Bank outages, spiralling online payments fraud and a slew of major corporate data breaches are set to feel the sting of regulatory leather after corporate and financial regulator the Australian Securities and Investments Commission revealed its four-year hit list.
The corporate cop on Wednesday drew a line under the cuddly days of ‘light touch’ and industry-initiated self-regulation, publishing its planned action and public to-do list that ASIC chairman James Shipton said is “underpinned by the ‘Why not litigate?’ operational discipline”.
The short, sharp message to banks, brokers and the consumer credit industry is that attempts to sweep shoddy behaviour and systemic deficiencies under the rug will be met with court action, public shaming, penalties and stiff fines.
Importantly, bank and digital payments outages, online and electronic card fraud, dodgy online consumer lending practices and lax IT and data security all make the cut on the list of activities set for a caning as ASIC moves to shake out escalating systemic risk from sectoral dependence on interconnected digital systems.
Rope and lamp-post methodology
“The aim of our enforcement work is to effectively bring wrongdoers to account through punishment and public denunciation,” ASIC said in its corporate plan.
“In doing so, we not only seek to deter poor behaviour, but to also encourage a greater willingness among entities and individuals to act in accordance with the law and for the benefit of consumers and investors,” it continued, adding it “will target cases of high deterrence value and those involving egregious harm or misconduct (particularly towards vulnerable consumers).”
Serendipitously, ASIC’s hit list publication came on the same day as the ASX’s most popular digital payments and credit arbitrageur Afterpay lodged its results, trumpeting a new partnership with global giant Visa around debit cards.
The banking and venture capital sectors have been anticipating a dose of parasite control in the digital credit and fintech sector for at least a year, especially as speculative money piles into start-ups, effectively promulgating shadow lending to people with patchy credit histories or poor credit ratings.
At a policy level, the fear is an unchecked proliferation of app-based low quality shadow lending could lead to a consumer and investor rout in the event of an economic shock because the evolution of the digital payments and fintech sector has outpaced laws and regulations.
Conspicuously heavy on the tech talk, ASIC’s corporate plan persistently weaves in current and emerging technologies like AI, data analytics, machine learning and automation in its enhanced approach to patrolling its beat, alongside some heavy spruiking of regtech opportunities.
“This technology has significant potential to help organisations build a culture of compliance and save time and money relating to compliance activities,” ASIC said, a line that tacitly acknowledges the steep cost of manual compliance burdens which have for years leached cash from IT budgets.
De-lousing digital payments and online fraud
With online payments fraud in Australia now at an all-time high of $478 million a year for 2018 – think of it as each of the big four losing more than $100 million apiece – ASIC is finally showing signs it might bite the bullet in terms of making banks and credit card schemes clean up their act.
A key action listed as ‘new’ in the corporate plan is a review of ASIC's infamously archaic ePayments Code, a mechanism whose roots lie in the pre-internet analogue era when electronic payments arrived in the 1980s under what was then EFTPOS (electronic funds transfer at point of sale).
A still voluntary code – yes, voluntary – the mechanism has been sorely deficient in its protections for online merchants who cop the vast majority of online card fraud passed through to them as chargebacks by banks and credit card schemes.
These days, even the Governor of the Reserve Bank of Australia, Philip Lowe, is a victim of online card fraud, a point the central banker has very publicly pressed home to industry.
Banks and schemes have for decades kicked hard against any prospect of indemnifying merchants for online card fraud, despite a large proportion of it being caused by the insecure, frequently defective, cumbersome and expensive efforts by the likes of Mastercard and Visa to secure payments across their schemes.
Online liability shift
What’s less known is that most of the rules surrounding card-not-present transactions, which is how online payments are classified by industry self-regulator AusPayNet, were derived from rules surrounding telephone-based credit card transactions where a merchant never eyeballed a card.
The generous position that banks extracted, and which has never been reversed, is that merchants who accepted payments without seeing a plastic card, its cardholder or getting a signature to check could wear their own liability for fraud.
Which made initial sense in the 1990s, when a good proportion of e-commerce and web transactions were for pills, adult industries, remote gaming and wagering and the phenomenon known as ‘chat lines’.
Back to the future
Three decades later, ASIC says it’s “reviewing the ePayments Code to take into account new market and industry developments, ensuring that it continues to be effective and relevant to consumers and Code subscribers”, listing the initiative as new (it kicked off in March).
While the review is expected to be stinging, especially in terms of the huge digital liability shift back to merchants, the bad news is that because the ePayments Code is voluntary and not black letter law, legislative changes are out of scope for ASIC.
Which is not to say voluntary rules can’t be changed.
A report on submissions to the review is due in October or November, with an amended ePayments Code scheduled for release in December or January.
The outage economy
If online fraud is a pinprick for Australian businesses, escalating payments outages are a material and potentially existential threat.
The RBA has already ordered banks to start handing over their online and payments system outage stats amid fears over what dud routers, switches and rubbish upgrades will do to the economy when everything is online.
ASIC, as an enforcement agency, also wants a slice of the action in making sure systems don’t go belly-up, especially when it comes to protecting access to consumer and business funds and savings from glitches.
While there’s no explicit callout for banks, telcos, schemes or platforms to be prosecuted or penalised for technical incompetence – outage control for ASIC falls under its mandate to “promote strong and innovative development of the financial system” – it’s clearly an issue it's ready to wade in on.
Under the action point of mitigating “the potential harms of technological change” ASIC has set itself the task of “identifying and addressing technology, security and operational failures that result in harmful outcomes for consumers, investors and markets, or expose them to fraud.”
Which, if considered, is a large and fertile regulatory pasture to plough.
Also on the task list is “identifying and addressing potential technological failures that may have a systemic impact on the market and/or the capacity of intermediaries and operators to comply with their obligations.”
Notably, that’s not just banks, payment systems and telcos – it’s also the ASX’s massive CHESS rebuild and a bunch of other transactional systems across property, superannuation and insurance.
But let’s face it, it’s the banks and telcos where the most immediate action is.
Just ask A2B, formerly known as Cabcharge, which on Tuesday booked a $5 million charge for a Telstra payment systems outage in its annual results.
If ASIC really does want numbers, costs and targets to go after to clean up Australia’s booming digital sector, they will not be that hard to find.