2025-12-09

Banks knew their systems were flawed but refused to act, leaving scam victims to bear the cost, writes Dr Kim Sawyer.

ON 12 MARCH 2024, former Assistant Treasurer Stephen Jones gave an interview on scams.

Jones expressed what many scam victims have expressed:

“I think we've got to attach liability and responsibility; there's going to be a connection between those two things. ...liability should apply but it should be where responsibility lies.”

In the same interview, Jones reflected on the failure of banks to adopt confirmation of payee.

“We were talking to them two years ago and we said okay confirmation of payee... if you've typed in the wrong number because there's no alphanumeric matching and you don't know whether you’ve sent the money to Hans instead of Jacquelin. That's a huge fault in their online applications. They were very resistant to rolling out confirmation of payee across the whole banking system, they've now agreed that has to be a core functionality.”

The Minister highlighted what scam victims have been saying for the last two years: that the failure to roll out confirmation of payee was a major flaw in banks' online systems. The banks knew of its importance. They knew what scam victims have come to understand.

Authorised push payment (APP) scams had been identified nearly ten years earlier in Europe. APP scammers induce bank customers to transfer money from their accounts to mule accounts for laundering. There was a simple remedy: confirmation of payee, where the customer sees the name on the payee's account to which they are transferring their money.

Confirmation of payee had reduced fraud in the Netherlands by 81 per cent and in the UK by 35 per cent, and had become mandatory in the UK in March 2020. It was recommended by the Australian Competition and Consumer Commission (ACCC) in 2020 and 2022 and suggested by the Australian Securities and Investments Commission (ASIC) as early as 2011.

However, the banks were resistant. They failed to act in the best interests of their customers. They exposed customers to risk. Their failure led to hundreds of thousands of Australians being scammed and billions of dollars lost.

Confirmation of payee is now being rolled out at a cost of only $100 million to all the banks, when combined bank profits exceed $40 billion. But it could have been done five years ago. Banks were forcing customers to go online when they knew they had a fault in their systems. Banks were exposing customers to unnecessary risk.

Let us return to the words “liability should apply but it should be where responsibility lies”. When a car manufacturer recognises that there is a fault in one of their models, there is a recall. They recognise that they are liable. In 2024, Honda recalled 16,000 cars citing a potential fault with the vehicle's electronic power steering system. They recognised that they were at fault. The one who is responsible is the one who is liable; the one liable is the one who should pay.

If banks are responsible for a fault, they are liable and, if liable, they should reimburse victims. However, they are not reimbursing victims; they are allowed to deny liability for a fault they knew to be a fault, that the ACCC knew to be a fault, that the Government knew to be a fault. They are also allowed to deny liability for not monitoring laundering from mule accounts.

What many have not appreciated is that the scam problem that emerged in the last five years in Australia is analogous to the British Post Office scandal. The Post Office was found liable for installing the faulty Horizon system, both contractually and through its abusive actions.

A 2019 High Court ruling confirmed that the Horizon IT system had “bugs, errors and defects” that caused financial shortfalls wrongly blamed on sub-postmasters. The court determined the Post Office had imposed an unreasonable burden of liability on sub-postmasters, ruined lives and covered up the system's problems. The Post Office was at fault and was deemed liable.

The scam problem is analogous, but most do not understand. The banks had a fault in their systems, knew of the fault, knew it would mean that many customers would lose money, as they had in Europe before confirmation of payee, and knew customers could not mitigate the risk, yet resisted introducing confirmation of payee until 2025, at minimal cost to the banks. And the Government allowed them.

The Government has allowed banks to deny their liability and to shift liability onto the victims. The Government knew of the fault in 2022 but gave in to the Australian Banking Association rather than listen to the advice of the ACCC in 2020 and 2022, and the best practice overseas. The Government failed to regulate what should have been regulated.

That failure justifies a second royal commission.

In delivering his final report in April 2019, Royal Commissioner Justice Kenneth Hayne observed that:

“Throughout the work of the Commission, I paid close regard and given great significance, to the Commission conducting a public inquiry so that there might be public exposure of misconduct and the vindication those affected by misconduct derive from its being exposed.”

Justice Hayne observed that banks are the central artery of the economy. Everyone wants the banks to be strong; everyone also wants the banks to protect customers from unnecessary risk.

Scam victims are being compelled to pursue legal processes at great cost and risk to themselves, an uneven contest of the powerless against the powerful. A royal commission is like a discovery process where misconduct is exposed and not rewarded; where faults are revealed. A royal commission would be vindication that the victims were not the only ones to blame.

Dr Kim Sawyer is a retired Associate Professor, University of Melbourne.

