ASIC updates the ePayments Code: and further changes are on the horizon

Steven Klimt, Craig Hine and Jason Shailer
24 Jun 2022
Time to read: 2 minutes

ASIC has made changes to the ePayments Code which subscribers must comply with by 2 June 2023. The Code is still voluntary and does not extend to small business, but more changes are coming.

ASIC has made changes to the ePayments Code following its interim review and industry consultation..

What is the ePayments Code?

The ePayments Code is a voluntary code of practice that regulates electronic payments. It applies to electronic transactions (eg. ATM, EFTPOS, credit and debit card transactions, online payments, and internet and mobile banking) by an individual who holds or uses certain facilities.

Subscribers must provide certain information to holders and users of payment facilities and follow specified processes in relation to unauthorised transactions, mistaken internet payments and complaints.

What's changed?

On 2 June 2022, ASIC modified the ePayments Code so that it now covers payments made using the New Payments Platform. It also made a number of other changes in relation to compliance monitoring and data collection, mistaken internet payments, unauthorised transactions, complaints handling and facility expiry dates.

The changes follow the release of ASIC Report 718: Response to submissions on CP 341 Review of the ePayments Code: Further consultation (REP 718) on 7 March 2022. ASIC noted in REP 718 that its aim was to address in the interim some of the key issues arising from stakeholders' submissions, ahead of further work to produce a mandatory Code.

Some of the more notable changes include:

Compliance monitoring and data collection

  • the obligation on subscribers to report annually to ASIC on unauthorised transactions has been removed;
  • ASIC’s power to monitor and obtain information from subscribers has been expanded. ASIC may now conduct targeted surveillance of any ‘matters relevant to subscribers’ activities relating to electronic payments’.

Mistaken internet payments

  • the definition of "mistaken internet payment" is now accompanied by a note which seeks to clarify that it is not intended to cover situations in which the user transfers funds to a recipient as a result of a scam;
  • if a sending ADI is satisfied that a mistaken internet payment has occurred, it must send a request for the return of funds as soon as reasonably possible and no later than 5 business days from the time of the user's report; and
  • both the sending ADI and the receiving ADI must keep records demonstrating the steps they took to comply with the mistaken internet payment obligations of the Code.

Unauthorised transactions

  • it has been clarified that an unauthorised transaction occurs only where a third party has made the transaction without the consumer's consent, not where the consumer has made the transaction themselves. These updates clarify the liability of subscribers and account holders or users for unauthorised third party activity on their accounts;
  • it has been clarified that the Code provisions dealing with the allocation of liability apply in addition to any other processes or rights available through a card scheme's chargeback rules.

When do the changes take effect?

The transition period for the updated Code started on 2 June 2022. Subscribers must comply with it by 2 June 2023.

More changes to come

Notably, ASIC has described the changes as an ‘interim measure’ in preparation for further work to produce a mandatory Code in the near future.

Currently, the Code is voluntary and subscribers to it must undertake to comply with it by contract with its customers. However, work is being done to develop and implement a legislatively mandated Code. On that basis, ASIC indicated in REP 718 that it is more appropriate that more significant policy issues be considered further during the process of developing and implementing a legislatively mandated Code. A particular issue flagged for further consideration at that time was the proposed extension of the Code to small business.

We anticipate more significant changes to the Code.

Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.