‘Every crook … will try it on’: The loophole used to syphon thousands from a bank account
Sunday, 17 May 2026
A total of $19,740 was taken from a non-profit organisation through eight unauthorised direct debits involving multiple organisations and the IRD.
The withdrawals were made via a 'Preferred Initiator Direct Debit model' which does not require an authority form signed by the customer before taking payment.
Treasurer James Ayers says banks do not independently verify that the account holder has authorised the transactions when receiving instructions from these third parties.
Payments NZ says the sector is aware of the issue and is considering tools like Confirmation of Payee and Open Banking APIs to help close the gap.
Solving stuff is where we investigate reader complaints and push for answers.
In this instalment: A Westpac customer who had to recoup thousands in unauthorised direct debits taken from his non-profit organisation’s account is calling for an overhaul of the system to stamp out fraud. But as Natalie Akoorie reports, changing technology might be the answer.
The problem
When James Ayers got a phone call from Inland Revenue (IR) to say a $15,596 direct debit on his organisation’s account had been dishonoured, he was perplexed.
The forensic accountant, who is the treasurer for lobby group Campaign Against Foreign Control of Aotearoa (CAFCA), says he pointed out that CAFCA was a non-profit organisation and didn’t pay tax.
He wanted to know how IR got its bank account and who had authorised the direct debit when the CAFCA account required two signatories - including himself - for withdrawals.
“They wouldn’t reveal who their customer was - presumably it was someone who owed tax and provided an account number to direct debit,” Ayers said.
“So when I checked the bank account, to my horror I saw there were several direct debits from a variety of organisations that hit the account over the previous week or two.”
This was in June last year, and in total there were eight direct debits - including two to IR - totalling $19,740, though the final one was debited after Ayers had already complained to Westpac about the unauthorised string of direct debits.
“If it was a one-off I would have dismissed it as perhaps a genuine mistake,” Ayers said.
“But because it was coming from multiple organisations suggested to me there was some sort of systemic issue, other than the fact they were all fraudulent and none of them had been organised by us.”
What went wrong
After eventually getting the money back, Ayers spent the next nine months trying to get to the bottom of how it happened.
What he found out alarmed him so much he issued a press release last month to warn other unsuspecting New Zealanders.
“CAFCA’s investigation has identified fundamental verification weaknesses in what the banking industry refers to as the Preferred Initiator Direct Debit model,” he wrote in the release dated May 4.
As revealed by Stuff last Sunday in this story about Jaron Phillips having $7650 taken from his account by Z Energy, a preferred initiator doesn’t have to provide an authority form signed by the customer before taking a payment.
We found larger, established organisations such as electricity and gas companies, councils and phone and broadband companies could qualify as preferred direct debit initiators.
In CAFCA’s case, the direct debits were loaded on its Westpac account by IR ($17,626 in total), and four other companies totalling another $2114.
Ayers noted the third party preferred initiators relied on unverified customer‑supplied information and did not confirm that the customer providing the bank account number to direct debit was entitled to operate that account.
“Critically, when banks receive direct debit instructions from these third parties, they do not independently verify that the account holder has authorised the transaction,” Ayers said.
The burden was then on bank customers to detect and dispute unauthorised direct debits, usually after the funds had been withdrawn, he said.
Ayers contacted Stuff after reading Phillips’ story.
He wanted accountability and an overhaul of the framework.
“At the core of any bank-customer relationship is the understanding that customers’ money is protected by effective systems that prevent unauthorised withdrawals.
“Instead, the current framework has created a third‑party transaction loophole with multiple points of failure that can be readily exploited by fraudsters.”
CAFCA has called for:
Mandatory bank-level verification of all direct debit transactions from third party organisations;
Independent oversight of the banking industry framework operated by Payments NZ;
And fines for banks when unauthorised direct debits are loaded against a customer account.
Ayers said he was worried that if the “loophole” wasn’t closed, fraudulent direct debits would become a widespread problem.
“Every crook and his dog will try it on.”
He said he believed someone found CAFCA’s bank account number on its website, where it was located to enable donations from supporters.
In emails between Ayers and Westpac, seen by Stuff, the bank suggested CAFCA could remove the account number from the website.
“Every charity, every non-profit, in fact every business has their bank account number in the public domain,” Ayers said. “So that’s not an excuse for this happening.”
He said closing the account and getting a new one was also not an option because CAFCA would likely lose long-time donations paid by automatic payment.
Ayers said it was unfair to expect customers to police their bank accounts every day.
“You’re relying on customers to be the ambulance at the bottom of the cliff. To bring a fraud to the bank’s attention when the fraud shouldn’t happen in the first place.”
In the end Ayers put a direct debit block on the CAFCA account and complained to Westpac, police and the Banking Ombudsman Scheme.
What we did
Stuff contacted Payments NZ, whose general manager of clearing systems, Jamie Wood, said the sector was aware of the issue and that Payments NZ was considering how to fix it.
“Technology has changed just even over the last 18 months so there are now tools available that can perhaps help with this and help close the gap that weren’t available some time ago.
“There’s an industry conversation that’s already begun about can these tools be used in a practical way to help close this gap.”
These tools included Confirmation of Payee and Open Banking APIs, which let payment service providers or direct debit initiators send a bank a request for information to run verification checks.
Wood said the Confirmation of Payee service became available to individual online customers first and was only newly available to preferred initiators and not widely used yet.
Confirmation of Payee was a direct result of increasing fraud, Wood said.
He said rather than dismantling the preferred initiator system, the aim was to improve it.
We also sent questions to Westpac NZ and a spokesperson said the issue affected a “tiny number” of customers and the bank encouraged anyone affected to make contact to have funds returned.
“At present direct debit initiation is governed by an industry framework and any changes to the rules need to be made at an industry level.
“While the system generally works well, we agree with Mr Ayers that this issue warrants discussion and we are actively taking this up with Payments NZ and Get Verified, which operates New Zealand’s Confirmation of Payee system.”
An IR spokesperson said it could not discuss a taxpayer’s private tax affairs.
However, she said IR was what’s known as a paperless initiator; a specific type of preferred initiator.
The spokesperson said the two ways customers could initiate direct debits were through MyIR and IR’s contact centre.
“Through MyIR we have robust registration processes and multi-factor authentication, which gives a high level of confidence that we know who our customers are when engaging with IR.
“We have models to validate amounts owed to IR, which we can’t share for security reasons.”
She said where fraud or identity theft was used to debit an account not owned by the requesting customer, IR had processes with banks to return funds quickly.
“Over the past 12 months we have had 26 direct debit recalls, from 3.6 million direct debit payments.”
Minister of Commerce and Consumer Affairs Cameron Brewer said he expected the banking sector to ensure direct debit safeguards are fit-for-purpose.
“Preferred initiator arrangements are an established part of the direct debit system, but they do not remove the requirement for customer authority.
“I understand there are very few reported incidents of unauthorised debits.
“However, I expect the industry to continue to identify and address any weaknesses to minimise the opportunities for fraudsters to act.”
In response to CAFCA’s calls for action, Brewer said he was unconvinced legislative change was the answer.
“It may be that any weaknesses can be addressed through Payments NZ’s rules, bank processes, stronger verification requirements and existing complaints and regulatory channels like the Banking Ombudsman Scheme.
“If I do become aware of a systemic gap that cannot be addressed within the current framework, I will consider whether further action is needed.”
Consumer NZ chief executive Jon Duffy said he wasn’t aware of preferred initiators.
“I’m surprised that this loophole has been allowed to persist, given all the efforts banks have made at an individual customer level to introduce technology like confirmation of payee.
“It seems like it’s a bit of an oversight if that isn’t currently being rolled out to these preferred initiators given the economic situation that the country finds itself in and the pressure that’s on people that could lead to more attempts at fraud.”
The Banking Ombudsman Nicola Sladden said she couldn’t comment on specific cases under investigation but that her office had received a small number of complaints about unauthorised direct debits.
The Banking Ombudsman’s quarterly report to March this year said fraud and scam complaints rose for the first time in 18 months, and “most notably” complaints about unauthorised transactions increased 26% on the previous quarter to 97.
So have we solved it?
Stuff has highlighted the potential for fraud, reinforced the need for a solution and publicised the possible ways to combat the loophole.
In doing this we’ve alerted the Minister of Commerce and Consumer Affairs to the issue, who says if the proper protections aren’t put in place he will consider further action.
We’ve also put it on the radar of Consumer NZ, while Payments NZ, the banks, police and the Banking Ombudsman know we are following the outcome.