Telstra has been slapped with a $1.5 million penalty for putting customers at risk of being scammed and falling victim to fraud.
Telecommunications companies are required to verify identities before certain high-risk actions are performed — but the communications watchdog found it failed to do so more than 150,000 times.
The telco giant is supposed to protect customers by verifying identities through multifactor ID authentication ahead of transactions that could compromise their accounts, such as password resets or requests for a replacement SIM card.
However, the Australian Communications and Media Authority (ACMA) found Telstra failed to require ID authentication for more than 168,000 high-risk customer interactions between August 2022 and April 2023.
More than 7000 interactions included customers in vulnerable circumstances.
The non-compliance put consumers at risk of real harm as mobile fraud victims lose $28,000 on average, ACMA member Samantha Yorke said.
SIM-swap scams — where bad actors take control of a person’s number and use it to steal money from the original SIM owner — can be particularly devastating as victims can lose personal information and, in the worst-case scenario, their life savings.
“While there is no direct evidence anyone suffered losses because of these breaches, customers need to be able to trust that their telcos are protecting their accounts from fraud,” Yorke said.
“It is unacceptable that Telstra did not have proper systems in place when the rules came into force.”
Telstra has committed to having an independent consultant review its compliance with customer ID rules and make improvements where needed.
According to a Telstra spokesman, the non-compliance occurred when updates to 2022 security obligations meant the telco had to design and deploy multifactor authentication processes across all channels, while maintaining its ability to service customer requests.
“We needed to take the time to get the implementation right for our customers, and while we made the changes as quickly as possible, we were not able to meet the initial commencement date for some aspects of the new rules,” it said in a statement.
“We kept the ACMA informed, took measures to minimise the risk to customers, and the ACMA investigation did not uncover any evidence of losses throughout our phased implementation.
“We have a strong track record in investing to keep our customers’ data and transactions safe and secure, and the delay was largely due to the care we took to ensure there were no poor outcomes for our customers through the changes.”