Scam-Safe Accord (ABA/COBA)

|  |  |
| --- | --- |
| Regulator | Australian Banking Association / COBA |
| Jurisdiction | AU |
| Status | live |
| Applicability | Platform |

The Scam-Safe Accord was announced by the Australian Banking Association and the Customer Owned
Banking Association in November 2023. It sets out a voluntary but publicly binding commitment by
all subscribing banks to implement a defined set of scam prevention controls by specified
deadlines. The Accord is not legislation but is enforceable through the ABA and COBA membership
obligations and is referenced by the Australian Government's Scams Prevention Framework (SPF)
legislation, which creates a statutory duty of care for banks on scam prevention.
The five key commitments are: (1) Confirmation of Payee — name-to-account matching before
outbound transfers; (2) scam detection layering — behavioural analytics and payment delay for
high-risk transfers; (3) intelligence sharing — participation in the ABA Scam Intelligence Hub;
(4) no-fault victim reimbursement framework — victims who acted reasonably are reimbursed within
10 business days; (5) staff and customer education programme.
Compliance register
This register maps every material obligation under the Scam-Safe Accord to the platform control
or institutional process that satisfies it. It is the static traceability layer for the Totara
compliance report — dynamic data (module build status, test evidence, control test dates) is
overlaid at runtime.
Scope legend

| Symbol | Meaning |
| --- | --- |
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — training programmes, board governance, HR, legal. Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |

Build legend

| Symbol | Meaning |
| --- | --- |
| ✅ | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap — no module attributed |

Commitment 1 — Confirmation of Payee

| Ref | Obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- | --- |
| Accord §2 | Implement Confirmation of Payee (CoP) — display resolved account holder name to the sending customer before any outbound transfer is authorised; customer must confirm name match before funds are committed | 🤖 Automated | PAY-005 | MOD-020 (GATE) — payment processing gate applies payee confirmation check before every outbound transfer; transfer cannot proceed without confirmed CoP step; MOD-120 (AUTO) — PayID-addressed payments display resolved account holder name; confirmation of payee enforced before commitment | 🔨 |
| Accord §2 | Where CoP returns a name mismatch, warn the customer and require explicit override; log mismatch events | 🤖 Automated | PAY-005 | MOD-020 (GATE) — name mismatch triggers warning screen requiring explicit customer override; override requires acknowledgement and is logged; MOD-149 (LOG) — name mismatch events are included in scam intelligence data | 🔨 |

Commitment 2 — Scam detection layering

| Ref | Obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- | --- |
| Accord §3 | Apply behavioural analytics to detect scam patterns; delay or block high-risk payments (e.g. first-time high-value transfer to a new payee following social engineering indicators) | 🤖 Automated | PAY-005 | MOD-149 (AUTO) — scam detection engine applies behavioural risk scoring to all outbound payments; high-risk payments are delayed or challenged; risk scoring uses new-payee status, amount, channel, and velocity; MOD-023 (AUTO) — transaction fraud scorer provides real-time scam risk signal | 🔨 |
| Accord §3 | For payments to new high-risk payees, introduce a friction step (e.g. 24-hour delay, scam warning screen) | 🤖 Automated | PAY-005 | MOD-149 (AUTO) — friction controls applied automatically based on risk tier; customers receive scam-awareness prompt before proceeding with high-risk payment; delay is enforced by the platform, not agent discretion | 🔨 |

Commitment 3 — Intelligence sharing

| Ref | Obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- | --- |
| Accord §4 | Participate in ABA Scam Intelligence Hub; submit scam typology reports and mule account data on defined schedule | 📊 Evidenced | PAY-005 | MOD-149 (LOG) — scam typology reports and mule account intelligence submitted to the ABA Scam Intelligence Hub on schedule; intelligence sharing obligation met automatically; data assembly is automated but submission is a tracked obligation | 🔨 |
| Accord §4 | Receive and apply shared intelligence from the Hub to real-time detection | 🤖 Automated | PAY-005 | MOD-149 (AUTO) — intelligence feed from the Hub ingested and applied to the scam detection engine automatically; no manual update of scam indicators | 🔨 |

Commitment 4 — No-fault reimbursement

| Ref | Obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- | --- |
| Accord §5 | Reimburse scam victims who acted reasonably; reimbursement decision within 10 business days of claim; funds credited within 24 hours of determination | 🤖 Automated | PAY-005, CON-002 | MOD-149 (AUTO) — scam reimbursement workflow tracks all claims with 10-day SLA; determination triggers automatic credit processing; MOD-053 (AUTO) — scam reimbursement cases tracked through IDR workflow with statutory SLA timers; reimbursement decisions documented and communicated within required timeframes | 🔨 |
| Accord §5 | Where bank's controls were inadequate and the customer acted reasonably, bank is liable regardless of customer behaviour | 📊 Evidenced | PAY-005 | MOD-149 (LOG) — reimbursement case outcomes and control adequacy assessments logged for each claim; MOD-047 (LOG) — agent decisions on reimbursement are auditable | 🔨 |

Commitment 5 — Education

| Ref | Obligation | Scope | Policy | Platform controls | Build |
| --- | --- | --- | --- | --- | --- |
| Accord §6 | Deliver in-app scam awareness education; display scam-awareness messages at high-risk payment points | 🤖 Automated | PAY-005 | MOD-149 (AUTO) — contextual scam-awareness messaging displayed to customers before high-risk payments; messaging is triggered by payment risk tier, not agent discretion | 🔨 |
| Accord §6 | Staff training programme on scam detection and victim support | 🏛 Institutional | PAY-005 | Staff training is institutional. MOD-083 provides real-time coaching for agents handling scam disputes; formal training design is a People obligation. | — |

| Obligation | Owner | Platform evidence input |
| --- | --- | --- |
| ABA Scam Intelligence Hub participation agreement | Head of Payments / Chief Risk Officer | MOD-149 provides the data feeds |
| Annual Accord compliance attestation | Chief Compliance Officer | MOD-149 and MOD-053 provide evidence base |
| Staff scam awareness training programme | Head of Customer Experience | MOD-083 provides real-time coaching; formal training is institutional |
| Regulatory engagement on Scams Prevention Framework legislation | General Counsel | — |

Coverage summary

| Area | Total obligations | Platform automated 🤖 | Platform evidenced 📊 | Institutional 🏛 | N/A |
| --- | --- | --- | --- | --- | --- |
| Confirmation of payee | 2 | 2 | 0 | 0 | 0 |
| Scam detection | 2 | 2 | 0 | 0 | 0 |
| Intelligence sharing | 2 | 1 | 1 | 0 | 0 |
| No-fault reimbursement | 2 | 1 | 1 | 0 | 0 |
| Education | 2 | 1 | 0 | 1 | 0 |
| Total | 10 | 7 (70%) | 2 (20%) | 1 (10%) | 0 |

All attributed modules are currently build_status: Not started — the compliance position will update as modules are built and deployed.

| Policy | Title |
| --- | --- |
| PAY-005 | Payment Fraud Prevention Policy |
| CON-002 | Complaints & Internal Dispute Resolution Policy |

Official documentation
Policies referencing this standard
- PAY-005 — Payment Fraud Prevention Policy
Compiled 2026-05-22 from source/entities/regulations/au-scam-safe-accord.yaml