
Big money, smart criminals: are NZ's banks and regulators doing enough to keep us safe from scammers?


New Zealand banks are under fire for failing to protect customers from financial frauds, with losses from scams estimated at close to $200 million a year.

Despite the increasingly large sums involved, and worries that what is reported is only a fraction of the financial damage being done, New Zealand banks haven’t followed moves in the United Kingdom or Australia to shield consumers from fraud, and criminals are exploiting systemic and regulatory gaps to target New Zealanders, critics say.

Government cybersecurity information service Computer Emergency Response Team (Cert NZ) reported on Tuesday that financial losses as a result of cyber crimes rose a staggering 66% in the first quarter of 2023.

Cert NZ reported financial losses amounted to $6m in the quarter, and “scams are on the rise”, increasing by 23% from the last quarter of 2022. It said 16 people lost over $100,000 in the first quarter of the year to scammers.

Cert NZ is one of the NZ regulators involved in protecting New Zealanders from financial cyber crimes, Commerce Minister Duncan Webb said.

The Financial Markets Authority (FMA) provides “guidance and information to consumers on scams” including issuing warnings, the Commerce Commission enforces fair trading requirements with powers to investigate traders who undertake fraudulent activities, and the Ministry of Business, Innovation and Employment's Consumer Protection unit provides guidance and information to consumers on their rights, and maintains the ScamWatch Facebook page.

The Reserve Bank is responsible for prudential bank supervision, including regulating and promoting a “sound and efficient” financial system. Cyber risks represented a “significant source of operation risk”, and it had been taking action to improve cyber resilience of the institutions it regulates, the Reserve Bank says.

Who's taking the lead?

In terms of regulating how banks respond to fraud, and the NZ bank payments system which commentators say is ripe for scams, it appears no single regulator is taking the lead.

Webb did not directly answer which regulator should be ensuring banks are protecting consumers from frauds and scams. He said staying safe from scams "was a partnership" between banks and consumers.

"It’s essential banks and consumers each play their part to mitigating the risks scams present. Scams are increasingly sophisticated and consumers in New Zealand have experienced financial losses as a result."

He said it was critical for banks to take all necessary steps to protect customers, but it remained important for individuals to be vigilant and to mitigate any risks they identify.

"New Zealanders should take a cautious approach when providing their personal details and banking information."

The banks say much the same; that the power to halt fraudsters rests with consumers.

They say cases where customers made payments to criminal groups even after their bank warned them not to show that even when banks do intervene it is not necessarily enough, and that consumers must be more cautious when making payments. They say they are working with regulators and telecommunications firms, for example, to combat scams, and are investing in fraud protections.

In response to the same question, the FMA said there was no single regulator for retail payments systems in NZ, as there is in the UK.

It said in an emailed statement that it engaged regularly with the banking industry as part of its supervision of banks’ licensed activities (such as provision of financial advice, derivatives, manager of managed funds) and more generally in its role as a conduct regulator.

The FMA is set to see its functions expanded in March 2025 under the Conduct of Financial Institutions regime, which includes a “fair conduct” provision which means financial institutions such as banks would need to pay "due regard" to consumers' interests, act in good faith, and assist them to make informed decisions.

Not doing the basics

Personal finance commentator Janine Starks said NZ banks had failed to invest in basic anti-fraud measures, such as cross-checking account names with account numbers, and the only change that would force them to improve was making banks liable for fraud losses.

Cross-checking names with account numbers for transactions was introduced in the UK in 2020.

On June 7 this year the UK payments regulator went even further, announcing UK banks had to repay fraud victims tricked into sending money to scammers within five days.

The big four Australian banks hold the majority of the banking market in New Zealand through ANZ, BNZ, Westpac and ASB.

In April, the Australian Securities and Investments Commission (ASIC), Australia’s equivalent financial services regulator to the FMA, released a critical report which found the big four Aussie banks only detected or stopped about 13% of scam payments.

ASIC found bank customers overwhelmingly bear the cost of scam losses, with low reimbursement and compensation rates at between 2% and 5%. The scale of the losses to customers of the Australian big banks almost doubled from 2021 to 2022, ASIC found, with more than 31,000 customers losing more than A$558 million from scams between July 1, 2021 and June 20, 2022.

In May, the Australian Banking Association launched a Fraud Reporting Exchange platform which it said would help banks stop, and recover as much money as possible, when customers have paid scammers. 

Banking Ombudsman Nicola Sladden told Parliament’s Finance and Expenditure Committee in 2022 that bank-owned Payments NZ, which looked after the EFTPOS system, had been "exploring" a move to real-time payments which may have account number and name checking capability built in.

Payments NZ wouldn’t comment, directing questions to its bank shareholders. Changes were made to the system in 2023, with the introduction of seven-day-a-week payments in May.

Not cross-checking meant scammers could impersonate others, or money could be sent to the wrong person, Sladden said.

She said bank data suggested nearly $200 million a year in scam losses in NZ, well ahead of those reported to Cert NZ, and what her office was seeing “was just the tip of the iceberg”.

Sladden noted Australia and the UK had strengthened consumer protections against financial scams, “making it timely for policy-makers to review protections here”. ASIC updated its e-payments code governing electronic transactions after a review in 2022, beefing up protections for consumers and pushing banks to help customers recover money transferred in error.

'A valuable measure as part of the industry’s wider approach to scam prevention'

ASB and BNZ, owned by Commonwealth Bank and National Australia Bank in Australia respectively, both said they would support moving to a standardised payments model such as in the UK to introduce name-and-account number checking. ANZ did not directly address the issue in its response.

ASB said it was important to note instances of fraud and scams had continued to increase in the UK despite this technology being introduced, however, "we see it as a valuable measure as part of the industry’s wider approach to scam prevention".

ASB said the NZ banking industry had strong communication channels in place already, and it didn't believe NZ needed a fraud reporting exchange.

BNZ said it would require a highly complex, standardised change across all NZ’s 27 registered banks. ASB said the best way to introduce name-checking would be through an "industry-wide initiative", where all banks confirmed account owners using a similar system to what had been introduced in the UK.

Webb said he was aware Payments NZ was working to modernise NZ’s payments system, including planned work to introduce a confirmation of payee system.

Text yes for fraud

It's the authorised push payment frauds the UK is targeting by putting the financial liability right back on the banks, Starks said. 

In NZ, banks are usually not found liable for losses where someone has sent the money themselves, Starks said. When a consumer makes the payment, it's called an authorised payment scam.

Starks said the focus on unauthorised scam payments must change, pointing to a recent case which garnered media attention.

In May an Auckland scam victim came forward, ensnared by a faked term deposit offer purportedly from the US bank Citibank N.A., which the FMA warned about in the same month.

Backed by an elaborate web of faked bank sites, LinkedIn profiles using real Citi employee names, texts, calls, a detailed prospectus and online portal, the BNZ customer transferred $100,000 to a “Citibank” account – at ASB.

Starks said name and number checking could have prevented this fraud, and even worse, the fraud involved transactions across two NZ banks, with the ASB account used as a "mule" to shift the money.

The author said NZ banks should be forced to repay money scammed from their customers to incentivise them to take fraud prevention more seriously, such as in the UK.

The victim agreed with Starks, telling the NZ Herald the Citibank-branded invoice with an ASB account should have triggered the bank’s suspicion. She alleged she was not questioned about the $100,000 transfer.

NZ banks are being targeted by criminals, Starks said. She predicted they would likely change up their scam to keep it going, for example faking a NZ bank brand. Scammers were finding success within NZ's banking system, Starks said, making increased scam efforts worthwhile.

'A disproportionate level of caution'

ASB said this was a complex regulatory issue and it was seeing a range of different approaches from governments around the world.

"Ultimately it is for our Government to determine its approach to fraud and scams, but we believe the primary focus of any regulation should be on preventing money getting to criminals. The overwhelming majority of payments are not scams and moving to a model similar to that in the UK is likely to lead to a disproportionate level of caution, resulting in complexity and delays for customers making legitimate transactions."

ASB said while making banks liable may limit some instances of fraud, it was unlikely to lead to a positive overall customer experience and "we need to be careful not to erode the rights of New Zealanders when it comes to their own money".

Webb said the liability and reimbursement for victims of scams and fraud was complex, and would need to be carefully considered.

Starks also said the current Banking Code of Practice was too weak in terms of consumer protection, and the Banking Ombudsman needed wider powers to find against the banks when financial scams were perpetrated against their customers.

The NZ Banking Association has not responded to requests for comment.

What the banks are doing

ANZ said it was investing record amounts in fraud protection, “including on the latest biometric technology which we plan to have in market next year”.

It is understood the bank may have signed a deal with tech company BioCatch, which uses biometric data to identify fraudulent behaviour.

ASB said it had a number of systems and processes in place to help prevent fraud and protect its customers, and it was continually working to improve its ability to mitigate this activity through a combination of technology investment and ongoing training for teams who work in these areas.

"We have a multi-year investment plan which includes enhanced machine learning capability, as well as implementing other improvements such as behavioural biometric monitoring which can be used to flag any customer activity that differs from usual. BioCatch is one company that offers this kind of technology, but not necessarily the company we will use."

BNZ said it was always open to new ideas to tackle scams and would continue to collaborate with others to protect customers' money.

"For example, over the past year we’ve been working with New Zealand’s three largest telcos to stop scammers based overseas from spoofing our 0800 number. To date, through this work we’ve been able to reduce the cases of BNZ’s number being spoofed by 50%."

BNZ said scams were increasingly sophisticated and ever changing, and tackling this complex challenge required a collective approach, involving not just banks, but also government, regulators, police, telcos, and technology providers.

Banks, and NZ regulators, warn people to be wary of red flags from scammers like unexpected phone calls, text messages and social media interactions.

*This article was first published in our email for paying subscribers. See here for more details and how to subscribe.


7 Comments

My bank already has my money and a good deal of information on spending habits that they can harness. They won't be getting any of my biometric data thank you very much.

Up
2

That does sound like a step too far to me also. Are the banks allowed access to your health records? How is biometric data any different? This needs to be nipped in the bud asap.

Up
2

Hi Rebecca, Bitcoin is up 78% since your article in November. Can we expect another write-up regarding the Blackrock ETF soon?

Up
0

Still waiting for my bank to start using 2FA correctly, and I do not mean texting numbers to my phone.

We all know that is not the best solution.

Up
1

Might be time to switch banks.

Up
0

"we need to be careful not to erode the rights of New Zealanders when it comes to their own money".

Really?  What happens when we all are forced to use the CBDC then?

All New Zealanders will instantly lose all independent control of their own funds

Up
0

BNZ told me that the VISA card scammer on my account was between me and the VISA people. I told the chap that I got through to after doing admin for 45 minutes with the speakerphone on that the card has BNZ VISA written on it, and if the money was not reimbursed to me overnight I would write up an article, with his name in it, and put it on my blog with a few thousand followers and also send it to quite a few media people. I told him that if BNZ pick incompetent and crooked people to be their business partners, it was not my concern. I then hung up. The money went in overnight. When I got around to closing my BNZ accounts and shifting everything to my Kiwi owned bank, the woman (adult human female) at the BNZ said, "I don't know why anyone banks with us!"

Banks are just bullies, who need to be bluffed and out bullied to make them behave honestly. That is the only way.

Up
0