Electronic Payment Systems

Updated as at 1/8/2001.

1. Payment systems

(a) Internet banking

Current internet banking only permits cash deposits and cash withdrawals to be made using existing ‘non-internet’ methods such as cheques, cash or electronic funds transfer. Future personal computers or telephones with smart card readers will permit the transfer of value from an account onto a stored smart card, using the internet or telephone lines.

(b) Credit cards

Credit card details are entered into a merchant’s web form on the internet. The details may be manually sent by e-mail and verified by the merchant as a mail-order/telephone-order (MOTO) transaction, or encrypted using secure sockets layer (SSL) techniques and then automatically processed by the relevant bank. Transactions using SSL are more secure but also more costly. Credit card systems are generally too costly for small transactions owing to high fees. Access to credit card processing facilities is also limited to larger merchants due to credit ratings, cost and size.

(c) Virtual credit card

Appearing as an icon on a computer screen, the card is used to purchase products using secure electronic transaction (SET) protocol to authenticate the buyer and seller by use of digital signatures. When an order is placed with an internet merchant accepting SET, credit card information is encrypted at the customer’s terminal and sent to the merchant. The merchant passes this information to an acquirer who decodes the information, verifies the identities of both parties and places a request for payment to the card issuer. Under the SET mechanism, the merchant cannot read and does not store credit card details, increasing confidentiality and security.

(d) Digital cash

Digital cash (also known as electronic money, digital currency, network money or cyber money) is a payment or transfer of value initiated and processed electronically within current inter-bank payment systems. Digital cash is effectively money stored as computer code.

The bank issues a ‘digital coin’ message ‘signed’ or encrypted with its private key. The message gives the bank’s identity, its internet address, the amount of the coin, its serial number and an expiry date (if applicable). A customer wishing to receive the digital coin sends a request to the bank encoded with the customer’s private key. The bank decodes the message with the customer’s public key to authenticate the request.

A coin is issued to a customer encoded with the customer’s public key. The customer decodes the coin using a private key. The customer stores the coin on their system to make payments on the internet. On making a payment, a digital coin message is sent to a merchant encrypted with the merchant’s public key to prevent interception. The merchant decodes the message with a private key and verifies the payment message and details using the bank’s public key. The merchant requests the bank to verify the currency of the serial number of the coin. The bank credits the merchant’s account and cancels the serial number to prevent double spending.

(e) Digital cheques

Electronic cheques and bills of exchange may be sent across the internet using similar mechanisms to digital cash. The internet cheque message sent to a payee contains the same information as a paper cheque and is digitally signed (encrypted with the drawer’s private key). When the payee’s bank collects the cheque, this is marked on the cheque message and encoded with the drawer bank’s private key, providing proof of payment.
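The digital cash and digital cheque descriptions above share one mechanism: a party signs a message with its private key, the recipient verifies it with the matching public key, and the bank keeps a register of serial numbers so that a coin can be redeemed only once. The following is an added example written for this fact sheet, not code from any bank or scheme described here. It uses textbook RSA over small fixed primes (an assumption made so it runs offline; it is a teaching toy, not a usable signature scheme), and the bank name, address, expiry date and cheque fields are constructed sample values. It shows a coin being issued and redeemed, the same coin rejected on a second presentation, a tampered coin failing signature verification, and a cheque being countersigned as paid.

```python
"""Added illustration of the signed 'digital coin' and 'digital cheque' flows.
Textbook RSA with small fixed primes: an illustration only, never a real
signature scheme (no padding, tiny modulus)."""
import hashlib
import json

# Constructed prime pairs for the toy keys (assumption: illustration only).
BANK_PRIMES = (1000000007, 998244353)
DRAWER_PRIMES = (999999937, 999999929)


def keygen(p, q):
    """Return ((e, n), (d, n)); tries a few public exponents until one is invertible."""
    n, phi = p * q, (p - 1) * (q - 1)
    for e in (65537, 257, 17, 5, 3):
        try:
            return (e, n), (pow(e, -1, phi), n)
        except ValueError:
            continue
    raise ValueError("no usable public exponent for these primes")


def digest(message: dict, n: int) -> int:
    """Hash a canonical JSON encoding of the message down to an integer below n."""
    data = json.dumps(message, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(message: dict, private_key) -> int:
    d, n = private_key
    return pow(digest(message, n), d, n)


def verify(message: dict, signature: int, public_key) -> bool:
    e, n = public_key
    return pow(signature, e, n) == digest(message, n)


class Bank:
    """Issues signed coins, redeems each serial number once, and stamps collected cheques."""

    def __init__(self, name, address, primes):
        self.name, self.address = name, address
        self.public_key, self._private_key = keygen(*primes)
        self._issued = set()      # serial numbers handed out
        self._spent = set()       # serial numbers already redeemed
        self._next_serial = 1

    def issue_coin(self, amount, expiry="2002-12-31"):
        """Create a coin message carrying the fields listed in the fact sheet and sign it."""
        serial = self._next_serial
        self._next_serial += 1
        coin = {"bank": self.name, "address": self.address, "amount": amount,
                "serial": serial, "expiry": expiry}
        self._issued.add(serial)
        return coin, sign(coin, self._private_key)

    def redeem(self, coin, signature):
        """Credit the merchant only if the coin is genuine and its serial is still current."""
        if not verify(coin, signature, self.public_key):
            return "rejected: bad signature"
        serial = coin["serial"]
        if serial not in self._issued:
            return "rejected: unknown serial"
        if serial in self._spent:
            return "rejected: double spend"
        self._spent.add(serial)   # cancel the serial so it cannot be redeemed again
        return "credited"

    def collect_cheque(self, cheque, drawer_signature, drawer_public_key):
        """Verify the drawer's signature, then countersign the cheque as paid (proof of payment)."""
        if not verify(cheque, drawer_signature, drawer_public_key):
            return None
        receipt = {"cheque": cheque, "status": "paid", "collecting_bank": self.name}
        return receipt, sign(receipt, self._private_key)


def merchant_accepts(coin, signature, bank):
    """Merchant-side check: bank's signature must verify before the bank is asked to redeem."""
    return verify(coin, signature, bank.public_key) and bank.redeem(coin, signature) == "credited"


def demo():
    bank = Bank("ToyBank", "bank.example", BANK_PRIMES)
    coin, sig = bank.issue_coin(amount=25)
    first = merchant_accepts(coin, sig, bank)          # True: fresh coin
    second = merchant_accepts(coin, sig, bank)         # False: serial already cancelled
    tampered = dict(coin, amount=250)
    forged = merchant_accepts(tampered, sig, bank)     # False: signature no longer matches

    drawer_pub, drawer_priv = keygen(*DRAWER_PRIMES)
    cheque = {"drawer": "alice", "payee": "bob", "amount": 40, "number": 7}
    receipt = bank.collect_cheque(cheque, sign(cheque, drawer_priv), drawer_pub)
    proof_ok = receipt is not None and verify(receipt[0], receipt[1], bank.public_key)
    return first, second, forged, proof_ok


if __name__ == "__main__":
    print(demo())
```

The double-spend check is the part worth noting: the merchant's own verification only proves the coin was issued by the bank, so the bank must be asked online whether the serial number is still current, and it cancels the serial at the moment of crediting.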

(f) Stored value cards (SVCs) (including smart cards)

An SVC is a plastic card that contains either a microprocessor chip (more commonly known as a smart card) or a magnetic strip. The chip stores more information than a magnetic strip card and can perform simple computing operations. The SVC is inserted into a terminal with a read/write mechanism that allows information to pass between the card and the terminal. Unlike current credit card and EFTPOS terminals, an SVC does not require the merchant terminal to be hard-wired to a computer network. The SVC represents a value of prepaid funds, with a counter that keeps track of the amount; the counter reduces with each payment until exhausted, after which the card is either recharged or thrown away. The SVC issuer pays the merchant the dollar value spent by the customer from the card. An SVC has a low cost structure and is ideal for small transactions with remote vending machines or telephones. SET compatible SVCs may soon be available. Value can be loaded onto an SVC at an issuing institution, an automated teller machine (ATM), a home banking terminal, a telephone or by a device at a participating retailer.

SVCs may have one or more of the following features:

* limited life (expiry date) or indefinite life;
* personalised or anonymous;
* disposable or rechargeable;
* secured by PINs or unsecured by PINs (lockable or unlockable);
* accounted or non-accounted systems (transaction details are transmitted to system operator but not necessarily to user and not necessarily including the identity of the cardholder);
* single currency or multi-currency; and
* multi-functional (SVC function, ticketing function, a loyalty scheme and credit and debit function).

(g) E-wallet

A digital wallet ("e-wallet" or "e-purse") is a secure software program on a bank’s computer or on a personal computer containing a customer’s financial and accounts details. Large financial and computing institutions have joined to launch the Electronic Commerce Modelling Language (ECML), a digital wallet standard to ensure websites accepting e-wallet payments will be compatible with e-wallets from different developers.

(h) Other electronic payment systems

Some financiers offer customers the ability to pay bills electronically by instructing the financier to debit the customer’s account and pay an amount to a third party (biller) using the telephone or internet. A biller enters into one agreement with one financial institution to accept electronic payments made by customers from participating institutions.

2. Jurisdiction

Parties to an electronic payment system (or scheme) (EPS) may be located in different jurisdictions giving rise to the following issues:

* which law applies to transaction disputes;
* how the transaction is enforced by a party in one jurisdiction against a second party in another jurisdiction;
* how regulators protect the integrity of the payments and financial systems;
* how the laws of one jurisdiction apply to a party outside that jurisdiction offering EPS products to residents in the former jurisdiction; and
* how the risk of technical failure and fraudulent activity can be reduced.

The conflict of law rules in the jurisdiction in which the payment dispute is brought will determine the law that governs a cross-border electronic payment. Generally, a transaction occurs offshore if an Australian resident remits funds to an account with a foreign bank with no presence in Australia. Provided the payment is not a reportable transaction under the Financial Transaction Reports Act 1988 (Cth), the deposit would be regarded as a foreign deposit and not regulated by Australian law.

See Jurisdiction fact sheet for more information.

3. Regulation of electronic payment systems (EPS)

An EPS may be regulated by statute, codes of conduct and the common law as follows:

(a) Reserve Bank Act 1959 (Cth) and Currency Act 1965 (Cth)

These Acts pre-date the existence of electronic payments. An EPS can be structured and implemented in a way that avoids infringement of these Acts.

(b) Corporations Law

Proposed amendments to the Corporations Law by the Financial Services Reform Bill (FSRB) (not yet operational) will impact on EPS issuers as follows:

* A facility or arrangement through which a person makes non-cash payments (including making a payment by direct debit or by means of a purchased payment facility (PPF)) is a financial product under the Corporations Law. An EPS is likely to fall within this category.(1)
* A person providing advice about or dealing in financial products is a provider of financial services and must be licensed or obtain an exemption from ASIC. An EPS operator is likely to be a financial services provider.(2)
* A person must not operate a financial products market (in which financial products are acquired or disposed) without a licence or exemption from ASIC.(3)

The holder of a financial products market licence must:

* comply with ASIC, the Corporations Law and licence conditions;
* make adequate arrangements to supervise the market including dispute resolution procedures, monitoring conduct and enforcing compliance with the market’s operating rules;
* have sufficient financial, technological and human resources to properly operate and supervise the market in a fair, orderly and transparent way;
* have adequate clearing and settlement facility arrangements; and
* provide compensation arrangements where required.(4)

The holder of a financial services licence must:

* comply with ASIC, the Corporations Law and licence conditions including the handling of client funds, assets, and the keeping and lodgment of financial records;
* monitor and supervise the activities of its representatives;
* have sufficient financial, technological and human resources to properly provide the services and supervision in an efficient, fair and honest way;
* maintain relevant skills and experience to provide the services; and
* provide dispute resolution and compensation arrangements in relation to services provided to retail clients.(5)

The FSRB amendments would also impose extensive and stringent point disclosure obligations on licensees.(6)

(c) Banking Act 1959 (Cth)

It is unclear whether an EPS operator is carrying on a banking business and requires an authority (or exemption) because of the issue of digital cash or SVCs alone.

Regulatory authorities in Australia and overseas are still considering whether EPS operations constitute taking money on deposit.

If an EPS constitutes a banking business, an authority or exemption from the Australian Prudential Regulation Authority (APRA) is required. An authority to conduct banking business is typically granted subject to conditions, including the condition to consult with and conform to APRA on matters relating to prudential supervision. An institution authorised by APRA to carry on banking business is an authorised deposit-taking institution (ADI).

APRA may revoke an ADI’s authority on grounds including failure to comply with the Banking Act 1959 (Cth) or with the conditions of its authority, the national interest, the interests of depositors, failure to pay financial sector levies, insolvency and cessation of banking business.

APRA may exempt a person from all or part of the Act (eg some Merchant Banks) and has the power to make prudential standards, issue directions and oversee the protection of depositors.(7) ADIs must hold assets in Australia at least equal to their Australian dollar denominated liabilities. If an ADI is unable to pay its debts, its assets must be first used to repay depositors (in priority to all other debts). It is unclear if this provision prevails over the Corporations Law which enables debtors and creditors to set-off mutual obligations.(8)

A holding company operating an EPS through a subsidiary that is an ADI may be required to obtain an authority from APRA.

(d) Payment Systems (Regulation) Act 1988

The Payment Systems (Regulation) Act establishes the Payment Systems Board (PSB) (within the Reserve Bank of Australia (RBA)) with powers to regulate payment systems such as an EPS. The PSB implements policies to improve payments system efficiency and enhance competition in the market for payment services.

The RBA (through the PSB) regulates payment systems (including clearing and settlement systems). A payment system is a "funds transfer system that facilitates the circulation of money" between participants in the system. Smart cards are considered a payment system.

A payment system will be regulated by the Act if designated by the RBA by notice in the Gazette after satisfying a public interest test. No existing or proposed EPS has been designated by the RBA at the time of writing.

The RBA has power to:

* vary an access regime to a payment system (entitlement of a person to become a participant or user of the system on a commercial basis on fair and reasonable terms) and undertake enforcement action;
* direct a participant in a payment system to undertake or refrain from certain specified conduct;
* determine standards to which designated payment systems must adhere (eg impose inter-operability or authentication standards on a dominant EPS); and
* arbitrate disputes arising from an EPS with the consent of the parties provided issues of financial safety, efficiency or competitiveness of the EPS are involved.

If an EPS becomes a dominant payments system and access by potential participants is restricted, the RBA may use its powers in the public interest to regulate such a system.

A corporation is not permitted to hold the store of value for a purchased payment facility (PPF) unless it is an ADI or has an authority or exemption under the Act.(9) A PPF includes SVCs and internet cash facilities.

It is likely a facility must involve a facility provider and a third party merchant to constitute a PPF. The regulation of payment systems and of PPFs under the Act is similar. The issuer of an SVC may be subject to regulation as the holder of the store of value for a PPF and further regulated by the RBA as the operator of a payment system.

(e) Financial Sector (Shareholdings) Act 1998 (Cth)

Financial Sector (Shareholdings) Act 1998 (Cth) regulates shareholdings in ADIs, general insurance companies, life insurance companies and their holding companies to minimise the risk of a financial sector company exclusively serving the interests of one or a few large shareholders.

A person, together with his or her associates, may not have a stake greater than 15 per cent in a financial sector company without obtaining the approval of the Treasurer. The Treasurer may consent if he or she is positively satisfied it is in the national interest. A person’s stake is based on the control that the person has over the decision-making process of a company.

(f) Financial Transaction Reports Act 1988 (Cth)

The Financial Transaction Reports Act obliges certain defined organisations to verify the identity of account signatories and to report certain suspect transactions (defined in the FTRA) and cash transactions of $10,000 or more.

Internet bankers who take deposits and open accounts for that purpose must comply with the account opening requirements of the Act.

(g) Unclaimed moneys legislation

Unspent electronic cash may constitute "unclaimed moneys" for the purposes of the Banking Act 1959 (Cth) (in relation to ADIs) or State and Territory unclaimed moneys legislation. A company must:

* identify and record details of unclaimed moneys or other property in a register;
* keep this register open for public inspection;
* provide statements to a government authority or publish the register; and
* pay all unclaimed money to a government authority after a certain period.

(h) Telecommunications Act 1997 (Cth) and Broadcasting Services Act 1992 (Cth)

Internet financiers may be subject to licensing and other obligations imposed on the telecommunications, radio communications and broadcasting industries depending on the technology used to deliver the banking service.

(i) Taxation legislation

See Taxation fact sheet.

(j) Consumer Credit Code (CCC)

The CCC regulates the provision of credit to individuals or strata corporations wholly or predominantly for personal, domestic or household purposes. Obligations are placed on lenders concerning the form and content of contracts, the charging of fees and administration of loans. It is currently unclear whether the CCC requires credit contracts to be paper based and not in electronic form.

(k) Finance industry Codes of Practice (Banking Code of Practice; Building Society Code of Practice; Credit Union Code of Practice)

Australian banks, building societies and credit unions are subject to codes of practice. The codes apply to certain services provided by financial institutions to individuals wholly and exclusively for their private and domestic use. Although pre-dating EPS, the codes are likely to apply to digital cash and SVCs offered wholly and exclusively for individuals’ private and domestic use by the institutions to which they apply. The Banking Code would clearly apply if an institution offered internet banking services.

Under the Codes, a bank has a general duty of confidentiality towards a customer and must take reasonable steps to protect personal information it holds against unauthorised loss, access, use, modification or disclosure.(10)

(l) Electronic Funds Transfer Code of Conduct (EFT Code)

The current EFT Code provides protection for certain consumers by governing what happens in relation to an unauthorised EFT transaction, an EFT transaction error, who is liable for EFT transaction losses and against whom claims can be made. It only applies to transactions that are initiated by a consumer through an electronic terminal by the combined use of an EFT plastic card and a PIN.

The EFT Code (revised version 2001) goes further and covers all forms of electronic transactions (including the use of credit cards for online payments), SVCs and digital cash, and all forms of access methods, including digital signatures and biometric identifiers.(11) The revised EFT Code comes into force on 1 April 2002 and addresses:

* the availability, disclosure and variations to product terms and conditions;
* transaction receipts and balances;
* liability and procedures to deal with lost and stolen cards, breaches of security and system malfunction;
* refunds of unused stored value;
* dispute resolution; and
* the obligation of issuers and subscribers of the Code to comply with National Privacy Principles in the Privacy Act 1988 (Cth).

For more information, see the Consumer Protection fact sheet.

(m) Credit Union Privacy Code

The Credit Union Services Corporation (Australia) Limited Privacy Code (CUSCAL Code) regulates the relationship between credit union members and the Quicklink SVC as follows:

* the purposes for which information collected can be used;
* the separation of information;
* storage and security of information collected by both credit unions and Quicklink; and
* the rights of SVC holders to access and correct their own details.

(n) Smart Card Code of Conduct

The voluntary Smart Card Code of Conduct of the Asia-Pacific Smart Card Forum (a special purpose industry association) sets out principles applying to SVC transactions, including notification of the loss, theft or unauthorised use of personalised cards, information acquisition and confidentiality, dispute resolution and penalties.

(o) Common law duties of bankers

A banker has the duties of confidentiality, to exercise reasonable care and skill in obtaining and carrying out instructions, to exercise reasonable care and skill in giving advice, and a duty not to make payments to a third party from a client’s account in cases of fraud. These duties may apply to EPS operators.

(p) E-records: evidence and admissibility

See Keeping Electronic Records fact sheet for more information.

4. Managing legal risk

An EPS is typically governed by contracts between scheme operators, issuers and users. A person entering into an EPS agreement should identify how losses arising from payment errors and the loss or theft of electronic payment instruments are allocated between the parties, subject to obligations imposed by regulation. Contract terms which attribute all loss liability to customers may be unjust or unconscionable contracts under State legislation or may breach the non-excludable warranties provisions.(12)

To minimise the above risk, an EPS should implement procedures that:

* check whether a credit card has been reported stolen;
* utilise secure E-commerce systems such as SET which verify a party’s identity;
* verify the account name, number and available funds when electronic cheques are used;
* only accept online payment forms which the issuer guarantees to offer;
* require consumers to provide full address, phone and email particulars;
* refuse orders from web based or email forwarding addresses or where shipping address is different from billing address;
* accept orders after checking customer phone number;
* institute further checks on transactions from geographical areas or jurisdictions with high incidence of fraud;
* refuse to accept large orders before instituting checks on such orders; or
* require a digital signature to complete an online payment.
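The checks listed above can be applied before an order is accepted, with clearly refusable conditions separated from those that only call for further verification. The following is an added example written for this fact sheet, not code from any scheme or merchant described here. The forwarding-domain list, high-risk region code, large-order threshold and accepted payment forms are constructed placeholders (the fact sheet gives no such values), and the Order fields are assumptions made for the illustration.

```python
"""Added example: rule-based pre-acceptance screening for an online order, following
the fact sheet's checklist. Lists and thresholds below are constructed placeholders."""
from dataclasses import dataclass, field

FORWARDING_DOMAINS = {"forward.example", "webmail.example"}  # constructed placeholder list
HIGH_RISK_REGIONS = {"XX"}                                   # constructed placeholder code
LARGE_ORDER_LIMIT = 500.0                                    # constructed threshold
ACCEPTED_PAYMENT_FORMS = {"SET", "SSL card"}                 # forms the issuer offers (assumed)


@dataclass
class Order:
    amount: float
    email: str
    phone: str
    billing_address: str
    shipping_address: str
    billing_region: str
    payment_form: str
    card_reported_stolen: bool = False
    phone_confirmed: bool = False
    digitally_signed: bool = False


@dataclass
class Screening:
    decision: str                      # "refuse", "hold" (further checks) or "accept"
    reasons: list = field(default_factory=list)


def _normalise(address: str) -> str:
    """Compare addresses on alphanumeric content so formatting alone does not differ."""
    return "".join(ch for ch in address.lower() if ch.isalnum())


def screen_order(order: Order) -> Screening:
    """Apply the fact sheet's checks; any 'refuse' condition wins over 'hold' conditions."""
    refuse, hold = [], []
    if order.card_reported_stolen:
        refuse.append("card reported stolen")
    if order.payment_form not in ACCEPTED_PAYMENT_FORMS:
        refuse.append("payment form not offered by issuer")
    if not (order.billing_address.strip() and order.phone.strip() and order.email.strip()):
        refuse.append("incomplete address, phone and e-mail particulars")
    domain = order.email.rsplit("@", 1)[-1].lower() if "@" in order.email else ""
    if domain in FORWARDING_DOMAINS:
        refuse.append("web-based or forwarding e-mail address")
    if _normalise(order.shipping_address) != _normalise(order.billing_address):
        refuse.append("shipping address differs from billing address")
    if order.billing_region in HIGH_RISK_REGIONS:
        hold.append("high-fraud jurisdiction: run further checks")
    if order.amount >= LARGE_ORDER_LIMIT:
        hold.append("large order: check before acceptance")
    if not order.phone_confirmed:
        hold.append("customer phone number not yet confirmed")
    if not order.digitally_signed:
        hold.append("digital signature required to complete payment")
    if refuse:
        return Screening("refuse", refuse)
    if hold:
        return Screening("hold", hold)
    return Screening("accept", [])


# Constructed sample orders for the illustration.
CLEAN = Order(40.0, "alice@mail.example", "+61 2 0000 0000", "1 Example St, Sydney",
              "1 Example St Sydney", "AU", "SET", phone_confirmed=True, digitally_signed=True)
SUSPECT = Order(40.0, "x@forward.example", "+61 2 0000 0000", "1 Example St, Sydney",
                "9 Other Rd, Perth", "AU", "SET", phone_confirmed=True, digitally_signed=True)
LARGE = Order(1200.0, "bob@mail.example", "+61 2 0000 0001", "2 Example St, Sydney",
              "2 Example St, Sydney", "AU", "SSL card", phone_confirmed=True, digitally_signed=True)

if __name__ == "__main__":
    for o in (CLEAN, SUSPECT, LARGE):
        print(screen_order(o))
```

The address comparison is normalised so that punctuation and spacing differences do not trigger a refusal, while a genuinely different shipping address still does; the hold conditions are the ones the fact sheet frames as "institute further checks" rather than outright refusal.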

5. Consumer friendly EPS

A consumer friendly EPS operating over the internet should:

(a) be easy to use and offer a level of security appropriate to the transaction and method of payment;

(b) provide consumers with information on:

* the available methods of making payments;
* the level of risk associated with those methods; and
* how to effectively use those methods; and

(c) provide consumers with a confirmation process that allows the consumer to buy, review and accept or reject the contract terms, identify and correct any errors and confirm acceptance or rejection of the offer and allows the vendor to acknowledge receipt of the order.

6. Privacy

Privacy issues arise from the collection, storage and use of personal information derived from new electronic technology and the prevention of unauthorised access to that information.

Under the common law and the various finance industry codes of conduct above, a duty of confidentiality is imposed on information received when providing financial services. Federal privacy legislation has been enacted for the public and private sector that may apply to information used in the operation of an EPS. See Privacy fact sheet.



Other relevant Fact Sheets: Jurisdiction; Taxation; Keeping Electronic Records; Consumer Protection; Privacy.

Sources of Law

* Financial Transaction Reports Act 1988 (Cth)
* Reserve Bank Act 1959 (Cth)
* Currency Act 1965 (Cth)
* Banking Act 1959 (Cth)
* Payment Systems (Regulation) Act 1988
* Financial Sector (Shareholdings) Act 1998 (Cth)
* Telecommunications Act 1997 (Cth)
* Broadcasting Services Act 1992 (Cth)
* Consumer Credit Code
* Electronic Funds Transfer Code of Conduct
* EFT Code (revised version 2001)
* Privacy Act 1988 (Cth)

End Notes
1. Corporations Law sections 762B, 763A, 763D

2. Corporations Law sections 766A, 881A

3. Corporations Law sections 767A, 791A

4. Corporations Law sections 792A-792H

5. Corporations Law sections 883A-883G

6. Corporations Law Parts 7.6, 7.8

7. Banking Act 1959 (Cth) section 11, Divs 1A, 1BA, 2

8. Banking Act 1959 (Cth) section 13A;
Corporations Law section 553C

9. Payment Systems (Regulation) Act 1988 sections 9, 23, 25

10. Banking Code clause 12.10;
Building Society Code clause 11.10;
Credit Union Code clause 12.10

11. Refer to the definition of “biometric identifiers” in the dictionary.

12. See for example, Trade Practices Act 1974 (Cth), equivalent State legislation or the Australian Securities and Investment Commission Act 1989 (Cth)
