[LINK] Questions about the New ePayments Code

Roger Clarke Roger.Clarke at xamax.com.au
Mon Oct 24 08:20:49 AEDT 2011

[This news is a month old, but it only just reached me, and I've not 
seen it reported.]

RIP the EFT Code of Conduct 1986-2013.

ASIC issued a replacement code on 20 Sep 2011, called the ePayments 
Code, said to follow "widespread consultation between ASIC, industry 
and consumers".

"A major objective of the review was to ensure the Code covers all 
consumer electronic payment products, not just those from traditional 
banking organisations".  The Media Release trumpeted the news that 
PayPal "has agreed to sign up ... by the end of the transition period 
which is 20 March 2013".

The Code encompasses "ATM, EFTPOS, debit and credit card transactions 
(including contactless transactions), online payments, internet 
banking and BPAY".

It's unenforceable.  But the EFT Code of Conduct has been (almost 
entirely?) respected by those organisations that had signed up to it.

Media Release:

Access to the ePayments Code:

Changes incorporated into the Code include:
*   a tailored set of light touch requirements for low value products 
(with a maximum balance of $500);
*   a new regime to resolve mistaken internet banking payments; and
*   plain English drafting that is product and technology neutral.

I submitted to one of the rounds of the review, when the banks were 
trying to shift liability to consumers unless consumers (using 
unknown means) protected their devices.  I haven't been aware of 
developments since.

Questions that come to mind:

-   do "light touch requirements" mean that consumers are unprotected
     in the case of those ghastly Visa PayWave and MasterCard PayPass cards?

-   now that the 'technology-neutral' mantra has infected the Code,
     will it be clear enough, and will there be enough meat in it,
     to deal with the diversity of payment mechanisms?

-   the list of signatories comprises (all?) banks, building societies
     and credit unions, and is long:
     but the real question is 'what relevant organisations *aren't* there'?

-   when will providers of Internet Banking be required to validate
     the payee data? (At present, consumers type in 6-char BSBs and
     c.9-char account numbers, accompanied by account-holder name, but
     FIs declare that they have no responsibility to check that the
     name corresponds to the account-number)

-   what does this mean: "A consumer is not liable for any unauthorised
     transactions on their debit card that were done without a PIN or
     signature"?  (Contactless card transactions, and even some
     contact-card transactions, e.g. at parking stations, are done
     without any form of authentication.  So does a consumer merely
     have to 'say no'??)

-   what does this mean: "subscribers need not provide receipts for their
     low value products, but must provide consumers with ways to check their
     balance and transaction history"?  (Merchants are the ones who must
     issue receipts)

Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University
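The fourth question above concerns a missing control: the payee's name is collected but never checked against the account it is sent to. The following is an added illustration (not code from the post, ASIC or any bank) of what such a confirmation-of-payee check could look like on the payer's side. The account directory, the names in it, the 6-digit BSB rule, the 6-to-10-digit account-number rule and the 0.85 similarity threshold are all constructed assumptions for the example.

```python
"""Hypothetical confirmation-of-payee check (added example, not from the post).

Assumes a lookup that maps (BSB, account number) to the registered
account-holder name. Here it is a constructed in-memory dictionary; a real
deployment would query the receiving institution or a shared directory.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample directory: (BSB, account number) -> registered holder name.
REGISTERED_HOLDERS = {
    ("012345", "123456789"): "Jane Citizen",
    ("062000", "987654321"): "Acme Pty Ltd",
}

# Format rules are assumptions for the example: BSBs are 6 digits; the post
# says account numbers are "c.9-char", so 6 to 10 digits are accepted here.
BSB_RE = re.compile(r"^\d{6}$")
ACCOUNT_RE = re.compile(r"^\d{6,10}$")

# Tokens ignored when comparing names (titles and common company suffixes).
IGNORED_TOKENS = {"pty", "ltd", "limited", "mr", "mrs", "ms", "dr"}


def normalise_name(name):
    """Fold case, strip accents and punctuation, drop titles/company suffixes."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^a-z0-9 ]", " ", text.lower())
    tokens = [t for t in text.split() if t not in IGNORED_TOKENS]
    return " ".join(tokens)


def check_payee(bsb, account, typed_name, directory=REGISTERED_HOLDERS, threshold=0.85):
    """Validate the payee details a customer typed.

    Returns (status, registered_name) where status is one of:
      'invalid_bsb', 'invalid_account', 'unknown_account',
      'match', 'close_match' (likely typo, ask the payer to confirm),
      'mismatch' (name does not belong to that account: block or warn).
    registered_name is None when the account could not be resolved.
    """
    bsb = bsb.replace("-", "").replace(" ", "")
    account = account.replace(" ", "")
    if not BSB_RE.match(bsb):
        return ("invalid_bsb", None)
    if not ACCOUNT_RE.match(account):
        return ("invalid_account", None)
    registered = directory.get((bsb, account))
    if registered is None:
        return ("unknown_account", None)
    ratio = SequenceMatcher(None, normalise_name(typed_name),
                            normalise_name(registered)).ratio()
    if ratio == 1.0:
        return ("match", registered)
    if ratio >= threshold:
        return ("close_match", registered)
    return ("mismatch", registered)


if __name__ == "__main__":
    # Constructed payment attempts: a clean entry, a typo, a wrong name,
    # a malformed BSB and an account that does not exist.
    attempts = [
        ("012-345", "123456789", "Jane Citizen"),
        ("012345", "123456789", "Jane Citizan"),
        ("012345", "123456789", "Bob Smith"),
        ("06200", "987654321", "Acme"),
        ("062000", "111111111", "Acme Pty Ltd"),
    ]
    for bsb, acct, name in attempts:
        status, registered = check_payee(bsb, acct, name)
        print(f"{bsb} {acct} {name!r}: {status} (registered: {registered})")
```

The point of the three name outcomes is that the institution can act on the comparison without ever revealing the registered name to the payer: a mismatch needs only a "the name does not match this account" response, which is what closes the gap the question describes.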
