On 13 September 2024, Treasury launched a consultation on Australia’s proposed new scams prevention framework (Scams Framework). The Federal Government has pushed for this new framework in light of the significant increase in scam activity, evidenced by the fact that Australians lost $2.74 billion to scammers in 2023. 

In this article, we detail the proposed requirements of the Scams Framework in the exposure draft of the Treasury Laws Amendment Bill 2024: Scams Framework (Bill) and the explanatory materials, and discuss the implications of the new framework for banks, telecommunications companies and digital platform service providers. 

This Bill, if passed, will establish a new whole-of-ecosystem approach containing specific ‘principles-based’ legal requirements for addressing scams and liability for breaching these principles.

Summary of the framework

The Scams Framework introduces mandatory requirements to combat scams and would primarily be inserted into law via a new Part IVF in the Competition and Consumer Act 2010 (Cth) (CCA). 

The Scams Framework is part of a broader effort to modernise Australia's laws for the digital age and has the following key features: 

  • Overarching principles (governance, preventing, detecting, reporting, disrupting and responding to scams) that apply to regulated entities. 

  • Sector-specific codes that set out minimum standards for what each regulated entity in a sector must do to address scam activity on their regulated service and protect consumers. 

  • External dispute resolution schemes to provide consumers redress (including compensation) where regulated entities have not met their framework obligations. 

  • Enforcement by the Australian Competition and Consumer Commission (ACCC) and its delegates, including civil penalties of up to $50 million for contraventions, enforcement tools such as infringement notices, enforceable undertakings and adverse publicity orders, as well as a private right of action for damages. 

The Bill provides that the Treasury Minister will be empowered to designate a sector as being subject to the Scams Framework in order to respond to scam activity in the economy. 

Alongside the launch of the consultation, the minister has stated that he will initially designate the following as being subject to the Scams Framework:  

  • Banks

  • Telecommunication service providers

  • Digital platform services relating to social media, paid search engine advertising and direct messaging services. 

Crypto asset platforms, superannuation firms and online marketplaces are not included (yet) in the list of regulated entities despite their involvement in the scams ecosystem.

The minister has also stated that it is the government’s intention to designate the Australian Financial Complaints Authority (AFCA) as the sole external dispute resolution (EDR) scheme for the first three designated sectors. 

The Scams Framework does not contain a mandatory reimbursement model of the kind about to go live in October in the UK. Under the UK model, UK banks will be required to reimburse consumers up to a maximum of $166,000 unless the consumer acted with gross negligence. Instead, Australian consumers will be able to obtain compensation via the AFCA or by exercising their private right of action for damages against regulated firms where they can establish a breach of the relevant legal requirements. 

The ACCC will be the Scams Framework general regulator with responsibility for overseeing all regulated sectors to support an ecosystem wide approach. The ACCC’s powers include monitoring and supervising compliance with the Scams Framework as well as undertaking investigations and enforcement for breaches. The ACCC will also be able to delegate its powers to other sector-specific regulators (for example, the Australian Securities and Investments Commission (ASIC) for the banking sector). 

First legislative definition of a 'scam'

The Bill contains Australia’s first legislative definition of a scam:  

‘A scam is a direct or indirect attempt to engage a consumer of a regulated service that: (a) involves deception; and (b) would, if successful, cause loss or harm including obtaining personal information of, or a benefit (such as a financial benefit) from, the consumer or the consumer’s associates.’ 

According to the explanatory materials, this definition is deliberately broad to capture the wide range of activities scammers engage in and their ability to adapt and to adopt evolving behaviours over time. The concept of a ‘benefit’ includes non-monetary benefits and assets, such as cryptocurrency or loyalty and rewards points. A consumer’s associates include their relative, spouse, child, a partner of a partnership or a trustee of a trust.

Importantly, the definition covers ‘attempts’ to scam. An attempt involves deception if the attempt: 

  • Deceptively represents something to be (or to be related to) the regulated service.  

  • Deceptively impersonates a regulated entity in connection with the regulated service.  

  • Is an attempt to deceive the consumer into facilitating an action using the regulated service.  

  • Is an attempt to deceive the SPF consumer that is made using the regulated service.

This broad definition crosses over significantly with existing legal concepts such as misleading or deceptive conduct as defined in Schedule 2 of the CCA. 

Overarching principles

Subject to any amendments made to the final form of the Bill, all regulated entities will be required to comply with the six Scams Framework overarching principles. Compliance will be monitored and investigated by the ACCC as the general regulator. 

A number of the principles require regulated entities to take ‘reasonable steps’. ‘Reasonable steps’ are not defined in the Bill but should be objectively determined taking into account factors like the size, services, consumer base and types of scam risk relevant to the regulated entity. 

Banks are already taking a range of steps in complying with the Scam Safe Accord, such as the introduction of confirmation of payee and sharing scam intelligence via the Australian Financial Crimes Exchange. 

Each regulated entity must:

  • Develop and implement governance policies, procedures, metrics and targets for combatting scams. These must be reviewed and certified by a senior officer of the entity at least annually.

  • Publish information on how the entity is protecting consumers from scams but is not required to make its internal governance documentation publicly available. 

  • Produce their governance documents to the ACCC within five business days from the day the entity receives the request from the ACCC. 

The ACCC will provide guidance on how to comply with these obligations in due course.

Each regulated entity must take reasonable steps to prevent scams. For example, such reasonable steps could include providing direct warnings to consumers about scam activity observed and steps the consumer can take to minimise the risk of harm. 

Regulated entities must also:

  • Make resources accessible to consumers to assist consumers in identifying scams and minimise the risk of those consumers becoming victims of scams. 

  • Identify classes of consumers who may be at higher risk of being targeted by scammers and provide warnings to these consumers. This may involve identifying vulnerable cohorts based on characteristics like age. For example, the 2023 Targeting Scams Report found that Australians aged 65 and older lost more money to scammers than any other age group and, unlike other age groups, experienced no decrease in reported losses. 

Regulated entities must take reasonable steps to detect scams. An entity may detect scams through a variety of channels, including consumer reports, actionable scam intelligence received from the ACCC and its own internal mechanisms. Detection covers scams both as they are happening and after they have happened, and extends to identifying the consumers impacted and the nature of the impact. 

The Bill contains a variety of requirements for actionable scam intelligence which may be challenging to operationalise. Failure to take action within a reasonable timeframe following receipt of actionable scam intelligence will expose the entity to potential liability (see below on liability). 

Obligations under this overarching principle flow through to other principles. For example, with respect to detecting scam activity, a regulated entity must then report actionable scam intelligence to the ACCC and take reasonable steps to disrupt the scam.

Regulated entities must give the ACCC reports of any actionable intelligence the entity has about suspected scams related to the entity’s regulated services. Any duty of confidence the entity owes under agreement has no effect to the extent that it would otherwise prevent reporting to the ACCC. The ACCC may disclose information shared with it about scams (including within the ordinary meaning of ‘scams’ as well as under the new legislative definition) to other regulators, law enforcement agencies and other regulated entities to assist the other person to disrupt similar scams.

Each regulated entity must take reasonable steps to disrupt scams and prevent losses from scams. A regulated entity must also share actionable scam intelligence with consumers to enable those consumers to act. Disrupting scams could involve the use of payment holds to enable a bank to contact a consumer and provide them with information that the account they are making a payment to has been identified as being associated with scam activity. 

Importantly, the Bill contains a safe harbour from liability. A regulated entity will not be liable in a civil action or proceeding when it has taken proportionate temporary disruptive action while it is investigating actionable scam intelligence. 

Qualifying for this safe harbour is subject to several conditions, including that:

  • The entity is acting in good faith and in compliance with the overarching principles.

  • The disruptive action is reasonable and proportionate to the suspected scam. 

  • The action is taken during the period starting on the day the entity received the intelligence and ending when the entity identifies whether or not the activity is a scam (or 28 days later, whichever is earlier). 

  • The action is promptly reversed if the entity identifies that the activity is not a scam. 

Each regulated entity must have an accessible mechanism for consumers to report scams and an internal dispute resolution mechanism for consumers to complain about scams or the entity’s conduct relating to scams. Additionally, every regulated entity must be a member of the authorised external dispute resolution scheme (see below on external dispute resolution).

Industry response

The Australian Banking Association (ABA) welcomed the Scams Framework, noting that Australian banks are already putting in place some of the strongest anti-scam protections in the world through the industry’s Scam Safe Accord. Rejecting the UK reimbursement model, ABA CEO Anna Bligh stated that it was appropriate that telecommunications providers and social media platforms along with banks compensate victims of scams.

The Communications Alliance has welcomed the Scams Framework and noted that its members are already blocking huge numbers of scam calls and texts and that it would do more. 

Acting CEO of Communications Alliance Christiane Gillespie Jones said, “Telcos will also implement the planned SMS sender ID register to help block scam texts, which will further reduce the number of scams reaching Australians”.

Consumer Action Law Centre, CHOICE, the Australian Communications Consumer Action Network and Super Consumers Australia published a joint statement also welcoming the Scams Framework, congratulating the government on imposing tough obligations on industry to protect consumers. The consumer groups are continuing to call for a bank reimbursement model and expressed concern that the new framework may result in delays in dispute resolution as banks, telcos and digital platforms argue over who should pay. 

The Digital Industry Group Inc (DIGI) Managing Director Sunita Bose stated that DIGI looked forward to contributing to the consultation and that the “hard work lies ahead in determining the details, particularly as the approach departs from international models”. 

Practically, the overarching principles will require digital platforms to verify the identity of advertisers and ensure their content is legal. 

Google has warned that it may not be feasible for a search engine to do so and that the Scams Framework could therefore open Google up to a huge number of claims for compensation from individuals in circumstances where Google cannot realistically control its exposure. The minister has rejected this argument, noting that a newspaper cannot publish an ad which is criminal in its content. 

The minister has also described DIGI’s Australian Online Scams Code (which Google, Meta, TikTok and Snap have signed up to) as not being in line with community expectations or government expectations. 

Sector specific codes

The Treasury Minister (or their delegate, which may include the ACCC, ASIC or a sector-specific minister or regulator) is empowered to make sector-specific codes by legislative instrument. These codes are intended to ensure that there is robust and targeted action in each sector, recognising the different roles that banking, telecommunications and digital platforms play in the scams ecosystem. 

The sector codes must be consistent with the overarching principles (excluding reporting which will be covered in the CCA) but may also cover ancillary or incidental matters relevant to the particular sector. Obligations in the sector codes represent only minimum standards for what each regulated entity in a sector must do to address scam activity and protect consumers. While the banking code is yet to be developed, the explanatory materials include examples of what could be covered in the banking code. Examples of banking code obligations may include:

  • Governance: requirements for policies, procedures, metrics and targets which banks must have in place.

  • Prevent: requirement to implement at least one biometric check for all individual consumers opening a new bank account. 

  • Detect: requirement to develop processes to flag, slow down or pause higher risk transactions that appear out of character for a particular consumer, such as large amounts of money being transferred to a new payee or into a cryptocurrency.  

Further potential wording of a future banking code is listed in the first Treasury consultation.

Compliance with the code is monitored, investigated and enforced by the relevant sector regulator (ASIC for the banking code).

External dispute resolution

The minister intends to authorise the existing AFCA scheme as the EDR scheme under the Scams Framework. While complaints relating to banks are already covered by AFCA, the Scams Framework will enable consumers to also complain about and seek compensation from banks, telecommunication companies and digital platform service providers under the AFCA scheme. 

It is anticipated that existing caps on the amount of compensation available under the AFCA scheme will apply under the Scams Framework. The current maximum a consumer may claim is capped at $1.2 million.  

Welcoming the Treasury consultation, AFCA stated that in 2023-24 it received approximately 11,000 scam-related complaints. AFCA Chief Executive, David Lock, said that businesses “should not wait until they are required by codes to take action but should now take all actions possible to prevent, detect and disrupt scams”.

Consumers can already raise a complaint to AFCA about scams associated with their bank. While the Government has said that the EDR scheme “will provide victims with a clear pathway for redress”, it remains unclear at this stage how the EDR scheme will improve on the existing EDR process. 

Consequences for breach

The ACCC (as general regulator) together with sector-specific regulators will be empowered to conduct investigations into possible contraventions of the principles and codes. The principles and codes are civil penalty provisions, breaches of which will result in liability for a civil penalty.

The Bill divides civil penalty provisions into tier 1 contraventions (being contraventions of the principles to prevent, detect, disrupt and respond to scams) and tier 2 contraventions (being breaches of a code or the principles relating to governance and reporting).

Tier 1 contravention maximum penalty - the greater of:

  • 159,745 penalty units (which is currently $50,000,185).

  • Three times the total value of the benefit that the body corporate has obtained directly or indirectly and that is reasonably attributable to the contravention.

  • If the court cannot determine the total value, 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

Tier 2 contravention maximum penalty - the greater of:

  • 31,950 penalty units (which is currently $10,000,350).

  • Three times the total value of the benefit that the body corporate has obtained directly or indirectly and that is reasonably attributable to the contravention.

  • If the court cannot determine the total value, 10% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

The civil penalty regime is supported by a range of other administrative enforcement tools as alternatives to litigation. These include powers to impose infringement notices, enforceable undertakings, seek injunctions, issue public warning notices, seek remedial directions, adverse publicity orders and other punitive and non-punitive orders. 

A regulator may seek multiple remedies for a single contravention. An important caveat is the civil penalty double jeopardy provision. If a person is ordered to pay a pecuniary penalty in respect of particular conduct, the person is not liable to pay another pecuniary penalty for contravention of another civil penalty provision of a principle or a sector-specific code in respect of that same conduct. 

The Bill also creates a private right of action. A person who suffers loss or damage by the conduct of another person which contravenes a civil penalty provision of a principle or code may recover the amount of the loss or damage by action against that other person or against any other person involved in the contravention. This private right of action creates the risk of private class actions, especially if the loss or damage from a new and successful scam campaign is considerable. 

What comes next

The Treasury consultation on the Bill is open for public consultation until 4 October this year. Feedback will help ensure that the explanatory memorandum for the Bill aids the Parliament’s consideration of the proposed new law. 

This short timeframe for consultation (three weeks) should support the government’s goal of introducing the final Bill to Parliament later this year. Despite the government’s ambition to establish the Scams Framework, the Bill will almost certainly be referred to a Parliamentary committee for review. 

Amid a busy legislative agenda, further delay risks the Bill not making it through this Parliament before the next Federal Election.

Gilbert + Tobin advise a range of banks, telecommunications companies and digital platforms on scam risk management, including compliance with industry standards like the Scam Safe Accord and regulatory expectations set by the ACCC and ASIC. Please reach out to our experts if you require any assistance.