Police are investigating allegations detainees at Canberra's jail were able to defraud a man of thousands of dollars while incarcerated.
Greg* said he was contacted by ACT Policing last month and was told more than 20 withdrawals from his account of amounts up to $150 over a four-week period had been made from Canberra's jail, the Alexander Maconochie Centre (AMC).
Greg's home was burgled last year, and the offender was caught and pleaded guilty to stealing property from several homes and cars in February.
Greg believes the same person behind for the break-ins was responsible for the fraudulent charges using his bank account.
"I'm absolutely stunned they are able to do this. I think anyone I've mentioned it to is gobsmacked," he said.
"Essentially a system in a jail full of career criminals doesn't have enough strong controls to stop fraud happening."
When he contacted ACT Corrective Services (ACTCS) to find out how a detainee had been allegedly able to withdraw sums of money without authorisation, Greg was told it was a "known issue".
In emails to the alleged victim from ACTCS, obtained by the ABC, they told him they were working with ACT Policing and the bank to investigate the transactions.
ACT Corrective Services utilises the Australian Bulk Electronic Clearing System (BECS) through their banking provider, something they said was a standard "utilised across the Australian banking industry".
They then went on to encourage Greg to report any other suspicious transactions directly to his bank, to follow their advice and not share personal bank details with anyone else.
Greg said all he believes the detainee, or detainees, needed was his BSB and account number, and possibly his address, to take money out of his account.
That was all but confirmed by the AMC, who said in their email that a direct debit facility, for any service provided by a public or private entity, only needs to validate the BSB and account number to process a payment, as per BECS guidelines.
Detainee access to internet 'limited and controlled'
In a statement, ACT Policing said it was aware of the particular incident.
"ACT Policing received a referral earlier this year regarding alleged fraudulent transactions associated with deposits into detainees' commissary accounts at the Alexander Maconochie Centre.
"This matter remains under investigation and anyone with information about this activity is urged to contact Crime Stoppers."
Greg doesn't feel like enough has been done to figure out how the detainee was allegedly able to access his funds. He described the response from the ACTCS as a "dead bat play".
"Months later they are still not closing off the system, they are still not improving the controls or providing any assurance this can't continue happening," he said.
"It concerns me greatly."
The direct debit system is one Greg said he personally trusted to do his own banking nearly every day.
"I think it's a system that works perfectly well when it's implemented correctly but it sounds like there needs [to be a system] with due controls or measures to prevent this from happening."
ACTCS assured Greg that detainee access to the internet was "limited and controlled" and they were not able to access internet banking or any online payment systems from within the AMC.
The officer said detainees could only receive up to $150 per week.
BECS is used by dozens of governments and financial institutions — including the Reserve Bank of Australia — both in Australia and New Zealand and is commonly used by businesses for recurring payments.
There have been ongoing discussions within the banking industry about how BECS can be retired in favour of the New Payments Platform (NPP), an open-access infrastructure for fast payments.
In a statement, an ACT Government spokesperson said that ACTCS was aware of the allegations and they had been referred to ACT Policing and the banking service provider.
"ACT Corrective Services continues to discuss with the banking provider ways to improve the balance between accessibility, security and reliability of the payments system for detainees," the spokesperson said.
*The alleged victim's name has been changed for privacy.