Finally, a Win for the Victims

NZ Banks Step Up in the Fight Against Online Scams
26 June 2025 by Dr Bryce Antony


In cybersecurity, we often talk in terms of attack vectors, vulnerabilities, threat actors, and response frameworks. The tone is frequently urgent — sometimes grim.


So when something genuinely positive happens, it's worth taking a moment to highlight and reflect on it.


New Zealand’s major banks have agreed to begin reimbursing victims of authorised payment scams — up to $500,000 in some cases. This development isn’t just a gesture of goodwill. It marks a watershed moment in the relationship between consumers, financial institutions, and cybercrime response. In short, the banks have finally come to the party.


The Shift: From "You Clicked It, You Own It" to Institutional Support


Historically, victims of scams — whether investment cons, romance frauds, or cleverly constructed phishing campaigns — were left to pick up the pieces. Even if a scammer clearly manipulated them through sophisticated social engineering, banks took a firm stance: “You authorised the transaction. We are not liable.”


The result? Tens of millions lost annually, along with reputational harm, broken trust, and emotional trauma for (potentially) thousands of New Zealanders.


This new move challenges that paradigm.


Led by banking sector agreements and sector-wide coordination with the Ministry of Consumer Affairs, certain scams will now fall under a reimbursement scheme. Victims will no longer shoulder the entire burden.


For the first time, financial institutions are publicly recognising that cybercrime is not just a personal failure — it’s a collective problem.


Why This Feels Different . . .


In cybersecurity, most of our wins are invisible: an attack thwarted, a vulnerability patched, a potential compromise detected and contained. They're important but often abstract.


But this — this is tangible. It’s visible support. It’s a victim being told, “You didn’t deserve this, and we’re going to help.”


Make no mistake, this shift is not born of sudden altruism.


Banks have been under increasing pressure from regulators, the media, and the public. Scam volumes have skyrocketed, and the reputational fallout of “cold shoulder banking” became too heavy to ignore. But motivation aside, the change is meaningful.


What’s Covered, and What’s Not


Before we all start celebrating wildly, let’s be clear: this isn’t a blank cheque.


The scheme applies primarily to authorised push payment (APP) scams, where the victim is tricked into sending money to a scammer, believing it to be a legitimate transaction.


There are eligibility criteria:

• Customers must not be complicit.

• There must be no gross negligence.

• There must be sufficient evidence of fraudulent inducement.


In plain terms: if you willingly transferred funds to a known scammer, or ignored all warning signs (or had 12 fake bank alerts over two weeks and transferred anyway), reimbursement may not be forthcoming.


That said, this is a vast improvement from the previous model, where “you clicked it, you own it” was the default response.


Education Still Matters


This change should not be seen as a licence to ignore personal responsibility. The best-case scenario remains not falling for the scam in the first place.


Banks and consumers still share a responsibility to be vigilant:


• Verify before you send.

• Don’t trust urgency or fear-based tactics.

• Report suspicious activity immediately.


The banks’ willingness to support victims should enhance cybersecurity education, not replace it.


The Global Context


This move also brings New Zealand closer to what we’re seeing overseas. The UK, for example, has had a voluntary reimbursement scheme in place since 2019. Australia’s conversations around scam recovery and mandatory bank accountability are also heating up.


While New Zealand’s policy doesn’t yet have the weight of legislation, it is a sign that industry standards are evolving.


And they must. Because cybercrime isn’t slowing down. It’s shifting, adapting, automating. And most importantly — it’s exploiting the human element.


Changing the Narrative


The most profound shift here isn’t financial — it’s psychological. For too long, victims have been made to feel foolish. Worse, they’ve often been told it was their fault.


This reimbursement scheme says:

"You were tricked, not because you’re weak, but because someone exploited trust. And we’re going to help set that right."


In a world full of cynicism, this feels… well, good.


Where To From Here?


This change doesn’t replace due diligence, strong security practices, or 2FA. But it adds something essential to the mix: institutional compassion.


Let’s encourage continued progress — not just for reimbursement, but for scam prevention, incident response coordination, and victim support services.


Because if we’re going to keep talking about resilience in cybersecurity, we’d better start acting like it — together.