Optus mobile virtual network operator (MVNO) Circles.Life has been fined $199,800 by the Australian Communications and Media Authority (ACMA) for not running enough customer identity checks to prevent scams.
The company has also offered some $100,000 in compensation to customers that have had their services compromised by scammers.
An ACMA investigation found Circles.Life contravened industry rules for phone number transfers 1,787 times between August to December 2021, resulting in 42 customers experiencing fraud-related issues like compromised emails accounts and loss of access to banking accounts. The agency said at least seven customers experienced financial losses.
ACMA chair Nerida O’Loughlin said that the multi-factor identification rules are designed to prevent these types of fraud – and the rules work when telcos comply.
“Since the rules were introduced by the ACMA in 2020, there has been a significant drop in mobile fraud reported to banks and government agencies,” O’Loughlin said.
“Combatting these types of scams requires concerted action by all telcos and one weak link exposes all consumers to harm.
“It is the customers of other telcos who have fallen victim in this case by having their number transferred to Circles.Life without their knowledge.”
O’Loughlin added that Circles.Life did respond quickly after it was made aware of the breaches by implementing the required identity checks, appointing regulatory staff to oversee its activities and to compensate the 42 affected consumers.
“Some of the victims have experienced significant stress due to Circles.Life’s failure and we are pleased to see the company is providing recompense to acknowledge the profound emotional toll and disruption often caused by these scams,” O’Loughlin added.
Circles.Life, which was founded in Singapore in 2016, arrived in Australia in 2019. The telco offered its Circles-X platform as its main selling point, a propriety “telco-in-the-cloud” technology stack that allows the company to automate the bulk of its systems to quickly spin up new products or make changes to its existing portfolio.
In June, ACMA found MVNO Lycamobile also did not comply with customer identity rules, finding that it did not undertake proper ID checks when activating prepaid mobile services.
Updated 10:30am 9 August: Circles.Life provided the following statement:
“In line with the Telecommunications (Mobile Number Pre-Porting Additional Identity Verification) Industry Standard 2020, we were required to implement a one-time-password verification process for all port-ins by 30 April 2020. While this was done for all online port-ins, which represent the vast majority of our business, it was not done for port-ins done through our retail channels. While other verifications and security measures were in place, it represented a vulnerability in our process and breach of the Industry Standard," Circles.Life Australia chief executive Nicholas Demos said.
"42 customers were impacted when their numbers were ported incorrectly. All 42 numbers were returned to their rightful owners some time ago and new processes and policies have been implemented to ensure that this never happens again. In fact, within 2 weeks of becoming aware of the situation we had designed, tested and deployed a fix which closed the vulnerability permanently.
"This is a first for us and we are deeply sorry to our customers, and the industry, as we know this represents a loss of trust. We have an enviable record and have established telco operations in five very different countries around the world and successfully navigated five unique regulatory landscapes with their own rules, processes and legislation. We have never made an error like this before and we’re committed to ensuring it never happens again.”
-1.jpg&w=100&c=1&s=0)
.png&w=100&c=1&s=0)
