The Law Handbook 2024

Chapter 5.10: Unauthorised transactions and ePayments Code 459 applies to transactions authorised using a PIN or a password. Among other things, the ePayments Code: • deals with recovering mistaken internet payments (cl 24–36); • sets out the rules for determining who pays for unauthorised transactions (cl 9–19); • requires subscribers to give consumers terms and conditions, information about changes to terms and conditions (e.g. fee increases), receipts and statements (cl 4–8). The ePayments Code is a voluntary code that almost all banks, credit providers and building societies follow. A list of code subscribers is available on the website of the Australian Securities and Investments Commission ( ASIC ). In addition, external dispute resolution schemes consider it to be good industry practice. A copy of the code is available on ASIC’s website. Clause 10 of the ePayments Code deals with electronic payment transactions that were not authorised by the account holder, but were authorised using a PIN or password. The clause attempts to answer the question: Who is responsible for the loss? Where you are not liable for losses Generally, you are not liable for any losses that are incurred after you notify your financial institution of an unauthorised transaction. In addition, you are not liable for losses: • that are caused by the fraud or negligence of employees or agents of the financial institution or merchant, or a third party involved in networking arrangements; • that are caused because a device, identifier or passcode that is forged, faulty, expired or cancelled; • that occur before you receive the relevant bank card and/or related PIN; • that are caused when the same transaction is incorrectly debited more than once to the same account; • where it is clear that you have not contributed to the loss. Where you are liable for losses You may be liable for losses arising from an unauthorised transaction that occurs before you report the theft of your card if your financial institution can prove on the balance of probabilities that you contributed to the loss through fraud or because you: • voluntarily disclosed your PIN or password to another person; • kept a record of your PIN with your bank card or where it was liable to be lost or stolen at the same time as your bank card (e.g. in your bag or wallet); • acted with extreme carelessness in failing to protect the security of your PIN or password; • chose a PIN or password that is your birth date or includes part of your name; or • unreasonably delayed reporting the misuse, loss or theft of a bank card, or that the security of your PIN or password was breached. You may be liable if you leave your card in an ATM that incorporates reasonable safety standards that mitigate against the risk of you doing so. However, the ePayments Code limits the amount of loss you can be liable for. Even if you are generally liable because of the circumstances above, you will not have to bear the loss of any amount: • in excess of your daily transaction limit that is taken from your account on a single day; • in excess of the balance of your account at the time of the transaction, including any pre- arranged credit; or • taken from an account in relation to which you had not agreed could be accessed by the card, PIN or password. Where liability is split between you and the financial institution There may be a situation where the financial institution cannot prove that you have contributed to losses in the ways described in ‘Where you are liable for losses’ above, but you cannot avoid liability for the reasons described in ‘Where you are not liable for losses’ above. In this situation, you will be liable for the least amount of the following: • $150 or a lower amount as determined by the financial institution; • the balance of the relevant account(s), if you agreed the account could be accessed by a PIN or password; or • the actual loss at the time you notified the financial institution of the misuse, loss or theft of your card (or that the security of your PIN or password was breached), excluding any amount exceeding the daily transaction limit.