Telecommunications company Medion Australia Pty Ltd (Medion) has paid a $259,440 penalty for failing to comply with customer identification rules, resulting in a number of people falling victim to SIM-swap scams.
An Australian Communications and Media Authority (ACMA) investigation found Medion failed to complete a required customer verification check for more than 1,600 SIM-swap requests and one password reset request. These compliance failures led to nine known cases of people having their SIMs swapped illegally, five of whom suffered financial losses totalling over $160,000.
SIM-swap scams occur when a scammer takes control of a person's mobile number by using the individual's personal details to request a new SIM. Under industry rules introduced in 2022, telcos are required to conduct a multi-factor identity authentication check before undertaking high-risk customer requests such as SIM-swaps, changes to accounts or disclosure of personal information.
ACMA Chair Nerida O'Loughlin said that the rules had been very effective in stamping out SIM-swap fraud, which made Medion's non-compliance stand out.
"SIM-swap fraud can cause significant harm as scammers may then be able to gain access to your online banking accounts and other personal information. In this case, criminals have taken advantage of Medion's compliance failures," she said.
"The rules have now been in place for well over 12 months, so telcos have had more than enough time to ensure they have robust verification processes."
In addition to the financial penalty, the ACMA has accepted a comprehensive two-year court-enforceable undertaking from Medion committing the company to appoint an independent consultant to review its compliance with the customer ID rules and to make improvements where needed. Medion must also report regularly to the ACMA on its progress.
The Australian government is currently consulting on its Scams Code Framework which proposes new, mandatory industry codes for the private sector, including banks, telcos and digital platforms. This includes proposed obligations for regulated businesses and whether redress options should be available to consumers where a regulated business breaches a mandatory code.