In reflecting on the regulatory changes that have been implemented or proposed in 2023, a consistent priority has been protecting consumers from bad actors. The Federal Government has undertaken measures to introduce a whole of ecosystem approach to preventing scams. Australia's unfair contract terms regime has been updated to introduce civil penalties and give the framework significantly more weight.

At the same time, Australia's anti-money laundering and counter-terrorism financing (AML/CTF) regime is under review with the aim of ensuring Australia's international obligations are met and the regime is modernised and fit for purpose. Also during 2023, a topical case that affects the provision of services to customers has been delivered by the New South Wales Supreme Court.

While each regulatory development has its own standalone operation, there is a consistent thread running through them all – how to manage your obligations to your customer while meeting your regulatory obligations?

The Proposed Scams Code Framework

The Federal Government issued its "Scams – Mandatory Industry Codes" Consultation Paper in November 2023. That Consultation Paper proposed a Scams Code Framework (Scams Framework). You can listen to our podcast about that consultation here.

Risk assessment and mitigation

The proposed Scams Framework would introduce principles-based obligations in a manner similar to the approach required under Australia's AML/CTF regime. It would require businesses to:

  • undertake an assessment of their risk in the scams ecosystem;
  • develop, maintain and implement an anti-scam strategy based on their assessment of risk;
  • implement oversight at a senior level (such as Board or similar);
  • undertake ongoing review of the effectiveness of the strategy against the risk assessment; and
  • undertake ongoing monitoring and reporting of effectiveness to senior levels in the business.

Information sharing requirements

The proposed Scams Framework would require businesses to share and act on information to ensure that all businesses within the scams ecosystem have quality information to enable them to detect and prevent scams. This would include requiring businesses to share information with other businesses, as well as share information about individual scam instances in reports to the National Anti-Scam Centre (NASC) or other relevant regulators.

AML/CTF reform, fairness and case study

Modernising Australia's AML/CTF regime

The AML/CTF regime is currently the subject of consultation. You can read more about that consultation here. The reform is a key step in Australia's preparedness for its FATF Mutual Evaluation review. The consultation also considers updating the regulatory regime more generally to ensure that it is modernised, simplified and fit for purpose. We are waiting to see the extent to which the reform will include steps to modernise the framework and address areas that currently cause compliance challenges.

Case study – account closure, risk management and fairness

During 2023, the New South Wales Supreme Court handed down a decision affecting a bank's ability to unilaterally close a customer's account facilities (Beyond Bank Case). You can read more about that decision here. The Beyond Bank case found that the termination provisions in the bank's terms and conditions did not strike a fair balance between the account holder and the bank. As a result, the bank's purported termination of the bank account services under the relevant clause was invalid.

Tipping off considerations

A key aspect of the AML/CTF framework is the intelligence that AUSTRAC receives as part of suspicious matter reports. These are reports of suspicious matters that financial institutions identify as part of providing services under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act). The entity must report the suspicious matter to AUSTRAC.

Alongside this obligation to make the report to AUSTRAC is the "tipping off" offence – it is an offence for a financial institution to disclose that it has made a suspicious matter report under the AML/CTF Act. The prohibition covers disclosure of information about the report, as well as any information from which it could reasonably be inferred that the report has been made. There are very limited exemptions to this criminal offence.

The judgment in the Beyond Bank Case included some discussion of "tipping off" considerations which highlighted the practical difficulties in navigating the provisions through adversarial court processes.

Interaction with ML/TF risk and AML/CTF Programs

The AML/CTF Act requires financial institutions to have adopted an AML/CTF Program. The AML/CTF Program should have appropriate risk-based systems and controls in place to identify, mitigate and manage money laundering and terrorism financing (ML/TF) risk. The AML/CTF Act makes it a civil penalty provision to fail to act in accordance with the AML/CTF Program that the financial institution has adopted.

In making its decision that it was not fair to terminate the services, the Court in the Beyond Bank Case did not consider the interaction between a financial institution's obligation to maintain an AML/CTF Program and act in accordance with that Program. Debanking and its interaction with the AML/CTF Act is an area that AUSTRAC is sensitive to, and on which it issued guidance in June 2023.

Unfair contract terms

Also not considered in the Beyond Bank Case was Australia's unfair contract terms regime. However, unilateral termination rights under customer contracts have been subject to significant attention during 2023. The regime was updated in November 2023 to make it a civil penalty provision to enter into a standard form consumer or small business contract with a term that is unfair. While not prohibited, the regime includes, as an example of a term that may be unfair, a term that permits a party to unilaterally terminate the contract.

How do these regulatory considerations sit together?

How might a conflict arise in practice?

There are real circumstances where it is difficult to identify how these regulatory regimes can be satisfied while meeting all applicable obligations. For example, a suspicion of scam-related activity in connection with a bank account would require information to be shared under the Scams Framework and, potentially, a suspicious matter report to be made under the AML/CTF Act. This could arise where a customer's bank account has received a large number of payments in a manner that the bank suspects is connected to an organised scam.

A suspicious matter report under the AML/CTF Act would mean that information could not be shared more broadly without careful consideration of the tipping off prohibition. This would need to include a consideration of information sharing requirements under the proposed Scams Framework.

Impact of risk assessment and account closure

In addition, a bank that believes that its customer is receiving the proceeds of criminal activity, being the relevant scam, may well determine that the relevant account holder sits outside the financial institution's ML/TF risk tolerance as reflected in its AML/CTF Program. As such, the provision of services to that customer may be outside the acceptable parameters reflected in the institution's AML/CTF Program. Compliance with the AML/CTF Act would therefore require the financial institution not to provide services to that customer.

How a unilateral termination right should be framed having regard to AML/CTF Act requirements, unfair terms considerations and the overlay of the Beyond Bank Case requires careful consideration.

Opportunity for coordinated, considered reform

As the Scams Framework is being developed at the same time that the AML/CTF regime is under review, there is a real opportunity to ensure that consumers are protected and there is confidence in the financial system. This should be done in a manner that ensures that the regulatory requirements of financial institutions can be satisfied with certainty. This will require regulation that takes into account the relationship between obligations to customers, the importance of data sharing between businesses and regulators, and decision making that mitigates and manages ML/TF risk.
