Chapter 2 Provisions of the bill
2.1 This chapter sets out the provisions of the Scams Prevention Framework Bill 2024 (the bill):
Division 1: introduces the Scams Prevention Framework (SPF) into the Competition and Consumer Act 2010 (Competition Act) and provides an overview of the relevant provisions.
Division 2: establishes the overarching principles of the SPF and the application of those principles.
Division 3: allows for sector-specific SPF codes.
Division 4: establishes external dispute resolution mechanisms.
Division 5: outlines the framework to regulate the SPF.
Division 6: establishes the enforcement framework for the SPF.
Division 7: contains additional provisions, such as those to ensure a consistent treatment for the purposes of the SPF obligations across different types of entities.
Defining scam activity
2.2 The bill introduces key terms to support the operation of the SPF, outlined below.
Scam definition
2.3 To provide certainty on the scope of harms intended to be captured by the SPF, a scam is defined as:
… a direct or indirect attempt (whether or not successful) to engage an SPF consumer of a regulated service where it would be reasonable to conclude that the attempt:
involves deception; and
would, if successful, cause loss or harm including the obtaining of SPF personal information of, or a benefit (such as a financial benefit) from, the SPF consumer or the SPF consumer’s associates.
2.4 The conduct covered within the meaning of scam may interact with other regulatory frameworks, such as the ePayments Code, to ensure that key scam typologies including remote access scams and phishing scams are appropriately covered by the SPF and to also ensure a regulated entity should not be required to compensate for the same loss or damage twice, under two different regimes.
2.5 A scam attempt will involve deception if the attempt:
deceptively represents something to be, or to be related to, the regulated service;
impersonates a regulated entity in connection with the regulated service;
is an attempt to deceive the SPF consumer into either performing an action using the regulated service or facilitating another person to perform such an action; or
is an attempt to deceive the SPF consumer that is made using the regulated service.
2.6 The definition of scam includes successful scams which have caused loss or harm as well as scam attempts which have not yet resulted in loss or harm, reflecting the SPF obligations on regulated entities to take action against scams regardless of whether the scam has resulted in loss or harm.
2.7 The definition of scam is objective and does not require the scammer’s state of mind to be established. It is deliberately broad to capture the wide range of activities scammers engage in as well as being able to capture scam activity that may adapt and evolve over time to include new behaviours. The SPF rules will also be able to exclude conduct that is not intended to be captured under the SPF.
2.8 The Australian Competition & Consumer Commission (ACCC) noted that the incorporation of an objective, reasonableness element in the definition of scam was, at least in part, due to input from the ACCC during the consultation phase of drafting the bill.
SPF consumer definition
2.9 The bill introduces the concept of an SPF consumer to clearly set out the scope of obligations under the SPF and who they are designed to protect. An SPF consumer of a regulated service is:
a natural person, or a small business operator, who is or may be provided or purportedly provided the service in Australia; or
a natural person who is ordinarily resident in Australia and is or may be provided or purportedly provided the service outside of Australia by a regulated entity that is either an Australian resident or is providing or purportedly providing the service through a permanent establishment in Australia.
2.10 The Explanatory Memorandum outlines that a person can be an SPF consumer of a regulated service even if they do not have a direct customer relationship with the regulated entity, reflecting that an individual’s experience with a scam is often not limited to entities the individual has a direct customer relationship with. For example:
where an individual makes a payment to the scammer which is received by a banking service that the individual does not have a direct customer relationship with; or
where an individual is deceived through an impersonation scam involving an entity that the individual does not have a direct customer relationship with; or
where an individual receives a phone call or text message from a scammer, from a carriage service provider or intermediary that the individual does not have a direct customer relationship with.
2.11 Further, SPF personal information means personal information as defined in the Privacy Act 1988 and information relating to a person that may be used to access a service or an account, or funds, credit or other financial benefits, including one-time passwords and verification codes that may be used to access a bank account or social media account.
Actionable scam intelligence definition
2.12 Several obligations in the SPF relate to a regulated entity having actionable scam intelligence, which occurs when there are reasonable grounds for the entity to suspect that a communication, transaction or other activity relating to, connected with, or using a regulated service of the entity is a scam. This intelligence can come from a range of sources, including (but not limited to):
a report about a scam made to a regulated entity;
information provided by SPF regulators; or
a regulated entity’s own investigation into suspected scam activity.
2.13 A regulated entity has several obligations under the SPF in relation to actionable scam intelligence, including to provide the SPF general regulator with reports of and about actionable scam intelligence and taking reasonable steps to disrupt scams on receipt of actionable scam intelligence. Gathering and reporting this information is intended to minimise the harm to SPF consumers from scams.
Reasonable steps definition
2.14 An entity must take reasonable steps to prevent, detect and disrupt scams. As the SPF is a principles-based framework, determining whether a regulated entity has taken reasonable steps includes consideration of:
the size of the entity;
the regulated services of the entity;
the consumer base of those services;
the kinds of scam risks those services face; and
whether the entity has complied with any relevant SPF code obligations relating to the provision concerned.
2.15 The Explanatory Memorandum notes that the factors in determining reasonable steps are to be considered collectively, rather than in isolation, and will also involve consideration ‘of what is practical in the circumstances based on, for example, the regulated service provided by the entity’.
Overarching principles of the SPF
2.16 Division 2 of the bill establishes the overarching principles of the SPF and provides that:
All regulated entities must comply with the overarching principles of the SPF.
Each regulated entity is required to document and implement governance arrangements to combat scams and take reasonable steps to prevent, detect, report, disrupt and respond to scams on its regulated service.
Compliance with the SPF principles will be monitored, investigated and enforced by the ACCC as the SPF general regulator, with civil penalties attached to the obligations contained in the SPF principles.
2.17 The principles of the SPF are outlined below.
Governance requirements
2.18 Regulated entities are required to establish governance policies about how they will prevent, detect, disrupt, respond to and report scams, and then once implemented, are required to create performance metrics and targets assessing the effectiveness of their policies. Entities must also keep governance records for six years.
Prevention requirements
2.19 Regulated entities must take reasonable steps to prevent scam activity, beyond merely acting on actionable scam intelligence as defined in proposed section 58AI.
2.20 The Assistant Treasurer and Minister for Financial Services (Minister), the Hon Mr Stephen Jones MP, advised that this would require banks to provide enhanced verification procedures, such as confirmation of payees for transactions. Digital platforms would be required to implement strict advertising policies and to verify and validate their advertisers to ensure that businesses are legitimate and the person placing the ad is authorised to act on their behalf.
Detection requirements
2.21 Regulated entities must take reasonable steps to detect scams related to regulated services, including, but not limited to, taking reasonable steps to detect scams as or after they happen. Additionally, an entity may be deemed to have contravened requirements if it fails to take reasonable steps to investigate (within 28 days) actionable scam intelligence it has relating to a regulated service.
2.22 The Minister advised that reasonable steps may include:
… implementing systems and processes to identify suspicious activity, timely investigations of actionable scam intelligence and identifying consumers that may be impacted. Under this principle, a hands-off, 'it's not our responsibility' approach will not be acceptable.
Reporting requirements
2.23 An entity must report any actionable intelligence it has about scams to the SPF regulator. The SPF general regulator may disclose information relating to scams with prescribed entities, including Commonwealth agencies, law enforcement agencies, and relevant agencies of foreign countries if the SPF general regulator is satisfied that certain conditions have been met relating to the storage and use of such information, and that it is appropriate to disclose the information to the foreign agency.
2.24 As noted by the Minister, reporting ‘is a key part of this framework because it involves us collecting that information and enabling real-time intelligence sharing amongst designated sectors’.
Disruption requirements
2.25 Entities that possess actionable scam intelligence are required to take reasonable steps to disrupt the scam activity or prevent loss or harm, and failure to take reasonable steps could result in civil penalties. The bill notes that the reasonable steps ‘should be proportionate to the actionable scam intelligence’.
2.26 Further, a regulated entity will be provided safe harbour for up to 28 days (meaning the entity will not be liable in civil action or civil proceedings) for taking action to disrupt a scam activity, so long as the actions are undertaken in good faith, in compliance with the SPF provisions, and are reasonably proportionate to the scam activity.
2.27 The Minister noted that regulated entities ‘must take reasonable steps to disrupt an activity suspected of being a scam and prevent losses to their consumers’. This ‘will require investment in advanced monitoring systems and prompt content removal or other relevant disruptive action’ and ‘will also involve providing consumers with better education and awareness activities’.
Response requirements
2.28 Each regulated entity must have an accessible mechanism for consumers to report scam-related activities to the entity.
Internal dispute resolution
2.29 Each regulated entity is required to have an ‘accessible and transparent internal dispute resolution (IDR) mechanism’ to manage complaints about scams or scam related activity on the entity’s regulated services.
2.30 The Minister advised that IDR processes ‘are intended to provide regulated entities with an opportunity to assess their conduct and resolve the consumer's complaint in a timely manner’ and further noted that while banks and most telecommunications companies have these in place, such systems are almost entirely lacking in social media platforms for scam victims.
Which sectors will be included
2.31 As outlined above, Division 2 of the bill provides for SPF principles that must be met by all sectors designated as a regulated sector. Additionally, Division 3 allows for sector-specific codes to be developed that provide detailed and specific obligations to individual sectors.
2.32 The Minister advised that initial sectors intended to be regulated include:
telecommunication providers;
banks; and
digital platform services relating to social media, paid search engine advertising and direct messaging.
2.33 The Minister also advised that the government had ‘put the superannuation, insurance and cryptocurrency industries on notice that they will be fast followers’ and further, that those additional sectors ‘do not have to wait for government designation to start the hard work of improving their consumer protections’.
2.34 The Explanatory Memorandum notes that the commencement of the SPF does not in itself impose any obligations on entities until a designation is made with respect to a regulated sector, and the designation instrument is in force.
Sector-specific codes
2.35 The Explanatory Memorandum outlines that the bill, in Division 3, provides for a Treasury Minister to make an SPF code for each regulated sector including civil penalty provisions, with a requirement that those codes must comply with the overarching SPF Principles. Additionally, the relevant SPF sector regulator will monitor, investigate and enforce compliance with these provisions.
2.36 While sector codes are intended to support the SPF principles to prevent and respond to scams, the SPF is designed to operate even if a sector code is not made for a specific sector, ‘as the overarching SPF principles will generally apply when an entity becomes a regulated entity’. This means the SPF takes effect on an entity when it is declared a regulated entity, not when a relevant sector code is enacted.
2.37 The bill requires that an SPF sector code:
be consistent with the SPF principles;
only deal with the themes or matters covered by the SPF principles of governance, prevent, detect, disrupt, and respond; and
if applicable, include provisions about matters prescribed by the SPF rules.
2.38 Each SPF sector code is expected to set out the obligations specific to that sector, in recognition of the ‘differing roles each regulated sector has in the broader scams ecosystem and the unique scams-related challenges faced by regulated entities in different sectors’. The obligations within sector codes will generally be only the minimum standards, and it is acknowledged that in order to comply with the SPF principles, regulated entities may need to go further than those sector code standards.
2.39 The Minister provided further advice on how sector-specific codes will be developed and implemented:
An SPF code will set out detailed obligations specific to a regulated sector. This recognises that each regulated sector faces unique challenges with respect to scams and enables obligations to reflect those relevant circumstances. I've already reflected upon some of the contents of those codes. They'll be different for banks to telecommunications companies to social media platforms because the vectors are different, the threats are different, but the obligation to ensure that they are keeping their customers safe will be the same.
The obligations in an SPF code are not intended to be an exhaustive list of requirements that an entity must follow to comply with SPF principles.
SPF codes create only minimum standards for that sector, which an entity may be required to go beyond to comply with the SPF principles where it is facing a specific, targeted, and heightened risk of scam activity related to its regulated services.
2.40 Additionally, a sector code may not apply to all regulated entities within that sector. For example, within the telecommunications sector, different obligations may apply to carriage service providers than apply to transit carriers, given their different roles in the sector.
2.41 Further, the Treasury Minister’s power to make an SPF code ‘may be delegated in writing to another Minister, the ACCC, or the entity that is, or will be, the SPF sector regulator’. This can occur when the Treasury Minister considers the other person or entity ‘has the necessary industry knowledge, understanding and information to best address scams in that sector and to make an appropriate SPF code’ and ‘may also have strong stakeholder relationships and industry expertise that could be leveraged during the instrument development process’.
External dispute resolution
2.42 A key component of the SPF is to provide an external mechanism to resolve a dispute relating to scams that could not be resolved through IDR, and to provide a pathway for redress where regulated entities have not met their SPF obligations. The bill, in Division 4, provides that:
One or more external dispute resolution (EDR) schemes may be authorised for dealing with complaints about scams in designated sectors.
An existing EDR scheme such as the Australian Financial Complaints Authority (AFCA) could be authorised, or new schemes could be developed and authorised.
Initial EDR
2.43 The intention is that AFCA will be initially designated as an SPF EDR, which would enliven the Australian Securities and Investments Commission’s functions and powers relating to the AFCA scheme for the purposes of the SPF.
2.44 The Minister advised that AFCA would ‘offer an independent, free, impartial and fair mechanism for consumers to escalate their complaints and seek redress’ and it would be ‘required to report serious and systemic scam issues to regulators, as well as report circumstances where parties fail to give effect to a determination in a complaint case’.
SPF regulators
2.45 Division 5 of the bill establishes a multi-regulator framework:
The ACCC will oversee and enforce the SPF principles as well as the digital platforms SPF code.
The Australian Securities and Investments Commission (ASIC) will oversee and enforce the banking SPF code.
The Australian Communications and Media Authority (ACMA) will oversee and enforce the telecommunications SPF code.
2.46 It is expected that the ACCC, ACMA and ASIC will be sector regulators. The Explanatory Memorandum states that it is ‘intended’ that these regulators ‘would have access to their existing monitoring and investigation powers under their respective legislation’, arguing that ‘those tools are most effective in monitoring and investigating compliance within their respective sectors’. Further detail on the enforcement powers in this bill is set out below under Division 6.
Arrangements for regulators
2.47 According to the bill’s Explanatory Memorandum, the ‘multi-regulator model is intended to deliver a whole-of-ecosystem approach’ that will ‘support and harness each regulator’s mandate and leverage existing supervision, surveillance and enforcement frameworks already established by regulators’.
2.48 Commonwealth entities would be designated as sector regulators by legislative instrument. Initially, the ACCC would be the regulator for a specific sector if and while no instrument designates another Commonwealth agency and would be required to enter into arrangements with sector regulators about the regulation and enforcement of the SPF.
2.49 Under section 58EB of the bill, the functions and powers of the SPF general regulator (the ACCC) would include:
reviewing, and advising, the Minister about the operation of the SPF provisions;
the ACCC’s existing powers to obtain information, documents and evidence, as outlined in section 155 of the Competition and Consumer Act 2010, to the extent that the section relates to the SPF provisions or a designated scams prevention framework matter;
developing and publishing non-binding guidance material relating to the SPF provisions; and
the functions and powers of the SPF general regulator conferred by any other SPF provisions.
2.50 Functions and powers for SPF sector regulators would include those conferred:
by the SPF code for that sector;
by any other SPF provisions; or
if the ACCC is regulating that sector, the functions and powers set out in section 155 of the Competition and Consumer Act 2010.
2.51 Proposed section 58EF sets out how the ACCC and sector regulators would enter into arrangements. The arrangements are intended to manage risks associated with the multi-regulator model, such as:
unclear roles and responsibilities;
an inconsistent regulatory and enforcement approach; and
duplication in regulatory or enforcement action.
Information sharing between regulators
2.52 SPF regulators would be able to share information or documents relevant to the operation of the SPF ‘to support the effective administration and enforcement of the SPF and the practical operation of the multi-regulator model’. Information shared should be ‘either for the purpose of notifying another SPF regulator that action is being taken to avoid dual action’, or because the information ‘will be acted upon or used in some way to support the relevant SPF regulator’s role in administering and enforcing the SPF’.
2.53 SPF regulators would also be able to disclose particular information or documents to another SPF regulator where the information or documents would be ‘relevant to the operation (including enforcement) of the SPF provisions’.
2.54 Information between regulators could also be shared where the information is personal information because it ‘may be necessary for the SPF regulator to carry out its functions and powers under the SPF’. According to the Explanatory Memorandum, having ‘sufficient information to undertake effective monitoring, investigation and enforcement action … is therefore critical’ to achieve the objectives of the SPF and ‘prevent and respond to scams impacting the Australian community’.
2.55 Under proposed section 58E1, SPF regulators are not required to notify any person that they have:
collected SPF personal information;
plans to make a disclosure of information or documents;
made such a disclosure;
plans to use information or documents disclosed; or
used such information or documents, where these and all of the above are relevant to the operation of the SPF provisions.
Enforcing the SPF
2.56 Division 6 of the bill sets out enforcement powers for SPF regulators. In short:
the ACCC may use its powers under the Competition and Consumer Act ‘to monitor and investigate compliance with the relevant aspects of the SPF’, in its role as the SPF general regulator or as an SPF sector regulator;
if the ACMA or ASIC are sector regulators, they must use powers in their own legislation to monitor and investigate compliance with an SPF code for that sector; and
other SPF sector regulators can monitor or investigate compliance using the powers set out below, or a Treasury Minister may declare that they can use the powers in their own legislation.
2.57 As noted above, if the ACCC, ASIC and the ACMA are designated as an SPF sector regulator, they ‘will automatically have alternative monitoring and investigation powers under their own respective legislation’.
2.58 A Treasury Minister, where appropriate, ‘may declare that alternative monitoring and investigation powers apply to an SPF sector regulator in relation to a specified provision or provisions of the SPF code’. Default powers would apply unless such a declaration was in force, or the ACCC, ASIC or the ACMA is the SPF sector regulator for the sector.
2.59 The Explanatory Memorandum argued that it ‘is necessary and appropriate for the Minister to have this power’ so that ‘designations and declarations can be made quickly and effectively to respond to the emergence of scams and shifting of scam activity in different sectors’. In addition:
Scam activity is fluid and could become more active in a previously untouched sector of the Australian economy. The Ministerial power is appropriate so that compliance with an SPF code can be effectively monitored and investigated by a regulator who may have sector specific tools available to them that are appropriate to be used in the SPF context. Leveraging existing monitoring and investigation tools by a sector regulator may also reduce compliance costs on industry participants, who will be more familiar with existing regulatory arrangements.
2.60 A Treasury Minister would also be able, via legislative instrument, to declare that specified alternative power provisions apply to an SPF sector regulator ‘in relation to specified provisions of the SPF code for the sector’. In other words, the instrument ‘may specify modifications to one or more of the alternative power provisions to remove doubt as to how those powers would apply in the context of the SPF code’. Such an instrument would be ‘limited only to ensuring the application of the SPF sector regulator’s existing powers would apply to the SPF effectively, and in a corresponding way’. The instrument would be subject to sunsetting and disallowance.
2.61 The Explanatory Memorandum notes that it is expected that the ACMA will be the SPF sector regulator for the telecommunications sector and would have access to monitoring and investigations powers under parts 26 and 27 of the Telecommunications Act 1997. However, the Minister may, ‘by legislative instrument, specify modifications to one or more of ACMA’s referenced powers to remove doubt as to how those powers would apply in the context of the SPF code’. Such instrument ‘is not intended to modify the referenced powers as they ordinarily apply’ outside the SPF code and would be subject to sunsetting and disallowance.
2.62 The Explanatory Memorandum also states that it is ‘expected that ASIC would be the SPF sector regulator for the banking sector for the purposes of the SPF’. ASIC would have available to it Divisions 1, 2, 3, 7, 9 and 10 of Part 3 of the Australian Securities and Investments Commission Act 2001, which include monitoring and investigation powers. As with the ACMA, the Minister would be able, by legislative instrument, to modify ‘ASIC’s referenced powers to remove doubt as to how those powers would apply in the context of the SPF code’, with the same limitations outlined above.
2.63 According to the Explanatory Memorandum, the SPF’s enforcement framework ‘is consistent with the Attorney-General’s Department’s Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers’ and ‘is based on existing powers in law’, including in the Regulatory Powers (Standard Provisions) Act 2014, the Competition and Consumer Act 2010 and the Telecommunications Act 1997. The Explanatory Memorandum argued that:
… the standard provisions of the Regulatory Powers Act are an accepted baseline of powers required for an effective monitoring, investigation and enforcement regulatory regime, while providing adequate safeguards and protecting important common law privileges.
2.64 The Explanatory Memorandum notes that the enforcement framework is ‘set out in the primary law, rather than being left to subordinate legislation’.
Types of penalties
2.65 The Minister noted that the bill ‘imposes strong incentives for regulated entities to prevent, detect and deter scams’. This includes civil penalties of over $50 million per breach for the more ‘egregious’ breaches with significant impact on consumers. Additionally, ‘regulators could seek redress for harm or damages on behalf of victims where they pursue court action for the breach of an obligation’.
2.66 The Explanatory Memorandum outlines that penalties for contraventions of the codes will include:
civil penalties (fines), where there are contraventions of the civil penalty provisions; and
other enforcement tools as an alternative to court proceedings, including:
- infringement notices;
- enforceable undertakings;
- injunctions;
- actions for damages;
- public warning notices;
- remedial directions;
- adverse publicity orders; and
- other punitive and non-punitive orders.
Civil penalty amounts
2.67 Tier 1 contraventions would be contraventions of civil penalty provisions of the SPF principles found in Subdivisions C, D, F and G of the Scams Prevention Framework (found in Part IVF):
SPF Principle 2: Prevent;
SPF Principle 3: Detect;
SPF Principle 5: Disrupt; and
SPF Principle 6: Respond.
2.68 The Explanatory Memorandum argued that maximum penalties for tier 1 contraventions reflect ‘an appropriate deterrence for the worst breach of the SPF provisions, which could contribute to substantial consumer loss’. In addition:
High penalties reflect the importance of regulated entities complying with the obligations under the SPF, which is expected to substantially minimise scam losses for SPF consumers. Significant penalties recognise the ongoing damage and loss in the Australian economy, and the role that regulated entities play in preventing and combatting scam activity.
Further, it is expected that regulated entities will often be large entities that may have little incentive to take steps to combat scams but benefit from the advances in the digital economy that support those scams. Some sectors that are the most significant vectors for scam activity also profit from allowing scammers to use their services.
2.69 Maximum penalties for tier 1 contraventions by a body corporate would be the greater of the following:
159 745 penalty units (currently $50 000 185);
three times the total value of the benefit that the body corporate (and associated body corporates) obtained directly or indirectly because of the contravention, if a court is able to determine this amount; or
if a court is unable to determine the total value, 30 per cent of the adjusted turnover of the body corporate during the breach turnover period for the contravention.
2.70 The maximum penalty for tier 1 contraventions by a person other than a body corporate would be 7990 penalty units (currently $2 500 870).
2.71 Tier 2 contraventions would be contraventions of civil penalty provisions of an SPF code, SPF Principle 1 (Governance) or SPF Principle 4: Report.
2.72 Maximum penalties for tier 2 contraventions by body corporates would be the greater of the following:
31 950 penalty units (currently $10 000 350);
three times the total value of the benefit that the body corporate (and associated body corporates) obtained directly or indirectly because of the contravention, if a court is able to determine this amount; or
if a court is unable to determine the total value, 10 per cent of the adjusted turnover of the body corporate during the breach turnover period for the contravention.
2.73 The maximum penalty for tier 2 contraventions by a person other than a body corporate would be 1600 penalty units (currently $500 800).
2.74 The Explanatory Memorandum outlined that Tier 2 contraventions ‘have a lower maximum penalty because these obligations are more systems and process-focused, with more minimal direct consequences for consumers’.
2.75 An SPF regulator would be able to seek multiple remedies for a single contravention, if appropriate, but a person required to pay an SPF civil penalty would not be ‘liable to a pecuniary penalty for contravening another civil penalty provision of an SPF principle or of an SPF code, or under some other provision of a law of the Commonwealth’ relating to that conduct. This would ‘prevent civil penalty double jeopardy’ and ‘avoid the multi-regulator model and tiered structure of the framework leading to an outcome where a regulated entity is penalised twice for the same conduct’. However, a court would still be able to make other kinds of orders under Division 6, such as an order relating to action for damages relating to the same conduct.
Infringement notices
2.76 According to the Explanatory Memorandum, the SPF infringement notice regime ‘is broadly consistent with existing frameworks’ in the Competition and Consumer Act 2010.
2.77 Under this regime, inspectors of SPF regulators would be able to issue an infringement notice to a person for an alleged contravention of a civil penalty provision of an SPF principle or an SPF code. This power could be used as an alternative to proceedings for an SPF civil penalty order.
2.78 Inspectors would not be able to issue more than one infringement notice to the same person for the same alleged contravention.
2.79 Infringement notices would only have effect if they are issued within 12 months after the day the contravention is alleged to have occurred.
2.80 Section 58FP sets out matters that must be included in an infringement notice, including the details of the alleged contravention (including the date of the alleged contravention and which provision was allegedly contravened) and the penalty that is payable for the alleged contravention.
2.81 Penalties specified in SPF infringement notices issued to a person would equal 60 penalty units for a body corporate or 12 penalty units otherwise.
2.82 If a person fails to pay a penalty within the infringement notice compliance period (28 days, beginning on the day after the day that an inspector issues the notice), the person would be liable to proceedings for an SPF civil penalty order. The Commonwealth would be unable to commence or continue proceedings against a person related to the alleged contravention if the person has complied with the infringement notice.
2.83 SPF regulators could extend the infringement notice compliance period once only, for no longer than 28 days.
Enforceable undertakings
2.84 The SPF general regulator (the ACCC) and SPF sector regulators may accept written enforceable undertakings from persons relating to compliance with obligations under the SPF principles, in the case of the former, or under an SPF code for the relevant sector, in the case of the latter.
2.85 SPF regulators who consider that a person who gave them an enforceable undertaking has breached any of its terms may apply to a court with jurisdiction for an order:
directing the person to comply with the terms of the undertaking;
directing the person to pay the Commonwealth an amount up to the value of the financial benefit that the person obtained directly or indirectly because of the breach, provided it is reasonably attributable to the breach;
that the court considers appropriate, directing the person to compensate any other person who has suffered loss or damage because of the breach, such as a scam victim; or
that the court considers appropriate.
2.86 Enforceable undertakings would not preclude an SPF regulator from taking other regulatory actions at the same time, where appropriate.
Injunctions
2.87 SPF regulators or any other persons may make an application for an injunction. Courts may grant the injunction in terms they consider appropriate if they are satisfied that the person has engaged in, or is proposing to engage in, conduct that would constitute:
contraventions of civil penalty provisions of the SPF principles or of an SPF code;
attempting to contravene such a provision;
aiding, abetting, counselling or procuring a person to contravene such a provision;
inducing, or attempting to induce, whether by threats, promises or otherwise, a person to contravene such a provision;
being in any way (directly or indirectly) knowingly concerned in, or party to, the contravention of such a provision; or
conspiring with others to contravene such a provision.
2.88 Courts may also grant an injunction to prevent a person from engaging in conduct, and to require a person to do an act or thing.
Actions for damages—compensation
2.89 Persons who suffer loss or damage because of conduct of another person done in contravention of a civil penalty provision of an SPF principle or SPF code may take action against the person to recover the amount of the loss or damage. In addition, an SPF regulator may make a claim on behalf of the victim if they have the victim’s consent to do so.
2.90 The person may make a claim at any time within six years after the day of the cause for the action being commenced.
2.91 The Minister noted that ‘courts will be able to consider the role of multiple service providers connected to a scam and apportion liability between them’ and further noted that courts ‘are required to prioritise payment of redress to the scam victim over payment of penalties for breaches’.