ASIC ePayments Code
| | |
|---|---|
| Regulator | ASIC |
| Jurisdiction | AU |
| Status | live |
| Applicability | Platform |
The ASIC ePayments Code is a voluntary code of practice administered by ASIC that regulates
consumer electronic payment transactions in Australia. All major ADIs subscribe to the Code as a
condition of meeting community expectations and AFSL conduct obligations. The Code covers:
liability allocation for unauthorised transactions (zero liability for consumers who are not at
fault); mistaken payment recovery obligations (30-day recovery attempt); direct debit dispute
resolution (same-day reversal for valid disputes); and complaint handling.
The 2022 revision of the Code aligned it more closely with ASIC's IDR obligations and strengthened
the zero-liability framework for scam victims where the bank's fraud controls were inadequate. ASIC
may take action under s.912A of the Corporations Act if adherence to the Code falls below the
standard required for efficient, honest and fair conduct.
Compliance register
This register maps every material obligation under the ePayments Code to the platform control or
institutional process that satisfies it. It is the static traceability layer for the Totara
compliance report — dynamic data (module build status, test evidence, control test dates) is
overlaid at runtime.
Scope legend
| Symbol | Meaning |
|---|---|
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — training programmes, board governance, HR, legal. Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |
Build legend
| Symbol | Meaning |
|---|---|
| ✅ | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap — no module attributed |
Part A — Unauthorised transactions
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| Clause 11 | Bank is liable for losses from unauthorised EFT transactions unless the customer acted fraudulently or negligently (zero liability for blameless consumers) | 🤖 Automated | PAY-005 | MOD-149 (AUTO) — scam and unauthorised transaction reimbursement workflow applies liability allocation rules automatically; platform does not require customers to prove absence of fault; liability rules are applied programmatically, not agent-discretion | 🔨 |
| Clause 12 | Where customer contributed to the loss through negligence (e.g. PIN disclosure), liability is shared — bank liable for excess above what customer should reasonably have protected | 📊 Evidenced | PAY-005 | MOD-083 (AUTO) — liability allocation rules surfaced to agent during dispute assessment; MOD-053 (LOG) — dispute assessment and outcome documented; human agent makes final liability allocation decision within the rules framework | 🔨 |
| Clause 16 | Notify the customer of the investigation outcome within a reasonable time; if bank liable, credit account within 7 days of determination | 🤖 Automated | PAY-005 | MOD-149 (AUTO) — reimbursement case outcome notification dispatched automatically; MOD-053 (ALERT) — reimbursement deadline tracked with SLA enforcement | 🔨 |
Part B — Mistaken payments
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| Clause 20 | When a customer makes a payment to the wrong account (mistaken payment), the bank must attempt to recover the funds; initial recovery attempt within 30 days | 🤖 Automated | PAY-005 | MOD-149 (AUTO) — mistaken payment recovery workflow initiated automatically on dispute receipt; 30-day recovery deadline tracked; MOD-053 (ALERT) — recovery deadline SLA enforced | 🔨 |
| Clause 21 | Notify the customer of the recovery outcome; if funds recovered, credit within 2 business days | 🤖 Automated | PAY-005 | MOD-149 (AUTO) — recovery outcome notification dispatched automatically; credit processed on confirmed recovery; MOD-083 (AUTO) — mistaken payment obligations surfaced to agent | 🔨 |
| Clause 22 | If recipient bank's customer spent the funds in good faith, the sending bank may not be able to recover — customer bears the loss in that case after bank makes reasonable recovery attempts | 📊 Evidenced | PAY-005 | MOD-053 (LOG) — recovery attempts documented with outcomes; loss attribution decision made by compliance officer based on documented evidence; not a platform automation | 🔨 |
Part C — Direct debit disputes
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| Clause 28 | If a customer raises a valid direct debit dispute (no valid mandate, or amount differs), reverse the debit on the same business day as the dispute is raised | 🤖 Automated | PAY-005, PAY-009 | MOD-149 (AUTO) — same-day reversal processing for valid direct debit disputes; validity check automated against mandate records; MOD-114 (GATE) — direct debit mandate management gates all debits against active mandate; no mandate, no debit | 🔨 |
| Clause 29 | Investigate direct debit disputes; inform biller; provide written outcome to customer | 📊 Evidenced | PAY-005 | MOD-053 (LOG) — direct debit dispute investigation documented; MOD-083 (AUTO) — Code direct debit dispute obligations and investigation steps surfaced to agent | 🔨 |
Part D — Complaint handling
| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| Clause 35 | Handle ePayments complaints under IDR standard (RG 271 timeframes); provide AFCA referral right | 🤖 Automated | PAY-005, CON-002 | MOD-053 (ALERT) — IDR SLA enforced for ePayments disputes; MOD-083 (AUTO) — AFCA right-to-refer notice surfaced to agent at final IDR response step. See au-asic-rg-271 for full IDR register. | 🔨 |
The following obligations under the ePayments Code are the responsibility of the institution, not the platform.
| Obligation | Owner | Platform evidence input |
|---|---|---|
| Annual Code compliance self-assessment | Chief Compliance Officer | MOD-053 dispute data and MOD-047 audit logs provide evidence base |
| Staff training on Code obligations, liability rules, and dispute procedures | Head of Customer Experience | MOD-083 provides real-time in-workflow coaching; formal training is institutional |
| Code subscription renewal and ASIC notification | General Counsel / Chief Compliance Officer | — |
Coverage summary
| Area | Total obligations | Platform automated 🤖 | Platform evidenced 📊 | Institutional 🏛 | N/A |
|---|---|---|---|---|---|
| Unauthorised transactions | 3 | 2 | 1 | 0 | 0 |
| Mistaken payments | 3 | 2 | 1 | 0 | 0 |
| Direct debit disputes | 2 | 1 | 1 | 0 | 0 |
| Complaint handling | 1 | 1 | 0 | 0 | 0 |
| Total | 9 | 6 (67%) | 3 (33%) | 0 | 0 |
All attributed modules are currently build_status: Not started — the compliance position will update as modules are built and deployed.
| Policy | Title |
|---|---|
| PAY-005 | Payment Fraud Prevention Policy |
| PAY-009 | Payment Exceptions, Returns & Reversals Policy |
| CON-002 | Complaints & Internal Dispute Resolution Policy |
Official documentation
Policies referencing this standard
- PAY-005 — Payment Fraud Prevention Policy
- PAY-009 — Payment Exceptions, Returns & Reversals Policy
Compiled 2026-05-22 from source/entities/regulations/au-epayments-code.yaml