35%.
When Dutch banks introduced the IBAN-name check service in 2017, reported scams and fraud ended up falling by 81%.
The UK also has the 'contingent reimbursement model code', which requires banks to take various steps to prevent scams and reimburse victims in some circumstances when they happen.
The banking sector in Australia currently has none of these protections in place.
No incentive for banks to stop fraud
Simon Smith, a cybersecurity expert who has served as an expert witness on behalf of victims in a number of bank payment scam cases, says the reason Australian banks have yet to adopt an account name matching system is that they're not legally required to do so.
"They actually don't make money out of stopping fraud, so there's no incentive," Smith tells CHOICE.
"So unless they are penalised and held accountable, there's no benefit for them and their shareholders in stopping fraud. There's no incentive and no government regulation. It just shows that the wheels in motion are only there to produce a result for shareholders. They're not there to save someone's mum or grandma from getting scammed out of a million dollars."
Change may be on the horizon
Meanwhile, the Australian Banking Association (ABA) tells CHOICE that the process has begun to prevent bank customers from sending money to scammers.
A spokesperson says the ABA has applied for ACCC authorisation to hold industry-wide discussions "about initiatives to prevent, detect and disrupt scams", adding that the authorisation "referred specifically to the topic of payee verification solutions".
The ABA says industry discussions are focusing on how the big bank models "could be extended across the whole industry", but there's no firm indication of when that might become a reality.
It'll be too late for octogenarians like Ron and Judy, who recently lost $40,000 in a Telstra bond scam. The payment was facilitated by Suncorp bank, which the couple attended in person. Neither the account nor the BSB number matched the name of the account the money was sent to.
Smith says the fact it's taken this long for the banks to consider applying such a basic anti-scam check speaks for itself.
"Hotdog stands have to comply with food, health and safety regulations. Yet, you can send a million dollars to another account, and then it's just gone. There's no actual duty of care on the part of the banks. And that's a big problem."