Banks' practices

I heard on the ABC NewsRadio (16 May) that Banks announced a ‘crackdown’ on scams that cost Bank customers millions each year – (really? How?) … But does it help the situation if Banks do not ensure that money transfers are at least, being made to correctly named BSB and Account holder Names? Am I right in saying that this is somewhat hypocritical, given the following? …

I have seen a paragraph on more than one Bank’s Electronic Transfer Forms and online banking screens, giving a warning : (the wording varies, but this is my bank’s version from the online banking screen, before one finalizes the transfer :

"It is your responsibility to ensure that the account details you provide are correct. If you enter or select an incorrect BSB or account number, your payment may be unsuccessful or funds may be sent to the wrong account and it may not be possible to recover the funds from an unintended recipient. (This Bank) does not match, verify or check the account names and numbers and relies solely on the account number details to process payments.

It goes on to say that any mismatch means the Payee may not be able to retrieve their funds. (they may as well just declare …“we don’t provide assistance to you in this way”).

Needless to say, there is NO BENEFIT to the Payee in making a mistake: so any mistake will be just that – a mistake.

One of the widely assumed purposes of using a Bank, among other things, would be to facilitate the transfer of funds efficiently and safely – is it expecting too much to assume that Banks HELP (ie do what they can) to detect any errors in the process?

In general, most organisations’ boring, tight security and “ID” procedures often slow our day down somewhat – appearing long-winded and going way beyond what is reasonable. For Banks to more or less say, ‘BEWARE - WE DON’T CHECK YOUR ACCURACY’ seems ‘a bit much’. It doesn’t serve anyone’s interests except their own.

Spelling is paramount, but if we so much as add or forget to add a middle initial in our Passports, things will stall unpleasantly.

Solutions :

Would it be too much to ask that Banks write into their Computer processing software , that any mismatch be flagged for closer scrutiny? [God forbid, this means they must have a real person examine cases thrown up as mismatches]. Yes, there will be many, but should this not be part of Banks’ service to customers, whether they like it or not? I’m sure they could devise a way of charging a fee for sorting it out. That would be fair enough and without any great cost, someone learns from the error.

If this is not acceptable, then have the system reject it and “return-to-sender” until the customer gets it right (like errors with Usernames & Passwords).

To me, insisting that the full responsibility rest with customers ‘not to make mistakes’ is nothing more than cost-cutting, when Banks should be offering to do more, not less, to ensure a legitimate, smooth Funds Transfer process – at their cost, rather than ours.

When I questioned this ‘disclaimer’ paragraph in person, declaring that it seemed to be a strange, “lazy” and counter-intuitive statement from the Banks, I was given the explanation by one Branch Manager, that 'it is for your safety’For this to make any sense at all, we would have to conclude that the real meaning is more like …

‘the Bank will take (this rather serious) short-cut in transferring your Funds, so please don’t make a mistake, because we won’t detect it –meaning you’ve probably done your money’.

It seems highly improbable to me that Banks would be allowed to get away with such nonsense if this issue were better highlighted for customers’ or indeed Government, scrutiny.

Unashamedly more concerned with the Interest rates they CHARGE rather than pay out, it is widely known that Banks are not quick to raise Deposit Interest Rates when official interest rates rise. The Government has called them out more than once on this issue, only weeks ago summoning the Banks to account for this, in Canberra.

Customers like you and me provide a major source of the funds Banks use to make their obscene profits. If Banks refuse to even match a Name with an Account Number & BSB for those of us making a transfer of money, it is a sure sign that, like many commercial organisations in this computer-reliant age, they’re always looking for ways of doing less and less for us, that contribute any amount to their costs.

Vince

3 Likes

The banks have had in place for some time a more secure money transfer method using the New Payments Platform.

They would love more of their customers to start using it, rather than keep using the unsafe ‘pay anyone’ that you complain about.

Perhaps the Gov or RBA could help the banks by banning pay anyone transfers. That would force businesses to set up for NPP.

1 Like

Thanks mate: where would I find this? (doesn’t appear to be an option on online banking screens)…
VC

2 Likes

It would be called something like ‘PayID’. But using it to send money depends on the other end setting up a payid. It is slow on the uptake, but that is the fault of payees, not the banks.

1 Like

ING only shows that as an option when selecting a new payee during ‘pay anyone’.

Selecting ‘pay anyone’ shows a button for ‘new payee’ and selecting ‘new payee’ shows a ‘payid’ option.

There inexplicably does not appear to be a way to add a payid to an existing address book entry nor to associate an address book entry with a payid.

Strangely ING also promotes the use of payid while seemingly making it as difficult to use as they can.

1 Like

How would that be done? What are they going to check against? The bank’s records will know if the combination of BSB and account number are valid but that doesn’t help stop scams as presumably to steal your money scammers will supply a correct combination of those.

I agree that banks need to step up and do more but it isn’t as if they have left big holes in their systems that could be plugged easily.

There was a case in the news recently about a person who was scammed who relayed 31 authentication codes to the scammers over a period of 4 hours allowing them to grab over $300,000. Against that much misplaced trust what should the bank do?

If you keep adding more layers of authentication the next thing customers will be complaining that it is too cumbersome and time consuming and all they wanted to do was send a birthday present.

Find out who architected that and tell them to do it properly. My bank clearly separates transfer by pay anyone using bsb and account, and PayID using I presume OSKO.

1 Like

Nobody seems willing to admit it was architected or if it was that they did it :rofl:

3 Likes

I also read this and was lost for words.

Scammers have moved on from the UK introducing account name matching. Many successful scams now involve taking over a personal computer using remote access software. As such, account name matching becomes irrelevant as the scammers transfer monies out of an account, not the account holder. Account matching has zero effect in such cases and is a bit of a red herring to try to blame the banks.

Removing multiple instantaneous bank transfers like that planned in Australia may reduce number of successful transfers where a victim identifies they have been scammed soon after it occurs. It won’t stop all transfers to scammers/criminals.

Even with restricting transfers, the scammers will find a way to get around this one as well.

Now that is the total opposite of what the New Payments Platform is all about. Real time money transfer, with authenticated payee. And it is not planned. It has been around for five years and every major and minor bank that I know of supports it.

Apologies, I forgot to add the word multiple. What is proposed includes…

The ability to, where possible, halt multiple fraudulent transactions taking place as part of the same scam

Which is removing ability to carry out multiple instantaneous transfers. I have corrected the earlier post.

More information can he found here:

1 Like

This topic has been discussed numerous times in this forum. I recommend that you review those existing discussions.

Just putting it out there but (if we try to breath new life into an obsolete payment mechanism i.e. paying by BSB and account number - just stop it already) one different approach on this would be to require all banks to introduce a check digit or other redundancy into the account number (as well as perhaps standardising the length of the account number).

The cost of this would be that
a) every single account number would change (become longer and less wieldy), and
b) all existing paying arrangements would break.

This could be partially mitigated by simply adding the check digit(s) to the end of the existing account number.

This would stop accidental errors (which may be what the OP was concerned about) but will not help with scams.

This avoids having to go down the fraught road of checking the name against the BSB and account number.

I believe that the actual change announced was a new inter-bank communication system so that if a customer complains about a fraudulent transfer, it is possible to react more quickly to stop the funds moving out of Australia / out of the banking system. (I doubt that this will ever be really effective. This might even fall into the category of “theatre”.)

Surprisingly, with the proposals coming from some of the more excitable members of the Australian community, there would be a benefit in making a “mistake”.

Which is what I suggest in this forum each time this topic comes up - or, more accurately, I suggest that the government forces banks to have an end-date for when “pay by BSB+account number” will be accepted.

:+1:

Exactly what I was going to cite. (Banks must be tearing their hair out with the gullibility of some customers!) But bottom line is that all the BSB+account numbers used in this scam (30 x $10,000 transfers, or similar) must have been completely, exactly correct - and would still be correct even if the corresponding account name were being checked.

One small way that the government could improve things for this scam is change the law around how foreigner accounts are handled once the person leaves Australia.

That particular scam would also he helped by having authentication in the phone system (for all calls, not just overseas calls).

It might have prevented those particular accounts being used, but wouldn’t potentially stopped scam monies exiting through ‘legitimate’ bank accounts as evidenced here:

Many of us have received spam emails or social media adverts about making $1000s per month from home. Yes, $1000s being a money mule. Unfortunately making ‘easy’ money attracts victims which assist in perpetuating the scam.

It is extremely challenging environment as the scammers appear to be at least one step in front of systems to prevent scams. A door is shut and another opens.

I recall hearing something recently on why Australians are targeted. One of the reasons is Australians have moved by mass online including online banking. This means vulnerabilities in the system (Australian banking customers using online banking) are easy to scam/exploit. It would be good to remove the weakest link, but that may mean the end of online banking.

1 Like

It’s not only the customer who needs to be more careful?
Something we may have all done at one time in the past, and why it’s high risk relying on email communication for payment details.

Should Choice and the Community expect more of professional services when dealing with large amounts of money?

Unfortunately there are too many users of digital communications who do not realise email security is not assured.

In this instance one would wonder about the actions of the Conveyancer. In some states/territories they may be a qualified lawyer, hopefully with heightened security. It’s a broad issue? In recent years we’ve also had property dealings with Real Estate Agencies which seem not to understand the risks of providing account payment details through emails.

2 Likes

Very broad indeed. it is amazing how many businesses as well as at least one known foreign government department that send and ask to receive very personal information by email willy nilly. The alternative is post that fails the time sensitive test as well as it being as secure as [?] or the venerable fax that is rarely if ever acknowledged and is thus a black hole. There ‘ought to be a law’ that any organisation sending or receiving personal information should as a minimum have a secure upload/download facility under their URL. Scammers still would get a few careless or clueless types with ‘look-a-like’ web sites or persuasive phone calls but it would be a step. The latter admittedly being a learning curve for some demographics and the ‘device and access’ for others - but our banking world is making both imperative already.

2 Likes

When we last moved house a few years ago, almost everything associated with conveyancing was sent by express post including payment details. The only things sent by email were search results as they wouldn’t have potentially been received in the period before the contract went conditional.

I suspect that emails were not captured on route, but email servers hijacked by scammers. We receive about 5-10 scam emails a week phishing for email credentials. They are usually in the form of an email advising that some emails are held from sending/receiving because of some concocted reason, email account suspended due to some reason and the list goes on. A compromised email server allows for redirections and sending of emails.

If it is a compromised email account/server, it possibly raises the questions of who is ultimately responsible and assisted in the facilitation of the scam.

2 Likes

:slight_smile: Not in my experience. Legal practices can be stuck in the digital dark ages.

For the record, for property purchase payments, the advice is always to phone up, using an independently verifiable phone number, and confirm the BSB and account number before paying.

One phone call would have saved these homebuyers $200,000+. This is likely to be the largest purchase that most people will make - so just phone up already.

If for some reason phoning up is not possible then it is better to get the BSB and account number from the web site of the conveyancer / legal practice, rather than relying on the contents of email.

Verification of the account name by the bank would not necessarily have saved these homebuyers. If the BSB and account number can be altered then so can the account name - and the account name is not always obvious e.g. due to “trading as”, “franchise”, etc. etc. etc.

However clearly for the amount of money involved, the infrequent nature of such a transaction for any given customer, and taking into account the potential to delay the transaction1, it would be justified requiring the bank to verify the account name.

1In other words, if this is the settlement payment and the payment bounces because you had a slight error in the account name then you may get served with a notice to complete and you may be subject to financial penalties but those penalties will be much much smaller than the loss of the entire settlement amount to a scammer.

Or more likely email credentials obtained by scammers, as you also suggest.

The scammer.

One complication is that the compromise can be at the buyer’s end i.e. the buyer’s email credentials have been obtained by the scammer or the buyer’s computer has been compromised. So if you want to direct blame away from the scammer then you, as the buyer, would have to prove that your own account and your own computer are not compromised. If the scammers are any good, they won’t seek to leave traces that would make it easy to decide one way or the other.

A really good scammer could even alter the email back to the correct contents after you have made the payment to the scammer via the bad BSB and account number.

Just as a PS to this … it should be highlighted that … if you are going to make large electronic payments relating to the purchase of property then PayID is better than BSB and account number. If you use PayID then you will be shown the destination account name. This at least allows you to pick up obvious cases of fraud or might cause you to check more carefully.

I would go so far as to say that if you use BSB and account number and you are defrauded in the way described in the article or in a similar way then the bank should have zero liability. You can fight it out with the party whom you were paying.

Possibly, but in my experience very aware of the risks and how to ensure safe transfers. Which leaves it up to less aware consumers to learn which questions to ask and what not to accept? :wink:

In property matters our greater concerns have arisen from the dealings with Real Estate Agencies. I’ve yet to deal with one that has a secure portal in place as an alternative to direct email of any and all documentation. For whom in person on paper is how it needs to be.

Of course even the use of a secure portal relies on having a secure logging in procedure. Plus effective IT management and maintenance of the portal/product. Not that a printed document can be without error. Fraud however most likely requires the direct hand of someone in the business.

1 Like