Title Parliamentary Joint Committee on Law Enforcement
Financial related crime
Database Joint Committees
Date 09-09-2014
Source Joint
Parl No. 44
Committee Name Parliamentary Joint Committee on Law Enforcement
Page 1
Questioner CHAIR (Mr Van Manen)
Singh, Sen Lisa
Matheson, Russell, MP
O'Sullivan, Sen Barry
Wood, Jason, MP
Responder Mr Stacey
Mr York
Mr Boyd
Mr McMeekin
System Id committees/commjnt/5d40dc1b-c28b-49fa-8ed2-0244072200c6/0001

Parliamentary Joint Committee on Law Enforcement - 09/09/2014 - Financial related crime

BOYD, Mr Guy, Global Head of Financial Crime, Australian and New Zealand Banking Group Ltd

MCMEEKIN, Mr Damian, Head of Group Security, Australian and New Zealand Banking Group Ltd

STACEY, Mr Paul, Policy Director, Australian Bankers' Association

YORK, Mr Steven Noel, Head of Groups Security and Business Resilience, Bank of Queensland

Committee met at 09:04.

CHAIR ( Mr Van Manen ): I declare open this public hearing of the inquiry by the Parliamentary Joint Committee on Law Enforcement into financial related crime. This is a public hearing and a Hansard transcript of the proceedings is being made. The hearing is also being broadcast via the Australian Parliament House website.

Before the committee starts taking evidence I remind all witnesses that in giving evidence to the committee they are protected by parliamentary privilege. It is unlawful for anyone to threaten or disadvantage a witness on account of evidence given to a committee and such action may be treated by the Senate as contempt. It is also contempt to give false or misleading evidence to the committee.

The committee generally prefers evidence to be given in public but, under the Senate's resolutions, witnesses have the right to request to be heard in private session. If a witness objects to answering a question, the witness should state the ground upon which the objection is taken and the committee will determine whether it will insist on an answer, having regard to the ground which is claimed. If the committee determines to insist on an answer, a witness may request that the answer be given in camera. Such a request may of course be made at any other time.

I welcome representatives from the Australian Bankers' Association. Thank you all for coming along and being part of the inquiry. I thank the Australian Bankers' Association also for their submission. I invite you now to make a brief opening statement and then the committee will ask you any questions we may have.

Mr Stacey : The Australian Bankers' Association is very pleased to have this opportunity to address the committee today. The ABA is the peak national body representing banks authorised by the Australian Prudential Regulation Authority. The finance and insurance industry is Australia's second largest industry, contributing $129.4 billion, or around nine per cent of the economy, in 2013-14. The banks provide around 5.6 million loans to home owners and investors, totalling over $1.2 trillion.

A total of 17 million Australians use banks as their main financial institution. Australian banks are in a fiduciary sense custodians of their depositors' wealth, with an obligation to take reasonable steps to safeguard that wealth. It is an obligation that all our members take very seriously and invest significant resources in. Those resources include my colleagues today: Mr Steven York, Head of Groups Security and Business Resilience, Bank of Queensland; Mr Guy Boyd, Head of Financial Crime, ANZ; and Mr Damian McMeekin, Head of Group Security, also for the ANZ.

We would be pleased to answer any questions the committee may have in relation to the Australian Bankers' Association's submission to the committee on paragraphs (a), (c) and (e) of the committee's terms of reference for the inquiry into financial related crime to the extent that we are able.

CHAIR: Thank you, Mr Stacey. In your submission you noted that there is an increase in the incidence of fraud. How has that been picked up?

Has that been picked up through the significant improvement in security processes of the various banks involved? What has been the investment by the banks to achieve that and to pick up more instances of fraud and minimise the loss to clients?

Mr Stacey : I will perhaps respond with an introductory comment before passing to my expert colleagues to answer further. We would simply note as a prelude the changing nature of financial crime that our banks are encountering and the move away from physical crime to internet/remote crime and personal credit card and other frauds. That changing environment in which customers do business and in which crime does business has informed bank responses. I will pass to Mr York.

Mr York : I would say that over the last five years every bank in Australia has invested significantly in electronic monitoring. There are various electronic means and various vendors—a combination of vendors—to do different things. I do not think there would be a single defence mechanism across every bank; it would be different in every bank. But even the license fees on these range to the millions of dollars. It is a significant investment. If you purchase something according to the nature of a crime, it very quickly becomes out of date because with the nature of the criminals they seem to be able to get through what they perceive as the closed windows or closed doors very quickly. I would like to hear Mr Boyd's position on that.

Mr Boyd : I would echo that. The investment levels, I think, particularly in the major four banks would be in the multi-millions of dollars in technology and people, because the technology alone will not do it. At ANZ, we also have several hundred people who work for us on running these tools and running various other controls, which I obviously will not go into detail on, to prevent, detect and then manage what we do detect every day.

CHAIR: In your submission you raise the issue of superannuation as a new avenue for financial fraud and crimes. Please expand on your concerns in relation to superannuation and the specific threats you may be seeing at present or what threats you potentially see in the future.

Mr York : One of the things with especially the self-managed super funds is that you have a large amount of money seemingly sitting dormant. With my self-managed super fund, I really rarely look at it in the sense of asking if it is still there—there is an assumption that it is there. I do not have to go to it very often. Most of my deposits to it are electronic and I have electronic statements, so you have to actually physically go and check. With those sorts of funds there is a large opportunity for criminals if they get access to that account and there is the risk that it will go undiscovered for a long period of time. That is where we are relying on our electronic detection to pick anomalous behaviour up, but it is not perfect. There are ways around it. That is one of the things that I think is a growing area, and, of course, the criminals would see this as well. They understand that people are saving money in these locations and they are sending out letters saying, 'Roll over your super into this account.' I have received several letters saying, 'This person has left employment and could you please transfer her superannuation fund to this fund.' That was for a member of my family, so I knew it was not real, but there are just phishing expeditions going on to probably all superannuation funds.

CHAIR: It sounds like it is not just self-managed super funds; it could happen to anybody with any type of super fund.

Mr Stacey : There is another potential weakness in the current SMSF space on a slightly different tack that can be exploited by criminals. Australia's current anti-money-laundering and counterterrorism financing rules do not apply to accountants and lawyers. Accountants are the people who set up SMSFs and, as with any system, criminals go to the weakest link. In the AML-CTF space, the weakest link is the accountants and lawyers because they are not regulated. There is a significant amount of money going into SMSFs and, therefore, there is the potential for those investments to be exploited for that reason for money laundering rather than fraud.

Senator SINGH: Mr Stacey, in your submission you talk about the ABA's Financial Crimes Steering Group. Who makes up the steering group?

Mr Stacey : The Financial Crimes Steering Group is made up of senior officers from member banks who are involved with supervising their banks' anti-crime and fraud activities—people such as my colleagues here today.

Senator SINGH: So the information sharing occurs and the commonality of various financial crimes is revealed and so forth through that steering group?

Mr York : And trans-modus operandi changes.

Senator SINGH: How long have you had that in place?

Mr Stacey : Certainly since before my time—2008, I think.

Mr York : No, before that—2004 or something like that.

Senator SINGH: And that works well as far as sharing information is concerned?

Mr Stacey : Sharing information, absolutely. We also have another working group which is much more focused on physical crime, the securities issues task force, which regularly meets with members of the police—state police, federal police and also representatives of the FSU. That is much more focused on physical crime, which, as noted in our submission, has been declining relative to virtual crime.

Senator SINGH: You outline those statistics of the physical crime dropping in comparison to the financial statistics, which have been increasing. They are really interesting. In (a), the number of suspicious transactions reported by your members went up dramatically between 2005 and 2013. This is where this steering group would obviously share information. A bank would say, 'This is what we're seeing; this looks suspicious.' Presumably, you have some kinds of characteristics that work out what looks suspicious. I am just trying to work out whether that figure is a conservative figure or whether—

Mr York : It would be conservative.

Senator SINGH: there are other kinds of transaction reports that perhaps will not necessarily, on the face of it, seem suspicious but may also be part of this crime.

Mr York : One of the things we have to consider that in about 2005 or 2006 the AML monitoring tools came in place.

Senator SINGH: What are they?

Mr York : The anti-money-laundering monitoring tools, which had similar but different rules than the fraud tools. You could pick up the structuring and the attempts to get $9,800 through et cetera. So you would have got an increase after that. As we understand more and more about the methodologies, those rules are added to the various tools. I expect that that will increase because we are getting more sophisticated but also because electronic transfers are the mode of payment now; there is not too much cash being handed over, because of the AML rules.

Senator SINGH: Obviously, the AML rules would be helpful, but this is where it gets tricky, isn't it? If you are talking about identity fraud, for example, it must be very difficult to detect. If someone is assuming someone else's identity or using their credit card details, passwords, access codes and what have you, how do you know it is not that person?

Mr York : We have behavioural analytics sitting behind the primary rules, if you like. If I showed normal behaviours—buying a coffee, spending something there and going to this restaurant—but all of a sudden I am in Western Australia, it scores higher. We have a cut-off of X scoring that we look at. For anything above that score, we stop it. We look at it, ring the customer, verify it and allow it to go. There are a whole lot of geographical, spatial and behavioural rules that go with that. It is quite sophisticated. But, of course, criminals understand that as well and so they will make purchases based on their understanding of who you might be et cetera. They might buy hi-fi equipment from a store that the customer may have used—they try and guess. A recent more troubling thing is that emails have been hacked, and going into the storage of emails you can pretty much reconstruct a person's life. If they can do that, then they socially engineer changes of address and changes of telephone numbers and assume the identity completely.

Senator SINGH: This is going on?

Mr York : I would say that in the last two years that has really started to pick up.

Mr Boyd : One of the challenges, I think, for our community is around identity. How do we work to assure each other that we are who we say we are? At the moment, there are legitimate privacy constraints around uses of various information sets that exist around the country. We have made good steps, for example, with the Document Verification Service being made available to private sector participants to be able to get better source data to verify details—not identity but details of documents. One of the suggestions we have put forward is that we would like to see more work with government and industry around creating a secure digital identity.

Senator SINGH: That is that mechanism that you allude to in your submission that you would like developed.

CHAIR: The question that arises from that for me is: how secure is any digital identity?

Mr Boyd : I suppose I would answer that with another question: how secure is a drivers licence nowadays? We know that there is a high volume of false documents and it is relatively easy to buy them on the internet or manufacture.

Senator SINGH: In fact, banks are kind of making it easier, though, to be honest, to use credit cards. I am not doubting that, at the same time, you are looking at these issues of security. For example, I know, when I have used my credit card online or something or maybe transferred money to a new account that I have not transferred to before, that I have to get a text message from the bank to put in a code to use on the internet. Obviously, it is my phone, but presumably there are ways around all of that for criminals as well. But it is easier these days to use your credit card, for example. I know there has been a move to go to the four-digit PIN system, which is a good thing, but, then again, you can actually purchase anything under $30 or whatever it is with no PIN or anything. It is a catch 22, in a way, isn't it? There is this rise in your statistics of these IT criminals or whatever we call them—cybercriminals—but at the same time we live in an IT world and we all want to access and use these tools.

Mr York : I think we have to balance that against the personal crime. You have to really look at the statistics. I believe—and this is only my belief—there has been a displacement from this personal crime; violence has moved to fraud. Is that better? I do not think we are going to stop criminals.

Mr McMeekin : Could I step in there. I am the cautionary tale at this table. As head of security for ANZ my mandate is to manage threats to the security of the bank from the external environment. We have an obligation to maintain a safe, secure and healthy environment for our people and to maintain control of our assets. And that is very heavily regulated. There are compliance obligations, and expectations are very heavy. They are transnational; they are stringent.

I do not contest the direction of the conversation here; there is a heavy move towards the modernisation of crime; to take technology-enabled crime away from people-to-people violent crime. Unfortunately, that violent crime—foundational crime, if you will—still exists. It is still a very heavy threat and it is a threat to the safety and welfare of people. Just coincidentally I ran across, in my recreational reading last night, a figure for the UK: 22 per cent of households said that they had suffered an attempt on their bank account over the net. That is like someone walking along the street and trying your door. It also said that 10 per cent of people still recorded they had actually suffered personal crime; someone actually went through the door—burgled them, assaulted them, picked their pocket, attacked them—and these crimes continue. Unfortunately there is no going away from it.

These crimes are getting more complex in our transnational world. Partly it is because there are still people who commit armed robbery, extortion, assault. We had a shooting in a bank last week in South Australia. Two shots were fired in a BankSA branch during an armed robbery. It continues. It grows. Organised crime has a very physical manifestation, far beyond what we are discussing here. It does go to a very personal confrontation with people and their safety. It goes to kidnapping and extortion. The new-age spates of terrorism manifest themselves not only in the financial crime aspects but in the violent crime aspects too.

Against this, we are also expected to be first responders. We are expected to maintain our regulatory obligations, our social obligations. We are expected to be the first investors in establishing and maintaining a protected environment; responding to threats and carrying forward people's interests. To do this, we spend tens of millions of dollars annually to meet our obligations.

So, while this is growing and while my colleagues are looking forward, I am the 'ghost of Christmas past'—as we were discussing outside before—in that these things are still happening and they are still going forward. They are still very real issues that we need to understand when we are dealing with regulation and legislation with our police colleagues; working out ways of managing ourselves going forward and protecting our people. It is their safety that is involved.

Senator SINGH: I think that is where it is interesting for this committee—your recommendation at the end of your submission in relation to this early intervention and early identification; connecting with Interpol and Customs and Immigration and so on—as legislators and committee members of the Joint Law Enforcement Committee. Can you elaborate on how you would see the Commonwealth law enforcement agencies playing some kind of role in this idea you have of early intervention?

Mr York : If that is of interest to you, I would like to do an additional submission on that, because there is a bit to go through. But can I say that two or three years ago I was at the Australian Crime Commission, working as a senior member of the organisation, with access to a whole bunch of tools. One of my tools was financial organisations. I could demand information from them. The other side is: we give information but we cannot add value because we cannot be told any context. We might know a hell of a lot. Between us, we would know a lot about where things go—even second- and third-level transactions. But, unless we know what the situation is, we cannot add value at all. This inability to share information—from all the agencies, basically; I do not think there is any agency that can share information—is one of the things that frustrates us because we are seeing it at the front line.

Mr McMeekin : Trusted information sharing is absolutely essential to our line of work. It is not an instinct in the Australian system, I think, because of the separation of agencies from corporate life. Corporations do employ people like us to make sure we manage it on our side, but the instinct is not sharing. It has developed. If you look at the resilience sector, for example, the Commonwealth has recognised that the private sector owns and operates 94 per cent or 97 per cent of Australian critical infrastructure and it has started to react accordingly; to understand and to share. But the instincts still are not there.

For example, I am on the board of the International Security Management Association—with a great number of American colleagues; a lot of the meetings are in the US. The instinct there is far more about sharing. I will sit at a forum in the US and have a far more active engagement from federal authorities, a far more open and trusting engagement, than instinctively might be the case here, simply because of the rules that are set in place; properly to protect public information, but there are ways around that; managed, structured, legitimate ways to ensure that we do have the information we require to proactively play our roles.

Mr MATHESON: Chair, I would just like to reflect on what Mr York said in relation to having the tools to obtain information from financial institutions. Police or law enforcement agencies are suggesting that there are substantial delays in relation to the information being supplied and that sort of hinders our investigations. Do you think there should be some sort of legislative reform to put time frames on when financial institutions should supply that information? It does seem like the lag hinders investigations.

Mr York : I will preface this by saying we get requests, warrants and court orders from family law courts, from other parts of the government, from private solicitors—there is a gamut of things relating to our clients in their normal day-to-day business. On top of that, there are the law enforcement type inquiries. Just recently there has been some law reform that they can serve a notice on us without going to warrant. I am not sure but that might be in every state now. It is definitely the case now in Queensland. I think that sort of reform has to go through which makes it easier for us to have a discussion with law enforcement about what they need rather than having a warrant that says, 'we want everything'. That costs both parties time. But again you run into this part about: what can they share? And, if you have a prudent law enforcement officer, they are more likely not to share as much as they probably could share, and that increases our time. But, if there is a quicker way, we are interested to look at it, because it is dead money for us. You look at our work—for our shareholders, it is dead money.

Mr Stacey : I would like to amplify those comments.

Mr Boyd : I have heard those suggestions by law enforcement agencies. In my experience they are the exception rather than the norm. I think the norm is that we have a number of people in the organisation responding to literally hundreds of 'notices to produce information' every day; be it from the ATO, Centrelink, law enforcement agencies or other bodies. Of course we are trying to respond, and many of those notices or requirements will already have time frames specified in them to respond. So I would counsel against suggesting any reforms required there.

In my experience the best exchanges occur when there is the ability to exchange information around what law enforcement are actually after. The worst scenario is when you get broad warrants and notices because either law enforcement either do not know what they are after or do not know what might be available. If the notices are tailored to the particular evidentiary or investigation needs, the response time can be much quicker because we can target the search of our records. Also, with law enforcement we have worked on real-time information sharing under particular notices as well. I think we have had some very good examples of that bearing fruit recently with Victoria Police. I have read their submission to the committee. My experiences with Victoria Police are somewhat different, in that they worked very well in real time with us recently on arrests of Romanian criminal gangs targeting ATMs with skimming devices. Using real-time information sharing with VicPol led to a number of arrests recently.

I think there is a willingness there with law enforcement and industry to disclose and to share as much as possible as quickly as possible to the right outcome. I think we need to perhaps get away from this suggestion that banks are part of the problem. We are part of the solution, if you equip us and enable us to be part of that solution.

Senator O'SULLIVAN: I want to go right back to the beginning and put some things into perspective. Fraud with financial institutions has been there forever; I think it is the oldest profession. In the last 30 years, financial transactions have increased in terms of volume. I imagine it has been an exponential increase. Traditionally, 30 years ago, we might have taken an amount of cash out on pay day and that would have lasted us for the week. In terms of the ratio of people committing fraudulent events with financial institutions versus our general population, for example—do you have any statistics on that? Has anybody done any research on that over the last 30 years?

Mr Stacey : I would be surprised if we had 30 years of statistics that we could use to correlate the two. Also I would note that one of the differences since the start of the real growth of the internet is that you are no longer looking at a localised population. Financial crime now is transnational and goes across borders; it is stateless. In that sense, you are looking at two different population pools; from your domestic population pool pre-internet, to a global population pool. So I suspect, even if we had the data, it would not be a true comparison as to whether—

Senator O'SULLIVAN: You would have to break it up. Okay. I understand that. Going to your notices, do you have any policy hierarchy when those notices arrive? For example, does a notice from law enforcement get priority over one from a family court? Or can it?

Mr York : It could be. But they are prioritised around the date that the information needs to be sent back. Would law enforcement go over an ATO request? Where there was contact from law enforcement, we would oblige as much as we could.

Senator O'SULLIVAN: There is some discretion?

Mr York : There is discretion about prioritisation, and that would be done at manager level. That is all recorded, and all those decisions could be reviewed. But I think that, if there was a communication and some understanding of the priority, my team would deal with it that way.

Senator O'SULLIVAN: My final question is in two parts. Do you accept that banking credentials are probably the most common method for individuals to prove identity versus passport? If I am asked for proof of who I am—I am not talking in a banking or financial sense now—if I am about to board a plane, and they want to know that I am the ticket holder, mostly people would produce some sort of financial credential, a credit card or something.

Mr York : Usually, around the world, it has to have a photograph on it, and it usually has to be government issued. So, a licence is the most—

Senator O'SULLIVAN: No, I am not going there. Let me ask the second part of my question, and you will understand my thrust. Do you have any figures, in terms of where identity theft occurs, on the extent to which the intent of the offender is to exploit that for financial gain from the individual whose identity they have exploited, versus the use of that identity to commit other offences or to conceal other offences away from financial fraud offences? Does that make any sense?

Mr Boyd : I think I understand the question. I think the primary driver for identity theft is still financial gain from that individual's credentials.

Senator O'SULLIVAN: Which has a life, though, doesn't it—that has a life?

Mr Boyd : Correct. So, what you will see in the internet underground, for example—what they call the dark web—are sites that sell compromised identities and/or credentials. And their value drops over time, quite quickly, because people know that once the information is compromised and sold it will be exploited and/or turned off, because we actually have ways of identifying what has been compromised and turning off access or use of those credentials too. So, the credentials have a diminishing time value.

Senator O'SULLIVAN: Does it follow, then, that you would not know of other events where that identity has been used to commit another offence or for some other purpose, other than when it impacts on the financial arrangements of the person whose identity has been stolen? That is the crux of my question.

Mr Boyd : That is possible.

Mr McMeekin : Perhaps I could add that there is a very interesting follow-on here in that identities in this modern world can now be very thoroughly compromised and stolen. So, a victim of identity theft can find their entire modern life taken from them. We worry about the financial aspects—that their money is stolen from them—but there is everything built around that, and it is all interconnected, such as their driver's licence, their passport, their home; there are houses being stolen now. So, it is a very comprehensive matter. And this has been recognised in the establishment operating from Queensland of a not-for-profit group called ID Care: Australia and New Zealand's National Identity Theft Victim Support Centre, which is trying to deal with this. They would have a very comprehensive view of what happens to the victim and how difficult it is for the victim to get their life back after a very comprehensive identity theft has taken place.

Senator O'SULLIVAN: This is my point: as people who will be asked perhaps to consider legislative changes to deal with this, we seem to have an idea that where identity threat occurs there is data there about its impact in terms of this thing that has a beginning, a middle and an end—that is, 'I am going to financially exploit my position, I'm going to be financially rewarded and I know this has a life of hours or days or not much longer.' My interest lies in what you have just said, Damian: outside of that. Does anybody have any sense of the sheer volume of identity theft application away from this strict financial fraud circumstance?

Mr McMeekin : I think we are on a learning curve there ourselves. We can see only what see can see, and we see the financial loss. It goes beyond a number of mandates and jurisdictions.

Senator O'SULLIVAN: Would you regard it as substantial?

Mr McMeekin : Potentially, yes—very substantial. But actually I think it is limited by the ambitions of the criminals who take it, and those ambitions can be quite limited, an immediate—

Senator O'SULLIVAN: Obviously I am coming from an angle of state security, in my own mind, in the sense that one of the ways to function in a modern world if someone is looking for you is to be somebody else, obviously. But one final question—because each of us on the committee has limited time—would be, have you ever looked at the number of times there has been identity theft that could have been exploited for financial gain but was not? So, out of the incidents that you have where you realise there has been a breach, some of them go to the conclusion of committing fraud, and others do not. Is there any sense of that?

Mr York : We had an example of the target hacking in our submission. I think the conclusion was that there was not a great deal of fraud out of that. So, what happened to the information? Where is it being used? That is the sort of unknown area. We do know that fraud was committed, but certainly not outside what was expected.

Senator O'SULLIVAN: I would have thought that that example was difficult, because it would be like falling into a truckload of Smarties—you could eat only so many of them before the truck stopped. I am talking about a general-trend effect whereby clearly you have had, on average, 200 security breaches a day that you learn of and you realise that for only 30, 40, 50 or 70 of them they have activated on someone's account or committed fraud. But I get the picture.

Mr York : One thing about your Smarties analogy is that criminals share the information, and they can quickly share it through the internet. So, it is not just you eating the Smarties; it is everybody out there in the market. It is criminal sharing of information that is a new trend.

Mr WOOD: Every single day members of parliament will receive in our inboxes emails from someone purporting to be a bank, such as ANZ; 'We need your credit card details'. And I know in my electorate every day someone gets one of those. I assume it has got to the stage where the targeting is so massive that it is not investigated. Or do you have a certain section that starts trying to work out where the source is? I know most of the time it is from 15 countries overseas.

Mr Boyd : It is a prolific problem, but we are tackling it daily. So, we do have people in the bank whose job it is to detect that phishing email production, trace it back to the site where they are seeking the credentials, which is trying to mimic the bank's site, and getting that site taken down.

Mr WOOD: So, do you want to be notified by customers? Or do your guys pretty much already have the techniques to find out what is happening?

Mr Boyd : We proactively look for it, but we also of course listen to our customers. One thing we have been doing more recently is alerting customers to the latest scams using Twitter and Facebook and other social media, and likewise customers give us real-time feedback through some of those channels around what they are seeing—getting that flow of information, which is part of the other challenge here: how do we keep educating the community around these things? The ACCC's recent SCAMwatch campaign, for example, is exactly what we need more of—helping to educate our community around these things as well.

Mr MATHESON: I have a question about the PayWave system that financial institutions have thrown out there into the community. It seems that you do not have to obtain anybody's identity but you can take their card and spend up to $100 at any one given place. It seems that banking institutions have made it easier for people to access credit without showing any identity and using the card on a regular basis. Is there any feedback on fraud in relation to that PayWave system? Damian, I think you touched on social obligation. Even on that PayWave system, you can be overdrawn and get charged fees for being overdrawn and not know that you are overdrawn. So, I think there is a real problem in relation to that. I have a 23-year-old daughter, and she can be overdrawn on her PayWave system and she does not even know about it and gets hit with fees. To me, that social obligation is lost a little bit. I know that is off on another tangent, but do you have any thoughts on the PayWave system in relation to fraud?

Mr Boyd : The overdrawing part is I think a separate issue. That will be around the particular institution and its agreement with the customer around what the limits are for that customer. But the PayWave mechanism itself is not a large driver of fraud losses for consumers or the banks. It is actually very popular with consumers too, because it is very convenient, and it is popular with merchants because it is fast. And at the moment with the low thresholds on that mechanism I do not think it is a realistic large threat to fraud losses. I think some of the other issues we have been discussing are much bigger threats in terms of financial loss and customer inconvenience.

CHAIR: Does that have the potential to expand with the proliferation of near field communication with your mobile devices and those sorts of things, not just your card?

Mr Boyd : That remains to be seen, but I think what we are seeing is that that is not the biggest threat right now. I think it is technologically very interesting and therefore attracts a bit of attention. Whether it is a significant threat I think remains to be seen at the moment.

Mr McMeekin : I think it needs to be known too that the protective algorithms that run across any credit card transaction or debit card transaction run across these transactions too. So, any unusual behaviours will be picked up and will be acted on and you will get a phone call, and the banks will reimburse you in Australia if you are being defrauded.

Mr Stacey : And perhaps I could make a big-picture comment on that, in that the banking market is a very competitive market. We may be here together today as members of the banking industry, but the competition is ferocious, and banks compete on customer experience and reputation. So, regarding the comments in terms of PayWave and the advances in technology, this is all about making the banking experience for customers more convenient, more accessible, and better from a customer perspective. But if at the same time you compromise—and by 'compromise' I mean that you do not take appropriate protective measures to protect the customer's financial relationship with the bank—you actually risk your reputation. And if you risk your reputation, you risk your business. So, at a base level it is in banks' financial interests to make sure that there is commensurate protective safeguards to protect customers' money in relation to these new channels of accessing it.

Mr York : And also where there is a general fraud of course we reimburse the customer. It is overriding, so we become the victim.

Senator O'SULLIVAN: There is that wonderful old saying that a fool and their money will soon be parted. How do you deal with that aspect of what happens? I do not want to make light of this, but it still amazes me that some people will send $5,000 to a Spanish lawyer in response to a letter that has 800 spelling mistakes and only 700 words in the letter. How do you deal with that? Sometimes in society if someone cuts their finger with a bread knife we are all buttering our toast with our thumb for the next 12 months. And this is a serious question, because sometimes we regulate to help in these situations. How do you deal with that within your policy settings?

Mr Boyd : I think the answer to that has to come back to that consumer awareness. It is helping to bring our community up to an understanding of these risks that are out there. And banks have a role to play in that. For example, I received an email from an online financial provider with a notice around educating me on things I should and should not do. So, I think we have a role, and I think government has a role and the agencies have a role to keep that awareness and education campaign out there, because, as you correctly state, Senator, you cannot regulate for everything. But information and education is power.

Senator SINGH: The problem with that is that sometimes the education could be dodgy itself. It could be a fake bank identity, and you get this email and you think it is whatever bank telling you to take these steps or change your security or do whatever, and you have to kind of weigh up whether it is real or not: 'I don't think this is from my bank.' But your average Joe out there may just take it as given that it is from their bank.

Mr Boyd : That is why we have the other steps as well. So there are other things around take-downs and around having the Facebook communication channels, the customer hotlines and the other controls in the back of operations as well. A layered and holistic solution is required, but I still think we can do more and continue to do more to things like SCAMwatch, a trusted place for the community to go to for education. We need to keep pointing the community back to that trusted place.

Senator O'SULLIVAN: I think we should legislate ourselves back to the 1950s, when the entire family had one passport between them.

Senator SINGH: I don't agree with that!

CHAIR: Thank you all for your time today. A copy of the Hansard transcript will be made available. If we have any further questions, we will certainly come back to you to get the answers to them. We greatly appreciate your time and your appearing before us today.