Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Parliamentary Joint Committee on Law Enforcement
09/09/2014
Financial related crime

JOHNS, Mr Philip Keith, Chief Executive Officer, National Financial Services Federation

[11:27]

CHAIR: Welcome. Would you like to make an opening statement?

Mr Johns : Thank you for asking us to give some feedback on our submission. Our submission, we believe, is along the lines of the high-level objectives of the financial system inquiry, which is: consumer confidence and integrity in the credit marketplace. Our submission deals with the issue of straight out online fraud and unlicensed credit activity. We address some of the key solutions for which we think the committee may be able to put forward recommendations. The crux of it is in the modern day that although we have the National Consumer Credit Protection Act, consumers are exposed to a global economy and global markets and, or course, to global criminals.

CHAIR: In your submission you make that comment in paragraph (B) on page five:

It appears that the ‘prime directive’ for the regulator (ASIC) is to focus on the licensed lenders (who are continually bending over backwards to comply with the law) and not the illegal unlicensed entities which were in, or have entered, the market.

You preface that with a story about all of the information that somebody can collect on a website.

I am assuming you have raised that particular issue with ASIC and others. What has ASIC's response been when you have raised that issue with them, and have there been any recent improvements?

Mr Johns : Yes, we have raised it with ASIC. Also, we have raised it, pounding the boards, around parliament house. ASIC's response at this time—and we had a recent meeting with Deputy Chair Peter Kell on this very issue—is that they simply do not have the resources to deal with the volume of illegal scamming activity in regard to the credit sector, which we represent for our members. They now are simply at the stage where they have to go after the biggest bang for their buck, so to speak, in the protection of consumers. Our members find that a little frustrating, because, as licensed lenders, they have spent tens to hundreds of thousands of dollars to get a credit licence, the same as a bank, but the regulator, from our members' point of view, is not able to protect the sector and consumers.

CHAIR: In relation to the incidence of fraudulent activity, or people being financially disadvantaged, how much of that activity would occur with licensed lenders as against those who are unlicensed? Do you have any stats comparing the two?

Mr Johns : We do not have any statistics, but the point we make is that the penalties now for noncompliance by licensed lenders is horrendous. No-one dares look sideways—for those who have done the right thing. But with the legislation, the policy and the fundamentals when Treasury developed the scope to draft the National Consumer Credit Protection Act, they made the almost incorrect assumption that all the players in the marketplace would be licensed. This is reflected in the penalties, which are something the committee may be able to effect some change on. The penalty for unlicensed activity, if someone is caught—let's just call it one penalty unit—is one penalty unit for unlicensed activity. The legislation says that you will be fined this amount of money. However, a licensed lender who is doing the right thing and who may unintentionally get it wrong through incorrect legal advice or incorrect interpretation can be fined many times that single penalty unit, even though they are licensed and attempting to do the right thing. We say that the penalty for unlicensed activity needs to be many times that of what an entity trying to do the right thing can be fined. That is a legislative change. It would give ASIC more power and more impetus to make an example in the market when they do go to court with a case. Also, it would provide a disincentive for those looking to try to operate unlicensed or operate a credit scam in the marketplace.

CHAIR: Are you aware of any instances where ASIC has prosecuted an unlicensed activity?

Mr Johns : Yes, there are some. You can look at them through the ASIC enforcement actions. We do not quite understand why in the cases that have gone through the full force or full ability of the penalties has not been used, which frustrates the licensed entities even further. Because it is now four and a bit years after the commencement of the National Consumer Credit Protection Act, which was 1 July 2010, we really expect to see significant penalties applied in the marketplace. There is no excuse for unlicensed credit activity by any entity, especially an Australian based entity.

CHAIR: You make a comment in your submission about the level of regulation in the industry. That comes at enormous cost to the licensed lenders. How could you reduce that regulation yet ensure there is a proper level of protection for consumers? Or, have you put some thought into that and made any recommendations on it?

Mr Johns : The level of compliance is probably just a little over what it needs to be. The issue in the nonbank sector or the nondeposit-taking sector is that there are different rules in the National Consumer Credit Protection Act for deposit-taking lenders and non-deposit taking lenders in the market place. Our members are nondeposit-taking lenders. They are private firms right down to mum-and dad-operators who, as a business model, have a credit licence and a licence by ASIC to give consumer credit in the marketplace.

The restrictions on nondeposit-taking lenders is far greater. Even though there is the same regulator, there is no market neutrality, especially for consumer loans under $10,000. Specifically, there are price controls on lower-value loans that the banks do not have to comply with. For example, it is a combination of high compliance but also fixed income level built into the National Consumer Credit Protection Act. So there are fixed fees for different types of loans. There are fixed types of interest built in. It is the combination with the current compliance level which is the issue in the marketplace.

To give an example, I was looking at some historical figures: in 2006, there were more independent lenders in Queensland alone than there are in the entire Australian market today. We have seen nearly a 90 per cent reduction in the small-to medium-sized operators in the marketplace because of the combination of compliance and the low margins, which is in there. So with that reduction in the marketplace, some have simply shut, some have merged and some have sold out.

It is almost similar numbers to what we saw the credit unions go through prior to the massive regulatory shake-up. Many years ago there were about 1100 credit unions; they have dropped back to about 116. There is a similar drop-off in numbers for our sector. There has been about a 90 per cent reduction in the actual businesses or visible shopfronts offering—

CHAIR: Has that led to an improvement in what is available to consumers or to a deterioration of what is available; and, more importantly, in terms of this inquiry, the security of the information that consumers are providing to these lenders that it is not then ultimately being used for fraudulent purposes down the track?

Mr Johns : The feedback from our members is that there is a rapid decline in retail offering credit while the online take-up is going through significant growth every month.

To answer the second part of your question, the security of that information with the licence lenders with all of the updated Privacy Act is not an issue. Again, when ASIC does come through the door, this becomes part of the regulatory guidance and they also look at consumer security. It is the unlicensed and scammers who purport to be credit or insurance providers—it does not matter—right across financial services where the issue lies.

CHAIR: That is more likely online than it is through a shopfront.

Mr Johns : Yes. I would say almost without a doubt, almost 99 per cent would be online.

CHAIR: Hence your opening little story in your submission.

Mr Johns : We wanted to do something different. That is the first time we have down something like that on the front page of a submission; it was just to get everyone's attention that this is a real issue in the marketplace.

I will just run through the time line of a scam we recently went through. It goes to the point that we believe ASIC needs some assistance or high integration with the Australian Federal Police and the Australian Crime Commission. They need a crack a technical team to shut down these scams very quickly, which they do not have. Currently, if you lodge an issue via the ASIC online portal, there is a single entry portal for all ASIC complaints. It does not matter what it is; you end up in a single web page form. ASIC's response to that form, as per their current mandate, is, 'We will get back to you within 28 days to see whether it falls within our mandate to investigate it.' Some of these scams are over and done with in seven days, such is the speed and the technology of the scam.

I have an example here which involved an overseas entity which ASIC did not get to trace. It started around November last year. One of our members sent us in details of a scam where their information, their credit licence, had been used. The guts of the scam was that a rogue overseas company was running a Google pop-up ad. That ad had a virtual phone number in it, a virtual IP number. So, if you looked at this ad in Perth, it would have a local Perth number on it; if you looked at it in Brisbane, it would have local Brisbane number. The person answered it as a branch of the Commonwealth Bank, so you thought you were talking to someone at the Commonwealth Bank. They took all the details over the phone. As part of that process, they said, 'Being this type of consumer loan, we will fund this through one of our subsidiary companies.' The details they gave were that of a valid licensed lender, which was one of our members in three of the cases we came across. They would then send the consumer a credit contract—which was not a valid contract, of course. They would then ask the consumer to deposit an establishment fee, credit insurance, into a Commonwealth Bank account. The largest amount which ASIC reported in their media release 14-040, from a consumer, was $33,000 in one hit for one contract. Probably hundreds of thousands of dollars went through this single account.

On the day I found out about it, we informed the credit team. We informed by email the ASIC credit team in Sydney. Our organisation lodged on behalf of our member. We called ASIC and reported it via their complaint line. We also send the details of the scam to the ASIC email address: feedback@ASIC.gov.au. We informed our members of the mechanics of the scam. That was on day zero as far as we were concerned. Three days later, the second member reported the same scam. Again, details were sent to ASIC regarding that. On day 3, because the information we had was live data—it had the actual Commonwealth Bank BSB, the account number, the account name and what appeared to be local phone numbers, I passed the information on to the Australian Bankers' Association, who assigned a person to assist with this. The ABA contacted the Commonwealth Bank to give them notice that these couple of accounts were being used in the scam. I am not sure of the time line the Commonwealth Bank shut that down. On day 6, after I put that in, ASIC rang one of our members and sent an email with receipt of what they called 'concerns received'. From our point of view, it was not concerns; this was hard, cold factual information, including the BSB and account number, of where consumers were depositing money with regard to this scam. That email on day 6 was to set up a teleconference further down the track for the investigators to talk to the members and me.

On day 18, I got an email from the ABA saying he had been advised by ASIC that they had been aware of this type of scam since July. So it had run from July to November before one of our members had picked it up, but ASIC had been aware of it since July. We showed our members the tools on how to scan the internet to see whether their logos, names, licence numbers were being used by other entities on the net. Then a third member picked up their live Australian credit licence number and details being used in a scam. That was also sent to ASIC. On day 101 after we made contact with ASIC, ASIC issued media release 14-040, but, based on the information we got from the ABA, this public warning notice—and it was titled 'ASIC warns Australian borrowers about overseas lending scam'—was 223 days after ASIC supposedly became aware of the issue, which goes to the crux of what we tried to highlight in here.

I had a fairly frank conversation with one of the investigators, who said that basically ASIC (1) does not have the technology to try and track down these scams, (2) does not have the resources to do this and (3) the processes of natural justice, of deciding whether this even falls within ASIC's gamut to investigate then allowing all this, appear to be based—the commissioner spoke earlier—on paper, fax and letter-type dealing with the process rather than the fact that we are in a global economy and these scams are over and done with very rapidly. And they can scam thousands of details very quickly once they are up and running. So that is the time line, and this is why it is a concern.

CHAIR: Before I go to further questions, are you able to provide us with that document?

Mr Johns : I can provide you with the document, and I have actually gone to the trouble of PDFing all the emails in and out around that case which support the time line I have created. So, yes, I would be happy to provide that to you.

CHAIR: Thank you.

Senator SINGH: Mr Johns, that is obviously a very startling example. Are you aware of any kind of overseas legislation or activities of equivalents of ASIC in other countries that actually are tackling these identity fraud issues better than Australia?

Mr Johns : No, not at this point.

Senator SINGH: I am just wondering whether there is any learning that can be done from other jurisdictions.

Mr Johns : ASIC in some cases wants to assist out, but you may recall—it was about two years ago—ASIC using the powers. ASIC has the power to shut down a website today, via the Telecommunications Act. They have got a plug into the Telecommunications Act which allows them to shut down a website if our members or anyone reports a rogue website. ASIC says, 'We've got to carefully consider this whole issue,' but, if you see someone—and I am using a very extreme example here—shooting someone in the street or speeding down the highway at 200 kilometres an hour, you do not need a degree or any measurement tool to know that there is something wrong there. It is in those cases where it is absolutely blatantly obvious that a website is a rogue, scam website—it does not have a licence number; it may not even have a privacy statement attached to it; the details are very scant—that we are saying, 'Give ASIC the power, the tools, the resources'—not only for credit but I am sure these scams happen across insurance, anything to do with financial services where people hand over their details—'and a crack team to go in and shut those sites down.'

As I mentioned, ASIC does have the power to do that. However, when they did use their powers about 18 months or two years ago, they accidentally shut down about 300 websites because they did not quite give the quite right instructions to the internet service providers, and some of the people in ASIC are still feeling the pain of that action. But my point is: just because they got it wrong that time does not mean they should not look, refine it and get a better process in place, because that is a solution. If industry right across the board can send an email or whatever to a crack team, saying, 'We think this is a scam website,' and a crack team of people can shut that down within minutes, that is sort of where we need to end up to protect the consumers at the end of the day.

Senator SINGH: So the identity fraud that you have outlined is not just the identity fraud that happens by way of a consumer applying for a loan and giving over his or her details in that way; it is also the identity fraud of the lender—in this case, your members?

Mr Johns : Yes, and so we have tried to give our members tools to look for instances of their name and logo. We have even given them descriptions of tools that will scan for their logos and images across the net to see whether they are being used illegally somewhere else. We were disappointed as a board for an industry association. If ASIC did know about this many months before and it was related to credit businesses, ASIC should have gone out through the industry associations to start warning members earlier and maybe this would have been picked up.

Senator SINGH: If I go online to borrow money and come across one of your members' websites, would I see that they identify themselves as being part of your federation, comply with various legislation and are of a reputable standard?

Mr Johns : Yes, they do.

Senator SINGH: And if I were to go to a different website of a nonmember, who was more of the dodgy lending variety, I presume I would not find any of that information on there.

Mr Johns : That is correct. As an organisation we also monitor our own name and logo across the media.

Senator SINGH: So there has not been the fraudulent use of your logo and saying they are licensed when they are not licensed and those types of things?

Mr Johns : You touch on another core part of our submission and that is to be able to differentiate yourself in the marketplace. As most businesses would do for credibility, they would say they are a licensed motor mechanic in Queensland and are part of the MTAQ and would display that logo. ASIC and now the external dispute resolution schemes have withdrawn the use of their logos. Originally to help consumers differentiate themselves our members would say they are an ASIC licensed lender—'Here is our licence number'—and display the ASIC logo and say we also have free external dispute resolution, which is mandated by law, and this is our external dispute resolution company's logo. Our members, even though they hold an ASIC monitored and regulated credit licence in Australia, cannot display the ASIC logo. ASIC feel—and we have had this discussion quite a few times with them—they are giving some credibility to that business. We say: 'Hell, yes. They have jumped through hoops beyond belief to get and then maintain a credit licence and you are the regulator who gives that.' There is that problem in the marketplace of differentiation in the online environment.

Senator SINGH: Obviously since March there is a new Privacy Act. Hopefully, in time we will be able to see the benefits of people's privacy—their personal information and credit information—being protected under that act. I similarly have a private member's bill, which is a privacy alerts bill, that adds to that. How do you see that act, which you mentioned favourably, having any benefit for the nonlicensed lender providers who will try to interact online and say, 'Give me all of your information,' and then fraudulently take that identity and take the money?

Mr Johns : The NCCP Act and the Privacy Act only work for those entities who are out there doing the right thing. They provide no protection to a scamming entity. I saw a scam website not that long ago whose privacy statement was, 'We will look after your private information.' That is a very quick heads up that this is not valid. That was their privacy policy.

Senator SINGH: Oxymoron!

Mr Johns : Yes. It is only those who are licensed and looking to do the right thing who offer that protection. It does not provide any protection unless the Privacy Commissioner can, of course, actually catch the entity in question.

Mr MATHESON: Mr Jones, obviously you would suggest that all lenders should be licensed through ASIC. I do not know how you can be an unlicensed lender. Surely ASIC should be jumping on top of those sorts of people.

Mr Johns : We could not agree more. I will give you a specific example. I will try to make sure I get the year right because I am giving evidence. There was a situation where ASIC was doing field visits to physical locations. ASIC was doing that field visit in Sydney, off their database. They walked in to see one of our members and yet literally 60 metres down the road was a business providing unlicensed credit and there was nothing our member could do to persuade the ASIC people to walk 60 metres up the road, because it was not on the list.

Senator O'SULLIVAN: Mr Johns, we are not dealing here, are we, with a problem where ASIC's brief is to regulate or have a role in regulating licensed providers versus a role that investigates, detects and prosecutes unlicensed providers? Are you satisfied it is under their legislative bailiwick? Do you understand my question? It is a subtle—

Mr Johns : Yes, there is a subtle difference. I have tried to gain that clarity from both parliamentarians and ASIC directly. ASIC appears to have a scope of operations and also, if you are looking to do enforcement action, it is easier to walk through the door when you know where they are. I do not want to make this come out wrongly. ASIC appears to have a process at this time of tackling the low-hanging fruit rather than the really tough cases.

Senator O'SULLIVAN: I accept that. I come back to the core of my question. Again, the answer to this question could prove valuable to this committee as it deliberates on changes to legislation, regulations or other recommendations. If you do not know the answer, say so and we can agree for you to take it on notice and perhaps provide the committee with the answer later. Do you understand my question—that there may be a firewall between their ability to detect, investigate and prosecute unlicensed operators versus their clear regulatory role to ensure that licensed operators operate within the legislation and regulations; whether they are undertaking it to your satisfaction at the moment?

Mr Johns : I am not sure that the firewall exists or where it goes. As for detection, industry players will provide that detection because they get the feedback on a daily basis, whether it is from consumers walking through the door and saying they had a bad experience with someone—

Senator O'SULLIVAN: The chair asked the question in a different way earlier. In your report, on page 7, in the third paragraph, you talk about there being 10 to one with these online websites claiming to be lenders. I assume they are unlicensed lenders. Have you any evidence that ASIC has ever prosecuted an unlicensed lender for being unlicensed?

Mr Johns : Yes, they have.

Senator O'SULLIVAN: That would answer the first part of my question—that they do accept that it is part of their responsibility and they have the power to do it. If we accept the value of your evidence, you are suggesting it is not just low-hanging fruit but they are more interested in the category of 'easier'. They know who the licensed lender is, they know where they live and they know where they operate, so it is somewhat simpler to appear to discharge their duties by supervising regulatory breaches with licensed lenders than to go after the other nine who are unlicensed.

Mr Johns : Those examples have, if my memory serves me correct, all been physical locations. It is this technical issue in the online environment. I will give you an example of a firm which is no longer in existence but one we made ASIC aware of many years ago. They were operating with Australian domains. The main firm or the bodies appeared to be domicile in Malta. The Australian domains were registered in the US, hosted in South America and the owners lived in Canada. But the processing for that entity was done in Estonia. That is a nightmare for an Australian regulator to try and shut down that type of activity and that is what we are up against. These are not simple scams that target the Australian consumer. They are very complex. They require a lot of regulatory work with other countries to try and protect Australian consumers.

Senator O'SULLIVAN: Are you saying that Mr and Mrs String Bag would have no way, on face value, if they pursued an opportunity online to be able to determine any if it were a licensed operator or a not licensed operator? Do they prima facie look the same?

Mr Johns : That is correct. The only way a consumer would be able to do that would be to take the credit licence number, go to the ASIC website and look up the licensed product providers in Australia to see whether that licence number related to that provider.

Mr MATHESON: Would you say that the penalties are higher for licensed than it is for unlicensed lenders?

Mr Johns : That is correct. We give the specific example that if you are unlicensed there is a penalty unit converting back to one for unlicensed activity. However, if you are a licensed lender and after legal advice you may get it wrong, ASIC may then say they have found a couple of breaches. You could be up for multiple penalty units even though you could have spent $1 million getting a licence and it was unintentional.

Senator O'SULLIVAN: Your response was not apples to apples there. If a licensed operator commits a breach of 11.2 subsection 1 and an unlicensed operator commits a breach of 11.2 subsection 1, you are not suggesting there are two different penalties regimes for exactly the same offence?

Mr Johns : The unlicensed lender would get a penalty for unlicensed credit activity.

Senator O'SULLIVAN: That is correct. And the other would be breached on the specific regulatory breach. It is not apple and apple.

Mr Johns : We say that the monetary value, the fine for unlicensed activity, is the same.

Senator O'SULLIVAN: I get that. I hear what you are saying but I am just trying to clarify that it is not an apple for an apple. It is not the same breach, the same circumstances. A licensed operator is penalised $10,000 and the unlicensed is fined $2,000.

Mr WATTS: What Commonwealth legislation changes, if any, would you be recommending to this committee?

Mr Johns : Under the NCCP, we would ask that the penalty for unlicensed credit activity be increased multiple fold. That is a legislative change you could push through. We really need to get to a point where ASIC and the EDR schemes—it is not legislation but just policy—allow licenced lenders to use, for differentiation in the marketplace, their logos. We suggested many years ago that there are several key gates or barriers that could be put up to really hamper illegal or licensed credit activity. If you are an online lender, you are getting your money back via direct debit out of a consumer's bank account. We would suggest legislation that says that any deposit-taking institution that hosts or facilitates a direct debit out of a consumer's bank account—and that entity says, 'we are a lender'—should be a licensed lender. If you take the ability away from an illegal entity to take the money out of the consumer's bank account, then you go a long way towards stemming that type of activity.

Mr WOOD: But at the same time, if you have someone who is setting up false websites, that is already criminal behaviour. To me, that person is already committing other, more substantial offences. It may look nice and pretty, but is it actually going to solve the problem?

Mr Johns : As we said, there are two types. If they are a scammer, just going after your identity, it will not address that issue. But if it is someone who is in the second bucket, of unlicensed credit activity, and they can't get the money out of the consumer's bank account, then they don't have a business model to work with.

Mr WOOD: Okay. Thank you.

Mr Johns : Sorry; there would be one other legislative change we would suggest. It is our opinion that the use of and the ability to register the Australian high-level domain, the '.au', could go through a significant legislative review. There is the ability for overseas entities, or an entity who says, 'we are not a lender', to register a website called, for example, personal loans.com.au—but the entity who takes on that domain name is overseas, and not a licensed lender. We think there is some scope for a review of the security of the asset, if you like, of the Australian .au domain, in protecting consumers.

CHAIR: Thank you, Mr Johns, for your time today and for your submission. There is a lot of detail in there that we will review. A copy of the Hansard transcript will be made available to you to check, and come back to us with any corrections. As we discussed earlier, if you could provide us with the time line of that case that you mentioned, it would be greatly appreciated.

Mr Johns : Thank you. A clarification: is PDF format fine for that purpose?

CHAIR: Yes.

Mr Johns : Okay. And I will supply all of the underlying emails and documentation for each of the events on the time line. Thank you for your time

CHAIR: Thank you.

Proceedings suspended from 12 : 07 to 13 : 06