ARTICLE
14 May 2025

Combatting Payment Account Fraud: Australia's Scams Prevention Framework

A&O Shearman


On February 13, 2025, Australia passed legislation implementing its Scams Prevention Framework (SPF) aimed at protecting Australian consumers from scams. The design of the SPF was informed by a previous consultation which ran from November 30, 2023 to January 29, 2024 (please see our latest regulatory developments in Australia blog post for further information on this).

The Australian Treasury recognised in its November 2024 consultation on the SPF that a whole-of-ecosystem approach was required to close the gaps that scammers exploit, and that everyone, including industry, Government and consumers, has a role to play in combating scams.

The SPF has a broad scope and will initially require mandatory participation from three business sectors: banks, telecommunications providers and digital platform services. It establishes overarching scam prevention principles that will guide industry specific, mandatory obligations applicable to firms in those designated sectors, and introduces a multi-regulator framework which will produce sector-specific codes of conduct and authorise an external dispute resolution (EDR) scheme.

The legislation inserts a new Part IVF into the Competition and Consumer Act 2010 (CCA) which sets out the SPF and empowers the Australian Competition and Consumer Commission (ACCC) to regulate compliance with it. Enforcement by the ACCC against businesses in designated sectors that breach their obligations can include penalties of up to AUD50 million for non-compliance.

Scope of regime

In-scope Persons

The SPF will initially apply to:

  • Banks.
  • Telecommunications providers.
  • Digital platform services providers, including social media, paid search engine advertising and direct message services.

The Treasury Minister may use the designation mechanism in the SPF to designate further sectors and incorporate the relevant sectoral regulator into the framework, if for example scam activity shifts over time. This could include superannuation funds, digital currency exchanges, other payment providers, and transaction-based digital platforms like online marketplaces.

The SPF will protect "SPF consumers" who are defined as: (1) natural persons who are in Australia (e.g. visitors), ordinarily reside in Australia, or are an Australian citizen or permanent resident of Australia; or (2) businesses with fewer than 100 employees and which have a principal place of business in Australia.

What is a scam?

The SPF defines a scam as:

"a direct or indirect attempt (whether or not successful) to engage an SPF consumer of a regulated service that: (a) involves deception; and (b) would, if successful, cause loss or harm including obtaining personal information of, or a benefit (such as a financial benefit) from, the SPF consumer or the SPF consumer's associates."

An 'attempt' will involve deception if it:

  1. Deceptively represents something to be (or to be related to) the regulated service.
  2. Deceptively impersonates a regulated entity in connection with the regulated service.
  3. Is an attempt to deceive the SPF consumer into either performing an action using the regulated service or facilitating another person to perform such an action.
  4. Is an attempt to deceive the SPF consumer that is made using the regulated service.

Notably, however, the definition does not include unauthorized fraud (such as unauthorized payments), and the extent to which it strikes an appropriate level of consumer protection will likely be an ongoing point of discussion.

How does the SPF operate?

The framework will be administered and enforced via a multi-regulator model. The Australian Treasury has designated the ACCC as the general regulator for the SPF, and there will also be a regulator for each initial sector:

  • Banking: Australian Securities and Investments Commission (ASIC).
  • Telecommunications: Australian Communications and Media Authority (ACMA).
  • Digital Platforms: the ACCC.

Each regulator will need to create its own governance framework for the SPF, structuring how it applies the SPF to its sector's regulated entities. Each regulator will also be responsible for creating sector-specific SPF codes, monitoring firms' compliance and pursuing enforcement action for suspected breaches.

If the SPF is extended to further sectors over time, additional regulators may be brought within the framework to enforce new codes where they have the relevant experience and expertise.

Figure 1 sets out the current overall make-up of the proposed SPF:

Figure 1: Proposed scams prevention framework


Source: Scam prevention framework – Summary of Reforms document Australian Treasury September 2024

Core obligations

The SPF introduces a principles-based approach, including overarching obligations that will apply to all in-scope persons. In-scope persons will be required to proactively combat scams and adjust their business models if necessary to meet their principles-based obligations.

The six overarching principles are as follows:

SPF Principle 1: Governance

Each regulated entity must establish comprehensive governance policies to manage the risk of scams. This includes:

  • Documentation: Writing detailed policies for scam prevention, detection, disruption, response, and reporting.
  • Performance Metrics: Developing metrics and targets to measure the effectiveness of these policies.
  • Risk Assessment: Continuously assessing and addressing the risks of scams.
  • Consumer Information: Making information available to consumers on how to report scams and make complaints.
  • Annual Review: Ensuring that governance policies and procedures are reviewed and approved by a senior officer annually.
  • Record Keeping: Maintaining records of activities taken to comply with SPF obligations for six years.

SPF Principle 2: Prevent

This principle focuses on taking reasonable steps to prevent scams from occurring. Requirements include:

  • Consumer Resources: Providing information, warnings, and training to help consumers identify and avoid scams.
  • Targeted Warnings: Identifying high-risk customers and providing them with specific warnings.
  • Identity Verification: Implementing additional identity verification for new accounts.
  • Proactive Information Gathering: Actively seeking out information on emerging scam activities.
  • Staff Training: Training staff on the latest scam activities.
  • Platform Security: Introducing robust procedures to prevent scammers from accessing or using the platform.

SPF Principle 3: Detect

Entities must take reasonable steps to detect scams, including identifying potential victims. This involves:

  • Actionable Intelligence: Using both internal mechanisms and external intelligence to detect scams.
  • Real-Time Detection: Identifying scams as they happen.
  • Post-Event Detection: Detecting scams after they have occurred.
  • Timely Response: Acting on actionable scam intelligence within a reasonable time frame.

SPF Principle 4: Report

Regulated entities are required to report scam activities and provide actionable intelligence to regulators. This includes:

  • Timely Reporting: Reporting actionable scam intelligence to the SPF general regulator as soon as practicable.
  • Comprehensive Reports: Providing detailed reports on scam activities, including personal and bank account information, and descriptions of bogus ads or media platforms.
  • Information Sharing: Ensuring that the SPF regulator shares this information with other regulated entities while protecting personally identifiable information.

SPF Principle 5: Disrupt

Entities must have controls in place to disrupt scams. This includes:

  • Intelligence Sharing: Sharing actionable intelligence with consumers and regulators.
  • Investigation Reports: Providing reports on the outcomes of scam investigations.
  • Preventive Actions: Taking reasonable steps to disrupt scams based on actionable intelligence, such as blocking phone numbers, accounts, or content associated with scam activity.
  • Payment Holds: Introducing holds on payments and stopping payments in critical cases.
  • Content Removal: Removing content associated with scam activity.
  • Consumer Controls: Allowing consumers to freeze their own accounts or stop transactions.

SPF Principle 6: Respond

Entities must provide mechanisms for consumers to report scams and submit complaints. This includes:

  • Internal Dispute Resolution (IDR): Establishing an IDR unit to process complaints.
  • EDR: Being a member of the Australian Financial Complaint Authority (AFCA) to handle consumer disputes and compensation claims.
  • Fair Mechanism: Ensuring that the EDR is an independent, fair, and impartial mechanism for resolving disputes when consumers are not satisfied with the IDR response.

The SPF principles will be enforced by the ACCC as the SPF general regulator.

The Australian Treasury and each sectoral regulator can also add sector-specific SPF codes, with more detailed regulation and controls.

Dispute / reimbursement mechanism

When an SPF consumer loses money in a financial scam, they may seek reimbursement from an in-scope firm. The victim will first go to the relevant firm's IDR and, if not satisfied with the outcome, may proceed to the EDR.

Regulated entities will only be required to reimburse an SPF consumer who has lost money due to a scam perpetrated against them if they have failed to comply with their obligations under the SPF and the relevant sector-specific SPF codes. There seems to be some confusion as to whether full compliance is necessary or whether a lower degree may suffice (e.g. if the area of non-compliance was irrelevant to the nature of the scam perpetrated against the complainant SPF consumer). Given the stringent new requirements, it may be an onerous exercise for regulators to decide whether regulated entities have complied to a satisfactory standard.

Enforcement

Regulated entities that fail to comply with the new regime will be subject to a two-tier penalty system, with higher penalties applying to more significant and egregious breaches of the framework:

Figure 2. Proposed tiered penalty regime

Tier 1 contravention: breaches of the principles-based obligations in the primary law relating to preventing, detecting, disrupting and responding to scams.

  • Penalty for an entity: the greater of AUD50m, three times the value of the benefit obtained, or 30% of the turnover during the period in breach.
  • Penalty for an individual: AUD2.5m.

Tier 2 contravention: breaches of the principles-based obligations in the primary law relating to reporting and governance, and any breaches of the sector codes.

  • Penalty for an entity: the greater of AUD10m, three times the value of the benefit obtained, or 10% of the turnover during the period in breach.
  • Penalty for an individual: AUD500,800.

In addition, regulators will be able to issue enforceable undertakings, injunctions, public warning notices about an entity's contravention of the SPF, remedial directions where an entity is failing to comply with the SPF, adverse publicity orders, non-punitive orders and orders other than financial penalties. While the Australian Treasury is keen for firms to put in place scam prevention measures voluntarily, it is clear that the SPF allows for a more forceful approach if necessary.

Next steps

The establishment of the SPF contributes to the broader effort to modernize Australia's laws for the digital age, including reforms to Australia's privacy, money laundering and cyber settings, modernization of the payment systems, introduction of online safety measures, as well as the rollout of Digital ID and eInvoicing infrastructure for businesses. We therefore expect further policy development as the SPF is put into practice.

Acknowledgments to Josie Archer, trainee with A&O Shearman's Financial Services Regulatory team in London, for her contribution to this post.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
