What do you do if someone steals your ATM card, hacks your internet banking account, skims your credit card or subjects you to some other form of electronic banking fraud?
First, if you suspect your credit or EFTPOS card has been misused, lost or stolen, or the security of your PIN or password breached, notify your financial institution immediately. Be aware that delays of even minutes may cost you thousands of dollars.
Of course, prevention is key. As well as being common sense, making your PINs and passwords hard to guess and keeping them a well-guarded secret will help you avoid liability for unauthorised transactions.
Clause 10 of the ePayments Code (see “ePayments Code”) deals with electronic payment transactions that are not authorised by the account holder. It attempts to answer the question: Who bears the loss?
a Where you will not be liable for losses
Generally, you will not be liable for any losses that are incurred after you notify your financial institution of a security breach. In addition, you will not be liable for losses:
•that are caused by the fraud or negligence of employees or agents of the financial institution or merchant, or a third party involved in networking arrangements;
•that are caused because a device, identifier or passcode that is forged, faulty, expired or cancelled;
•that occur before you receive the relevant access card and/or related PIN;
•that are caused when the same transaction is incorrectly debited more than once to the same account; or
•where it is clear that you have not contributed to the loss.
b Where you will be liable for losses
You may be liable for losses arising from an unauthorised transaction that occurs before you report the theft of your card etc., if your financial institution can prove on a balance of probabilities that you contributed to the loss through fraud or because you:
•voluntarily disclosed your PIN or password to another person, including a family member or friend;
•kept a record of your PIN together with your access card;
•acted with extreme carelessness in failing to protect the security of your PIN or password;
•chose a PIN or password that is your birth date or includes part of your name; or
•unreasonably delayed reporting the misuse, loss or theft of an access card, or that the security of your PIN or password was breached.
You may also be liable if you leave your access card in an ATM that incorporates reasonable safety standards that mitigate against the risk of you doing so.
However, the ePayment Code limits the amount of loss you can be liable for. Even if you are generally liable because of the circumstances above, you will not have to bear the loss of any amount:
•in excess of your daily transaction limit that is taken from your account on a single day;
•in excess of the balance of your account at the time of the transaction, including any pre-arranged credit; or
•taken from an account in relation to which you had not agreed could be accessed by the card, PIN or password.
c Where liability is split between you and the financial institution
If the financial institution cannot prove that you have contributed to losses in the ways described in section B above, but you cannot avoid liability for the reasons described in section A above, you will be taken to be liable for the least amount of the following:
•$150 or a lower amount as determined by the financial institution;
•the balance of the relevant account(s), if you agreed the account could be accessed by a PIN or password; or
•the actual loss at the time you notified the financial institution of the misuse, loss or theft of your card (or that the security of your PIN or password was breached), excluding any amount exceeding the daily transaction limit.
The ePayments Code is complex and has been presented here in a simplified fashion. If a dispute over unauthorised transactions arises you should consult the text of the ePayments Code in full. You can obtain a copy at www.asic.gov.au.