Sharing the burden of a scam: new banking protections and reimbursements for customers signal a shift in digital trust and accountability

Last week, New Zealand’s major retail banks announced new measures to protect customers from fraud and scams.

From 30 November 2025, the New Zealand Banking Association’s (NZBA) updated Code of Banking Practice (Code) will require its voluntary members (which include major banks such as ANZ, ASB, BNZ, Kiwibank and Westpac) to meet five new scam protection commitments.

The announcement signals a notable shift in expectations around accountability, incident response and customer protection in the digital economy. The NZBA, the Banking Ombudsman and regulators are now calling for telecommunication companies and digital platforms to make similar commitments.

 

New banking obligations and an evolving standard of care

The Code is only applicable to the NZBA’s thirteen members. Under the Code, members have agreed to:

1. ask customers the purpose of their proposed transactions and then provide customers with relevant pre-transaction warnings about known scams;
2. provide a confirmation of payee service which aims to ensure payment recipient accuracy;
3. identify and respond to high-risk transactions or unusual activity, including delaying or blocking these transactions and notifying customers of suspected scam activity within 24 hours;
4. run 24/7 reporting channels for suspected scams; and
5. share scam account information with other banks and freeze any identified “mule” accounts.

Where a customer has been scammed and the bank (or a recipient bank) failed to meet the new scam protection commitments, the bank will compensate all or part of the customer’s loss. However, the burden of responsibility is shared and there are some factors as to whether a customer is wholly eligible, partially eligible or ineligible for compensation:

• For unauthorised payment scam reimbursement, factors include whether a customer took reasonable steps to protect themselves, or was dishonest or negligent.

• For authorised payment scam reimbursement, as well as the above, there are additional factors, including whether a customer made an international or domestic transfer, or the payment to purchase goods on an online marketplace. If a customer’s authorised payment scam loss exceeds a combined total of NZ$500,000 or occurs more than three times within the banking relationship, any compensation will be at the bank’s discretion.

Although this framework is not mandatory or backed by statute, it reflects an increasingly interventionist stance by banks in protecting their customers. Going forward, will customers and regulators now expect similar protections from telecommunication and digital service providers?

 

Shifting expectations for digital platforms and tech providers

From a digital economy perspective, the broader trend is clear: providers that enable financial transactions, store sensitive user data, or operate digital environments where scams can occur are going to face greater scrutiny over how they allocate risk, respond to incidents and protect end-users.

While the Code does not apply directly to private-sector technology providers, its existence may influence:

• Consumer expectations: A growing presumption that intermediaries will take responsibility for fraud prevention or share liability for scams.
• System innovation: With increasing compensation obligations, banks and technology providers may seek other forms of digital innovation to protect their customers from scams.
• More industry-led codes: Regulators and consumer organisations have been strongly encouraging the NZBA to adopt increased consumer protections, like those in the new Code. We expect to see increasing pressure on other industries to proactively develop codes of practice that similarly protect customers from scams. Otherwise, protective measures could be imposed by regulation.
• Contractual negotiations: Counterparties may push harder on indemnities, liability limitations and obligations to implement fraud mitigation measures.

 

A potential precursor to regulatory change

The Code may serve as a future blueprint for formal regulatory frameworks, both for banking and other sectors. This would echo themes seen in other jurisdictions – such as the UK’s mandatory reimbursement for authorised push payment fraud (subject to exclusions for customer fraudulence or gross negligence), or Singapore’s mandatory text message scam filter and shared responsibility framework for companies involved in the chain of a scam.

 

How we can we help?

These new scam protection obligations for banks are a reminder that legal exposure and responsibility in the digital economy is not static. It is dynamic, reputational, and increasingly shaped by broader market expectations. We are here to help you stay ahead of that curve – contact one of our experts below.