Australian and regional regulatory responses to the key challenges of consumer protection in electronic commerce (March 2008)
3.1. Consumer protection
- 3.1.1. Trade Practices Act
- 3.1.2. Australian Guidelines on Electronic Commerce
- 3.1.3. Consumer Credit Code
- 3.1.4. EFT Code of Conduct
In Australia, the issue of consumer protection for electronic commerce is dealt with through a mix of legislation and the development of industry codes of conduct. However, the value and relevance of these Codes of Conduct varies widely.
3.1.1. Trade Practices Act
In Australia, the Trade Practices Act 1974 (Cth) (TPA) generally applies to corporations rather than individuals. It will apply to individuals who are engaging in interstate trade or commerce or aiding or abetting a breach of the Act by a corporation. The actions of individuals are otherwise covered by equivalent State or Territory trade practices legislation.[16]
If an organisation is incorporated in or carries out business within Australia it is bound by the trade practices legislation. Breach of the trade practices legislation by a corporation or individual may result in significant fines and in some cases criminal liability. The TPA defines a consumer as a purchaser of goods or services for less than A$40,000 or if the price exceeds A$40,000, where the goods or services are of a kind ordinarily acquired for personal, domestic or household use or consumption (section 4B).
The TPA impacts on the Internet in the following areas:
- Implies terms and warranties into certain transactions
The TPA implies into all consumer contracts a number of non-excludable conditions and warranties including that goods are supplied with a matching description (section 70); are of merchantable quality (subsection 71(1)); are fit for purpose (subsection 71(2)); and, any warranty of services will be rendered with due care and skill (subsection 74(1)). Any term of a contract that has the effect of excluding, restricting or modifying rights or liability under these implied terms will be void.
- Prohibits unconscionable conduct and contracts
Generally, unconscionable conduct occurs whenever one party to a transaction is at a special disadvantage in dealing with the other party because of illness, ignorance, inexperience, impaired faculties, financial need or other circumstances affecting their ability to conserve their own interests, and the other party unconscionably takes advantage of this opportunity (Blomley v Ryan).[17] Whether a Court will identify conduct as unconscionable will depend on all the circumstances of the case.
- Prohibits misleading or deceptive conduct
With regard to the Internet, it may be misleading or deceptive conduct where a consumer is or is likely to be misled or deceived by a statement on a website, or where it is unclear when a user has moved from one website to another. The use on websites of internal and external links, frames, meta-tags, the location and prominence of disclaimers and content generally must not be misleading or deceptive to the extent that goods or services of A are passed off as those of B. Misleading and deceptive conduct is prohibited under section 52 of the TPA. A recent example of this type of investigation is the action by the Australian Competition and Consumer Commission (ACCC) against Google Australia and Trading Post for allegedly disguising paid advertising as a legitimate search result.[18]
3.1.2. Australian Guidelines on Electronic Commerce
The Australian Guidelines for Electronic Commerce were released by the Treasury Department in March 2006 with the aim of enhancing consumer confidence in e-commerce by providing guidance to businesses on how to deal with consumers when engaged in business-to-consumer e-commerce.[19] They replace the e-commerce best practice model previously released by the Department in May 2000.[20]
The Guidelines contain provisions on a number of matters including:
- Fair business practices;
- Accessibility and disability access;
- Advertising and marketing;
- Engaging with minors;
- Disclosure of a business’s identity and location;
- Disclosure of a contract’s terms and conditions;
- The implementation of mechanisms for concluding contracts;
- Adopting privacy principles;
- Using and disclosing information about payment, security and authentication mechanisms;
- The establishment of fair and effective procedures for handling complaints and resolving disputes; and
- The law and forum for the resolution of contractual disputes.
The Guidelines have no enforcement provisions, complaints process or administrative structure. They are yet to be adopted or implemented by any industry body. In these circumstances they are best seen as a ‘virtual code’, which gives some useful guidance to business, but to date provides limited consumer protection.
Released at the same time as the Guidelines was a Checklist for Business-to-Consumer E-Commerce in Australia, which seeks to enhance business awareness of key issues to be considered when dealing with consumers through e-commerce.[21] The checklist contains a list of issues that should be considered by businesses when transacting with consumers online, including that the contract terms are clear and easily accessible by the consumer and that appropriate steps are taken to protect the consumer. Further details on how to implement these measures are contained in the Guidelines.
3.1.3. Consumer Credit Code
The Uniform Consumer Credit Code (UCCC) applies to credit purchases generally, and is not restricted to electronic transactions. Consumers who purchase goods or services or other things using credit are protected under the Consumer Credit Code 1996.[22]
Despite what the title suggests, the Code actually is a legislative instrument; it operates Australia wide and each State has enacted mirror legislation (for example, the Consumer Credit (New South Wales) Act 1995 (NSW)).[23]
The Credit Code will regulate credit transactions when a consumer uses the credit for household or domestic purposes, the period for repayment exceeds 62 days and there is a charge made for the provision of credit (for example: interest). In most cases the Credit Code regulates credit cards, home loans, personal loans and also regulates associated mortgages and leases.[24]
In 2006 the Code was amended. A new section (164A) was added providing that any credit contract, mortgage or guarantee referred to in the UCCC could be made in accordance with the electronic transactions laws of the relevant jurisdiction. Through each state’s Electronic Transactions Act (ETA), electronic documents have the same legal status as their traditional counterparts, and the UCCC amendments would primarily serve to confirm this in the case of credit transactions. In Western Australia, South Australia and NSW, however, regulations currently exclude the UCCC from the effects of the ETA, and these exclusions would cease to operate under the UCCC amendments.
Additional consumer protection measures appear in the amended legislation, including a legibility requirement (at clause 6), and the possibility (in the inserted s 164A(3)) of excluding particular classes of transactions or information, so that these could not be handled electronically.
3.1.4. EFT Code of Conduct
The Electronic Funds Transfer Code of Conduct is the main regulatory instrument in Australia for providing consumer protection in electronic payment systems.[25] The EFT Code covers any business to consumer electronic transfer of value. Business to business electronic transfers of value will be excluded where the product being used was intended primarily for business use.
An ‘electronic transfer of value’ includes coverage of credit cards in some circumstances, but not where a signature is obtained. It certainly includes EFTPOS, ATM transactions, most Internet and telephone banking transactions, direct debits and direct transfers.
Stored value products, such as electronic purses and stored value smart cards, are currently included in a separate section of the Code – Part B.
Specific requirements of the Code include:
- Terms and conditions must be provided to consumers;
- Records of transactions must be available to consumers;
- Audit trails must be kept;
- Privacy provisions mirroring federal privacy legislation for the private sector must be complied with, plus some specific EFT industry privacy guidelines; and
- Complaint investigation and resolution procedures must be in place.
Of course, the most important section of the EFT Code is the section apportioning liability for unauthorised transactions. This includes coverage of:
- Access methods;
- Security and disguise of codes;
- Contribution to loss;
- Fraud and negligence;
- Lost and stolen cards or devices; and
- System or equipment malfunction.
While the EFT Code has always been voluntary, it has been a very successful and popular code with both business and consumers and has achieved a very high rate of industry coverage.
The EFT Code is currently undergoing a major review. During this review some financial institutions have sought changes to the liability for unauthorised Internet banking transactions. Two key suggested liability reforms are the subject of current debate:
- Increased liability for consumers who fail to secure their personal computers; and
- Increased liability for consumers who respond to social engineering attacks.
Although there have been some changes in the vulnerability of Internet banking since the last review of the Code (for example the growth in social engineering attacks), there does not appear to be any justification for changing the overall liability regime in the Code. Financial institutions remain in the best position to address security issues in Internet banking, and the responsibility of consumers is already fairly addressed in the Code.
Consumers will be seriously disadvantaged if they are required to accept any additional liability resulting from malicious software attacks and/or failure to adequately secure their computer.
Some financial institutions appear to support (either through submissions to the Review or in terms and conditions) an increase in consumer liability where there is malicious software on their computer. In the absence of clear direction from the EFT Code, terms and conditions are likely to be extremely harsh for consumers. For example, one bank (Westpac) has already included a Spyware Clause in their terms and conditions:
If you knowingly use a computer that contains software, such as Spyware, that has the ability to compromise access codes and/or customer information, you will be infringing our rules for access code security referred to above and we will not be liable for any losses that you may suffer as a result [emphasis added].
Enforcing such a Clause would be difficult, but its presence may be a deterrent to a consumer with a legitimate EFT complaint, if for example they believe their complaint may result in an intrusive investigation into the contents of their personal computer.
It is also difficult to envisage circumstances in which account holders have displayed such a degree of carelessness in ensuring their computer meets minimum security requirements that liability should be imposed upon them for any resultant financial loss from a malicious software attack.
In addition, the task of defining acceptable ‘minimum security requirements’ is problematic. Internet malware is a moving target. Security risks and technical attack vectors change. It is unreasonable to expect that end-users are aware of these risks and attacks, or that they are capable of monitoring and responding to changes. Financial institutions on the other hand have specialised security resources and processes that are dedicated to addressing these risks.
It would appear more practical and economically efficient for measures to be implemented at the financial institution end since the protection afforded would then diffuse from a central point to the entire base of consumers utilising Internet banking services. Moreover, many of the developments in security in recent years would not have occurred if the security effort was more diffuse – i.e. in the hands of consumers rather than financial institutions.
Also, the current liability regime for unauthorised transactions should not be modified so as to expand the situations in which account holders will be liable for financial losses flowing from phishing attacks. It is financial institutions who should bear the primary responsibility for implementing solutions to combat forms of online fraud including deception-based phishing attacks.
There are a host of potential solutions that are available to financial institutions to combat phishing and other attacks their customers may be subjected to online. These include:
1. Two-factor authentication solutions; and
2. Website authentication solutions, which can be installed at either the server (financial institution) or client end.
Two-factor authentication refers to the use of a dual-layered approach in order to verify the identity of an end-user to a server. For example, an end-user may be required to supplement a password they have memorised (something they know) with something they have (such as a hardware token that produces a random sequence of digits at pre-determined intervals) or something they are (such as a fingerprint or other biometric data).
Two-factor authentication generally represents the limits of what financial institutions in Australia are currently implementing in response to online fraud such as phishing attacks. However, the technology provides only marginally improved resistance against phishing attacks.
There is, for example, a significant possibility that the passcode displayed to a bank’s customer by their hardware token can be intercepted through the use of a spoofed website designed to falsely appear to belong to the customer’s financial institution. The website, if a convincing spoof, could cause the customer to provide the passcode displayed on their hardware token. The fraudulent party who created the spoofed website could then immediately use the passcode to log in to the customer’s account as part of a replay attack (assuming they also know the customer’s username and password). An example of this occurred recently when account holders with Dutch bank ABN Amro had money stolen from their accounts by fraudulent parties using this very method to circumvent the bank’s use of two-factor authentication.[26]
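As an added illustration (not part of the original paper, and not any bank’s code) of why a time-synchronous token code gives only marginal resistance in the scenario just described: the token seed, the 30-second step and the six-digit format below are constructed assumptions in the style of RFC 6238, and the verifier is a minimal server-side check with the usual single-use replay control. The point it makes is that the code itself carries no information about where the customer typed it, so the bank cannot distinguish a relayed code from one entered directly; single-use only refuses the second submission, which in this scenario is the customer’s own.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real token's seed is provisioned by the issuer.
SEED = b"constructed-demo-seed"
STEP = 30        # seconds per code, typical of time-based hardware tokens
DIGITS = 6


def token_code(seed: bytes, t: int) -> str:
    """Code the hardware token would display at Unix time t (RFC 6238 style)."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class BankVerifier:
    """Server-side check: the code must be correct for the current time step,
    and each step may be consumed at most once (the usual replay control)."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.consumed = set()   # time steps already used for a successful login

    def verify(self, code: str, t: int) -> bool:
        # Nothing in the code says where the customer typed it, so the
        # verifier cannot tell a relayed code from one entered directly.
        if not hmac.compare_digest(code, token_code(self.seed, t)):
            return False
        step = t // STEP
        if step in self.consumed:
            return False        # a second use within the same step is refused
        self.consumed.add(step)
        return True


def relay_scenario(seed: bytes, t: int) -> tuple:
    """The customer types the current code into a spoofed page at time t; the
    relayed code reaches the real bank seconds later, before the customer's
    own attempt. Returns (relayed_accepted, customer_accepted)."""
    t0 = t - t % STEP                       # align to the start of a step
    bank = BankVerifier(seed)
    code_shown = token_code(seed, t0)
    relayed = bank.verify(code_shown, t0 + 5)     # same step: accepted
    customer = bank.verify(code_shown, t0 + 10)   # refused as already used
    return relayed, customer
```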
[16] See for example the Fair Trading Act 1987 (NSW) and the Sale of Goods Act 1923 (NSW).
[17] (1956) 99 CLR 362 at 415 per Kitto J, <http://www.austlii.edu.au/au/cases/Cth/high_ct/99clr362.html>.
[18] <http://www.accc.gov.au/content/index.phtml/itemId/792088>
[19] Australian Government, The Australian Guidelines for Electronic Commerce, 17 March 2006, <http://www.treasury.gov.au/documents/1083/PDF/australian_guidelines_for_electronic_commerce.pdf>.
[20] Expert Group on Electronic Commerce, Building Consumer Sovereignty in Electronic Commerce – A Best Practice Model for Business, Treasury Department, May 2000.
[21] Australian Government, Checklist for Business-to-Consumer E-Commerce in Australia, 17 March 2006, <http://www.treasury.gov.au/documents/1086/PDF/ecommerce_factsheet.pdf>.
[22] <http://www.legislation.qld.gov.au/>
[23] <http://www.legislation.nsw.gov.au/>
[24] More information about the Code can be obtained from its website – <http://www.creditcode.gov.au>; see also the following fact sheets – <http://www.moneymanager.com.au/tools/factsheets/credit_code.html> and <http://www.oznetlaw.net.au/facts.asp?action=content&categoryid=216> (Part B).
[25] <http://www.asic.gov.au/fido/fido.nsf/byheadline/Electronic+Funds+Transfer+(EFT)+Code+of+Conduct?openDocument>
[26] Out-Law.com, Phishing attack evades ABN Amro's two-factor authentication, 18 April 2007, <http://www.out-law.com//default.aspx?page=7967>.