Submission - Joint submission to the 2007 Review of the Electronic Funds Transfer (EFT) Code of Conduct to ASIC (May 2007)
Q9 – Do you have any suggestions as to how the scope of Part A of the Code might be defined more simply? Should Part A include a non-exhaustive list of the main types of transactions to which it applies?
The definition of scope in Part A appears to remain sufficiently broad enough to cover all target transactions. However, the drafting might be improved if the entire scope was described in Clause 1.1 without any need to refer to later provisions (e.g. 1.3 and 1.4).
Also, Clause 1.1 (B) appears to include a substantive regulatory requirement rather than a statement of scope – in that it requires financial institutions to be responsible for the actions of some third party providers. This Clause has always appeared out of place in a scope section.
A further issue relates to the definitions of some terms. These may need to be reviewed to ensure technology neutrality is maintained. One issue here is that modern access methods now include two-factor authentication approaches resulting in a plethora of new devices – smart cards, one-time password generators, mobile phones, USB tokens – all of which might play a role in providing access.
As a result, some of the definitions (e.g. ‘device’ and ‘electronic equipment’) may need to be reviewed for technology neutrality. Some initial observations show the complexity of these definitions in practice:
- A mobile phone is currently defined as both a device and electronic equipment.
- The definition of code means that it must be known to the user, but modern codes (e.g. one-time passwords) are generated by devices and only ‘known’ to the consumer for a short period.
It may be useful to conduct a thorough Technology Neutrality Review of the definitions in the Code once other clauses are agreed in the Review process.