ASIC has made changes to the ePayments Code following its interim review and industry consultation..
What is the ePayments Code?
The ePayments Code is a voluntary code of practice that regulates electronic payments. It applies to electronic transactions (eg. ATM, EFTPOS, credit and debit card transactions, online payments, and internet and mobile banking) by an individual who holds or uses certain facilities.
Subscribers must provide certain information to holders and users of payment facilities and follow specified processes in relation to unauthorised transactions, mistaken internet payments and complaints.
On 2 June 2022, ASIC modified the ePayments Code so that it now covers payments made using the New Payments Platform. It also made a number of other changes in relation to compliance monitoring and data collection, mistaken internet payments, unauthorised transactions, complaints handling and facility expiry dates.
The changes follow the release of ASIC Report 718: Response to submissions on CP 341 Review of the ePayments Code: Further consultation (REP 718) on 7 March 2022. ASIC noted in REP 718 that its aim was to address in the interim some of the key issues arising from stakeholders' submissions, ahead of further work to produce a mandatory Code.
Some of the more notable changes include:
Compliance monitoring and data collection
- the obligation on subscribers to report annually to ASIC on unauthorised transactions has been removed;
- ASIC’s power to monitor and obtain information from subscribers has been expanded. ASIC may now conduct targeted surveillance of any ‘matters relevant to subscribers’ activities relating to electronic payments’.
Mistaken internet payments
- the definition of "mistaken internet payment" is now accompanied by a note which seeks to clarify that it is not intended to cover situations in which the user transfers funds to a recipient as a result of a scam;
- if a sending ADI is satisfied that a mistaken internet payment has occurred, it must send a request for the return of funds as soon as reasonably possible and no later than 5 business days from the time of the user's report; and
- both the sending ADI and the receiving ADI must keep records demonstrating the steps they took to comply with the mistaken internet payment obligations of the Code.
- it has been clarified that an unauthorised transaction occurs only where a third party has made the transaction without the consumer's consent, not where the consumer has made the transaction themselves. These updates clarify the liability of subscribers and account holders or users for unauthorised third party activity on their accounts;
- it has been clarified that the Code provisions dealing with the allocation of liability apply in addition to any other processes or rights available through a card scheme's chargeback rules.
When do the changes take effect?
The transition period for the updated Code started on 2 June 2022. Subscribers must comply with it by 2 June 2023.