Australia's police agencies have convinced a parliamentary committee that the country's banks should make contactless payments an opt-in service, in order to combat fraud.
In its report into financial-related crime, tabled today, the parliamentary joint committee on law enforcement said it shared concerns that banks rolling out new technology without consulting law enforcement had the potential to drive up crime in the sector.
It said banks and other financial service providers should consider law enforcement issues "more carefully" and discuss new technologies with law enforcement before they are rolled out.
"While banks have argued the fraud risk of new technologies is accounted for in their banking systems, the committee believes that consumers should have the option of disabling contactless payment features," the committee wrote.
It therefore recommended that providers issuing debit and credit cards require customers to consent to contactless payment technology on their cards before it is activated.
Law enforcement agencies had argued to the committee that such technology had expanded the scope of credit card fraud, where criminals conducted multiple low-value purchases from different cards to escape detection.
Contactless payment technology allows customers to pay for products or services worth under $100 by waving or tapping their card to a terminal.
But in its submission to the inquiry, Victoria Police said the technology had contributed to the rise of 100 extra credit card deceptions weekly in the state, and criticised financial institutions for not engaging with police prior to rolling out such features.
Banking representatives denied contactless payment technology posed a significant fraud threat.
Audit ASIC's tech skills
The committee also raised concerns about the Australian Securities and Investment Commission's technological ability to detect and deter financial-related crime.
It highlighted a submission by the National Credit Providers Association which criticised ASIC's reaction to a scam that misused a member's AFS license information.
The NCPA said ASIC did not act until 101 days after the association notified it of the scam, and even then only issued a media release. Similarly, the NCPA said it later found out ASIC had known about the scam for four months before the NCPA's notification.
"I had a fairly frank conversation with one of the investigators, who said that basically ASIC does not have the technology to try and track down these scams, does not have the resources to do this and the processes of ... deciding whether this even falls within ASIC's gamut to investigate .. appear to be based…on paper, fax and letter-type dealing with the process rather than the fact that we are in a global economy and these scams are over and done with very rapidly," National Financial Service Federation CEO Philip Johns said.
When questioned on the delay by the committee, ASIC said it had determined that the most appropriate regulatory response was to issue a media release to "educate members of the public" and to "disrupt the scam".
The committee labelled ASIC's response "extremely tardy" and said it appeared to be indicative of ASIC's usual response timeframe - meaning its typical reaction for similar types of financial-related crimes was between 65-110 days.
It also said issuing a media release did not send a "sufficiently robust deterrance message to future internet scammers".
"As many witnesses have observed, the use of modern technologies makes the transacting of internet scams incredibly rapid. If ASIC is to deal with internet-based financial related crimes in an effective manner into the future, it must improve its response times to preventing and disrupting such criminal activities," the committee said.
ASIC needs to have the technology capacity to effectively and appropriately respond to such issues, the committee said, recommending that the National Audit Office (ANAO) undertake a performance audit of ASIC's technological abilities.
The ANAO report would outline ASIC's IT requirements and capabilities as well as any deficiencies that would prevent the agency from performing its regulatory role.
ASIC famously blocked 250,000 websites accidentally in 2013 in an attempt to shut down just 1200.
The committee also recommended that ASIC make its response to internet-based financial crimes "far more expeditious".
ATO should be able to access metadata
The Australian Tax Office should be designated a criminal law enforcement agency to allow it to better protect public finances from criminal activities like major tax fraud, the committee said.
Classifying the tax office as such under the TIA Act would allow the agency to access non-content data (or metadata) - stored as part of the data retention scheme - without a warrant, and provide it telecommunications intercept powers.
The ATO is not currently listed among the agencies desginated as criminal law enforcement agencies under the recently-passed data retention act.
The committee said the ATO should be able to access intercepted telecommunications information to protect public finances from serious criminal activities.
"In the committee's view, the multiple prosecutions and recovery of billions of dollars in tax liabilities resulting from Project Wickenby, clearly establishes the demonstrated need for the ATO to become a criminal law-enforcement agency under the TIA Act," the committee said.