The new Scams Prevention Framework (SPF) is now law and the next steps are for SPF Codes and SPF Rules to be prepared in consultation with industry, and for sectors to be designated. Looking abroad at other scam prevention regimes provides insights into how the details of the SPF might be developed.
What is the Scams Prevention Framework?
The SPF does not in itself impose any obligations on entities until a designation of their sector is made. Treasury has indicated that banks, telecommunication providers and digital platforms will be the first sectors to be designated for SPF regulation. Future sectors for designation may include superannuation, insurance, online marketplaces and cryptocurrency providers.
The SPF sets the foundations for the regime but the operational details are yet to be developed, including:
- Sector-specific obligations: Regulatory requirements tailored to each regulated sector are to be developed in SPF Codes.
- Apportionment: The SPF requires regulated entities to develop accessible and transparent internal dispute resolution (IDR) mechanisms to deal with customer complaints about scams, and encourages the early resolution of complaints, including for compensation to be provided where there has been a breach of an SPF provision.
It also provides for an external dispute resolution (EDR) mechanism through the Australian Financial Complaints Authority. The SPF is largely silent on how liability for scams losses will be apportioned between regulated entities and/or the consumer at the IDR and EDR stages.
At the court action stage, proportionate liability under 'concurrent wrongdoer' provisions provides for apportioning liability based on what the court thinks justly reflects the responsibility of the regulated entities involved, excluding any proportion of loss for which the scam victim is contributorily negligent.
- Compensation: The SPF does not mandate compensation of scam victims. However, there is an expectation that scam victims will be able to seek compensation or 'another appropriate remedy' at IDR, a pathway to compensation at EDR, and a route to claim loss in court.
When will regulated entities need to comply?
Although the SPF is now law and does not provide for a transitional period, it is envisioned that regulated entities will not be required to adhere to the SPF's obligations until their sector is designated and the designation instrument for their sector is in force. Those instruments may include transitional arrangements.
What are other countries doing?
The United Kingdom, Singapore, and Malta have established regulatory regimes to combat scams, each with distinct approaches that provide insight into how the SPF might develop in practice. The Australian regime stands out for its comprehensive approach to disrupting the entire lifecycle of scams. It aims to regulate multiple sectors where scams originate and spread - banks, telecommunications providers and digital platforms.
In contrast, overseas frameworks have so far focused only on banks, payment service providers and in the case of Singapore, telecommunication companies. However, the approaches abroad were considered by Treasury in developing the SPF and may provide insights into how the SPF Codes may be developed, particularly in relation to apportionment of liability, scams controls and regulator intervention.
United Kingdom
The UK Authorised Push Payments (APP) regime commenced in October 2024 and differs from the SPF in key respects:
| | Australia | UK |
|---|---|---|
| Sectors | Banks, digital platforms, telecommunications | Only banks and other payment service providers (PSPs) |
| Scope | Payments by Australian residents (including when abroad), visitors to Australia, small businesses | Only UK-UK payments via Faster Payments and CHAPS |
| Mandatory repayment | No | Yes |
| Compensation cap | No | £85,000 (approx. $168,000 AUD) |
| Mandated apportionment | Not yet | 50:50 split between sending & receiving PSP |
| Limitation period | Six years | 13 months |
| Mandated time to reimburse | Not yet | Within five business days (subject to exceptions) |
| Scam prevention obligations | Yes, to take 'reasonable steps' to prevent and detect scams | No |
Insights from the UK for the forthcoming SPF consultations include:
- Consumer standard of caution: Payment Service Providers (PSPs), including banks, do not have to reimburse consumers who fail to meet any of four requirements: regard for interventions (such as pop-ups or other warnings); prompt reporting; response to reasonable and proportionate requests for information by the PSP; or consent to police reporting. The failure must meet a high standard of carelessness amounting to 'gross negligence'.
- Compensation cap and liability split: The UK regime is focussed on prompt reimbursement of scam victims, facilitated by the mandatory liability split between PSPs and a cap on compensation.
- Reasonable steps: The Financial Conduct Authority, the financial services regulator in the UK, expects scam prevention controls to include:
  - enhancing anti-fraud control frameworks;
  - improving checks at onboarding;
  - ongoing customer, account and device level monitoring;
  - improving use of intelligence, including behavioural biometrics and use of risk-based, automated warning messages; and
  - implementing manual intervention processes for high-risk payments.
Singapore
Singapore's Shared Responsibility Framework (SRF) came into effect in December 2024 and differs from the SPF in key respects:
| | Australia | Singapore |
|---|---|---|
| Sectors | Banks, digital platforms, telecommunications | Banks (and PSPs) and telecommunications |
| Scope | Payments by Australian residents (including when abroad), visitors to Australia, small businesses | Phishing scams where the impersonated entity has a Singapore nexus |
| Mandatory repayment | No | No |
| Compensation cap | No | No |
| Mandated apportionment | Not yet | Yes |
| Limitation period | Six years | No later than 30 calendar days after receiving a notification alert |
| Mandated time to reimburse | Not yet | 21 business days for straightforward cases/45 business days for complex cases |
| Scam prevention obligations | Yes, to take 'reasonable steps' to prevent and detect scams | Yes |
Insights from Singapore for the forthcoming SPF consultations include:
- Waterfall apportionment: If the bank does not comply with its SRF duties, it must fully compensate the consumer. If the bank is compliant and the telco is not, the telco must fully compensate the consumer. If both the bank and telco have fulfilled their respective SRF duties, the consumer bears the full loss.
- Regulator intervention: Following internal investigation by the bank and telco, a dissatisfied consumer can complain to sector regulators who will assess whether the entity has fulfilled its duties.
- Scam prevention obligations: The SRF contains detail on the steps regulated entities are expected to take to meet their obligations.
  In particular, banks must:
  - implement a 12-hour cooling off period after the activation of a digital security token;
  - provide real time notifications of transactions, including activation of digital security tokens or high risk activities;
  - establish a 24/7 reporting channel and a self-service feature through which consumers can immediately block their account; and
  - establish surveillance systems to detect unauthorised transactions and block them until positive confirmation from the customer is obtained.

  Telcos must:
  - block Sender ID SMS that are not from authorised aggregators; and
  - implement an anti-scam filter over SMS to block malicious URLs listed in a database.
Malta
In Malta, scam complaints are managed by the Office of the Arbiter for Financial Services (AFS). The Maltese regime differs from the SPF in key respects:
| | Australia | Malta |
|---|---|---|
| Sectors | Banks, digital platforms, telecommunications | Financial service providers (FSP) |
| Scope | Payments by Australian residents (including when abroad), visitors to Australia, small businesses | Any type of scam involving an FSP, including PSPs under Directive (EU) 2015/2366 (PSD2) |
| Mandatory repayment | No | Yes, for scams under PSD2 (except where gross negligence by consumer). No for other types of scams (but AFS can award compensation) |
| Compensation cap | No | Yes, for PSD2 scams: €250,000 (approx. $420,000). No for other types of scams (AFS will award amount it considers appropriate) |
| Mandated apportionment | Not yet | Yes, between PSP and consumer for PSD2 scams, via a 'reasonability allocation' model. No for other types of scams |
| Limitation period | Six years | Complaint must be raised in writing with the FSP within two years; and brought to the AFS within five years |
| Mandated time to reimburse | Not yet | AFS specifies the period within which the FSP must provide compensation |
| Scam prevention obligations | Yes | No |
Insights from Malta for the forthcoming SPF consultations include:
- IDR: The AFS strongly recommends that all major banks adopt the allocation model for their IDR procedures. This has reportedly resulted in more cases being resolved at the pre-mediation or mediation stages, rather than progressing to external dispute resolution through the AFS.
- Responsibility allocation model: The model, introduced in December 2023, sets out mitigating or aggravating factors used by the AFS to calculate the percentage of the consumer's loss that the PSP must reimburse a scam victim (with the AFS empowered to depart from the model upon providing reasons):
| Allocation of responsibility criteria | PSP | Consumer |
|---|---|---|
| Unquestionable gross negligence by consumer | 0% | 100% |
| Fraudster used PSP's normal channels of communication giving the clear impression of being a genuine communication | add 50% | reduce by 50% |
| Consumer actively participated in the fraud beyond disclosure of credentials | reduce by 30% | add 30% |
| PSP notified consumer by direct communication to beware of such scams in: last three months | reduce by 20% | add 20% |
| PSP notified consumer by direct communication to beware of such scams in: last six months | reduce by 10% | add 10% |
| PSP notified consumer by direct communication to beware of such scams in: over six months | no reduction | no addition |
| Special circumstances apply | add 20% | reduce by 20% |
| Consumer made no similar genuine payments in last 12 months or payment amount is atypical | add 20% | reduce by 20% |
What's next?
Businesses within the sectors which are anticipated to be designated initially under the new Australian SPF regime (banking, telecommunications, and digital platforms) should take steps to prepare for the rollout of the SPF regime, including by considering the insights from abroad in:
- designing and implementing (further) scams controls to prevent, detect, disrupt and report scams, as well as systems to gather scams data and scams intelligence; and
- engaging in consultations on the development of the SPF Codes and potential models for apportionment of liability.
Harriet Codd, Jasper Rasmussen, Nicole Jackson, Ciara Lavendar and Sebastian Judge also contributed to this Insight.