Financial & Banking · Australia

Bank Charged Me an Unauthorised Transaction: What's Covered, and What Isn't

This is one of the most misunderstood areas of Australian banking rights, because two very different situations get lumped together: someone stealing your card details or hacking your account without your knowledge, versus you being tricked into sending money yourself. The law treats these very differently — and knowing which one applies to you changes everything about what you're entitled to.

Genuinely unauthorised: this is covered

If a third party accesses your account or card and moves money without your knowledge or consent — cloned card, hacked online banking, a transaction made before you even received your card — this falls under the ePayments Code, which most major Australian banks, credit unions, and building societies subscribe to. Under the Code, you're generally not liable for the loss unless the bank can show you contributed to it through serious carelessness, such as writing your PIN on your card or handing over your one-time passcode to someone.

Important: if you were scammed into sending the money yourself, this is different

If you were deceived into authorising a transfer — a fake "grandchild in trouble" call, a fraudulent tech support request, a romance scam — ASIC has been explicit that this is treated as an authorised transaction under the current ePayments Code, even though you were deceived. The Code was not designed to cover scams, and this is a genuine, significant gap that has drawn criticism. Don't assume the ePayments Code protects you here — it generally doesn't, at least not yet.

What's changing

Australia is moving toward a dedicated Scams Prevention Framework, with draft rules released by Treasury in 2026 that would place stronger obligations on banks to prevent and respond to scams specifically. As of now this is still in draft form and not yet law — but regulators are already taking scam-response failures seriously under existing powers: ASIC recently secured a large Federal Court penalty against a major bank over scam-prevention failures, which signals the direction of enforcement even before the new framework takes effect.

What to do if your case is genuinely unauthorised

If the bank refuses without proof

The Code puts the burden on the bank to demonstrate your negligence — not the other way around. If the bank rejects your claim based on assumptions like "your usual device was used" without concrete evidence you authorised it, you can escalate to AFCA, which can review whether the bank properly applied the Code.