Online settlements

In summary...

From 1 October 2018, the Victorian titles office will require all Victorian property transfers to be conducted online.  Currently the only online settlement platform is Property Exchange Australia (PEXA).

The press has recently reported two instances of fraud relating to the online settlement system that led to substantial losses for innocent vendors, and this has caused some alarm in the community about the security of the PEXA system.

In our view, online settlements are unavoidably less secure than physical settlements, but this can be overcome by proper care and internal risk-minimisation processes of the transacting solicitor or conveyancer.  What concerns us more is the instability of the online platform and the stretched technical support at PEXA.  With the full switch-over to online settlements coming in October, we see great potential for system-wide failures and more chaos for buyers and sellers.


As the mandatory switchover to online settlements draws closer, our clients and other solicitors often ask us what this means for them.  In this article, we will cover:

  1. Traditional settlements

    Briefly, how traditional property settlements work.

  2. Online settlements

    The differences between traditional and online settlements.

  3. The recent hacks

    How did the recent hacks happen?

  4. Other cybersecurity risks

    Other examples of cyber-attacks on conveyancers and property lawyers, and why the PEXA hacks were no different.

  5. The real problems with PEXA

    We outline signs of stress that suggest PEXA and the conveyancing industry will not cope when online settlements become mandatory from 1 October.

  6. Recommendations

    Some final thoughts on what vendors, purchasers and practitioners should do in the world of online settlements.


Traditional settlements

At a typical traditional property settlement, representatives from the vendor, purchaser and their respective banks attend.

Each party brings important documents (for example, the transfer of land and discharge of mortgage documents for the Titles Office, the certificate of title, and the forms used to calculate stamp duty at the State Revenue Office) and/or bank cheques.

The parties then check all the details on the documents to ensure that they are all correct and signed properly, and ensure that the funds are all going to the right people.

There is minimal opportunity for fraud because a fraudster would need to impersonate and waylay one of the parties, produce convincing physical forgeries, and also have a way to deposit and clear a bank cheque that is not made out to them.


Online settlements

The basic concept behind an online settlement is the same, except that the settlement 'location' is an online platform called PEXA (think of it as something like eBay or Amazon), the documents are created and signed online (think of it as pressing the 'check out' button) and the funds are all transferred electronically instead of by bank cheque.  It is a bit like the difference between buying a book at a department store and buying it online.

Practitioners log into PEXA using a login and password.  The second layer of security is a physical USB key held at the solicitor or conveyancer's office with its own password, that must be inserted into the practitioner's computer when signing off the transaction documents or the financial figures.

Practically, the main differences when it comes to security are:

  • in traditional settlements relying on bank cheques, the name on the bank cheque is a security mechanism: the cheque can generally only be banked into an account matching that name;
  • online settlements rely on electronic fund transfers, and because Australian banks do not match account names for EFTs (they only match BSB and account number), funds can be transferred to the wrong account whether due to a typo or malicious interference from a fraudster; and
  • it is very difficult for a fraudster to impersonate one of the parties at a traditional settlement.  In electronic settlements, hackers who compromise a solicitor or conveyancer's email system can wreak havoc.  It would be even worse if a hacker or fraudster manages to steal the practitioner's physical security USB.


The recent hacks

There has been a lot of recent press about two vendors who lost over $1 million when their PEXA settlements were compromised by hackers.

From what we have read, these matters came about from hackers compromising the practitioners' email systems.

Once the fraudsters had access to the practitioner's email accounts, they could log into the PEXA platform and change the account details for the destination funds, relying on the practitioner not doing a final check of the account details before inserting their physical security USB and signing off on those details.

Somewhat impressively, they pulled this off on a fairly technical platform without being detected.  I would guess that the fraudsters had someone on the team that was no stranger to property settlements.

PEXA has since introduced some extra measures to make this sort of attack a little harder: it is now more obvious if the account details have been changed, and it is more difficult to create new accounts on the platform.  After initially denying all liability, PEXA are also introducing a consumer guarantee to fully cover innocent buyers or sellers if this comes up again in future, but those details are not yet available as of the time of writing.


Other cybersecurity risks for practitioners

Cyber security is a hot topic amongst lawyers right now, particularly property lawyers who routinely deal with the transfer of client funds. I have heard that it is also of great concern to real estate agents.

A quick look through the recent publications by the insurer for solicitors reveals numerous articles and real examples of fraudsters impersonating clients or solicitors, with or without hacking an email system. A classic scenario is a hacker who gains access to a solicitor's emails, and knowing that the solicitor is holding funds on behalf of a client, sends an email that looks like it came from that client instructing the solicitor to transfer those funds to the hacker's account.  

I can tell you that we receive at least one phishing or suspicious email a week at Kai Legal.  Some are very obvious, but there have been some that impressed me in how close they looked to the real thing.  The time and effort that went into crafting these scams indicate that the success rate and expected pay-off for the fraudsters must be fairly good.

In our view, the recent attacks on PEXA are just a variant on numerous types of phishing and hacking attacks already targeted at conveyancers and solicitors.  Online settlements allow fraudsters a new avenue to attack, but good processes and proper care provide an adequate defence.  Practitioners must stay vigilant, and adopt sensible security policies such as always requiring verbal or face-to-face confirmations of account details for funds transfers.
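
The final check that was skipped in the attacks described above can be written down as a rule.  The Python sketch below is an added illustration, not PEXA functionality or Kai Legal's own tooling; the record fields, function names and sample values are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class Confirmed:
    """Payee details confirmed verbally or face to face (hypothetical record)."""
    bsb: str
    account: str
    confirmed_at: datetime


@dataclass(frozen=True)
class Destination:
    """A payment line as shown at sign-off (hypothetical fields)."""
    payee: str
    bsb: str
    account: str
    last_modified: datetime


def digits(value: str) -> str:
    # "063-000", "063 000" and "063000" are the same BSB.
    return re.sub(r"\D", "", value)


def presign_check(line: Destination, ref: Optional[Confirmed]) -> List[str]:
    """Return reasons to stop; an empty list means the line matches."""
    if ref is None:
        return [f"{line.payee}: no out-of-band confirmation on file"]
    problems = []
    # The account name is not compared: banks route on BSB and account number only.
    if len(digits(line.bsb)) != 6 or digits(line.bsb) != digits(ref.bsb):
        problems.append(f"{line.payee}: BSB does not match confirmed details")
    if digits(line.account) != digits(ref.account):
        problems.append(f"{line.payee}: account number does not match confirmed details")
    if line.last_modified > ref.confirmed_at:
        problems.append(f"{line.payee}: details edited after confirmation, re-confirm")
    return problems


# Constructed sample values, not real accounts.
CONFIRMED = Confirmed("063-000", "1234 5678", datetime(2018, 7, 2, 10, 0))
UNTOUCHED = Destination("Vendor", "063000", "12345678", datetime(2018, 7, 1, 9, 0))
TAMPERED = Destination("Vendor", "062-000", "87654321", datetime(2018, 7, 4, 16, 30))

if __name__ == "__main__":
    for line in (UNTOUCHED, TAMPERED):
        print(line.payee, presign_check(line, CONFIRMED) or "OK to sign")
```

The check treats any edit made after the confirmation as a reason to stop, even when the numbers still match, because the confirmation only covers the details as they stood when it was given.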


Our concerns about PEXA

Our real concerns about PEXA are whether the platform and the industry are ready to go all-digital from 1 October.

Our main concerns fall within a few broad categories:

  • Technical: around once or twice a month, we receive emails advising of technical issues with the processing of Titles Office documents, transfer of funds, or just logging into the system.  These all have the potential to delay settlement.  Property settlements are time-sensitive: purchasers want to move their families into their new home, vendors want to use the funds for their own purchase or something else.  Failing to settle on the agreed day will typically attract at least $500 of penalty interest and/or legal fees and add a lot of stress to all parties involved.  Adding the (in)stability of PEXA as another risk is undesirable.  Here's an interesting scenario that is just waiting to happen: a buyer is already a couple of weeks late for settlement, but manages to get their funds ready on the last day allowed by the vendor.  That settlement then fails due to a PEXA system issue, and the vendor cancels the contract and retains the deposit.  Who will wear the cost?
  • Support: The PEXA system is technical, routinely spits out opaque or ambiguous error messages, and can be confusing even for a firm that has completed dozens of online settlements like us.  In your hour of most urgent need, if something goes wrong on a settlement, if you call the technical support line for PEXA (1300 084 515, option 1) between 11am and 3pm on any business day, you will be placed in a queue that will typically take 30 minutes to get through.  By then you will have probably missed the settlement time.  Hopefully your settlement was not an afternoon one, otherwise you may have missed the entire settlement day.  These wait times are more commonly associated with low-cost consumer services like telecommunications, and are too long for something as important as title transfers.
  • Lack of training: Kai Legal jumped on board with PEXA early in its launch in 2015, and had several face-to-face training sessions with PEXA staff, and a dedicated contact person to assist.  It has been relatively smooth sailing for us.  However, I have heard from firms that have only recently signed on that the training resources are stretched, and we have had recent transactions with firms who had very little idea of how to conduct an online settlement, and also did not have any dedicated support person at PEXA to guide them through the process.  When online settlements become mandatory on 1 October, we expect an influx of firms that are reluctantly only transacting online because they must, and will have very little idea how to do it.  Imagine the support line wait times on 1 October.
  • Frequent changes in the system: Like most modern software, the PEXA system is given ongoing updates, with changes implemented every month.  Of course we support and want to see continuous improvements to the system (it is certainly easier to use than it was three years ago!), but we query whether it is appropriate for a system that is mandatory and so fundamental to be updated so frequently.  We think the system needs to achieve a quasi-stable version before online settlements are mandatory.
  • Lack of fall-back: I worry that the electronic controls in my car are too advanced: if the electronic keys break down, I have no physical key or keyhole to unlock the door; if the electronic window controls break, there is no physical handle to wind them down.  Similarly, if PEXA breaks down in future, and the titles office is privatised as expected, will there be a fallback to paper forms and traditional settlement?  Even if there is, who will wear the cost for the delay?


Our recommendations

Online settlements are the inevitable future.  Overall, they are more efficient than traditional settlements, and the issues we raise here can be addressed.

However, as a practitioner on the ground, we are seeing real signs of stress in the system, and by making it mandatory on 1 October, there seems to be real potential for overload.  We advise caution, and encourage the government to push back the launch date and use more gradual measures to transition practitioners to online settlements.  For example, all transfers over a certain dollar value could be made mandatory from 1 October, and that threshold could be reduced every four months until all transfers are online.

In the meantime, if you are buying or selling property over the next year, we strongly recommend that you ask your solicitor or conveyancer how much experience they have with PEXA settlements.  There will be a major period of re-adjustment for the Victorian conveyancing industry over the next 6-12 months, and you do not want to be stuck with someone with little experience of this new world.


About the author

Kai Fu, competition and consumer lawyer, former Allens Linklaters senior associate

Kai is an experienced commercial and property lawyer. 

Kai signed his firm up to the online settlements system in 2015, making Kai Legal one of the first cohort of firms to transact online.  In the three years since, Kai Legal has conducted over 100 settlements and other caveat or mortgage registrations online, well before the Titles Office required that these transactions be processed online-only.

About this publication

Kai Legal publications provide general information, and are not legal advice. These are not complete summaries of the law, and only touch on select points and scenarios that may be relevant to our readers.

This article is current as of 5 July 2018.

© Kai Legal 2018