Scams Prevention Framework FAQs

What is the Scams Prevention Framework (SPF)?

The Scams Prevention Framework (SPF) is a new Australian legislative framework that will impose obligations on businesses to protect consumers from scams and give rights to consumers who have been impacted by scams.

What are the main features of the SPF?

The SPF:

  • enables the Minister to designate sectors of the economy to be regulated under the SPF;

  • imposes obligations on regulated entities, based on 6 scam prevention principles (SPF Principles);

  • empowers the Minister to make codes (SPF Codes) for particular sectors of the economy, imposing further obligations on businesses in that sector;

  • allows for rules to be made (SPF Rules) to support the effective operation of the SPF;

  • makes the Australian Competition and Consumer Commission (ACCC) the general regulator of the SPF;

  • provides for other authorities including ASIC to be assigned as regulators of specific designated sectors;

  • requires regulated entities to implement dedicated internal dispute resolution (IDR) to deal with scams; and

  • provides for external dispute resolution (EDR) if a scam complaint is not resolved at IDR.

Where can you find the legal requirements?

The SPF is created by the Scams Prevention Framework Act 2025 (Cth) (the SPF Act). The SPF Act amends the Competition and Consumer Act 2010 (Cth) (the CCA) to introduce a new Part IVF - Scams Prevention Framework in the CCA. The SPF Act also makes amendments to some other legislation to give effect to the SPF. 

The SPF Codes are under development and have not been finalised, and there are currently no SPF Rules.

Who does the SPF apply to?

The SPF Act will enable the Minister to designate particular sectors of the economy as sectors which will be regulated by the SPF, known as “regulated sectors.”

The Minister’s power extends to any sector of the economy, but the SPF Act lists some sectors as examples which could be designated by the Minister, including banking, insurance, telecommunications services such as carriage services, social media and broadcasting. These are expected to be the first sectors designated by the Minister.

The person who carries on or provides the business or service in a regulated sector will be a “regulated entity” and its business or service a “regulated service”.  

Who will be protected by the SPF?

The SPF will protect “SPF consumers”, which is broader than a “consumer” under the Australian Consumer Law in the CCA. 

SPF consumers include:

  • a natural person or a small business operator (i.e. a person or a body corporate who operates a business with fewer than 100 employees and an annual turnover of less than $10 million) who is or may be provided or purportedly provided the regulated service in Australia; and

  • a natural person who is ordinarily resident in Australia and is or may be provided or purportedly provided the regulated service outside of Australia by a regulated entity that is either an Australian resident or is providing or purportedly providing the service through a permanent establishment in Australia.

This means that SPF consumers include people who are Australian residents or temporary visitors who use either an Australian-based or overseas-based regulated service that is offered in Australia, and also Australian residents who are overseas and use an Australian-based regulated service.

The concept of SPF consumer does not require regulated entities to have a contract or arrangement with the person, or know that the person is a natural person or a small business operator, or directly provide the regulated service to the person (i.e. the service can be provided indirectly). Regulated entities will have responsibilities not only to their own customers but also to anyone else who may come into contact with them in relation to a scam. For example, where a scam victim transfers money to an account nominated by the scammer at a bank where the victim does not have a direct customer relationship, the receiving bank may be liable to the victim if it has not met its SPF obligations.

When does it start?

The SPF Act commenced on 21 February 2025, but it will not apply to a designated sector until the Minister has designated that sector of the economy.

What is a scam?

The SPF Act defines a “scam” as a direct or indirect attempt (whether or not successful) to engage an SPF consumer of a regulated service where it would be reasonable to conclude that the attempt:

  • involves deception; and

  • would, if successful, cause loss or harm.

Loss or harm includes obtaining SPF personal information of an SPF consumer or the SPF consumer’s associates, and obtaining a financial or other benefit from the SPF consumer or the SPF consumer’s associates.

A key concept in the definition of a scam is that “deception” is involved. The SPF Act includes a definition of this term. An attempt will involve deception where:

  • there is a deceptive representation that something is a regulated service (for example, an invitation to invest in a non-existent investment product); or

  • there is a deceptive impersonation of a regulated entity (for example, a fake text message pretending to be from a bank); or

  • there is an attempt to deceive an SPF consumer into using a regulated service (for example, a person is induced to send money from their bank account through a banking app to an account nominated by a scammer); or

  • there is an attempt made using a regulated service (for example, text messages or phone calls are used to initiate contact between a scammer and an SPF consumer to deceive the consumer).

What is actionable scam intelligence?

The SPF Principles (explained below) require regulated entities to take various actions when they have “actionable scam intelligence”, so it is important to understand what this term means.

Under the SPF Act a regulated entity identifies or has actionable scam intelligence if and when there are reasonable grounds for the entity to suspect that a communication, transaction or other activity relating to, connected with, or using a regulated service of the entity, is a scam.

Whether there are “reasonable grounds” is an objective test. Relevant information for this test may include information about the mechanism or identifier being used to scam SPF consumers, information about the suspected scammer, and information provided by SPF consumers.

What are the 6 SPF Principles?

  1. Governance: Regulated entities must document and implement governance policies and procedures to combat scams in relation to their regulated services, and develop metrics and targets to monitor the effectiveness of the measures. These policies, procedures, metrics and targets are subject to annual certification by a senior officer of the entity, and must be maintained and shared with SPF regulators upon request.

  2. Prevent: Regulated entities must take reasonable steps to prevent scams relating to their regulated services from reaching or impacting SPF consumers. The steps can include providing education to consumers and staff members, and putting in place processes to prevent scammers from accessing or using the regulated services to perpetrate scams.

  3. Detect: Regulated entities must take reasonable steps to detect a scam relating to their regulated services. This includes taking reasonable steps to identify scams as they are happening or after they have happened, regardless of whether losses have been incurred by an SPF consumer. Scam detection could involve using information received from consumers, actionable scam intelligence from SPF regulators, or internal systems flagging high-risk or suspicious activity.

  4. Report: Regulated entities must share reports of any actionable scam intelligence with the SPF general regulator (the ACCC) and give an SPF regulator a report about a specific scam on request. The ACCC will also have the power to disclose information about scams to specified entities.

  5. Disrupt: Regulated entities must take reasonable steps to disrupt an activity suspected of being a scam that is underway and prevent losses or harm arising from such activity. The SPF has a safe-harbour provision: a regulated entity will not be liable in a civil action or proceeding for taking disruption action if, among other requirements, the entity acts in good faith and the action is reasonably proportionate to the suspected scam activity. The safe-harbour provision applies for a maximum of 28 days. If, within that 28-day period, the regulated entity concludes that the activity is not a scam, it must promptly reverse the disruption action to minimise the impact on the consumer.

  6. Respond: Regulated entities must have an accessible mechanism for SPF consumers to report suspected scam activity, and an accessible and transparent IDR mechanism for complaints to be made about scam activities and the entity’s conduct regarding such activities. The SPF consumers who can access these services could be persons affected by a scam who are not customers of the entity. Regulated entities will also be required to be members of an authorised EDR scheme which deals with scam-related complaints regarding a regulated service. The Australian Financial Complaints Authority (AFCA) is expected to operate the EDR scheme for the initial three designated sectors.

What are the penalties for non-compliance?

There will be substantial civil penalties for breaches of the SPF Principles and SPF Codes. There is a two-tier regime for penalty amounts.

Tier 1 contraventions include breaches of SPF Principles of Prevent, Detect, Disrupt, and Respond, while Tier 2 contraventions cover breaches of SPF Codes and the Governance and Report SPF Principles.

The maximum penalty for a Tier 1 contravention by a company is the greater of 159,745 penalty units (currently $52,715,850), three times the total value of any benefit to the company and related entities, or 30% of the adjusted turnover of the company during the breach turnover period.

The penalties for Tier 2 contraventions are lower but still substantial, with companies facing a maximum penalty of the greater of 31,950 penalty units (currently $10,543,500), three times the total value of any benefit to the company and related entities, or 30% of the adjusted turnover of the company during the breach turnover period.

There are also civil penalties with lower amounts for contraventions by individuals.

It is important to note that penalties can be incurred for breaches in relation to individual scam transactions, and not only for systemic conduct failures. For example, the Prevent SPF Principle says that a regulated entity contravenes the requirements if the entity fails to take reasonable steps to prevent another person from committing a scam relating to, connected with, or using a regulated service of the entity.

What do you need to do to prepare for the SPF?

Entities that will be in the expected initial designated sectors should:

  • review the SPF Act;

  • monitor any updates on the development and release of SPF Codes applicable to the designated sector;

  • review policies and procedures in relation to scams and ensure that they are aligned with the SPF Principles;

  • understand actionable scam intelligence and map how it is monitored, reported, assessed and acted upon in their business;

  • review and update IDR mechanisms; and

  • review and update privacy notices and consents to cover disclosures of actionable scam intelligence, reports to SPF regulators, etc.

Where can you get help on the SPF?

We can provide legal advice on your SPF obligations. Contact us for a confidential discussion.

Thanks to Phuong Nguyen for his assistance in preparing this article.
