The Australian Securities and Investments Commission (ASIC) today released a consultation paper requesting feedback on planned updates to the ePayments Code.
The regulator is looking to update the ten-year-old code to ensure it remains effective within the growing and evolving payment landscape.
Formerly known as the Electronic Funds Transfer Code of Conduct (EFT Code), the ePayment Code helps regulate electronic payments services in Australia.
This is ASIC’s second consultation on the ePayments Code after its first 2019 review.
The voluntary code bounds participating financial services to provide transparency around terms and conditions and assists with consumer payment issues.
Part of ASIC’s current proposal includes making the code mandatory through a legislative changes.
Current subscribers include the big four banks, American Express and PayPal.
In consultation paper CP 341 [pdf], the regulator also proposes defining “biometric authentication in the code and incorporate it into specific provisions… where it is relevant”.
ASIC noted pass codes will not be classified under the definition given they “represent different ‘factors’ of authentication: knowledge, possession and inherence.”
“In ASIC’s view, biometric authentication cannot be treated in a similar way to pass codes under the code,” the discussion paper states.
“A pass code is usually something the consumer knows (knowledge) or is delivered by means of something the consumer possesses, such as a phone (possession).
“Biometric authentication is based on something inherent to the consumer – e.g. their fingerprint or facial features (inherence).”
“We consider it would be unworkable to apply principles designed for a knowledge factor to an inherence factor– for example, we cannot ask consumers to ‘keep their fingerprints safe’.”
ASIC said since biometric authentication is generally linked to a consumer’s personal device it considers “that ongoing consumer education about device security has a role to play in responding to newer device-based methods of payment authentication.”
The paper adds ASIC will redefine the definition of the term ‘device’ to ‘payment instrument’ to avoid confusion with smart devices.
The proposed new definition will also extend to virtual debit and credit cards.
ASIC will also look to extend the code to New Payments Platform payments and “include electronic receipts in the code’s provisions relating to transaction receipts”.
Deadline for submissions is this July followed by a findings report in August before the final updated code is released in late 2021.
Once finalised the ePayment Code will be replace with the updated version with current subscribers required to reapply through ASIC.