David Niven

Legal Consultant

Unauthorised transactions and credit disputes

Last updated

1 July 2022

Unauthorised transactions

What do you do if someone steals your ATM card, hacks your internet banking account, skims your credit card or subjects you to some other form of electronic banking fraud?

First, if you suspect your credit or EFTPOS card has been misused, lost or stolen, or the security of your Personal Identification Number (PIN) or password has been breached, notify your financial institution immediately. Be aware that delays of even minutes may cost you thousands of dollars. 

Prevention is the key; for example, keep your PINs and passwords secret and make them hard to guess.

For consumers who do encounter unauthorised transactions, their rights fall under contract law, the ePayments Code (see ‘ePayments Code’ in ‘Who is responsible for unauthorised transactions?’ below) and the Mastercard and Visa card Rules.

Who is responsible for unauthorised transactions?

General principles

A financial institution is only allowed to deduct money from your account if you have authorised the transaction. You can authorise a transaction by:

  • signing a withdrawal slip; or
  • using a PIN or password; or
  • providing authorisation over the phone; or
  • giving someone else authority to access your account.

A financial institution does not have a general duty of care to its customers, but it is not entitled to turn a ‘blind eye’ to known facts that indicate a customer is being defrauded or that funds are being misappropriated (see Lipkin Gorman (A Firm) v Karpnale Pty Ltd & Lloyds Bank [1991] 2 AC 548).

Financial institutions usually have a term in their contracts stating that you are liable for unauthorised transactions where you contributed to the transaction (e.g. by sharing your PIN with another person). In these disputes, your rights are determined by the ePayments Code.

ePayments Code

The ePayments Code applies to ATM, EFTPOS and credit transactions, online payments, internet and mobile banking, and BPAY transactions. The code applies to transactions authorised using a PIN or a password.

Among other things, the ePayments Code:

  • deals with recovering mistaken internet payments (cl 24–36);
  • sets out the rules for determining who pays for unauthorised transactions (cl 9–19);
  • requires subscribers to give consumers terms and conditions, information about changes to terms and conditions (e.g. fee increases), receipts and statements (cl 4–8).

The ePayments Code is a voluntary code that almost all banks, credit providers and building societies follow. A list of code subscribers is available on the website of the Australian Securities and Investments Commission (ASIC). In addition, external dispute resolution schemes consider it to be good industry practice. A copy of the code is available on ASIC’s website.

Clause 10 of the ePayments Code deals with electronic payment transactions that were not authorised by the account holder, but were authorised using a PIN or password. The clause attempts to answer the question: Who is responsible for the loss?

Where you are not liable for losses

Generally, you are not liable for any losses that are incurred after you notify your financial institution of an unauthorised transaction.

In addition, you are not liable for losses:

  • that are caused by the fraud or negligence of employees or agents of the financial institution or merchant, or a third party involved in networking arrangements;
  • that are caused by a device, identifier or passcode that is forged, faulty, expired or cancelled;
  • that occur before you receive the relevant bank card and/or related PIN;
  • that are caused when the same transaction is incorrectly debited more than once to the same account;
  • where it is clear that you have not contributed to the loss.

Where you are liable for losses

You may be liable for losses arising from an unauthorised transaction that occurs before you report the theft of your card etc., if your financial institution can prove on the balance of probabilities that you contributed to the loss through fraud or because you:

  • voluntarily disclosed your PIN or password to another person;
  • kept a record of your PIN with your bank card or where it was liable to be lost or stolen at the same time as your bank card (e.g. in your bag or wallet);
  • acted with extreme carelessness in failing to protect the security of your PIN or password;
  • chose a PIN or password that is your birth date or includes part of your name; or
  • unreasonably delayed reporting the misuse, loss or theft of a bank card, or that the security of your PIN or password was breached.

You may be liable if you leave your card in an ATM that incorporates reasonable safety standards that mitigate the risk of you doing so.

However, the ePayments Code limits the amount of loss you can be liable for. Even if you are generally liable because of the circumstances above, you will not have to bear the loss of any amount:

  • in excess of your daily transaction limit that is taken from your account on a single day;
  • in excess of the balance of your account at the time of the transaction, including any pre-arranged credit; or
  • taken from an account in relation to which you had not agreed could be accessed by the card, PIN or password.

Where liability is split between you and the financial institution

If the financial institution cannot prove that you contributed to the losses in the ways described under ‘Where you are liable for losses’ above, but you cannot avoid liability for the reasons described under ‘Where you are not liable for losses’ above, you will be liable for the least of the following amounts:

  • $150 or a lower amount as determined by the financial institution;
  • the balance of the relevant account(s), if you agreed the account could be accessed by a PIN or password; or
  • the actual loss at the time you notified the financial institution of the misuse, loss or theft of your card (or that the security of your PIN or password was breached), excluding any amount exceeding the daily transaction limit.

Chargebacks

A ‘chargeback’ is where a cardholder reverses an unauthorised transaction under the Visa card and Mastercard Rules.

Chargebacks apply to disputes where the unauthorised transaction relates to the use of a Visa card or Mastercard and the transaction was not authorised by a signature, PIN or password. Chargebacks often apply to transactions made over the telephone and to mail orders.

You can ‘chargeback’ an unauthorised transaction and obtain a refund on the basis that you did not authorise the transaction. This regularly occurs where a person’s Visa card or Mastercard details have been used for internet or telephone purchases by someone other than the cardholder.

You may also be able to chargeback a transaction you did authorise if you were the victim of a scam. This may be possible where you made an internet or telephone purchase of goods or services using a Visa card or Mastercard and the goods or services were:

  • not received by you; or
  • not as they were described to you; or
  • defective.

Most banks are required to consider ‘chargeback’ disputes under the Banking Code of Practice (see ‘Credit and finance industry codes of conduct’). However, strict timeframes apply, so contact your financial institution as soon as possible.

If a financial institution fails to properly process a chargeback dispute, you can make a complaint to the Australian Financial Complaints Authority.
