On 13 February 2025, the Scams Prevention Framework Bill 2025 (the Bill) passed both Houses of Parliament. The new Scam Prevention Framework (SPF) is the first specific legislative attempt to combat scams and has significant implications for banks, telecommunications companies and digital platform service providers (including social media and search engines).

As we reported here and here, the SPF is part of a broader effort to modernise Australia's laws for the digital age and follows significant industry and regulatory attempts to combat scams including the Australian Banking Association’s Scam Safe Accord and the establishment of the National Anti-Scam Centre (NASC) within the Australian Competition and Consumer Commission (ACCC).

The SPF will establish a new whole-of-ecosystem approach with broad ‘principles-based’ legal requirements applying across industries and underlying sector-specific codes made by the relevant Minister following consultation. Considerable penalties will apply for breaching the requirements of the SPF. The SPF will also contain mandatory requirements for in-scope firms to have in place internal and external dispute resolution mechanisms. However, the Bill does not introduce a mandatory scam reimbursement scheme similar to that of the UK.

The ACCC has welcomed the passage of the Bill in Parliament and said it will closely monitor regulated entities’ compliance with principles to prevent, detect, disrupt, respond to and report scams, under the new legislation. ACCC Deputy Chair Catriona Lowe said, “This Bill is a critical step in the fight against scams - creating overarching principles that all members of designated sectors must comply with. We know scammers will exploit weak links in the system – so these principles are key to a consistent approach”.

The Bill now awaits Royal Assent. The new Scam Prevention Framework will commence the day after it receives Royal Assent.

Final form of the legislation passed by Parliament

There were only a few Parliamentary amendments to the Bill as compared with the exposure draft first published by Treasury. In particular, the Senate made the following amendments, which have been agreed to by the House of Representatives:

  • Reasonable steps: Amendments to specify that in determining whether a regulated entity has met an obligation under the SPF to take reasonable steps, the primary consideration must be whether the entity has complied with any corresponding SPF code obligations.

  • Guidelines for apportioning liability: Amendments to clarify that the guidelines for apportioning liability at internal dispute resolution (IDR) do not need to be consistent with the proportionate liability rules that apply in court actions for damages.

  • ACCC roles and responsibilities statement: Amendments to require that the ACCC (as the SPF general regulator) publish a statement summarising the roles and responsibilities of certain entities with respect to the regulation, enforcement and administration of the SPF.

While these amendments are welcome, the Parliament did not make further changes to the Bill following a public consultation by the Senate Standing Committees on Economics, which would have eased the potential burden on entities within the ambit of the SPF.

Among other matters, industry calls for a 12-month transitional period, more clarity on ‘actionable scams intelligence’ and limiting the scope of the private right of action to avoid the risk of abuse by vexatious or speculative litigants were not heeded.

Summary of the SPF

When introducing the Bill in November 2024, the Minister for Financial Services stated that the proposed SPF would:

  • impose significant fines of up to $50 million for banks, social media platforms and telecommunications companies if they do not take ‘reasonable steps’ to report, disrupt and respond to scams and attempted scams in their businesses

  • provide victims of scams with ‘clear pathways’ to compensation if the business fails to meet the new standards

  • provide the ACCC with new powers to direct businesses to take specific steps to keep their customers safe from scammers

  • mandate a coordinated intelligence sharing ecosystem that requires timely reporting of actionable scam intelligence by regulated entities

  • empower the Australian Financial Complaints Authority (AFCA) to resolve consumer claims over scams in these sectors.

Practically, the legislation will:

  • introduce the following features of the SPF:

    • overarching principles (SPF Principles) that apply to regulated entities

    • sector-specific codes (SPF Codes) that apply to regulated entities in certain regulated sectors

    • rules (SPF Rules) to support the effective operation of the framework

    • a multi-regulator framework with the ACCC as lead SPF regulator (for example, the Australian Securities and Investments Commission (ASIC) will enforce the SPF Code for the banking sector)

    • regulatory and enforcement mechanisms, including a two-tier civil penalty framework

    • internal and external dispute resolution mechanisms.

  • enable the Minister to establish SPF Codes, which will impose mandatory obligations on Minister-designated sectors (currently planned to be banks, telecommunication service providers and social media platforms, but further sectors such as superannuation and crypto-asset exchanges may be designated in the future). The codes will mandate designated sectors to have internal dispute resolution mechanisms that are clear, accessible and transparent for consumers

  • impose the following maximum penalties for contraventions of the civil penalty provisions of the SPF by a regulated entity:

Contravention

Tier 1 contravention: A tier 1 contravention is a contravention of a civil penalty provision of an SPF principle, being:

  • SPF Principle 2: Prevent;

  • SPF Principle 3: Detect;

  • SPF Principle 5: Disrupt; and

  • SPF Principle 6: Respond.

Tier 2 contravention: A tier 2 contravention is a contravention of a civil penalty provision of:

  • an SPF code; or

  • an SPF principle in Subdivision B (SPF Principle 1: Governance) or Subdivision E (SPF Principle 4: Report).

Maximum penalty for contravention by a body corporate

Tier 1 contravention: The greater of the following:

  • 159,745 penalty units (which is currently $52,715,850, noting that in November 2024, the penalty unit increased from $313 to $330)

  • if the relevant court can determine the total value of the benefit – three times that total value

  • if the court cannot determine that total value – 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

Tier 2 contravention: The greater of the following:

  • 31,950 penalty units (which is currently $10,543,500)

  • if the relevant court can determine the total value of the benefit – three times that total value

  • if the court cannot determine that total value – 10% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

Maximum penalty for contravention by a non-body corporate

Tier 1 contravention: 7,990 penalty units (which is currently $2,636,700).

Tier 2 contravention: 1,600 penalty units (which is currently $528,000).

  • enable an inspector of the SPF regulator (being the ACCC) to issue an infringement notice to a person for an alleged contravention of a civil penalty provision of an SPF Principle or SPF Code. The penalty specified in an SPF infringement notice must be: 60 penalty units for a body corporate or 12 penalty units for a non-body corporate

  • allow the Minister to make SPF Rules setting out guidance on how to apportion liability at IDR between one or multiple businesses who are at fault, to assist victims to seek redress

  • enable a single external dispute resolution (EDR) scheme for scam complaints made under the SPF where a dispute cannot be resolved at IDR, which is currently planned to be the scheme operated by the Australian Financial Complaints Authority (AFCA)

  • build a mandatory coordinated intelligence sharing ecosystem that requires timely reporting and information sharing across industry and government.

Changes to the Bill made by Parliament

Amendments to clarify how to determine that a regulated entity has taken ‘reasonable steps’

As the SPF Principles are designed to be overarching whole-of-ecosystem obligations, a number of the obligations require a regulated entity to take ‘reasonable steps’ with respect to preventing, detecting and disrupting scams.

The Parliamentary amendments updated section 58BB of the Bill to specify that in determining whether a regulated entity has met a reasonable steps obligation, the primary consideration must be whether the entity has complied with any relevant SPF code obligations. The intent of section 58BB and the amendments is to assist regulated entities, the SPF general regulator, the operator of the SPF EDR scheme and the courts in understanding and applying the reasonable steps obligations in the SPF principles.

Guidelines for apportioning liability

Regulated entities are required to have regard to guidelines for apportioning liability (as prescribed under section 58BZE(1)(b)(ii) of the Bill) when undertaking IDR. New subsection 58BZE(1A) provides that, for the avoidance of doubt, these guidelines do not have to be consistent with the proportionate liability rules that apply in actions for damages (set out in sections 58FZD to 58FZK of the Bill) where there are multiple regulated entities involved in the scam. This change is welcome as it gives regulated entities more flexibility in developing their IDR regimes and allows for coordinated industry approaches to IDR to resolve complaints satisfactorily, instead of moving to EDR.

Roles and responsibilities statement

The purpose of the roles and responsibilities statement is to explain in general terms how the SPF is regulated, enforced and administered in practice by the relevant entities. As explained in paragraph 1.27 of the Supplementary Explanatory Memorandum, the statement is intended to support the operation of the multi-regulator framework and assist community understanding of the various roles played by relevant entities in the SPF. For example, this statement is expected to cover details about the role and responsibilities of the NASC with respect to the information-sharing aspects of the SPF.

New subsections 58EFA(1) and (2) of the Bill require the ACCC (as the SPF general regulator) to publish a high-level statement on its website summarising the roles and responsibilities of each SPF regulator, each operator of an SPF EDR scheme (at this stage, only expected to be the AFCA) and any other appropriate entity, with respect to the regulation, enforcement and administration of the SPF provisions.

The ACCC must consult with the entities included in the statement before publishing this statement. The statement is merely declaratory and does not confer additional power on the ACCC to determine the roles and responsibilities of relevant entities under the SPF.

Building compliance with the SPF

With the passing of the Bill by Parliament, the more granular required actions to develop the SPF may commence. While the obligations of the SPF will only apply once a sector is designated and we expect such designation to be subject to further construction of the SPF infrastructure, our recommendation to firms is to start building and enhancing their anti-scam strategies and frameworks today.

This message is reinforced by the AFCA’s chief ombudsman and chief executive, David Locke, who has said that firms “should not wait for the development of the sector codes but should do everything in their power now to protect consumers”.

Given that banks, telecommunications companies and digital platform service providers are expected to be designated first, these firms should augment their existing strategies and frameworks by building policies, procedures, systems and controls that satisfy the SPF Principles of prevent, detect, disrupt, respond to and report scams and potential scams. These strategies and frameworks should be augmented when aspects of the SPF come online, for example when fully completed and operational SPF Codes apply (noting that compliance with these SPF Codes will support compliance with SPF Principle obligations).

These include the Minister designating sectors, the SPF regulators consulting on the development of SPF Codes, the authorisation of the EDR scheme and the development of the SPF Rules including the authorisation of any third party data gateways, portals or websites that give access to actionable scam intelligence.

What’s next

As set out in the Bill, there are many significant details that will need to be established in due course, including:

  • legislative instruments confirming sectors of the economy that will be designated by the Treasury Minister to be subject to the SPF principles (noting the Minister has indicated that he will initially designate banks, telco service providers and digital platform services relating to social media, paid search engine advertising and direct messaging services as being subject to the framework)

  • consultation on exposure drafts of the proposed sector-specific SPF Codes

  • authorisation of the EDR scheme

  • development of SPF Rules including the authorisation of any third party data gateways, portals or websites that give access to actionable scam intelligence

  • consultation on the proposed new guidelines for apportioning liability.

ACCC Deputy Chair Catriona Lowe said, “In reaching this important milestone, we acknowledge that there is considerable work ahead to implement the Framework, including the formal designation of sectors, development of sector codes, consumer and industry guidance… We will continue to work closely with government, fellow regulators, industry and community agencies to make sure these elements of the Framework work for all stakeholders, most especially consumer”.

We will keep you informed on further developments of the SPF and will soon be publishing an article on operationalising compliance with the SPF.