POLi Payments: How it affects and breaches your banking security

Martin, who banks with Kiwibank, told us that using POLi payments “invalidates the Bank Guarantee of Kiwibank, not just for the payment in question but for all subsequent internet banking with Kiwibank.”

Yet, banks let us use POLi payments on a daily basis. If they weren’t secure, or breached their terms and conditions, they’d stop us using them, right? Or they’d at least let us know that using POLi might be leaving us vulnerable?

Incredibly, this is not the case, and the issue goes beyond Kiwibank.

According to POLi, POLi payments are used by almost half of the banking population in New Zealand, helping people make payments instantly, without a credit card or the surcharges that come with them. While other countries have developed infrastructure to enable payments to be made quickly, securely and cheaply online, a lack of innovation in New Zealand’s banking system means that if you want to avoid surcharges, POLi remains your best option.

But our research shows that using POLi is likely to breach your bank’s terms and conditions, compromising the little protection you have if you become a victim of fraud.

What are POLi payments?

POLi payments allow people to make payments directly from their bank account to a merchant without the need for a payment services provider (a “middleman”, like Visa or Mastercard, that will charge a fee to process a payment). As a result, both the consumer, and the merchant, can save some money.

But the service comes with considerable risks, with consumers required to provide their internet banking log-in details – including their customer number and password – to allow the merchant to generate the payment.

As a relatively recent arrival to New Zealand from the UK, my jaw hit the floor when a colleague told me how the service works.

Banks repeatedly stress to never, ever give away your personal banking information, and yet here is a widely accepted payment method, used by well-known retailers and government agencies, encouraging consumers to do just that.

Using POLi can breach banks’ terms and conditions

We asked New Zealand’s major banks where they stand on POLi payments. Across the board, banks warn their customers against using the service, with several banks saying that using POLi or a similar service is a breach of their terms and conditions.

If you are a customer of ASB, BNZ or Westpac, using POLi payments is a breach of your bank’s terms and conditions.

If you are a customer of ANZ or Kiwibank, using POLi payments may represent a breach of your bank’s terms and conditions.

While Kiwibank told us that using POLi ‘may’ breach their terms and conditions, the bank’s Internet Banking Guarantee mentions POLi specifically, and says “the use of third-party services like this invalidates our internet banking guarantee, not just for the affected transaction, but for all subsequent internet banking use too.”

Co-operative Bank and TSB did not respond to our questions about POLi payments.

TSB’s terms and conditions say “Do not enter your PINs or passwords on a third-party website or mobile app”. Co-operative Bank’s terms and conditions do not appear to cover POLi payments or other third-party access but they advise not to share your password with anyone.

What’s the problem?

POLi payments as a potential breach of a bank’s terms and conditions is a significant issue.

New Zealand consumers do not have good protections from fraud, with coverage coming largely from a small section of the New Zealand Banking Association Code of Banking Practice. The code states you’ll be reimbursed for losses sustained if someone accesses your electronic banking if you weren’t dishonest or negligent, if you took reasonable steps to protect your banking, and if you complied with terms and conditions for electronic banking use.

We asked Nicola Sladden, the banking ombudsman, for her views on POLi payments in relation to banks’ terms and conditions.

She said that third-party systems like POLi were outside the ombudsman’s jurisdiction, so they saw relatively few complaints about them, “however, we recommend customers do not share their banking credentials, including entering their internet banking log-in credentials into a third-party system. Sharing banking credentials can expose customers to a greater risk of fraud and scams, including a likely breach of banks’ terms and conditions and could invalidate any potential reimbursement by banks.”

Scams are a significant problem in New Zealand, and using POLi could compromise the little protection you do have.

What do merchants that accept POLi payments say?

On its website, POLi displays the logos of numerous major retailers and government agencies that it is ‘trusted by’ that presumably offer POLi as a means of payment. So, how do those organisations feel about potentially contributing to their customers’ banking breaches?

Bunnings told us that POLi is a payment method available for special order or trade purchases, and that it was not aware of individual customers’ banking terms and conditions. Bunnings encouraged customers to speak directly to their bank about whether they can use POLi payments.

Air New Zealand and Jetstar said they offer POLi as a fee-free option for customers to make payments. Air New Zealand said POLi is also used widely by local authorities and utility companies.

Waka Kotahi, Bluebridge Ferries, Spark, InterCity and PB Tech were all identified on POLi’s website as organisations offering POLi payments but did not respond to our requests for comment.

Is POLi safe?

Jeff Skidmore is the director of POLi payments. He is adamant that POLi is safe, telling us that there have been “40 million POLi transactions processed in the last 15 years, and to our knowledge no bank has taken a single customer to task for misuse of their account for using POLi or any other similar service. Nor has any customer suffered a financial loss as a consequence of using POLi.”

Yet, while POLi itself might be secure, it sets a dangerous precedent for consumers around giving away their personal information.

In March 2024, NZ Herald columnist Sasha Borissenko became the victim of a scam orchestrated via Facebook Marketplace. She received what looked like an official email from NZ Post, which took her to what looked like a portal to make a POLi payment. She entered her log-in details, as is usual with a POLi payment, then scammers used that information to access her internet banking and steal $12,500.

Borissenko was with Kiwibank, and after what she describes as “forty-odd calls and emails and two days’ worth of clown-crying” she received a reimbursement as a “goodwill gesture” – an action a bank can choose to take when it does not consider itself obligated to reimburse the victim of a fraud. She is incredibly lucky. Under the Code of Banking Practice, a bank would not be obligated to reimburse her lost funds.

This was not a case of a customer suffering financial loss as a consequence of using POLi. But it is a case of a customer suffering financial loss because reputable retailers use the service, and because banks allow us to make transactions using it.

The presence of POLi has contributed to an expectation among consumers that there are certain circumstances in which it is safe to give away your online banking log-in details. POLi may be safe, but the bad habits of data hygiene it creates among consumers are definitely not.

What does POLi say?

POLi’s website does not draw attention to the fact that using its service could represent a breach of your bank’s terms and conditions.

Each of the banks who provided a comment for this article warns its customers against using POLi. You could be forgiven for thinking, though, that the banks have endorsed the payment provider, with POLi proudly displaying the banks’ logos on its homepage.

Skidmore explained that “these are the banks that POLi supports with its technology”. When we asked whether POLi had any concerns that putting these logos on its website could mislead consumers, for example by leading them to think that POLi is endorsed by their bank, Skidmore said, “No, it’s an informational page for consumers who are unsure if POLi supports their bank.”

We don’t agree. We think it is potentially misleading to have banks’ logos displayed on the POLi website, because customers could take that as an endorsement or approval for using the service.

While the banks claim they warn customers against using POLi, Skidmore said they regularly work together and this issue is never discussed.

“Breaches of terms and conditions is not an issue under discussion with any bank … We often discuss upcoming bank technology changes that might affect availability of POLi with banks which they initiate, and we collaborate with some banks and share transaction data to improve fraud detection. Surely these are opportunities for banks to table their concerns about terms and conditions, and yet this doesn’t happen.”

POLi payments shut down in Australia

In July 2023, POLi announced that from September that year it would be shutting down its Australian operations. There were a few key reasons for the shutdown.

In 2018, the New Payments Platform was launched in Australia. The platform is a piece of technological infrastructure that lets consumers and businesses transfer money to each other in real-time, without requiring a payment provider, and without providing sensitive personal information. The platform’s introduction drove significant innovation, and POLi, according to its then general manager, Susan Nicholson, was “unable to effectively compete given the significant ongoing investment required to keep up.”

Security, and the upgrades made by Australian banks to improve it, was another key driver according to Nicholson. “Globally, fraud and scams have increased and are becoming more sophisticated. To prevent financial crimes, institutions have now adopted new software that is incompatible with traditional POLi vectors.”

Following the news that from mid-July 2023, three of Australia’s major banks would no longer accept POLi payments, it was decided that POLi was “no longer financially viable”. The service was shut down in Australia, with the New Zealand side of the business sold to Merco and continuing to function.

If the service is not good enough for Australian banks, why is it good enough for New Zealand?

The answer is that New Zealand’s payment infrastructure lags badly behind other nations. Australia’s banking infrastructure has evolved in a way that has made POLi redundant. New Zealand’s hasn’t.

Real-time (or fast) payment systems are a vital piece of the puzzle here, allowing a customer to pay money, and for a merchant to receive it, instantaneously, without the need for a payment services provider like VISA or Mastercard, and without giving away vital personal information.

A World Bank report released in 2021 explored the global rollout of these systems. Most of Europe, and much of the Americas, Middle East, Asia and Sub-Saharan Africa were listed as having fast payment systems already up and running. New Zealand’s fast payment system was listed as “under development”, alongside economic powerhouses like Georgia, the Maldives and Yemen.

Yet, New Zealand might still be some way from catching up. Payments NZ, the bank-owned company that governs New Zealand’s core payment systems, has estimated that New Zealanders will be able to make real-time payments by 2030.

The banks must step up

The banks clearly have an uneasy relationship with POLi. On the one hand, they rely on the service to offer a payment option without surcharges. On the other, they are unwilling to accept the risk that comes with their customers sharing their log-in information.

This is an abdication of responsibility, and it is not one that New Zealanders should have to accept.

Once again, New Zealand’s ancient banking infrastructure means that customers cannot access the benefits available to consumers in other countries. Further, our banks are apparently not sophisticated enough to spot POLi payments and prevent customers from making them. We asked all the banks why, if POLi was a breach of their terms, did they allow customers to use it. Only BNZ responded, saying, “it is difficult to completely block these services without a potentially significant impact on customers.”

Skidmore said, “POLi fills a gap in the payment market which is unmet by banks, i.e. a means to make an online payment from your bank account to a merchant.” And he’s right. Unfortunately, due to the failure of New Zealand’s banks to develop a modern, secure system for making real-time payments, POLi is often a consumer’s best option, even if it breaches their bank’s terms and conditions.

When releasing the draft report on its recent market study of personal banking in New Zealand, the Commerce Commission said it had been, “surprised by the limited investment by the major banks and Kiwibank in their core banking systems and the low prioritisation given to this.”

The continued relevance of POLi payments in New Zealand is a tangible outcome of this issue. It’s consumers who pay the price – whether through surcharges or by taking on risk

Both Skidmore and the banking ombudsman, Nicola Sladden, have pointed to Open Banking as a potential solution, giving New Zealanders the ability to instruct their bank to share information with third-parties so they don’t have to. ANZ, ASB, BNZ and Westpac should be able to offer their customers the ability to make payments via Open Banking by May 2024. Kiwibank is unlikely to offer the service until May 2026. Open Banking has been in operation in Europe since May 2018.

The desire to use POLi payments is understandable. Times are tight, and surcharges can really add up, particularly when making large purchases. But if something goes wrong – either with POLi, or a scammer impersonating it – you’ll be on your own. I would not use it.

If banks allow – or cannot stop customers using – POLi, it should be covered in their terms and conditions.