21 February 2025

Sweeping new obligations to detect and prevent scams introduced

Jennifer Dean, Alanna Harrigan

With the passage of the Scams Prevention Framework Act 2025 by both houses, Australian businesses in key sectors, including banking, telecommunications and digital platforms, will face significant new responsibilities in preventing, detecting and responding to scams.

While there are still several key steps required to fully implement the framework (including the formal designation of sectors, codes, rules and other guidance), the Scams Prevention Framework (SPF), established under Part IVF of the Competition and Consumer Act 2010 (as amended by the Act) (CCA), provides for:

  • the overarching principles that apply to regulated entities, relating to the implementation of governance, and obligations regarding prevention, detection, reporting, disruption and responding to scams;
  • a multi-regulator approach to enforcement and dispute resolution;
  • sector-specific SPF codes for designated ‘regulated sectors’;
  • SPF rules to support the effective operation of the SPF;
  • dispute resolution mechanisms; and
  • a two-tier penalty system for contraventions, among other regulatory and enforcement mechanisms. 

The Bill will apply from the day after it receives Royal Assent. 

What is a scam?

Under the SPF, a scam is any direct or indirect attempt (whether successful or not) to engage an SPF consumer within a regulated service that involves deception and, if successful, would result in financial loss, obtaining SPF personal information, or other harm.

An SPF consumer is a natural person or a small business operator who is provided or purportedly provided with a regulated service in Australia and includes those ordinarily resident in Australia who receive a regulated service while overseas from an Australian-based entity or one operating through a permanent establishment in Australia.

Scam prevention obligations

Regulated entities must implement governance in respect of scam prevention, being documented scam prevention policies covering:

  • scam detection and response mechanisms; 
  • consumer reporting processes; and
  • internal and external dispute resolution procedures.

A senior officer must certify compliance annually and records must be maintained for at least six years.

All regulated entities must take reasonable steps to fulfil their obligations under the SPF principles to:

  • prevent scams through governance policies, consumer education and risk management; 
  • detect scams with real-time monitoring and investigation protocols;
  • disrupt scams by blocking fraudulent transactions, accounts and advertisements; 
  • respond by offering consumer reporting and internal dispute resolution (IDR) mechanisms; and
  • report actionable scam intelligence to regulators upon request.

Whether an entity has taken reasonable steps will depend on the size of the entity, the type of regulated service concerned, the consumer base, the kinds of scam risks those services face, and whether the regulated entity has complied with any relevant SPF code obligations (the last of which is the primary consideration). Despite this being the primary consideration, an entity may still fail to comply with a reasonable steps obligation in the SPF principles even if it has met the relevant obligations of an SPF code.

Regulated entities must use actionable scam intelligence to detect, prevent and disrupt scams affecting SPF consumers. Actionable scam intelligence is any communication, transaction or activity that raises reasonable suspicion of a scam, including reports from consumers, data analysis and intelligence from regulators.

The SPF also contains a limited safe harbour provision which provides a regulated entity will not be liable in a civil action or civil proceeding for taking action to disrupt the activity if the action is:

  • taken in good faith; 
  • in compliance with SPF provisions; and
  • reasonably proportionate to the activity.

The safe harbour is limited to actions: 

  • taken within a 28-day period from the receipt of intelligence (or until the activity is determined to be a scam, whichever is earlier); and
  • promptly reversed if the activity is found to not be a scam.

Who does the SPF apply to?

The SPF applies to all regulated entities. 

A regulated entity is any business operating within a regulated sector.

A regulated sector is a specific individual business, service, industry or group of businesses that the Treasury Minister (Minister) formally designates as requiring additional, industry-specific scam prevention measures. 

The priority sectors for designation and the relevant regulators include: 

Sector                            Regulator
Banking and financial services    ASIC
Telecommunications providers      ACMA
Digital platforms                 ACCC

The rationale for these sectors being the first to be designated is based on today’s ‘scam ecosystem’ – the environment in which scams are generated, transmitted and reach victims, which are ‘overwhelmingly distributed through a publication on a social media platform, a call or message sent over the telecommunications network, and a transaction through a bank account’.[1]

The SPF is intended to be responsive and adaptable with the Minister having the power to designate new sectors in the future. For instance, the Government has put superannuation, insurance and cryptocurrency industries on notice that they will be fast followers.

Before designating a sector to be subject to the SPF, the Minister must:

  • consider scam activity in the sector, the effectiveness of existing industry initiatives to address scams in the sector, the interests of consumers and the likely consequences (including benefits and risks) to the public and to the relevant businesses or services, and any other matter the Minister considers relevant; and
  • consult relevant consumer groups and the businesses or services making up the sector (however, a failure by the Minister to consult does not invalidate a sector designation decision).

The SPF applies extraterritorially, meaning international businesses providing services to Australian consumers must also comply.

SPF codes and SPF rules

The Minister (or delegate) may, by legislative instrument, introduce SPF codes and SPF rules.

SPF codes

Sector-specific, prescriptive obligations for each regulated sector that are consistent with the SPF principles.

SPF sector regulators will be responsible for monitoring, investigating and enforcing compliance with the SPF code provisions (e.g. ASIC for banking, ACMA for telecommunications, ACCC for digital platforms).

Failure to comply with SPF codes can be a civil penalty provision.

SPF rules

Support the effective operation of the SPF. 

For example, SPF rules may:

  • set out additional detail in relation to information sharing obligations and record-keeping requirements;
  • provide an appropriate safeguard to exclude conduct that is not intended to be captured under the SPF;
  • prescribe attempts that are not scams; and
  • set out guidance for IDR processes, such as guidelines for apportioning liability.

SPF rules cannot create an offence or civil penalty, provide powers of arrest or detention or entry, search or seizure, impose a tax, set an amount to be appropriated from the Consolidated Revenue Fund under an appropriation in the CCA or directly amend the text of the CCA.

Dispute resolution

The SPF requires regulated entities to have an internal dispute resolution (IDR) process in place and to become a member of a designated external dispute resolution (EDR) scheme, which will provide a pathway for redress, including compensation, for an SPF consumer of a regulated service where a regulated entity has not complied with its obligations under the SPF.

IDR guidelines do not have to be consistent with proportionate liability rules that apply in actions for damages.

The Australian Financial Complaints Authority (AFCA) will be the designated EDR scheme for the three initial sectors designated under the SPF.

The requirement to cooperate with the operator of the SPF EDR scheme includes:

  • giving effect to any determination made in relation to the complaint; and
  • identifying, locating and providing any documents and information required for the purposes of resolving the complaint within a reasonable time.

Failure to comply with the EDR obligations may attract a civil penalty.

Regulation and enforcement

Enforcement responsibility is divided between the general regulator (the ACCC) and sector regulators depending on the type of obligation:

  • The ACCC enforces SPF rules and general scam prevention obligations under the CCA (however, note that the ACCC will also enforce sector specific obligations related to digital platforms).
  • Sector specific regulators (e.g. ASIC, ACMA and other regulators) enforce SPF codes in relevant sectors.

Regulators can use their existing investigative and enforcement powers under their respective legislation to monitor compliance. For example, the ACCC can use its powers under s 155 of the CCA to monitor and investigate compliance.

The ACCC must enter into an arrangement with each SPF sector regulator relating to the regulation and enforcement of the SPF provisions. It may do so by having a single arrangement or a separate arrangement with each SPF sector regulator. These arrangements will be publicly available and, with respect to the regulation, enforcement and administration of the SPF provisions, the ACCC must publish a statement on its website that will summarise each SPF regulator, each operator of an SPF EDR scheme, and any other entity the ACCC considers appropriate. 

Penalties

The SPF enforcement framework is based on a two-tier civil penalty system: 

  • Tier 1 contraventions are more serious and attract higher penalties, and include those related to the SPF principles of prevent, detect, disrupt and respond.
  • Tier 2 contraventions apply to the civil penalty provisions, and include those related to the SPF principles of governance and reporting.

Tier 1

Maximum penalty for corporations – the greater of:

  • $52,715,850 (159,745 penalty units);
  • three times the benefit obtained from the contravention; or
  • 30 per cent of the company’s turnover during the breach period.

Maximum penalty for individuals: up to $2.5 million (7,990 penalty units).

Example contraventions:

  • failure to take reasonable steps to prevent scams (s 58BJ);
  • failure to take reasonable steps to detect scams (s 58BM);
  • failure to investigate actionable scam intelligence (s 58BN);
  • failure to identify impacted consumers (s 58BO);
  • failure to provide scam reporting mechanisms for consumers (s 58BZC); and
  • failure to maintain an internal dispute resolution process (s 58BZD).

Tier 2

Maximum penalty for corporations – the greater of:

  • $10,543,500 (31,950 penalty units);
  • three times the benefit obtained from the contravention; or
  • 10 per cent of the company’s turnover during the breach period.

Maximum penalty for individuals: up to $528,000 (1,600 penalty units).

Example contraventions:

  • failure to document and implement scam prevention policies (s 58BD);
  • failure to give a report about actionable scam intelligence (s 58BR);
  • failure to give a report about a scam in response to a written request by an SPF regulator (s 58BS); and
  • failure to comply with SPF code obligations.

Regulators also have a range of enforcement tools besides civil penalties, including:

  • infringement notices;  
  • enforceable undertakings; 
  • injunctions;
  • action for damages; 
  • public warning notices; and
  • adverse publicity orders.

What’s next?

Once the Act receives Royal Assent, it comes into force the following day.

However, there are significant steps still needing to be taken in order for the SPF to be implemented fully, including:

  • Formal designation of sectors: While the banking, telecommunications, and digital platforms sectors have been identified as the industries which will be designated as regulated sectors, the Minister must formally do so by legislative instrument. 
  • Development of SPF codes: Each regulated sector will be subject to SPF codes, which will outline prescriptive compliance obligations aligned with the SPF principles and will be developed and enforced by the relevant sector regulators (ASIC, ACMA, ACCC, or others as required).
  • Implementation of SPF rules: To ensure the SPF functions effectively, SPF rules will be introduced to clarify obligations, support enforcement and provide additional guidance on aspects such as record-keeping, information sharing and dispute resolution procedures.
  • Establishment of dispute resolution mechanisms: Regulated entities must set up IDR processes and become members of the EDR scheme (intended to be AFCA) to handle consumer complaints and redress.
  • Regulator coordination: The ACCC, in combination with the other sector-specific regulators, will formalise and publish arrangements for compliance and enforcement of the SPF. 
  • Industry guidance: It is expected that these regulators, in particular, the ACCC, will also publish and provide additional guidance materials, templates and sector-specific recommendations to help businesses comply with SPF obligations.

The SPF is designed and intended by Parliament to be dynamic and adaptable to the scam ecosystem, including where new scams and scam techniques emerge. As a consequence, most of the substantive elements of the framework will be contained in subordinate legislation, rules and determinations. In that context, there is a significant degree of uncertainty about practical implementation, including the implications of selectively applying the SPF to some participants in a given sector and not others, the interaction between general and specific obligations, and how regulated entities can most efficiently comply with both. There is also an open question about how these frameworks will interact with overlapping regulatory frameworks.

While banking, telecommunications, and digital platforms are industries that will be the first to be designated, the government will designate other high-risk sectors (particularly those that operate in superannuation, insurance and cryptocurrency related services).
[1] Commonwealth, Parliamentary Debates, Legislative Assembly, 7 November 2024 (The Hon. Stephen Patrick) (‘Scams Prevention Framework Bill 2024 Second Reading’).