May 17, 2026

Your business account has no protection against unauthorised direct debits

A customer using a contactless payment terminal for secure and cashless transactions indoors.

The system works exactly as designed, which is the problem

New Zealand’s direct debit infrastructure runs on trust, and the trust is misplaced. Under the Preferred Initiator Direct Debit model, banks delegate responsibility for verifying account authority to third parties like utilities, telcos and government agencies. Those organisations typically collect account details over the phone, without independent verification. When the debit instruction arrives at the bank, it gets processed. No call to the account holder. No second check. No friction at all.

For businesses, this means anyone who knows your account number can pull money out of it. That is not an exaggeration. It is how the system is built.

$19,000 from a dual-signatory account, and nobody noticed

The Campaign Against Foreign Control of Aotearoa discovered in May that more than $19,000 had been fraudulently withdrawn from its Westpac account through unauthorised direct debits set up by multiple large organisations including 2degrees, Orcon, Mercury, Watercare and the IRD. The account had a unique organisational name and a dual-signatory requirement. Neither safeguard stopped a cent from leaving.

The fraud only surfaced when IRD contacted CAFCA after a $15,000 direct debit failed. Complaints with Westpac and the Banking Ombudsman remain unresolved.

This is not an isolated incident. Earlier this month, Z Energy debited the wrong business account for $7,650, with 16 commercial Z Card holders also overcharged. For an SME running tight on cashflow, a surprise $7,650 hole can mean missed payroll, bounced supplier payments, or a damaged banking relationship, even if the money eventually comes back.

The foxes guarding the henhouse

CAFCA spokesperson James Ayers described the structural flaw plainly: “the current framework has created a third-party transaction loophole with multiple points of failure that can be readily exploited by fraudsters.”

The body responsible for overseeing New Zealand’s direct debit rules is Payments NZ, a company owned by the banks themselves. Ayers called this arrangement “akin to a skulk of foxes guarding the hen house” and an “unacceptable conflict of interest.” CAFCA is calling for mandatory bank-level verification of all direct debit transactions, independent oversight of Payments NZ, and penalties paid by banks to customers when unauthorised debits are processed.

The banking industry earns approximately $10 billion in pre-tax profits annually. The cost of verifying a direct debit before processing it is not zero, but it is rounding error for institutions of this scale.

Fifteen years of the same vulnerability

This is not a new discovery. In 2011, the Serious Fraud Office prosecuted Steven John Roberts, who used a direct debit kiting scheme to dishonestly obtain $39.6 million over 10 months by drawing funds from accounts at ASB and Westpac. The scheme ran until a processing error exposed it. Fifteen years later, the structural conditions that enabled it remain in place.

The broader fraud picture

In November 2025, an MBIE report found Kiwis lost a gross total of $265 million to fraud over 12 months. Of that, $139 million came from unauthorised transactions where scammers accessed accounts without the holder’s knowledge. Against the $8.6 trillion that moved through New Zealand’s payments system in 2025, the fraud numbers look small in percentage terms. But percentages do not pay your suppliers.

The New Zealand Banking Association acknowledged in 2025 that banks are “unable to catch all mistaken transfers through human error.” That is the industry’s own representative body conceding its safeguards are structurally insufficient.

Archaic by international standards

Personal finance columnist and former fund manager Janine Starks, writing in NBR today, characterised New Zealand banks’ response to scams and fraud as “Archaic, five years behind Australia, 15 years behind the UK”. Commerce Minister Andrew Bayly has signalled pressure on the sector to strengthen anti-scam measures, but signalling is not legislating.

Meanwhile, the Commerce Commission flagged in 2024 that bank API pricing of 5c to 30c per transaction remains a barrier to fintech competition. The banks are happy to modernise infrastructure that generates revenue. They are less enthusiastic about modernising controls that cost money.

What businesses should do now

CAFCA is urging all bank customers to request written confirmation from their bank that no third-party direct debit can be established without explicit approval. For businesses with dual-signatory accounts, the CAFCA case proves that protection is cosmetic, not functional.

The practical risk for SMEs is asymmetric. Even when funds are returned, the business absorbs the cashflow disruption, the time cost of investigation, and the reputational risk with suppliers and lenders. Banks bear no mandatory penalty under the current framework. Until that changes, businesses are funding the cost of banks’ weak controls out of their own working capital.
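Until bank-level verification exists, the only control a business holds is its own records: it knows which direct debit mandates it actually signed. The script below, added here as an illustration and not taken from the article, any bank, or Payments NZ, reconciles a statement export against that register and flags every debit no mandate explains; the CSV layout, initiator names and amounts are constructed sample data.

```python
"""Reconcile direct debits on a business bank statement against the mandates
the business knowingly authorised. Added example: the statement rows, the
mandate register and the CSV column layout are constructed assumptions."""
import csv
import io
from dataclasses import dataclass
from decimal import Decimal

# Constructed register: initiator name as printed on the statement -> the
# maximum amount the business agreed that initiator may debit per month.
AUTHORISED_MANDATES = {
    "EXAMPLE POWER CO": Decimal("450.00"),
    "EXAMPLE TELCO LTD": Decimal("120.00"),
}

# Constructed statement export; assumed columns: date,type,payee,amount.
STATEMENT_CSV = """date,type,payee,amount
2026-05-01,DD,EXAMPLE POWER CO,412.30
2026-05-03,DD,EXAMPLE TELCO LTD,119.00
2026-05-05,DD,UNKNOWN UTILITY,2950.00
2026-05-09,DD,EXAMPLE TELCO LTD,640.00
2026-05-12,EFTPOS,CAFE,18.50
"""

@dataclass(frozen=True)
class Finding:
    date: str
    payee: str
    amount: Decimal
    reason: str  # "no mandate" or "over mandate ceiling"

def review_direct_debits(statement_csv: str, mandates: dict) -> list:
    """Return one Finding per direct debit that the mandate register does not cover.

    Only rows of type 'DD' are inspected: the control gap described above concerns
    debits a third party initiates, not card or EFTPOS spending the business made.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(statement_csv)):
        if row["type"] != "DD":
            continue
        payee = row["payee"].strip().upper()
        amount = Decimal(row["amount"])
        ceiling = mandates.get(payee)
        if ceiling is None:
            findings.append(Finding(row["date"], payee, amount, "no mandate"))
        elif amount > ceiling:
            findings.append(Finding(row["date"], payee, amount, "over mandate ceiling"))
    return findings

if __name__ == "__main__":
    for f in review_direct_debits(STATEMENT_CSV, AUTHORISED_MANDATES):
        print(f"{f.date} {f.payee} {f.amount} -> {f.reason}")
```

Run against a real export, the two flagged rows are the ones to raise with the bank the same day, since recovery under the current framework depends on the customer noticing first.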
