NZ banks stepping up moves to protect customers from scams with reimbursement for victims of up to $500k, but warn they can't take on full liability for scam losses beyond their control

Banks are rolling out a range of responses over the next seven months that aim to better protect their customers from scams.

Bank lobby group the New Zealand Banking Association (NZBA) said five commitments are being introduced to the NZ Banking Associate Code of Banking Practice. These include the previously announced Confirmation of Payee service for customers to check the name of the person they're paying matches the account number.

The other four are;

• pre-transaction warnings to consumers based on the payment purpose.
• identification of and response to high-risk transactions or unusual account transaction activity, and the ability to block or delay transactions in some cases.
• providing a 24/7 reporting channel for customers who think they’ve been scammed, and responding to protect accounts.
• sharing scammer account information with other banks to help prevent criminal activity, and freezing funds where appropriate.

The Code of Banking Practice amendment, and the new measures, will come into force on November 30. NZBA says the time lag is to allow banks time to get the protections in place.

NZ banks have been criticised for responding too slowly and not doing enough to combat a rising wave of scams in recent years. A report from Netsafe and the Global AntiScam Alliance released last November, which surveyed 1,071 people, estimated New Zealanders suffered annual losses to scams of about $2.3 billion.

Following an inquiry by Parliament’s Finance and Expenditure Committee into banks’ processes and consumer protections against scams in 2023, in February 2024 previous Commerce and Consumer Affairs Minister Andrew Bayly asked banks to come up with a voluntary reimbursement scheme for customers who have been scammed.

In September last year NZBA announced a series of anti-scam initiatives including; introducing the confirmation of payee service, supporting the establishment of a centralised, co-ordinated, multi-sector Anti-Scam Centre, and removing weblinks from texts to customers.

Reimbursements of up to $500,000

Commerce and Consumer Affairs Minister Scott Simpson said banks had now responded to the Government’s expectation to better protect customers from scams by introducing stronger safeguards and a compensation scheme.

"New commitments from banks mean that if a bank fails to adequately warn and protect a consumer from a scam, they will reimburse the victim up to $500,000," Simpson said.

"This is an important win for bank customers, who have been advocating for some time for better recognition from banks of the role they play as the final gate between a consumer and a scammer."

"Banks will also take a more active role in preventing scams, by participating in information sharing agreements across industry and government and educating people. Stopping scams before they happen is the best strategy," said Simpson.

"I have been clear with banks that the journey doesn’t stop here. I expect banks to continue to prioritise security and adapt to the ever-evolving scams environment...I have made similar expectations clear to telecommunications companies and digital platforms and look forward to progressing a cross-industry approach with them."

NZBA said if a bank fails to meet the five new scam protection commitments, it'll compensate all or part of the loss for eligible customers. Additionally banks will "retain the discretion" to pay compensation beyond what is set out in the Code of Banking Practice if they consider this appropriate.

Banks 'can't take on full liability for scam losses beyond their control'

NZBA Chief Executive Roger Beaumont said whilst banks are stepping up customer protections and will be accountable for those measures, "they cannot take on full liability for scam losses that are beyond their control" and may, for example, start with a fake ad or chat on social media, or a fake search engine result.

"Consumers are also encouraged to take reasonable care to protect their banking," Beaumont said.

The November timeframe "reflects the considerable time and effort" needed to put stronger customer protection measures in place across more than a dozen banks, he added.

"Banks will use this time to ensure the new consumer protections work well from the start. That includes designing and implementing changes to each bank’s systems, processes, and staff training, alongside other change priorities. The updated Code of Banking Practice will go live on 30 November 2025 once all the new measures are in place."

Meanwhile, Beaumont said banks are calling on telcos, social media companies and global technology platforms to introduce their own scam protection measures.

Neither Simpson nor NZBA's announcement mentioned any progress towards the introduction of an anti-scam centre.

NZBA provided the following examples of how the new scam loss compensation approach will work.

Example One | Investment Scam (Full compensation) 

A customer searches investment rates online and receives a call back after entering their details into a website. The customer has many interactions with the scammer and agrees to pay $100,000 to a domestic bank account for a 6-month term deposit. The customer initiates the payment online and does not have a history of paying large amounts in this vicinity.

The bank fails to identify the transaction as high-risk (high transaction size to a new payee, with a self-identified investment purpose), and does not respond appropriately to the payment. 

The bank will compensate the customer fully, as it failed to meet its commitments, and the customer’s interactions suggest they took reasonable care when deciding to make the payment.  

Example Two | Bank Impersonation Scam (No compensation) 

A customer is contacted by a spoofed number purporting to be the customer’s bank. The bank has previously notified the relevant telco of the spoofed number, but the telco delayed any blocking activity. The impersonator claims the customer’s account is at risk and that $50,000 must be moved urgently to a safe account. The customer is coached through making the payment online. 

The bank does not provide an educational warning about the scam risk, because the customer is coached by the scammer to select a payment that does not trigger the warning.  

The bank provides a correct Confirmation of Payee check response of “no match”, but the customer pays anyway after being coached. 

The bank identifies the transaction as high-risk and responds appropriately by calling the customer to discuss the payment and provide warnings. The customer pays anyway after being coached by the scammer that the bank staff member is involved in the threat. 

In this case the bank met all its scam protection commitments. The bank:

• Did not need to provide an educational warning before the payment because the customer provided a false payment purpose
• Provided a correct Confirmation of Payee response
• Identified the payment as high-risk and notified the customer
• Provided a 24/7 reporting channel for the customer (not used in this case)
• Shared information with the bank that received the payment about the use of a mule account (and there were no previous reported instances of that account being used as a mule account).

The bank will not compensate the customer, as it met all its protection commitments, and could not have identified the payment was a scam based on the information provided by the customer.

Example Three | Romance Scam (Partial compensation) 

A customer develops an online relationship with someone pretending to be a New Zealand celebrity. The customer makes several low value payments for various reasons to accounts provided by the celebrity. The celebrity asks for $50,000 for a particular activity, to be sent to the celebrity’s “business partner”. 

The bank provides a correct Confirmation of Payee check response of “no match”, but the customer pays anyway. 

The bank failed to identify the transaction as high-risk (high transaction size to a new payee). 

The bank will partially compensate the customer, as it failed to meet its commitments. The customer did not take reasonable care when deciding to make the payment by failing to respond to a Confirmation of Payee “no match” and accordingly is considered partially responsible for the loss.