Submission - Joint submission to the 2007 Review of the Electronic Funds Transfer (EFT) Code of Conduct to ASIC (May 2007)
7. EFT Code, Part A (Liability)
- Q28 – Should account holders be exposed to any additional liability under cl 5 for unauthorised transaction losses resulting from malicious software attacks on their electronic equipment if their equipment does not meet minimum security requirements? Do the benefits and costs of extending account holder liability justify such an extension of cl 5? What implementation issues would have to be addressed?
- Q29 – Should an additional example be included in cl 5.6(e) specifically referring to the situation when an account user acts with extreme carelessness in responding to a deceptive phishing attack?
- Q30 – Apart from this possible clarification, should account holders be exposed to any additional liability under cl 5 for unauthorised transaction losses because of a deception-based phishing attack? Do the benefits and costs of extending account holder liability justify such an extension? What implementation issues would have to be addressed?
- Q31 – To what extent has the restriction on using a user’s name or birth date under cl 5.6(d), been relied on?
- Q32 – Should the restriction on users acting ‘with extreme carelessness in failing to protect the security of all the codes’ under cl 5.6(e) be further elaborated or extended in some way? Should additional examples of extreme carelessness be given?
- Q33 – Should the EFT Code specifically address the situation when an unauthorised transaction occurs after a user inadvertently leaves their card in an ATM machine?
- Q34 – To what extent is unreasonable delay in notification of security breaches by account users currently an issue? Please provide information on the frequency and cost of such delays, if possible. (You may wish to provide this information on a confidential basis.)
- Q35 – Should the circumstances when the account holder is liable on the basis of unreasonably delayed notification under cl 5.5(b) be extended to encompass unreasonable delay in notifying online security breaches of which the user becomes aware?
- Q36 – Should the standard of ‘unreasonably delaying notification’ under cl 5.5(b) be replaced by a specific time after which the account holder is liable? What would be an appropriate time, if such a change were introduced?
- Q37 – To what extent do subscribing institutions currently use the other ‘no fault’ liability provision in cl 5.5(c)?
- Q38 – Is there a case for increasing the current ‘no fault’ amount of $150? If so, on what basis and what should the new amount be?
- Q39 – Should subscribers prohibit in their merchant agreements the practice of taking customers’ PINs or other access codes as part of a ‘book up’ arrangement? If so, should this be subject to any exceptions; and, if it should, what should those exceptions be?
- Q40 – Should cl 6 be reformulated to clarify that the subscribing institution is liable for any failure resulting from equipment malfunction when they have agreed to accept instructions through that equipment?
- Q41 – To what extent, and how, should the Code address the issue of mistaken payments? Discuss the usefulness, practicality and cost of implementing some or all of the measures outlined, as well as any other measures you consider appropriate.