This is one of the most misunderstood areas of Australian banking rights, because two very different situations get lumped together: someone stealing your card details or hacking your account without your knowledge, versus you being tricked into sending money yourself. The law treats these very differently — and knowing which one applies to you changes everything about what you're entitled to.
Genuinely unauthorised: this is covered
If a third party accesses your account or card and moves money without your knowledge or consent — cloned card, hacked online banking, a transaction made before you even received your card — this falls under the ePayments Code, which most major Australian banks, credit unions, and building societies subscribe to. Under the Code, you're generally not liable for the loss unless the bank can show you contributed to it through serious carelessness, such as writing your PIN on your card or handing over your one-time passcode to someone.
Important: if you were scammed into sending the money yourself, this is different
If you were deceived into authorising a transfer — a fake "grandchild in trouble" call, a fraudulent tech support request, a romance scam — ASIC has been explicit that this is treated as an authorised transaction under the current ePayments Code, even though you were deceived. The Code was not designed to cover scams, and this is a genuine, significant gap that has drawn criticism. Don't assume the ePayments Code protects you here — it generally doesn't, at least not yet.
What's changing
Australia is moving toward a dedicated Scams Prevention Framework, with draft rules released by Treasury in 2026 that would place stronger obligations on banks to prevent and respond to scams specifically. As of now this is still in draft form and not yet law — but regulators are already taking scam-response failures seriously under existing powers: ASIC recently secured a large Federal Court penalty against a major bank over scam-prevention failures, which signals the direction of enforcement even before the new framework takes effect.
What to do if your case is genuinely unauthorised
- Freeze the card immediately through your banking app and call the bank's fraud line for a formal dispute reference number.
- Ask explicitly for an investigation under the ePayments Code.
- Provide any evidence that you had physical possession of your card/device at the time (location data), or a police report if a card or device was lost or stolen.
If the bank refuses without proof
The Code puts the burden on the bank to demonstrate your negligence — not the other way around. If the bank rejects your claim based on assumptions like "your usual device was used" without concrete evidence you authorised it, you can escalate to AFCA, which can review whether the bank properly applied the Code.