The magazine of the Melbourne PC User Group

Electronic Funds Transfer -
The New Code of Conduct

Mark Sneddon
msneddon@claytonutz.com

On 5 April 2001 the Australian Securities and Investments Commission (ASIC) released the new Electronic Funds Transfer Code of Conduct. This Code aims to create a world-best practice consumer protection regime in a technology-neutral form for users of electronic banking and payment products. The new Code becomes operative on 1 April 2002 but may be adopted by account institutions before that date. The decision to adopt the Code is voluntary but once adopted the Code is contractually binding on account institutions. The new Code followed a discussion paper released in July 1999 and a draft Code document released in January 2000. Further information is available at http://www.asic.gov.au

The old EFT Code of Conduct provided consumer protection for transactions initiated by an individual through an electronic terminal using an EFT card and a PIN and was effectively limited to ATM and EFTPOS terminal transactions. The old Code will cease to operate when the new Code comes into effect.

The new expanded Code has a much broader scope. It covers:

  • All means of remote access to accounts, for example, telephone, Internet, kiosk, television.
  • All types of access methods, for example, magnetic strip card, chip card, customer ID number, password, PIN, digital signatures and biometric identifiers.
  • Credit card and charge card payments by telephone and over the Internet.
  • Transactions involving the use of stored value facilities, including stored value on chip cards and digital coins used for Internet payments.
In addition, the range of bodies to which the Code is directed has been broadened. The old EFT Code was directed to EFT card issuers (essentially the conventional depository financial institutions). Although these bodies will continue to be the principal category of subscribers to the Code, Part A (which deals with remote access to accounts) now covers "account institutions", which include all bodies that maintain accounts that a customer can transfer funds from or to using electronic equipment. This could include organisations such as Telstra, Australia Post and large retailers. However, to avoid catching every retailer's customer account, Part A does not apply to payments from "biller accounts" to pay the biller for goods or services provided by the biller to the customer, for example, a retailer's store account, which affords trade credit to customers but does not permit payments to third parties.

Part B of the Code applies to stored value operators - organisations that issue stored value facilities (stored value cards) or that agree to make payments initiated by a user with a stored value facility. These organisations will often hold the real money that is paid by a user in exchange for the stored value. 

Part C of the Code deals with privacy, electronic communication and administration matters.

As noted, the decision to subscribe to the Code is voluntary, so it is up to each account institution or stored value operator to decide whether to subscribe to it. Almost all the depository financial institutions subscribed to the old EFT Code. There has been a lengthy process of detailed consultation with industry and user stakeholders in the formulation of the expanded Code of Conduct and it is expected that practically all account institutions and stored value operators will subscribe to the new, expanded EFT Code. 

Some of the main features of the new, expanded Code are discussed below.

Remote Access To Accounts

Part A imposes obligations on account institutions to make their terms and conditions and general information on EFT transactions available to users. Notice needs to be given of certain changes to charges and terms and conditions of use. Receipts must be provided for EFT transactions, but the form and content will vary according to the medium by which the transaction is conducted. A telephone EFT transaction requires a receipt number and less detail than an ATM or EFTPOS transaction. Periodic statements must be supplied at least every six months but account holders may request more frequent statements.

Unauthorised Transactions

An account holder is liable for losses resulting from unauthorised transactions only in three circumstances:
  • Where the account institution can prove that the user's fraud, or the user's breach of certain security requirements relating to the user's secret codes, contributed to the losses.
  • Where the account institution can prove that the user contributed to the losses by unreasonably delaying notification of the misuse, loss or theft of a device or of a breach of the security of secret codes (such as a PIN or password).
  • Where a secret code was required to perform the transaction and neither of the first two circumstances applies, the account holder is liable for no more than $150 of the losses.
The security requirements mentioned above are that the user must not:
  • Voluntarily disclose one or more of the secret codes to anyone.
  • Indicate one or more of the secret codes on an access device or keep a record of one or more of the secret codes (without making a reasonable attempt to protect the security of the code records) such that they are liable to loss or theft simultaneously.
  • After the new Code commences, self-select a secret code which represents the user's birth date or a recognisable part of the user's name after having been warned by the account institution not to select such a code.
  • Act with extreme carelessness in failing to protect the security of all the secret codes.
Complaint investigation and dispute resolution procedures under the Code have also been revised.

Stored Value Transactions

Part B obliges stored value operators to provide users with terms and conditions of use and certain advance information on stored value products. Users must also be notified in advance of certain changes to charges and to terms and conditions.

Stored value facilities include stored value chip cards such as the Mondex or Visacash card and software that manages digital coins on the user's personal computer. Stored value operators must ensure that the stored value facility enables a user to ascertain the amount of stored value available for use at any time.

Users have the right to require a stored value operator to exchange the stored value for the equivalent amount of money, or a credit towards providing replacement stored value, for example, the remaining stored value on a card plus a cash contribution may be used to get a new card. A stored value operator may charge a reasonable fee for these exchanges unless the stored value facility is no longer able to be used to make a payment, for example, because it is defective or the amount of value left on the facility is less than the minimum amount required to make a transaction or that value has expired.

Depending on the technical features of the system, a stored value operator may have to provide a way for the user to notify the operator of the loss or theft of a stored value facility. A stored value operator may also have to pay the user the amount of stored value that could have been "frozen" after the notification.

Privacy, Electronic Communication and Administration

Part C contains provisions obliging Code subscribers to comply with the National Privacy Principles in the Privacy Act 1988. Some guidelines are provided on the application of the principles to EFT transactions. 

Electronic Communications

Part C of the expanded Code permits users and Code subscribers to agree that Code subscribers can provide by electronic means any information (including changes to terms and conditions and charges) to a user's nominated electronic device or address, or by making it available at the Code subscriber's electronic address for retrieval. The user's agreement must be informed and be given by a specific positive act (e.g. clicking "I Agree") after receiving an explanation of the implications of such an act. Users may vary their electronic device or address or terminate the agreement by notice to the Code subscriber.

Provisions are made for dealing with overlapping requirements for disclosure under the Code and legislation, for example, the Financial Services Reform Bill 2001. ASIC will have certain powers to modify the application of some provisions of the Code in relation to Code subscribers or prospective Code subscribers after a process of consultation with relevant stakeholders, including user representatives.

Conclusion

The new EFT Code represents a substantial expansion of the old EFT Code and should provide world-best practice protection for consumers in a technology-neutral form for a wide variety of EFT and stored value products.

The close involvement of industry and user representatives in the drafting of the Code is likely to ensure a high degree of adoption by financial institutions and other organisations as a way of enhancing customer confidence in the wide array of new payments technologies that are being offered, and will be offered, to consumers.

About the Author: 
Mark Sneddon, partner, e-commerce and privacy at Clayton Utz, Melbourne (msneddon@claytonutz.com). Mark was a member of the ASIC EFT Working Group and drafted the Code.


Reprinted from the May 2001 issue of PC Update, the magazine of Melbourne PC User Group, Australia