PEXA bolsters security after high-profile fraud case reveals gaps

PEXA, the electronic property transfer system, has responded swiftly to “isolated incidents” of fraud after a former MasterChef contestant lost $250,000 from her house sale last month. The woman’s money was stolen from her conveyancer’s account, which was connected to the PEXA system, the Sydney Morning Herald reported on 22 June.

“While the PEXA system itself wasn’t compromised, we have also begun work developing additional alerts and processes to further enhance security in the system,” PEXA acting CEO James Ruddock said in a letter to members a couple of days later.

Ruddock said PEXA would introduce a number of changes to further enhance its security, including increased scanning measures to monitor password reset activity, new users and change of account details.

PEXA has also announced that it will provide a “consumer guarantee for transactions conducted on our platform”, with more information to be released shortly.

Dion Dosualdo, executive officer of the Australian Institute of Conveynacers – WA division, told MPA in an interview after the latest fraud was unveiled, that while he has a high degree of confidence in the PEXA platform itself, the conveyancer interface (login) creates the greatest opportunity for fraudsters.

“While there is a degree of sophistication in using the platform that only a trained conveyancer could navigate with confidence, conveyancers who use the platform pose a threat as they may directly or indirectly adopt processes that could facilitate a fraudster to gain access to sensitive information,” he said.

Dosualdo said the weak points exist when clients transfer funds to their conveyancer or when the conveyancer enters the account recipient details to transfer funds electronically into PEXA. “The issue is that electronic fund transfers generally don’t occur using any validation protocols as to who the recipient is,” he said.

“It’s no fault of PEXA or their platform; the banks need to implement and all agree to introduce account verification and matching for recipient names.”

Hackers and fraudsters are able to assume the identity of a conveyancer, request a password reset in PEXA and gain access, he said. Or they can assume the identity of the conveyancer to email the client and request funds be deposited into the fraudster’s account.

It also works in reverse where the fraudster can assume the identity of the client. “No one is the wiser until the funds don’t turn up and by then they have gone missing,” he said.

PEXA’s new measures, such as additional sign-in verification, and workspace time stamps, should deal with some of these issues.

Is more regulation required?
There’s not much borrowers and conveyancers can do to protect themselves when they use the PEXA platform, which is why Dosualdo said some conveyancers are scared about transferring funds through it electronically.

Conveyancers can take out a cybercrime insurance policy, but no such cover exists for homebuyers/sellers, he added.

“Consumers are left out in the cold by a soon-to-be mandated system that is flawed [and] to which the state government[s] and Landgate have repeatedly ignored the concerns of AICWA to improve.”

Dosualdo said the whole electronic conveyancing ecosystem needs greater oversight from the Australian Registrars' National Electronic Conveyancing Council (ARNECC).

“ARENCC needs to implement regulation for all stakeholders to ensure the safety of consumers and their funds. They are simply not listening to industry concerns and I feel they lack appropriate power, will and resources to do anything about implementing robust regulation.”

PEXA is owned by four state governments, the four major banks and a few other investors. The system will be made mandatory in Victoria in October, followed by NSW in July 2019.


Related stories:
Digital conveyancing to lower loan delays
Mike Cameron: why PEXA means business as usual