Rules Mate

ePayments Code 2022: ASIC's Updated Consumer Protections for Electronic Payments

ASIC published the updated ePayments Code on 2 June 2022 (mandatory from 2 June 2023), covering mistaken internet payments, unauthorised transactions, NPP payments and complaints handling.

Rules Mate Editorial · Published 5 June 2026 · 3 min read

Status and scope

The ePayments Code was published by ASIC on 2 June 2022, with subscribers required to comply by 2 June 2023. It is a voluntary code of practice administered by ASIC under its Regulatory Guide 185. The Code aims to provide consumer protections for electronic payments. Vulnerable customer protections in financial services are a key consideration within the Code’s framework.

Major subscribers to the Code include all four major banks, Macquarie, Bendigo/Adelaide, ING, HSBC Australia, and most credit unions and building societies. This broad adoption ensures a significant portion of the Australian electronic payments industry adheres to the Code’s principles.

The scope of the Code was extended in 2022 to cover payments made using the New Payments Platform (NPP) and PayID. The Code currently operates as a voluntary framework. A Treasury review is proposing to make it mandatory, but legislation to enact this change has not yet been passed.

Mistaken internet payments (MIP) protocol

The ePayments Code 2022 addresses mistaken internet payments (MIP), which are defined as payments made through a pay-anyone banking facility where funds are directed to an unintended recipient due to user error or incorrect information. The MIP protocol does not apply to payments made to scammers; it is intended for situations where a user has genuinely entered incorrect payment details. ASIC RG 271 (internal dispute resolution) provides further guidance on dispute resolution.

When a payer reports a MIP to their sending ADI (authorised deposit-taking institution), the sending ADI must contact the receiving ADI within 10 business days. If the receiving ADI does not dispute the payment and the report is made within that 10-day timeframe, the receiving ADI must return the funds within 5 business days.

If a MIP is reported to the sending ADI after 10 business days but within 7 months, the receiving ADI must use reasonable endeavours to retrieve the funds. This obligation to retrieve funds is less stringent than the immediate return required within the initial 10-day window.

Unauthorised transaction liability

Subscribers to the ePayments Code 2022 are required to clearly define the liability allocation for unauthorised transactions, adhering to the Code’s established framework. This framework outlines the circumstances under which liability for losses resulting from fraud or negligence falls on either the subscriber or the holder. Notably, holders are not liable for losses stemming from fraud or negligence by the subscriber’s employees or agents. Similarly, holders are not liable where a device or passcode was forged, faulty, expired or cancelled. Vulnerable customer protections in financial services should be considered when applying these rules.

However, the liability framework can shift. If a holder unreasonably delays reporting the loss, theft, or unauthorised use of a device or passcode, liability for the loss transfers to the holder. In situations where a passcode is required and the holder is not at fault, the maximum liability for the holder is the lesser of $150, the balance of the account, or the actual loss.

Finally, holders are liable in full for losses if they voluntarily disclosed a passcode or maintained a record of a passcode associated with the device.

Complaints handling and review

Subscribers to the ePayments Code 2022 are required to handle complaints in accordance with ASIC RG 271 internal dispute resolution standards. This includes adhering to the default 45-day timeframe for resolution, with a shorter 30-day timeframe applying to credit complaints. If internal dispute resolution is unsuccessful, consumers can escalate matters to the Australian Financial Complaints Authority (AFCA) under its standard jurisdiction.

ASIC published modifications and operating guidance following the 2 June 2022 update to address industry feedback concerning New Payments Platform (NPP) transactions, mistaken payments, and reporting requirements. This guidance assists subscribers in meeting their obligations under the Code.

Subscribers must report data related to Code compliance to ASIC. While the Code itself is voluntary, ASIC can take action regarding breaches under the general conditions of a licensee’s Australian Financial Services (AFS) or credit licence.

Frequently asked

Does the ePayments Code cover scam losses?

Not directly. The mistaken internet payment protocol only applies where the user keyed an unintended identifier (e.g. typo). Scams where the user was deceived into authorising the payment are outside the MIP process, although unauthorised-transaction protections may still apply if the scam involved compromise of credentials.

Is the ePayments Code mandatory?

It is currently a voluntary subscriber code administered by ASIC. Treasury has proposed making it mandatory, but as at 2025 the Code remains binding only on financial institutions that have subscribed.
