Mistaken and unauthorised payments

Protecting your bank accounts

There are a number of steps you can take to protect your bank accounts:

• use strong passwords and PINs
• increase the security for your account
• keep your account details safe – use your free hand to cover your other hand when it enters your PIN
• check who you’re speaking to when giving out your card details over the phone
• consider your payment limits – if you don’t need to make large transfers or payments, consider reducing your payment limits
• lock your card if it is lost or stolen
• regularly check your transaction history
• keep your contact details up to date, so your bank can contact you if it notices suspicious activity on your account.

For more information, see Protect yourself – Securing your accounts on the Australia Cyber Security Centre website.

Your bank account is compromised if your login details have been shared without your knowledge or permission, even if no unauthorised payments have been made yet. If you think your account has been compromised, you should:

• check all your bank accounts for authorised activity
• change your passwords and PINs
• notifying your bank as soon as you notice unauthorised activity
• lock your card
• check that your devices are protected by security software. 

Mistaken payments

Made a mistaken payment

If you have paid money to a wrong bank account, by putting in the wrong BSB or account number or choosing the wrong payee, you can contact your bank or credit union to see if they can get the money back for you. It’s important to notify your bank or credit union as soon as you make the mistake. This is called a mistaken internet payment.

A mistaken internet payment does not include entering the wrong BPAY number. There is a different process to resolve mistaken BPAY payments. You can contact your bank or credit union for more information.

Almost all banks and credit unions, and even some other organisations, are subscribers to the ePayment Code. Under the ePayment Code, what your bank can do will depend on:

• the amount of time that has passed from the date that you report the mistaken payment to the date of the actual payment
• if you can satisfy the bank or credit union that there was a mistaken internet payment, and
• if the unintended recipient has enough money in the account.

You can confirm if your bank or credit union is a subscriber by:

• contacting your bank or credit union, or
• searching the full list of ePayments Code subscribers on the Australian Securities & Investments Commission (ASIC) website.

For more information, see ePayments code on the ASIC website.

If you are trying to recover money that you sent to the wrong account and your bank or credit union is not a subscriber to the ePayment Code, you should contact your bank to get their rules and policies in dealing with mistaken payments.

For more information, see the factsheet Mistaken internet payments on the Australian Financial Complaints Authority (AFCA) website.

Time limits

There is no time limit to report a mistaken payment, however, the procedure changes depending on the amount of time from the date of the payment to the date that you report the payment. It’s important to report the mistake as soon as possible.

If you report the mistake:

• within 10 business days, it is likely the money will be returned to you.
• between 10 business days and seven months, the bank or credit union can freeze the money and request the recipient to show proof that they are entitled to the funds before deciding whether to return the money to you.
• after seven months, the funds will be returned only if the recipient agrees.

For more information, see the fact sheet Reversing Bank Transactions on the Financial Rights Legal Centre website.

Reasonable efforts to recover your money

If you have satisfied the bank or credit union that you made a mistaken internet payment but there is not enough money left in the intended recipient's account to pay you back, the bank or credit union must make reasonable efforts to recover the money for you. Reasonable efforts can include arranging a repayment by instalment plan with the unintended recipient.

Bank won’t reverse a transaction

If your bank is refusing to reverse the transaction, you should complain directly to the bank.

For help on how to make a complaint to your bank, see Internal dispute resolution tips on the AFCA website.

If you are unhappy with the banks response to your complaint, you can make a further complaint to AFCA.

You have two years to apply to AFCA about a dispute regarding an unauthorised payment, from when the bank responded to your complaint. In special circumstances, AFCA may accept a complaint outside of this time limit.

Generally, you can’t complain to AFCA about fees, charges or interests rates.

For more information, see Banking deposits and payments products and issues on the AFCA website.

Received a mistaken payment

If money is incorrectly transferred into your account, you should notify your bank. 

You should not spend or withdraw the money transferred into your account by mistake because you will have to pay it back.

For more information, see the factsheet Mistaken internet payments on the AFCA website.

Unauthorised payments

An unauthorised payment is a transaction that you didn’t perform or didn’t agree to someone else performing for you.

You should check your bank account statements regularly for unauthorised payments.

If there has been an unauthorised transaction on your account, you should report this transaction to your bank or credit union as soon as possible.

You may be able to get your money back from an unauthorised transaction if:

• there was fraud or negligence by an employee or agent of a bank or credit union, or another third party
• a forged, expired, faulty or cancelled PIN/password or card was used
• the transaction took place before you received your card or PIN/password
• the transaction involved incorrectly debiting you more than once in relation to a single transaction, or
• the transaction happened after you told the bank or credit union that your card was lost, stolen or had been misused, or that someone else may know your PIN/password.

You must report the unauthorised transaction as soon as possible. Banks or credit unions can consider any unreasonable delay in reporting when deciding your responsibility for the loss.

If your bank or credit union is unhelpful, you can complain to the Australian Financial Complaints Authority (AFCA).

For more information, see Make a complaint on the AFCA website.

Banks are not responsible for identifying and blocking every scam or fraudulent transaction.

In limited circumstances, your bank may be responsible for the money you lost to a scam. This will depend on whether the bank was aware of the scam, and what role the bank played in the unauthorised payment. Some situations may include where:

• your bank had been warned that an account was fraudulent and failed to close the account before an authorised payment was made
• a clearly suspicious transaction occurred in a local branch
• you were left on hold while trying to notify the bank of a security breach, and unauthorised payments occurred while you were on hold
• your bank didn’t lock your card, or allowed more transactions, after you reported an unauthorised payment
• you disclosed passcodes to the scammer but it was not voluntary because it was not the exercise of your free will and choice due to the scammer's manipulative, deceptive or coercive tactics, for example bank impersonation scams.

For more information, see the fact sheet Scams on the Financial Rights Legal Centre website.

If your bank or credit union is unhelpful, you can complain to the Australian Financial Complaints Authority (AFCA).

For more information, see Make a complaint on the AFCA website.

If you think that your bank acted unfairly or played a role in the unauthorised payment, you should get legal advice.

For more information, see Unauthorised and mistaken transactions on the Moneysmart website.