Transcript: Anna Bligh ABC Radio Melbourne Drive – cybersecurity

ABA CEO Anna Bligh spoke with ABC Radio Melbourne Drive’s Raf Epstein, on what banks (and customers) are doing to be more secure from scammers.

Raf Epstein Anna Bligh, the CEO of the Australian Banking Association. And I wanted to know, that thing the ACCC boss wants, are any of the banks doing anything like that right now?

Anna Bligh  Well, I think most customers will know that when they make a transfer of funds to accounts that they haven’t used in the past, many banks will actually hold that transfer for 24 hours. And they’ll send you a message to that effect. It is an extra check to make sure that you really did mean to send money to that merchant. But I don’t want to pretend that there’s not more that can be done all the time.

There are very, very, very sophisticated criminal gangs out there for whom scamming is big business. And every time banks close the door on one scam, many of these criminals go around and find another one. And it’s a constant investment by banks in IT, upgrades in cybersecurity, in forensic software, in educating their customers. You know, the bank robbers of the 21st century do not use sawn-off shotguns – they are sitting at a computer trying to get into your account and trying to trick you into letting them in. And that’s a constant upgrade for banks.

“The bank robbers of the 21st century do not use sawn-off shotguns – they are sitting at a computer trying to get into your account and trying to trick you into letting them in.”

ABA CEO Anna Bligh

Raf Epstein  If I can break this bank account issue into two separate issues. The ACCC Chair was saying, if someone feels like maybe they’ve had a problem with Medibank, they’ve had a problem with Optus, then the banks should make extra checks. Once that person’s told you “hey, my details have been hacked” –  the ACCC want the banks to do extra checks when someone sets up an account. Do the banks do that?

Anna Bligh Well they’ve certainly flagged those customers who they know have been the subject of a data breach. Remember, banks can see into your account. So if you’ve made a payment to either of those companies (Optus or Medibank) that have suffered a data breach, they’ve already got a flag. And if you’re suddenly transferring a big amount of money, they would be holding that.

Raf Epstein So can I interrupt Anna Bligh, because I just wasn’t aware of that. So if I’ve got a regular account, even after I’ve just got a regular payment, going to Optus, my account might already have been flagged at the bank, just in case? Okay.

“Remember, banks can see into your account. So if you’ve made a payment to either of those companies (Optus or Medibank) that have suffered a data breach, they’ve already got a flag. And if you’re suddenly transferring a big amount of money, they would be holding that.”

Anna Bligh  And that’s just a precaution because, you know, banks certainly want to protect their customers. But the checking of your identity when you open an account, it’s already very rigorous as people would know, it’s 100 points of identification. And these are government documents that, well, I suppose nothing is beyond forgery, but it’s very hard to forge an Australian passport or a licence and something like a birth certificate. You’ve got to have all of those. Can criminals sometimes do that? maybe.

Banks have very strict requirements on what’s required, when they open an account for anybody whether they’ve been an Optus customer or not. But you know, the ACCC’s got ideas that they think the banking industry should be looking at. I think banks would be very, very open-minded, because this is something that governments should be concerned about. It’s something banks need to be concerned about, telecommunications companies, as well as all the online payment platforms, more and more and more of us are doing our banking online, and we are buying our goods and services online. We are paying each other online. We’re transferring money online at rates never before seen. So this is something that requires millions and millions of transactions every day.

Raf Epstein And you mentioned the 24 hour block if I’m paying money to a new account. I’ve had plenty of feedback from listeners on the phone and on texts. People take more than 24 hours to realise they’ve been scammed. And a lot of people are very upset that once they’ve paid money effectively to a criminal who happens to have a legitimately held bank account, they can’t do anything about it. Do you think the banks need to do more than just hold the money for 24 hours?

Anna Bligh Well, of course, they let you know they’re doing that when you go to make the transfer, you’ll get a message saying this is a new payee. So we will hold it and that gives you an opportunity to think “oh, did I really send it to the right one?”

Raf Epstein People don’t think that’s enough Anna Bligh, they’re upset.

Anna Bligh It may not be, but it’s still, I think, worth doing. But one of the things that I think is really important for customers to understand is that there are some services that can help protect you better so many, many customers are now registered on a thing called PayID, which is where you can pay to someone’s phone number or to their personal email, or their company email so it doesn’t rely on a name of an account or a BSB number. Our mobile phone numbers are almost unique identifiers.

Raf Epstein Although Anna Bligh, can I interrupt, because I guess the problem with that is that people who are au fait about and understand and are savvy about these issues, the people that get scammed haven’t put those protections in. So I’m asking you specifically, is there something else that banks can do? I’ve let it go for more than 24 hours, I realise I’ve been scammed, tonnes of people complain. The banks say, “right, I can’t help you anymore”. Don’t the banks need to do more in that sort of situation?

“banks, you’re absolutely right, need to do as much as they possibly can. They built an entirely new payment system for the country that allows for this self-service called PayID. And you’re right, it’s still a pretty new thing out there. But that’s why I think it’s important customers know, that it’s very easy to set up. And people should certainly talk to their bank about it.”

Anna Bligh Well, I think, banks, you’re absolutely right, need to do as much as they possibly can. They built an entirely new payment system for the country that allows for this self-service called PayID. And you’re right, it’s still a pretty new thing out there. But that’s why I think it’s important customers know, that it’s very easy to set up. And people should certainly talk to their bank about it.

But as I said earlier, this is a constant effort. Are there more things that banks can be doing? Yes, no doubt. And there are things right now that don’t exist, but in six months’ time may well exist, that banks will be looking at. This is, as I said, a constant investment from banks in more secure systems, systems that keep people’s money safe.

But this is Scams Awareness Week, and I think it’s also important for all of us as customers, to be aware of what we can do. And there are some things that, unfortunately, people do get tricked into, you know, you’ll get a text message that says, go on to a certain link, and it’ll look like it’s quite legitimate. There’s one going around at the moment saying that you’ve got unpaid toll road fees, click on this link.

Raf Epstein Oh yes, I got that one.

Anna Bligh And if you click on links in those SMS texts, you are more than likely going to a scam site. Increasingly, businesses and government departments are not sending those kinds of messages. Never give your pin number out, you know, some really basic things – think twice before you click, particularly on a large transaction. You know, take every possible measure that we can.

Other things – are there new technologies out there that will get ahead of the scammers? I hope so, because these are very sophisticated criminal gangs. Banks want to keep their customers’ money safe. It’s one of the things that banks have always done. That’s why banks exist, it’s one of the reasons they exist. And I know there’s lots of very bright software, fintech companies that are working right now on, as I said, things that currently don’t exist, but which one day banks will hopefully be able to invest in.

Raf Epstein Just a final detail question if I can Anna Bligh, the ability to pull the money back. More than 24 hours has passed. I appreciate the new PayID system and everything, but do you need new laws or direction from government? Because there’s a lot of people that get scammed that can’t get their money back after they realise they have been scammed. Do you need a greater ability or legal power to suck some of that money back?

Anna Bligh It really depends on where the money’s gone. Unfortunately, all too often, the money goes pretty quickly into things that are impossible to trace, such as crypto exchanges, and they’re offshore crypto exchanges. And that money is almost impossible. 

It’s not legislation that stops banks from being able to track that money. It literally goes into the dark web. So it’s not necessarily legal powers. But certainly time matters. So if you have any concerns that your money might have gone to the wrong place, the faster you get to the bank, the faster they can get it. And, you know, some of these payments are real time, but many of them go through several steps. And banks certainly have, you know, they would all have examples of money that they either got all of it back or some of it back because they were able to sort of stop it halfway on its way somewhere. But yes, it is true that if you once you’ve got 24,48 hours gone, that money’s gone somewhere that’s untraceable and it’s offshore.

Raf Epstein  It’s clearly getting worse. I just wonder, do you have a way of measuring how much worse? How many more times people are getting scammed, how much extra money they’re managing to grift off people this year compared to previous years? Are there indicators for you that show how much worse this is?

Anna Bligh The ACCC has a Scam Watch program where people can report a scam. Now, I think everybody would understand that, not everyone’s going to report.

Raf Epstein I guess I’m wondering if the banks add up the totals like a dollar total?

Anna Bligh Well, banks can certainly, I know last year they (banks) refunded customers more than $300 million for money that had illegitimately gone out.

“I know last year they (banks) refunded customers more than $300 million for money that had illegitimately gone out.”

Raf Epstein 300 million?

Anna Bligh Yes, but, there’s certainly lots more money going. And I think the most recent data I saw from the ACCC, I know, just off right off the top of my head in terms of the farming sector, a 20% increase in scams in that sector this year. And that’s likely to be the tip of the iceberg. Many people don’t report it. I know I get scam attempts, sometimes it feels like daily, but, you know, thankfully, touch wood. I haven’t been trapped yet. But I think for all of us, it could happen at any time.

Raf Epstein And you’re confident banks are doing all they can, they are doing enough?

Anna Bligh I’m very confident that this is one of the number one issues for every bank CEO I speak to. This, and a data breach. These two things are what keeps them awake at night. I know they all significantly increased IT protections in the last two years, I think we’ve seen $19 billion dollars, go into protecting systems, better systems, building financial crime teams… If you took all the financial crime staff across all of our banks, that are spending hours every day, tracing these sorts of transactions, you know, numbers into the thousands. So these are very big investments that banks are making.

“Because often, by the time the money has gone out of a bank, the customer has already been in contact on their phone or online with these criminals. They’ve unwittingly given them access to information that allowed that criminal to get into their account. The bank is at the end of the line.”

Does that mean that between all of us we couldn’t do better? I think you never want to think like that, no one’s resting on their laurels. In fact, this week, the Federal Government announced they’re funding a new national scams centre that will bring together, in real-time, telecommunications companies, online payment platforms, banks, and law enforcement agencies.

There’s a lot of good information sharing, but we could do a lot better across that whole landscape. Because often, by the time the money has gone out of a bank, the customer has already been in contact on their phone or online with these criminals. They’ve unwittingly given them access to information that allowed that criminal to get into their account. The bank is at the end of the line.

We need to work right across the ecosystem and make sure that we’re all doing as much as we can. Exchanging real-time data between law enforcement agencies and other parts of that ecosystem, I think will go a long way to making Australia a safer place.

Raf Epstein Anna Bligh is the CEO of the Australian Banking Association. Thanks so much for your time.

---

---

Anna Blighbank branchesCybersecurityScamsTranscripts