Fines for failing fraud protections

As regulators place a greater emphasis on facilitating switching between providers, protections against SIM swapping and similar scams will be all the more important

Telstra found to have breached anti-fraud rules regarding customer verification

On 17 July 2024, the Australian Communications and Media Authority (ACMA) announced it had issued a A$1.5m (£776,000) fine to Telstra for failing to comply with anti-fraud rules. According to an ACMA investigation into the operator’s operations between August 2022 and April 2023, Telstra failed to employ required customer authentication procedures for high-risk transactions. ACMA found that the operator had failed to comply with relevant consumer protection rules in 168,000 high-risk interactions, including 7,000 interactions involving vulnerable consumers. In addition to the fine, the regulator has agreed to a two-year enforceable undertaking through which Telstra will appoint an independent consultant to review its compliance with anti-fraud rules.

Operators must verify the identity of a consumer before performing a range of high-risk transactions on their behalf

According to the Customer Identity Authentication Determination from 2022, operators in Australia are required to use multi-factor authentication processes to verify a consumer’s identity when completing some transactions considered high-risk for scams or fraud. ACMA gives a number of examples of likely high-risk transactions regularly undertaken by operators, including:

  • SIM swaps;

  • Transfers of titles or changes of account ownership;

  • Adding additional phones to an account;

  • Activating an overseas service; and

  • Transferring from a postpaid to a prepaid service.

Operators can ensure compliance by requiring consumers who initiate high-risk transactions to authenticate their request by accessing a secure hyperlink or verification code delivered to their registered phone number or a verified app. When operators initiate the high-risk transaction, they must also complete a multi-factor authentication process by having consumers confirm at least two pieces of personal information relevant to the account, including their name or their registered phone number. Under the Determination, operators are also required to identify consumers who may be at particular risk of fraud and implement mitigation measures, such as pausing high-risk transactions related to their account and sending the consumer additional notifications about suspected fraud.

Preventing SIM swapping and other consumer account fraud will be more important in the context of easing the process of switching carriers

ACMA’s enforcement action against Telstra is unsurprising in the context of the country’s ambition to be the “world’s hardest target for scams”. However, other regulators from around the world, including the US Federal Communications Commission (FCC), have recently taken action to prevent SIM swapping as well as “port-out” fraud. Similar to ACMA’s rules on multi-factor authentication, operators in the US are now required to employ additional secure authentication measures to confirm a consumer’s identity before redirecting a phone number to a new device or carrier. As other countries, including the UK, work towards making the operator switching process easier for consumers, measures to prevent increasingly common types of fraud which rely on gaining wrongful access to consumers’ telecoms accounts will be all the more important.