12 March 2024

Press conference, Global Fraud Summit, London

Note

Subject: scams and fraud

STEPHEN JONES:

By way of introduction, up here in London at the invitation of Home Secretary James Cleverly, for the first Global Fraud Summit. It was attended by a broad range of countries from Japan, South Korea, ourselves, the United States, Canada, of course Great Britain, the EU, Germany, France, Italy, together with Interpol and a range of the other security and specialist agencies. I want to congratulate the UK government for convening this first summit. Their motivation for doing it is the same as our motivation for attacking these issues. Little known fact: fraud is the most prevalent form of crime. When people think of crimes they might all go to violent crimes, but fraud is the most prevalent form of crime up here in the UK and down in Aus as well. And it just hadn't been treated as a priority by the law enforcement or governments and from opposition I looked at this and I was sitting in lockdown like all of us and bombarded by scam messages and emails and phone calls, and thought we've got to do better than this.

Australia became a honey pot for crime gangs during that period, so we put together a strategy which is about looking at the fraud, the scam ecosystem. How the scams get into the country: social media platforms, telecommunications companies, what are they after? The wallet at the end of it is the banking system, so our strategy was about working in that ecosystem and ensuring that we could get an uplift in standards and better protection for Australian consumers. The result of it being neglected as a policy area was that losses were doubling every year. So when we came into government, that was a little over $3.1 billion worth of losses. The trajectory would have been six billion dollars – we would have just followed the curve.

The good news today is that that hasn't happened – it hasn't happened because of the interventions that our government has made. Phase One: establishing the National Anti‑Scam Centre, setting up the first round of our telecommunication reforms to block malignant SMS messages and empowering ASIC, the corporate regulator, to pull down fraudulent investment websites. Millions of SMS messages have been blocked. We’ve pulled down over 4,000 fraudulent investment websites. The National Anti‑Scam Centre is bringing together a partnership of expertise between law enforcement, regulators, consumer groups, banks, telcos, social media platforms. They’re going after investment scams, they’re sharing information in real‑time, and they’re ensuring that consumers are advised about scams that are in the field and are better protected. How's it going? You'd have to say well. So instead of scams moving from the doubling from one year to the next, we’ve seen for the first time two consecutive quarters of reduction. The great news: 43 per cent reduction in the last quarter, that's on top of a 23 per cent reduction the year before. That's the curve; it's a good story.

What's most important – there’s so many important things – but an important thing is that for so long people thought – it doesn't matter what we do, scammers are going to reach their victim, money is going to be lost. This gives us hope that we can turn it around. This says with the right sort of strategy, the right sort of attitude, we can turn this around. We're only at phase 1. We've got phase 2 to roll out this year which is the new codes of practice which will be anchored in law, compulsory and lift the obligations upon banks, social media platforms, and telecommunications companies. They will place obligation, liability, and consequences of not meeting. Can I just say, before I throw open to any questions you might have, when we did our in‑country reports at the summit yesterday, there weren't many countries that could say that as a result of their interventions, losses are coming down. It was ourselves and Singapore who were able to say the things that we are doing are working and things that the Singaporean government have put in place are almost identical to what we’ve put in place. We know what works. It’s important to share ideas globally and to ensure we’ve got an international effort. The good news is decisive action by the government means this area of crime can be addressed and we can save Australians literally billions of dollars.

JOURNALIST:

You can’t actually really track down the fraudsters usually, you’ve just got to build big walls?

JONES:

So when we put our Strategy together we did this sort of thought experiment – how would you design a strategy if there was nobody in Australia, no perpetrator in Australia, that you could arrest. And it's not entirely true but it's mostly true because a lot of this activity is occurring overseas. That's how we came about the strategy that we put in place now. We'll complement this strategy with our traditional law enforcement activities and our international law enforcement co‑operation but any strategy which is predicated on kicking down doors and putting handcuffs on people, will leave 99 per cent of the problem untouched because so much of it's coming from overseas.

JOURNALIST:

So what has worked in your strategy?

JONES:

Great question. So the vectors for this at the moment – about 50 per cent telecommunications network, so your SMSs and your calls, so blocking the malignant calls and the SMS's has had a material difference. We're only at the first phase of what we're doing on that. Another phase to come, and I’ll explain that in more detail. So dealing with the vectors is absolutely critical, ahead of the compulsory stuff in the banking sector. Slowing down the off‑ramps so the traditional trail that a fraudster uses to get money out of a victim's account and then out of the country is from a bank account to a mule account to a cryptocurrency exchange. So cracking down on the mule accounts, identifying and closing mule accounts and slowing down the off‑roads to crypto currency exchanges has had a material impact. And it was a learning we were able to share with our colleagues yesterday. So telcos, slowing down the off‑ramps, and putting more friction in the payments system which is running against as you would know 15 years’ worth of momentum – let's make it all instantaneous – actually there are some things we need to slow down. And of course the work we’re doing on pulling down fake investment websites is material as well. But I reckon the real heavy lifting is what we do in phase 2, which is a significant uplift in the standards across the ecosystem.

JOURNALIST:

And what is phase 2?

JONES:

Phase 2 involves statutory based codes of practice which are new obligations on banks, telecommunications, social media platforms.

JOURNALIST:

One of those three isn't really going to cooperate with that probably. Social media platforms just aren't interested in the subject, I would say.

JONES:

Well here's a message to Meta in particular which is responsible for about 80 per cent of the losses: you're not above the law. And whether it's Australia, whether it's the UK, or any of the other countries that we've met with in the last 24 hours, we were very firm from the Australian point of view: no social media platform is above the law. Frankly disappointed in Meta’s response to the consultation that we held on the codes of practice where they say yes this is a big problem but it's all too hard, we can’t do anything about it. Give me a break. These guys are the biggest technologists in the world, they employ the best information technologists, the best engineers, the best process experts in the world, they are the biggest and the best. Don’t tell me they can’t do more.

JOURNALIST:

I mean it's just sort of opening a whole new front; we've got the media one on one hand, you know the government's already in a big fight with Meta, I suppose the others as well on that. And now this as well.

JONES:

Every company has a social licence and that includes social media platforms. Can you imagine any other business, say you’re a concert promoter, and you are regularly holding concerts in which 30 per cent or more of the participants became victims of crime. You would go sorry that's not okay, we're not going to let that continue. So the same thinking has to be applied in the online world as it does in the bricks and mortar world, and there is a real coalescence of views around the table yesterday that nobody gets a free pass.

JOURNALIST:

Given that Meta doesn't consider itself to be an Australian company and subject to Australian law, I mean I suppose it really requires the US to be on this? Presumably, they were with you yesterday – do they sort of get it? Or is this a State‑level thing in the US and every state…

JONES:

Good conversations with our counterparts in the US and Canada. Very good conversation with the Canadians about a similar experience they’re having around their media bargaining arrangements. There is a resolution amongst countries to ensure that we raise the bar and I see the social media platforms – and in particular Meta – they’re the elephant in the room. You know, whether it's tackling fraud or ensuring that we have a healthy ecosystem for news and journalism in any country, social obligations fly from social licence. They make a hell of a lot of money out of Australia and Australians. Social licence requires them to play by the rules and truly they have a responsibility to the local countries they are operating in.

JOURNALIST:

So when you talk about this coalition or I suppose the outcomes of yesterday, was there anything concrete that you will be doing or saying in conversing with social media platforms?

JONES:

The communique was clear and…

JOURNALIST:

We haven’t seen the communique.

JONES:

I’ll make sure you get a copy of it. I can point to a couple of areas where there will absolutely be sharing of intelligence and information. In particular, chasing down funds. We all experience that once the money leaves our country it’s impossible to get it back. We all experience that. We’re committed to work on fund recovery and repatriation, so – good outcomes. In relation to social media platforms, if you look at what’s happening around the world, all countries are looking within their own unique legislative system mechanisms to regulate and regularise their activities. All countries. In the UK, with its online safety, digital market regulations and the powers of their markets regulator. They’re using their tools. The EU has a very European approach to this which is setting out all of the obligations inside primary law. Us in Australia and Singapore we're all dealing with this. We're all in our view absolutely resolved to ensure we welcome your services, welcome your innovation, we welcome your technology, but you’ve got to play by local rules.

JOURNALIST:

How long do you think it will take for them to get in line?

JONES:

I just think that this is going to be an ongoing dialogue. I would make this point: they’re not all taking this attitude. Both of your companies for example – Google is entering into negotiations and reaching good faith commercial agreements. That’s the sort of behaviour we want to encourage.

JOURNALIST:

And the code you know is a consultative process right but if they’re not willing to engage in good faith, you’re just going to go ahead anyway.

JONES:

That’s right it's all done in the shadow of the law. But the absolute assumption is that the heavy hand of government should not be needed and commercial negotiation should occur in due course.

JOURNALIST:

Supposing Facebook says alright then we'll just shut down marketplace in Australia, you know, see how punters like that. Do you think people are sort of… where do you think the public is on this in terms of how they see companies like Meta? Are they willing to see those services downgraded or you know are they backing in the government?

JONES:

I think Australians are 100 per cent behind our strategy to take on the scammers. I want to take that up front and centre. Can you imagine commerce in Australia if Australian consumers stopped taking calls from a call centre run by any business because they couldn't be confident that it's actually their bank, their insurance company, that was on the other end of the call? Can you imagine a business in Australia no longer being able to use an SMS or an email to contact their customers because the customers couldn't be confident that it really was their bank, their insurance company, their superannuation fund, their financial adviser that was contacting them? We are not that far away from there, because consumers are deeply concerned of the ‘scamdemic’ and they want to see corporate action, they want to see government action. So Meta doesn't set – and I know they like to talk about the Metaverse – the metaverse exists on Earth – and you know it's entrenched in economies around the world and it has an interest in ensuring that consumers have confidence in the rails of modern commerce. If they don't have confidence in the rails of modern commerce, we’re winding the clock back 30 years.

JOURNALIST:

You mentioned that Australia was a honey pot during COVID. What was so attractive that the scammers all went for Australia?

JONES:

By international standards, a wealthy country, there was a lot of injection of public and private money into the economy, so people were cashed up, and they all have mobile phones and computers and internet connections and hundreds of thousands of Australians changed the way they did things including the way they shopped, the way they did their finances. They moved from turning up to their bank or the shop to doing it all online. There was a significant shift in consumer behaviour. They were all at home, so they were able to take the call. Things shifted and it probably brought forward trends that were already on their way by about a decade.

JOURNALIST:

Do you think Australia was targeted more than other countries?

JONES:

I don’t think, I know.

JOURNALIST:

How much more do you think Australians were targeted?

JONES:

I know from the advice that has been provided to me, Australia was seen as a very attractive place for criminals to do business for the reasons that I have outlined. And we were you know… Australia did not respond with the speed and seriousness that was required.

JOURNALIST:

I'm just curious about the banks as well because you mentioned they’re part of the ecosystem and I mean in Britain, basically the UK made the rather interesting decision that the banks are required to… if you lose money in a scam the banks will just put it back into your account even though it's gone and the banks aren’t ever going to get it back. That’s presumably not the road we’re going down, I mean it's kind of like massive moral hazard on the consumer.

JONES:

I think we've got to attach liability and responsibility; there's going to be a connection between those two things. I think banks should be on the hook if they don’t meet the standard that we set. If we clearly set out what's expected of them, putting in place anti‑fraud measures, putting in place confirmation of payee, slowing down the off‑ramps, closing down their mule accounts, putting in place dispute resolution procedures, having report and respond mechanisms. These are all the basic things that you know we should expect from a responsible banking system – they should do all of that. If they don’t, and people lose money then yeah, there's a consequence for the bank. But you'll take a lot of effort to convince me that banks should be liable when somebody goes to Facebook, loses their money on a puppy scam, and somehow it’s only the banks should be responsible for that when Meta has taken advertising revenue to promote that site. They've been the vehicle through which that crime has occurred, and they’ve financially benefited for it, and people are saying somehow the banks should be liable for that. That does not attach liability for responsibility. It creates no incentive for them to get their act into gear. So no we want to go down that approach we'll be saying liability should apply but it should be where responsibility lies.

JOURNALIST:

But you will be setting standards for the banks?

JONES:

Yep absolutely and if they don’t meet them, they’re on the hook.

JOURNALIST:

Wouldn’t the Australian banks meet these standards now anyway?

JONES:

So they’ve moved early. If you’d asked me that question two years ago, I’d have said no. So we were talking to them two years ago and we said ok confirmation of payee… if you've typed in the wrong number because there's no alpha‑numeric matching and you don't know whether you’ve sent the money to Hans instead of Jacquelin. That's a huge fault in their online applications. They were very resistant to rolling out confirmation of payee across the whole banking system, they've now agreed that has to be a core functionality. That’s good. They've come on a journey. The banks have prioritised this. When the government said we need you to lift your game, they said yeah that’s a priority. We’re not there yet but they're definitely moving in the right direction.

JOURNALIST:

They’re probably bricking it after they saw what happened in the UK.

JONES:

I have no doubt that there’s motivation to ensure that we have a sensible proposition in place in Australia.

JOURNALIST:

I mean it’s interesting, when you're trying to do anything here now with an online bank account, you actually have to click OK about three times before that they would… they say ‘are you sure? Are you being coerced?’ A message just comes up again and again, which is like what you were talking about – putting the grit in the system. I mean it's not a lot of grit but it’s…

JONES:

It’s got to be enough. I sat in on call centres in banks where they’ve attempted to do the interception. They’ve identified that somebody's trying to transfer money into a scam account and not once, not twice but several times they've tried to convince that person not to proceed with that transaction and they did. And they lost $200,000 or $1 million. At some point in time there has to be personal responsibility, but we reject totally that it's all personal responsibility and there's not corporate responsibility in there as well.

JOURNALIST:

Do the social media companies want the government – or law enforcement – to help them identify which the scam sites are? Is there supposed to be some kind of intel swap between the public and private sector?

JONES:

Absolutely and that's what the National Anti‑Scam Centre is doing. The Anti‑Scam Centre will be the information exchange point between all those participants in the ecosystem and a part of the legislation. So they’re up and running now, we'll take it up to a new level in phase 2 which will include mandatory information exchange, and common standards. We get every player operating. I've talked about banks and social media and telcos but we’ll move out from there because as soon as you tighten the defences in a certain area, they move somewhere else, so you know we will have to expand out.

JOURNALIST:

Where do you think that will expand to?

JONES:

Crypto. We’ve got a separate job going on working on cryptocurrency. You'll be aware that we’ve got a reform program there, which is about ensuring they’re brought inside the corporations law and required to operate under Financial Services Licence and big uplift in standards there, so that’s an obvious one. One of the great things about our superannuation system is that Australians have $3.4 trillion worth of funds under management. The average retirement balance is now $200,000. That’s real dough. People don’t necessarily have access to the information that they need – and that’s a risk point – so we’re going to have to move on that. There’s no doubt about that because once we lock down other areas – boom.

JOURNALIST:

Is it the private sector or the public sector’s job – or both – to get consumers to be more wary?

JONES:

I’ve seen it as a big part of my role to talk about this publicly and to put a spotlight on it. I think I've done about 60 plus community forums over the past 9 months, regularly attended by anywhere between 100 and 300 people. Just getting that message out there and giving people basic information. We’ll fund the National Anti‑Scam Centre to do some proactive educative work as well. So yeah there’s absolutely a role for everyone to be lifting awareness. One of the things I do want to do is ensure we destigmatise, because we want people to report. There's often a lot of shame in this. So a romance scam… and it was a prevailing view a few years ago that if you got scammed, you’re a mug. Now I don’t think that's true. The profile of these fraudsters – they’re more likely to have a uni degree than a prison sentence. We’d like to swap that around. They’re smart, sophisticated, this is an industrialised operation. So we've got to shift the thinking as well. Don't victimize the victim; encourage them to report and ensure that we have mechanisms in place so they’re not being re‑victimised.

JOURNALIST:

Having used your Scamwatch, a bit of feedback is that I find it goes into the ether – you just don’t hear whether it’s led to any result. And maybe – even if it's not on my individual situation – that maybe a message should come back to me at some point and say as a result of a hundred thousand people reporting, this is what we've done. It would make you feel a little bit better that you've actually done something.

JONES:

That's really great feedback and like we really are just at phase 1 on up‑lifting that IT capacity. But I think that’s a great idea. An annual report or quarterly report on what’s happened to all those reports that have been made.

JOURNALIST:

Or even just three months later because you kind of feel like you're not…

JONES:

… no it’s great feedback.

JOURNALIST:

And identity theft, is that also part of this?

JONES:

Can I just stretch the canvas a bit broader here? What I'm doing here is part of a broader government program. So Clare O’Neil is doing cyber. I’m doing fraud. Katy Gallagher and Mark Dreyfus have got a piece of work on Privacy Act and Digital ID. What’s the relevance of all that? Cyber is about keeping your information safe. The Privacy Act review is about us looking at the private data that is collected in the first place. And saying do we really need to be collecting 100 points of ID to buy a cup of coffee at a cafe through a QR code? Let’s wind back some of this collection and storage of data. And as we're asking people why you’re collecting that data and how are you storing it? Sometimes the answer is: well because the bloody government tells us we’ve got to. And we do that for good reason, it may be know your customer, anti‑money laundering. So that's where the digital ID stuff comes in. We need a safer way to verify identity that doesn't involve us photocopying our passport, our license our Medicare card, emailing it that to god knows who and having that stored god knows where and god knows how. So the digital ID is about tokenizing all of that so through trusted mechanisms your ID is verified. Nothing is stored on some hard drive or cloud drive somewhere… to get back to the question that you asked, well ID theft is huge. Medibank, Optus, Latitude. You’re getting close to two thirds of all Australians who had a touch point with those data breaches. And it all gets back to what information has been stored in the first place. That's what the digital ID process is about. It’s about safe verification. We’ve got to look at all these things holistically. I look at it from the fraud point of view and that’s kind of when everything else has gone wrong. There's been a cyber breach which captures or which steals the information that was stored somewhere imperfectly, maybe shouldn't have been collected in the first place. If you get all of those other links in the chain there will be less ID theft which is generating less fraudulent activity.

JOURNALIST:

So this stage 2, when will that be introduced?

JONES:

So I’ve just completed the consult. I’ll get a whole of government decision hopefully within the next month or two and that should leave us to have draft legislation out by mid‑year with a view to parliamentary introduction after. But I’m really keen on ensuring that with those participants in the ecosystem, they don’t have to wait. They can be doing things individually and collectively. Here in the UK they've got their code of practice signed up with major IT players who are the same players down in Aus. There’s things that they can be doing collectively and voluntarily.

JOURNALIST:

So you think there’s things that they’re already doing in other parts of the world that they should be doing in Australia?

JONES:

100 per cent. If they’ve agreed that it's a reasonable thing to do in Singapore, or in London, or in Berlin, or in Montreal then it's a reasonable thing to be doing down in Australia.

JOURNALIST:

Can you give me an example of something that they’re not doing in Australia that they are doing elsewhere?

JONES:

So, verification of advertiser identity.

JOURNALIST:

Meta’s doing that?

JONES:

There are obligations that the Singaporeans are working on a code which would require for that to occur. We think that’s core, it’s absolutely core and that's part of the British voluntary code.

JOURNALIST:

At the meeting yesterday, is there something that you learned or shocked you, or something that really stuck in your head about something that's happening in your world that you need to address?

JONES:

The fact that right throughout all of the countries represented; fraud was their biggest class of crime. We think of crime as violent crimes, but the biggest class of crime is an economic crime. And it’s often perpetrated by the same people who are doing drug smuggling, arms running, people smuggling. It’s not that they’re like the same people, they are the same people. And the money that they steal from victims through their economic crimes is capitalizing on human trafficking, drug running, gun running, so it’s all joined up. I was also astonished by the revelation here that Meta itself is the place where so much criminal activity is enabled. Facebook to be specific. And WhatsApp and Instagram and their encrypted messaging services. It is enabling criminal activity.

JOURNALIST:

That point you made about lack of trust in emails. How can Facebook not see that people will end up not trusting them?

JONES:

It’s existential. They have an interest. We operate in the real world and people have got to have trust. All good? Fantastic thank you for your interest.