
The ePayments Code

Laurence O’Keefe and Karen Guerinoni

FOS National Conference 16-17 October 2012

Snapshot

This presentation focuses on the following five aspects of the ePayments Code:

1. What is the ePayments Code?
2. What's covered and not covered?
3. New provisions added by ASIC
4. Provisions governing the allocation of liability for unauthorised transactions
5. Provisions governing complaint procedures

What is the ePayments Code?

- Revision by ASIC of the EFT Code, reworded in plain English
- Comes into effect on 20 March 2013
- Redraft does not diminish the consumer protections of the EFT Code [refer ASIC Consultation Paper 158 dated May 2011]
- Adds some new provisions, including mistaken internet payments and low value facilities
- Applies to FSPs that subscribe to the Code

What's covered by the ePayments Code?

Applies to transactions initiated using electronic equipment that are not authenticated by comparing manual and specimen signatures [clause 2.4].

Examples in clause 2.5 include:
- card transactions, including PIN-authorised, contactless card payments and 'no PIN' low value spends
- internet banking, telephone banking and BPAY
- direct debit arrangements and mail order transactions
- online transactions using card number and expiry date

What's not covered?

The ePayments Code does not apply [clauses 2.1 and 2.4] where:
- the transaction is intended to be authenticated by comparing manual and specimen signatures (such as a credit card purchase in the presence of the merchant)
- the facility is designed primarily for use by business and established primarily for business purposes
- the facility is one where the holder and subscriber do not have a contractual relationship

New provisions in the ePayments Code

In addition to what was already in the EFT Code, the ePayments Code also addresses:
- Mistaken internet payments
- Low value facilities
- Minimum expiry dates
- Book-up arrangements
- Leaving a card in an active ATM

Mistaken Internet Payments (MIPs)

Definition

Clause 23.2: the main elements of that definition are:
- Payment by a user through a 'Pay Anyone' internet banking facility
- Funds paid into the account of an unintended recipient because:
  - the user enters or selects a BSB and/or identifier (account number) that does not belong to the named and/or intended recipient;
  - as a result of the user's error or the user being advised of wrong details
- Does not include payments made using BPAY

Mistaken Internet Payments Cont'd

Compliance requirements

- Disclosure requirements in T&Cs about the process, when funds will be recovered and when the holder is liable [clause 24]
- On-screen warning about the risk of MIPs, including that it may not be possible to recover funds [clause 25]
- Reporting process must be effective, convenient and either free or local call cost only [clause 26]
- Investigation requirements [clause 27] mean:
  - the sending ADI (S-ADI) must investigate the report from the user and, if satisfied an MIP occurred, request return of the funds
  - the receiving ADI (R-ADI) must acknowledge the request and advise the S-ADI whether there are sufficient funds to cover the MIP

Mistaken Internet Payments Cont'd

Summary of return process

Whether or not funds will be returned to the holder after the user has made an MIP depends on:
- whether or not sufficient funds remain in the account of the unintended recipient;
- the period of time that has elapsed between making the MIP and reporting the MIP; and
- in some circumstances, whether or not the unintended recipient agrees to return the funds.

Mistaken Internet Payments Cont'd

Funds available: report within 10 business days of MIP

- Clause 28 sets out the process
- R-ADI must return funds to S-ADI within 5 business days of receiving the request, if practicable, but no longer than 10 business days
- No requirement for consent of the unintended recipient
- If not satisfied an MIP occurred, R-ADI may seek consent of the unintended recipient to return the funds
- S-ADI must return funds to the holder asap

Mistaken Internet Payments Cont'd

Funds available: report between 10 business days and 7 months

- Clause 29 sets out the process
- R-ADI must complete investigation within 10 business days
- R-ADI must prevent the unintended recipient from withdrawing funds for 10 further business days and notify that it will withdraw the funds if the recipient does not establish entitlement to the funds within 10 business days of the date of the 'freeze'
- If the unintended recipient does not establish entitlement, R-ADI must return funds to S-ADI within a further 2 business days
- If not satisfied an MIP occurred, R-ADI may seek consent of the unintended recipient to return the funds
- S-ADI must return funds to the holder asap

Mistaken Internet Payments Cont'd

Funds available: report made more than 7 months after MIP

- Clause 30 sets out the process
- If satisfied that an MIP occurred, R-ADI must seek consent of the unintended recipient to return the funds
- If not satisfied an MIP occurred, R-ADI may seek consent of the unintended recipient to return the funds
- No timeframes are specified
- If the unintended recipient consents to return of the funds, R-ADI must return them to S-ADI, and S-ADI must return funds to the holder asap

Mistaken Internet Payments Cont'd

Funds not available

- Clause 32 sets out the process where an MIP has occurred but there are not sufficient funds in the account of the unintended recipient to cover the full value of the MIP
- R-ADI must use 'reasonable endeavours' to retrieve the funds, e.g. by facilitating repayment of the funds by the unintended recipient in instalments
- Applies at any time after the MIP is reported
- No timeframes are specified

Low value facilities

Limited requirements apply to low value facilities that can hold no more than $500 at any one time:
- Usual T&C requirements do not apply.
- T&Cs only have to be provided if practicable; otherwise, a notice that highlights key terms and advises how to obtain the full T&Cs [clause 4.4]
- Changes to T&Cs have to be provided if the subscriber is able to contact the holder directly [clause 4.15]. Otherwise, in a way reasonably likely to come to the attention of the holder [clause 4.17]

Low value facilities Cont'd

Other requirements

Limited requirements for low value facilities include:
- Usual requirements about receipts do not apply. Must give a process to check balance and transaction history [clause 5.8]
- Usual requirements re statements do not apply [clause 7.7]
- Liability provisions for unauthorised transactions do not apply [clause 9.2]

Minimum expiry dates

Clause 18 provides for facilities with an expiry date:
- Non-reloadable facility: expiry date must be at least 12 months from date of activation
- Reloadable facility: expiry date must be at least 12 months from last reload date
- Minimum expiry date does not apply if the holder is entitled to a refund on expiry
- Subscriber must not bring forward the expiry date and must give the user a way to check it
- Expiry information must be disclosed on a device

Book up arrangements

'Book up arrangement' is defined in clause 2.6 to mean:

"...credit offered by merchants for the purchase of goods or services commonly used by Aboriginal people in remote and regional areas of Australia. It is common for merchants to hold a consumer's debit card and/or pass code as part of a book up arrangement".

If a subscriber and a merchant have a merchant agreement, the agreement must prohibit the merchant from holding a user's pass code as part of a book up arrangement [clause 20.1]

Leaving a card in an active ATM

- Holder is liable if the user leaves a card in an ATM, as long as the ATM incorporates reasonable safety standards that mitigate the risk of a card being left in the ATM (e.g. card capture after a reasonable time) [clause 11.4]
- Clause was added by ASIC at FOS's request, because the situation was not adequately covered by the EFT Code. Long-standing practice of FOS was to allocate liability to the holder, because the user is in control of the card when using an ATM.

Liability Provisions of ePayments Code

Laurence O’Keefe and Karen Guerinoni

FOS National Conference 16-17 October 2012

Liability provisions

- Reflect the legal principle of mandate:
  - FSP may debit unauthorised transactions only in exceptional circumstances where the user contributes to the loss
- Apply to unauthorised transactions only. Do not apply to transactions performed by a user or with the knowledge and consent of a user [clause 9.1]
- No liability in specified circumstances
- Full liability only in specified circumstances
- In other circumstances, limited liability of $150

No liability provisions

Holder is not liable for loss where:
- Fraud or negligence by an employee or agent of the subscriber or merchant [clause 10.1a]
- Device, identifier or pass code that is forged, faulty, expired or cancelled [clause 10.1b]
- Transaction requiring a device and/or pass code that occurred before it was received by the user [clause 10.1c]
- Transaction incorrectly duplicated [clause 10.1d]
- Unauthorised transaction performed after loss of the device or breach of pass code security is reported [clause 10.1e]
- Unauthorised transaction made using an identifier without a pass code or device [clause 10.2]
- It is clear the user had not contributed to the loss [clause 10.3]

When holder is liable for losses

Where clause 10 does not apply, the holder is only liable where the subscriber can prove on the balance of probability that:
- User contributed to the loss through fraud or breach of the pass code security requirements. Holder is liable for actual losses before the loss, theft or misuse of the device or breach of pass code security is reported to the subscriber [clause 11.2a]
- User contributed to the loss by unreasonably delaying reporting misuse, loss or theft of a device or that the security of all pass codes has been breached. Holder is liable for actual losses that occur between when the user became aware of the security compromise (or should reasonably have become aware in the case of a lost or stolen device) and when the security compromise was reported [clause 11.5a]

But...

Liability Provisions Cont'd

(Even if otherwise liable) the holder is not liable for:
- Losses exceeding the daily transaction limit
- Losses exceeding the periodic transaction limit
- Losses exceeding the balance on the facility, including any pre-arranged credit
- Losses incurred on any facility that the subscriber and the holder had not agreed could be accessed using the device or identifier and/or pass code

Exceptions to full liability above are set out in:
- clause 11.2(b) for breach of pass code security requirements
- clause 11.5(b) for unreasonable delay in reporting

Liability Provisions Cont'd

Limited liability

Where a pass code was required to perform the unauthorised transaction and the other full liability clauses do not apply, the holder's liability is limited to no more than $150 [clause 11.7]

Credit cards, scheme debit cards, charge cards

Liability of the holder cannot be greater than if the subscriber had exercised any rights (e.g. chargeback) it had under scheme rules at the time the report was made. This applies even if the subscriber did not exercise its rights [clause 11.10]

Liability Provisions Cont'd

Transactions using a device but not a code

Unreasonable delay in reporting can apply to a transaction that uses a device, or a device and identifier, but does not require a pass code [clause 10.2]

Proof that user contributed to losses

- All reasonable evidence and explanations must be considered
- The fact that the facility was accessed with the correct device and/or pass code, while significant, does not constitute proof on the balance of probability that the user contributed to the losses
- Use of non-secret information is not relevant to the user's liability [clause 11.8]

Liability Provisions Cont'd

Discretion to reduce liability

Where the subscriber has not applied a reasonable transaction limit, an EDR body may reduce the holder's liability by such amount as it considers fair and reasonable, taking into account:
- prevailing industry practice regarding reasonable limits;
- whether the security and reliability of the means used to verify that the transaction was authorised adequately protected the holder from losses in the absence of a reasonable limit; and
- if the unauthorised transaction involved a credit facility (including a redraw facility), whether at the time of making the credit facility available the subscriber had warned the holder of the risk of unauthorised transactions [clause 11.9]

Liability Provisions Cont'd

Pass code security requirements

Where a pass code is needed, a user must not:
- voluntarily disclose a pass code to anyone, including a family member or friend [clause 12.2a]
- keep a record of a pass code on a device or liable to loss or theft simultaneously with a device, unless the user makes a reasonable attempt to protect the security of the pass code [clause 12.2b]
- where a device is not needed to perform a transaction, keep a written record of a pass code without making a reasonable attempt to protect the security of the pass code [clause 12.2c]

Liability Provisions Cont'd

Pass code security requirements continued

Where a pass code is needed, a user must not:
- act with extreme carelessness in failing to protect the security of all pass codes. This involves a degree of carelessness that greatly exceeds what would normally be considered careless behaviour [clause 12.4]
- on or after 1/4/02, select a pass code that represents the user's birth date or name, if the subscriber has specifically instructed the user not to do so and warned the user of the consequences of doing so [clause 12.5]

Onus is on the subscriber to prove compliance with clause 12.5 [clause 12.7]

Liability Provisions Cont'd

Pass code security requirements

A reasonable attempt to protect the security of a pass code record includes:
- making any reasonable attempt to disguise the pass code within the record; or
- preventing unauthorised access to the record, such as:
  - hiding or disguising the record among other records
  - hiding or disguising the record in a place where a pass code record would not be expected to be found
  - keeping the record in a securely locked container
  - preventing unauthorised access to an electronically stored record
[clause 12.3]

Security guidelines

Subscriber may give a user guidelines in T&Cs for ensuring the security of devices and pass codes [clause 13.1]

Guidelines must:
- be consistent with the pass code security requirements in clause 12;
- clearly distinguish the circumstances in which the holder is liable for unauthorised transactions; and
- include a statement that liability for losses from unauthorised transactions will be determined by the Code rather than the guidelines [clause 13.2]

Complaints Procedures of ePayments Code

Laurence O’Keefe and Karen Guerinoni

FOS National Conference 16-17 October 2012

Complaint procedures

- Subscriber must have IDR procedures that comply with ASIC RG165 and ISO10002-2006
- Subscriber must accept a complaint received within 6 years from the day the user first became aware, or should reasonably have become aware, of the circumstances giving rise to the complaint [clause 38.1]
- For complaints about unauthorised transactions, clause 38.2 lists the information the subscriber must make reasonable efforts to obtain

Time frames for complaints

- Within 21 days of receipt, the subscriber must either complete the investigation and advise the user in writing of the outcome, or advise the need for more time [clause 38.4]
- Unless there are exceptional circumstances, the subscriber must complete the investigation within 45 days [clause 38.5]
- If the subscriber cannot resolve the complaint within 45 days, it must explain the reason, provide monthly updates and give the user a date when they can reasonably expect a decision (but this does not apply where the subscriber is waiting for a response from the user) [Appendix A3.3]

Explaining the outcome of a complaint

- Subscriber must inform the user about the outcome of a complaint and the reasons for the outcome, including references to the relevant clauses of the Code [clause 38.7]
- If a complaint is resolved within 5 business days, the outcome need not be advised in writing [clause 38.6]
- If resolved after 5 business days, the information must be given in writing [clause 38.9]

Compensation for non-compliance

Where the subscriber does not comply with the Code and the non-compliance contributes to:
- a decision that is against the user; or
- delay in resolution of the complaint,
the EDR scheme may decide the subscriber must pay part of the amount in dispute, even if the subscriber is not otherwise liable [clause 38.10]

EDR will take into account all the circumstances when deciding on the amount of compensation [clause 38.11]

Credit card complaints

Where the complaint is about a credit card, scheme debit card or charge card and the subscriber exercises its rights under scheme rules:
- Timeframes under scheme rules apply [clause 39.1a]
- If the subscriber can't resolve the complaint within 60 days, it must give reasons for the delay and provide updates every 2 months [clause 39.1b]
- Subscriber must suspend payment on the amount in dispute until the dispute is resolved [clause 39.1d]

Questions?
