Chapter 4 - Operation of the Scams Prevention Framework

4.1 This chapter details the responses to the bill from submitters and witnesses as to the operational aspects of the Scams Prevention Framework (SPF), including suggestions made to improve its implementation.

Definitions

4.2 As outlined in Chapter two, the bill provides definitions of key words to ensure that there is clarity around responsibilities of regulated entities. The key definitions provided are for ‘scams’, ‘SPF consumer’, ‘actionable intelligence’ and ‘reasonable steps’. Submitters discussed improvements that could be made to provide greater clarity on these foundational definitions.

Defining scam activity

4.3 As outlined in Chapter two, a scam is defined as:

… a direct or indirect attempt (whether or not successful) to engage an SPF consumer of a regulated service where it would be reasonable to conclude that the attempt:

involves deception; and

would, if successful, cause loss or harm including the obtaining of SPF personal information of, or a benefit (such as a financial benefit) from, the SPF consumer or the SPF consumer’s associates.[1]

4.4 The Australian Payments Network welcomed ‘the flexibility provided by the bill to explicitly exclude’ through delegated legislation certain activities, such as hacking, data breaches and fraud that occurred without action from a consumer, and other types of cyber and economic crime, and called for the Minister to exercise this power.[2]

4.5 The Mortgage Association supported the current definition of scams as being ‘sufficiently broad to capture the two most common types of scam-related activity observed by our broker members, being impersonation and payment redirection scams’ but also recommended the definition ‘would benefit from further guidance by Treasury to help both consumers understand their rights and businesses within designated sectors to comply more effectively’. The Association recommended ‘a non-exhaustive list in the Rules of what is not considered to be scam activity including fraud where parties are known to each other, ponzi schemes and misleading and deceptive conduct’ as this would ‘support greater clarity to entities within designated sectors to comply with the SPF’.[3]

4.6 Conversely, the Law Council of Australia suggested that the definition of a ‘scam’ in the bill be amended ‘to more comprehensively capture various forms of scam activity, including phishing and remote access scams’.[4]

4.7 The Telecommunications Industry Ombudsman (TI Ombudsman) noted that a consumer’s view of what constitutes a scam can be very different to a legal definition of a scam. The TI Ombudsman submitted that of the 3049 complaints received in 2024 where the consumer believed they were the victim of a scam, only 331 complaints fell within the definition of a scam under SPF and ‘486 complaints related to fraud, falling outside of the SPF’s scam definition, with the fraud issues being the subject of existing telco-specific obligations’.[5]

4.8 DIGI submitted that it considered the scam definition proposed by the bill as lacking clarity and suggested the Commonwealth Fraud Control Policy definition to ‘be a more effective and implementable starting point’. In this policy, fraud is defined simply as ‘dishonestly obtaining a benefit or causing a loss by deception or other means’. DIGI also pointed to its definition within its Australian Online Scams Code, whereby a scam is defined as ‘an invitation, request, notice or offer by a person with the purpose of deceiving another person in order to obtain a financial benefit or cause a financial loss’.[6]

4.9 DIGI also noted the scam definition includes the obtainment of personal information. DIGI suggested removing this component as the ‘obtainment of personal information might certainly be the means by which a loss or benefit is obtained, but it should not be considered the scam itself’.[7]

4.10 The Insurance Council of Australia noted that many scams involve scammers setting up fake websites mirroring an insurer’s website or may otherwise impersonate the company or its employees. The Council recommended the SPF clarify the different types of scams and take into account whether they are external scams or whether they are ‘facilitated through the sector in the day-to-day provision of services’.[8]

4.11 BDO Australia noted that the scam definition is understandably broad to capture a range of potential scam-related activities, but this potentially gives rise to difficulties, ‘particularly where there is limited guidance or examples of what types of activity may fall within, or outside of, the definition of scam’. BDO advised that a clearer definition would help ensure consistent application of the SPF and reduce the risk of under or over identification of scam activity.[9]

Defining an SPF consumer

4.12 As outlined in Chapter two, the bill provides a definition of ‘SPF consumer’ to clearly set out who the SPF is designed to protect. An SPF consumer of a regulated service is:

a natural person, or a small business operator, who is or may be provided or purportedly provided the service in Australia; or

a natural person who is ordinarily resident in Australia and is or may be provided or purportedly provided the service outside of Australia by a regulated entity that is either an Australian resident or is providing or purportedly providing the service through a permanent establishment in Australia.[10]

4.13 The Australian Payments Network iterated its support for ‘the intention to provide broad customer and small business protections under the SPF’. However, it expressed concern about the breadth of the definition of ‘SPF consumer’ in the bill, arguing that it ‘will be particularly difficult for entities to identify and effectively communicate with individuals or businesses [that the entities] have no formal relationship with, or identify all persons who were SPF consumers that may have been impacted by a scam activity’.[11]

4.14 Nonetheless, the Australian Payments Network welcomed the provision in the bill allowing delegated legislation to limit the scope of ‘SPF consumers’ and the intention for the SPF codes to set out more specific obligations relating to specific classes of SPF consumers.[12]

4.15 The Law Council of Australia proposed that the definition of ‘small business operator’ be aligned ‘more fully … with the existing “small business” definition under subsection 23(4) of the Australian Consumer Law’, arguing that a lack of consistency may create ‘unnecessary regulatory complexities’. Such a change, the Law Council argued, ‘would ensure that only genuine small businesses—as opposed to conglomerates that may conduct multi-million dollar businesses despite using entities with few (or no) employees—are captured within this definition’.[13]

4.16 The Commonwealth Bank also made recommendations regarding the inclusion of small businesses, noting that ‘the definition may inadvertently capture entities which are part of large, sophisticated business operations’. The Commonwealth Bank recommended the definition be amended to ‘exclude a company if it is listed on the Australian Stock Exchange, a government entity, or an Australian Financial Services licensee that is authorised under its licence to operate registered managed investment schemes as a responsible entity to provide custodial and depository services’.[14]

Defining reasonable steps

4.17 As outlined in Chapter two, the bill provides for a broad definition of ‘reasonable steps’ that is principles-based, in which the process to determine reasonable steps is ‘an objective assessment that depends on the particular facts and circumstances’.[15]

4.18 Some evidence was received around the definition of reasonable steps, with calls for greater clarity or further examples, in order to ensure a more universal understanding which may then lead to reduced litigation.[16]

4.19 For example, DIGI welcomed section 58BB of the Bill which provides some guidance on the meaning of ‘reasonable steps’ to prevent scam activity. However, DIGI argued there is still some confusion on the definition as industry has ‘a different interpretation to consumers’.[17]

4.20 The Australian Communications Consumer Action Network (ACCAN) was of the view that the definition of ‘reasonable’ steps could be clarified by drawing on other pieces of risk-based legislation, pointing to the Work Health and Safety Act 2011’s definition of what is ‘reasonably practicable’ in ensuring health and safety.[18]

4.21 Consumer advocacy organisations suggested that the current definitions of ‘reasonable steps’ in the bill ‘appear to be weighted towards limiting the obligations on businesses, with considerations for consumers largely absent’. They voiced concern that the bill’s provisions are ‘insufficient to protect customers experiencing vulnerability’, arguing that the mere existence of a scams policy, even if it is inadequate and does not protect the victim, will allow regulated entities to ‘“tick off” the SPF obligation’. Accordingly, they proposed that regulated entities be required to consider consumer vulnerability when taking ‘reasonable steps’ to meet their obligations under the SPF.[19]

4.22 The Australian Payments Network expressed concern that even where the sector-specific codes provide guidance in how the SPF principles should be applied, particularly the meaning of ‘reasonable’, ‘proportionate’ and ‘relevant’ under each principle, the bill as drafted could lead to a regulator or external dispute resolution (EDR) scheme determining a different standard from the guidance contained in the relevant code. The Australian Payments Network considered that this ‘ambiguity creates regulatory uncertainty and will potentially lead to inconsistent enforcement’, and regulated entities may ‘take overly risk-averse approaches to compliance’, which would unwind efficiency and competition gains, dampen innovation and delay the adoption of certain payment methods, particularly real-time payments. In addition, ‘such risk aversion could also have an impact on the viability of non-bank’ payment service providers. The Network called for an amendment acknowledging that compliance with an SPF code constitutes ‘reasonable steps’.[20]

4.23 Telstra was of the view that the list included under ‘reasonable steps’ ‘should either be expressed as exhaustive or, at least, as matters which should be given substantial weight’. Telstra also argued that the list should ‘emphasise that the adequacy of the processes, systems and practices of the regulated entity is a relevant matter in assessing whether it has taken reasonable steps’.[21]

4.24 Google noted an additional concern, in that in order to defend their actions as reasonable, regulated entities would need to outline ‘extremely sensitive information about how they combat bad actors’. Google advised that such information is tightly guarded ‘to ensure that it is not leaked and abused by bad actors’ to improve their tradecraft. Google submitted that the disclosure of such scam prevention or detection information ‘risks the information falling into the wrong hands, thereby facilitating bad actors to circumvent detection and protections’.[22]

4.25 The Association of Superannuation Funds of Australia noted its support for changes to the definition of the term ‘reasonable steps’ in the bill compared with the draft form, suggesting this change provides ‘greater clarity to regulated entities’. It also supported the inclusion of a clause stating that codes may include sector-specific provisions relating to examples of reasonable steps, in clause 58BL. However, the Association suggested that the relevant clause defining ‘reasonable steps’ would ‘still benefit from the provision of greater regulatory guidance, including detailed examples’.[23]

4.26 However, as outlined in the Explanatory Memorandum, it is not considered practical that the bill should set out a prescriptive definition of ‘reasonable steps’ given the disparity between regulated sectors and business capabilities within those sectors:

… given the SPF will apply to a diverse range of entities, both across and within regulated sectors, it is not intended that the SPF codes will set out an exhaustive list of requirements that would be reasonable for every entity in every set of circumstances.[24]

4.27 Treasury noted that following feedback on the exposure draft bill, the Australian Government had sought ‘to address matters that were raised by quite a number of industry groups, around the interaction between the primary legislation and the codes, to clarify the elements of what will be considered reasonable steps’ for industry to ‘adhere to their obligations’.[25]

Defining actionable scam intelligence

4.28 As outlined in Chapter two, the bill provides a broad definition of actionable scam intelligence, in order to provide clarity around the scam intelligence reporting obligations within the SPF.[26] Some submitters raised questions about this definition and the reporting obligations. These two issues are discussed together later in this chapter under the section on reporting obligations.

Internal dispute resolution

4.29 Consumer advocacy organisations suggested that the SPF ‘relies heavily on regulated entities handling the majority of scam complaints in good faith and always putting their customer’s rights and needs ahead of their other commercial evidence’. However, the ‘evidence from scam victims who present on our frontlines show that we cannot rely on this’. They pointed to cases in which scam victims ‘are treated appallingly’, arguing that ‘this is not the conduct of outlier bad actors, but industry-wide practice’.[27]

4.30 As such, consumer advocacy organisations proposed that the bill be amended so that scam complaints lodged in an entity’s internal dispute resolution (IDR) processes are registered with AFCA and automatically escalated to EDR if not resolved within a fixed timeframe. The consumer organisations submitted that without incentives for ‘fair IDR outcomes, the result will be an avalanche of complaints at AFCA, and many scam victims ultimately dropping out of the process altogether’.[28]

4.31 Similarly, the ACCC recommended the SPF ‘require regulated entities to provide consumers with certain standard, clear and intelligible information in response to a complaint’ during IDR processes to ensure that consumers are clear on the steps being taken, which will assist consumers in making decisions on whether to pursue EDR.[29]

4.32 The TI Ombudsman made similar recommendations on the IDR, noting that currently, digital platforms have no obligations in relation to dispute resolution and that the ‘absence of clear, consistent IDR obligations on all regulated entities undermines the effectiveness of the “respond” principle of the SPF’. The TI Ombudsman recommended ensuring that ‘subordinate instruments will address the right minimum IDR standards across regulated entities’ alongside ‘comprehensive and transparent consultation and scenario testing’ involving ‘stakeholders from all regulated industries, including EDR schemes, peak industry bodies, regulators, and consumer groups’.[30]

4.33 Specifically, the TI Ombudsman recommended the minimum IDR standards include:

minimum response times for regulated entities that receive IDR complaints for consumers;

information regulated entities must provide to consumers;

the contact methods and process for consumers to bring a complaint to one or more regulated entities; and

the point at which a consumer can access EDR where IDR has failed.[31]

4.34 Legal Aid Queensland was of the view that ‘consumers should not be required to approach all the organisations that may have been involved in a scam individually’. Instead, ‘a complaint to one entity should be treated as a “one stop shop” for the consumer’.[32]

4.35 Bendigo Bank raised concerns that the bill was ‘silent on how liability will be apportioned across the regulated sectors and how coordination across the regulated sectors would occur’ and further, that it ‘does not allow regulated entities to add third parties into their IDR processes’. The bank argued this would ‘significantly reduce the impact of the effectiveness of the IDR schemes and cause more cases to go to EDR’.[33] Evidence questioning how liability will be apportioned is discussed later in this chapter.

4.36 Consumer advocacy organisations considered that ‘without introducing presumptions and efficiencies’ in complex complaints involving multiple regulated entities, ‘a scam victim will almost always have to resort to AFCA to obtain a fair outcome. This means complainants will be waiting months out of pocket, and will be required to have the knowledge, expertise and stamina to pursue their dispute’. They were of the view that only ‘a small minority of victims will make it there’, and called for ‘clearer direction in the SPF Bill and EM about presumptions of compensation’ if a regulated entity cannot prove that it met its obligations under the SPF, arguing that this ‘would be consistent with the well-accepted policy justification for reversing the onus of proof in the ePayments Code’.[34] The issue of consumer redress is outlined further below.

4.37 AFCA expressed its support for ‘amendments to the SPF bill which would require regulated firms to certify compliance with SPF obligations as part of the IDR process’, arguing that this ‘would go some way to addressing the information asymmetry and power imbalance that will exist between a victim of a scam and very large firms at IDR’. AFCA expanded on this, noting that certification mechanisms are ‘one of the tools for shifting onus and accountability to the financial firms’.[35] AFCA further recommended that such ‘certification should be open to independent scrutiny by regulators and the EDR scheme’ and ‘should not be an absolute defence to a consumer complaint’.[36]

4.38 Consumer advocacy groups also called for amendments that would require an information/certification process, in which regulated entities would be required to provide a statement of compliance about whether they have complied with their obligations, and such a statement would be available to AFCA for scrutiny. They contended that such a provision would not require the victim to bear ‘an insurmountable burden to prove a multi-million-dollar business failed to protect them’.[37]

4.39 AFCA noted that ‘there remains a significant body of policy development work to be completed by government and SPF regulators to set clear and comprehensive IDR standards across the three designated sectors’. AFCA anticipated that the standards ‘will leverage and modify existing IDR models and may be supported by tailored regulatory guidance and education’, given differences across the three sectors.[38]

External dispute resolution

4.40 Many submitters agreed that a ‘clearly defined and robust dispute resolution mechanism will be critical to the SPF’s operation’ where there are clear liability rules and dispute resolution processes to ensure a consistent approach for customers across all relevant sectors.[39] However, submitters had differing views on what factors would make an appropriate EDR scheme. These issues are discussed below.

EDR regulators

4.41 Some evidence concerned the role of regulators, with the Law Council of Australia, for example, suggesting that the model proposed in the bill may ‘result in protracted examinations of different entities’ relative roles in [a] scammer’s attack to determine possible redress’, leading to lengthy disputes. In addition, the Law Council proposed ‘further consideration’ be given to reducing ‘the complexity of the multi-regulator model, either through demarcating roles and responsibilities clearly, or by establishing a one-stop shop coordinator office’ to interact with industry and consumers. The Law Council was of the view that the bill should be amended to incorporate ‘a clear process for handling multi-party complaints’ and ‘specific details’ about the EDR model that should be followed.[40] The issue of multiple EDR avenues is discussed further below.

4.42 DIGI raised concerns with the proposal that the EDR entity would be AFCA. DIGI noted that AFCA ‘would lack familiarity and experience with the new sectors [digital platforms] it would need to regulate’ and further, that ‘AFCA generally considers disputes involving a single service provider’.[41] As well as raising concerns about the expertise of AFCA, DIGI went further to state:

… we query whether any EDR scheme—as opposed to a Court—has the necessary resources and expertise across the regulated sectors to make the determinations contemplated in the legislation, particularly if large numbers of claims are brought forward.[42]

4.43 On the other hand, the ACCC expressed its support for AFCA being designated the sole EDR body for the three initially designated sectors. The ACCC was of the view that this ‘is an important step in providing consumers with a simple, single pathway to seek redress and recover’, arguing that in practice this approach will require AFCA to work closely ‘with the Telecommunications Industry Ombudsman to navigate inevitable grey areas that may arise and ensure a smooth experience for consumers’.[43]

4.44 AFCA itself outlined its extensive operational experience engaging in actions that it will be required to conduct under the SPF, submitting that it will ‘leverage this experience and build capability in new sectors to establish Australia’s first scams EDR jurisdiction’. It acknowledged that a ‘significant amount of work needs to be done to establish the first scams EDR jurisdiction’ but reaffirmed its commitment to working with ‘stakeholders to deliver a robust, fair, independent and efficient process’.[44]

4.45 Some evidence noted the importance of ensuring that regulators are appropriately resourced to carry out their functions.[45] The Australian Payments Network proposed ‘ongoing assessment of regulators’ capacity and expertise in carrying out their roles under the SPF, particularly as the framework expands to cover new sectors’, given the volume and changing nature of scams. It noted that the volume of suspicious matter reports entities are required to submit under the Anti-Money Laundering and Counter-Terrorism Financing regime ‘has led to many—if not most—of these reports not being investigated or acted upon’, and expressed concern that the SPF regime would lead to a similar result.[46]

4.46 The Australian Government announced in the Mid-Year Economic and Fiscal Outlook 2024–25 that it would provide up to $14.7 million over two years to AFCA ‘to ensure it has capacity to provide a clear, single dispute resolution pathway for complaints relating to the three initial sectors to be designated under the Scams Prevention Framework’.[47] Additionally, the Explanatory Memorandum to the bill outlines that ASIC and ACMA functions will be subject to cost recovery arrangements.[48]

Apportioning liability

4.47 Many submitters argued that the SPF is silent on the important question of how to apportion liability when there is more than one regulated entity within the scope of a scam. For example:

If an ad on social media led the consumer to share their phone number with a scammer, which the scammer used to send SMSes to the consumer, leading to the consumer transferring money from their bank account to the scammer—and each of those services complied with their obligations under the framework to varying degrees—to what extent should each be responsible? The Bill does not address this.[49]

4.48 DIGI expanded on this point, arguing that lack of clarification on liability in the bill:

… will frustrate consumers. It will see industry focus on finger pointing, sometimes through lengthy legal battles, rather than collaborating to beat scammers at their game.[50]

4.49 The ACCC submitted that it has ‘long advocated for consumers to be at the heart of any legislative framework designed to combat scams’ and that within the SPF there should be ‘a clear articulation of liability for losses arising from scam complaints and, if there are to be multiple parties (within and across sectors) that might share liability in a particular case, clarity about how liability will be allocated’.[51]

4.50 Similarly, AFCA emphasised the importance of clarity ‘on proportionate liability and contribution to redress’ to facilitate timely redress.[52]

4.51 The Law Council outlined in detail in its submission areas which it argued were inconsistent or absent regarding apportionment of liability. As such, it called for ‘clear and simple liability principles’, which it suggested should ‘be specified in primary legislation, and these should be able to be consistently applied to internal and external dispute resolution, and statutory actions for compensation under the Bill’.[53]

4.52 The Commonwealth Bank argued that the principles-based obligations contained in the primary legislation ‘are generally not suitable to determine liability for compensation for individual consumer cases’. The Commonwealth Bank further recommended there be a ‘clear and workable apportionment mechanism to allocate liability between regulated entities that have not complied with the liability rules in relation to the particular scam event’.[54]

4.53 Although consumer advocacy organisations also welcomed these additions, they argued that ‘more specificity and guidance in the SPF Bill or at a minimum the EM and ACCC guidance is still needed, including how apportionment would apply for at least the first three designated sectors’, particularly in cases where only one entity failed to meet its obligations. They considered that such an amendment is necessary given, in their view, the bill as currently drafted has a low threshold for determining the extent to which a scam victim is ‘negligent’, compared to the existing threshold of ‘extreme carelessness’ when determining the extent to which a scam victim is responsible under the ePayments Code.[55]

4.54 Consumer advocacy organisations suggested that Australia borrow from the Maltese approach to liability apportionment in scams cases, in which entitlement to compensation is determined by set tables and percentages. They called for the bill to be amended to require ‘primary’ regulated entities to compensate victims for their entire losses, with these entities to recover any contributions directly from other regulated entities or via a compensation pool.[56]

4.55 The TI Ombudsman argued that there is uncertainty within the proposed SPF as to how the issue of ‘multi-party liability for scam losses’ will be addressed. The TI Ombudsman argued that the SPF, or explanatory materials, should ‘provide guiding principles regarding liability to support the development of more detailed rules’ which should ‘include certainty for consumers about how much of their scam losses are recoverable and from whom, as well as simplicity for consumers and regulated entities to understand and apply the framework’.[57]

4.56 Relatedly, Legal Aid Queensland submitted that after ‘a consumer establishes that they have been the victim of a scam, the use of standard formula for apportionment between industry should not result in the customer receiving less than 100% in compensation’.[58]

4.57 Mr David Niven contended that the SPF would allow ‘a bank to reduce its liability by saying the consumer contributed to the loss by some negligent or careless behaviour and so apportion the loss’. Mr Niven argued that the SPF ‘is likely to reduce consumers’ ability to obtain refunds compared to the current position’. He also suggested the fact that banks would be able to appeal any decision to the Federal Court ‘is virtually unheard of’ in EDR schemes and argued that it ‘will be a rare victim who has the funds to defend their case in the Federal Court’. He called for a framework similar to the model used in the United Kingdom.[59]

4.58 Several victims of scams who submitted to the inquiry were also in favour of a model based on the United Kingdom’s compensation model. For example, one submitter argued that ‘banks have little motivation to implement scam prevention as they have little financial incentive to’. She and her daughter called for the bill to include a model ‘where banks are legally required to reimburse all scam victims’.[60]

4.59 On the matter of appeals to the Federal Court, the Consumer Action Law Centre argued that:

This is unprecedented and undermines a cornerstone of external dispute resolution, giving deep-pocketed multinationals immense power in dispute resolution: they can just challenge a decision in a jurisdiction where victims can’t afford to defend.[61]

4.60 The Consumer Action Law Centre considered that the threat of appeals to the Federal Court ‘fundamentally shifts the power dynamic in that dispute. A consumer is far more likely to settle’. Further, if there is the possibility of a regulated entity appealing a court decision, ‘people are going to settle and not have that fair hearing that dispute resolution offers, and if it starts to crumble here, where else will it start to crumble?’[62]

4.61 In its submission, DIGI sought to divest all responsibility for scam liability onto the banking sector. DIGI also noted the multi-party liability issues, and submitted that ‘digital platforms, including social media services, are not an equal vector as the banking and telecommunications sector in relation to scams’. DIGI stated that as 100 per cent of scam cases involve a financial service, a redress scheme solely focused on banking anti-scam interventions and liability ‘would be simpler, easier for consumers to understand, and more effective’.[63]

4.62 DIGI claimed that due to the complex and multi-party liability nature of the redress scheme, ‘redress under the Framework could take years for people who have lost their life savings because of the sheer number of different services scammers exploit in their complex attack chain’.[64]

4.63 The Australian Banking Association noted that scams typically originate ‘through a social media post, messaging app, SMS or direct phone call’. The Association noted that while banks have a role in ‘detecting scams, warning customers of potential scam risks, and attempting to recover funds’, banks have no direct influence over the initial point of contact where scams occur.[65]

4.64 The Australian Banking Association stated that while banks ‘accept liability should apply to all relevant sectors on a proportional basis, including our own, where entities have failed to meet their obligations’, the social media sector needs greater incentives to take serious action against scams as:

… experience to date shows that the digital platform sector has not matched the investments or ambition of the Australian banking sector. As the business model of these entities is based on advertising revenue (which unfortunately currently includes a great deal of scam advertising), it is unlikely that they will take significant anti-scams steps unless the SPF contains effective incentives to do so.[66]

4.65 The Communications Alliance argued that ‘if a telco is in adherence to their industry code then that should mean they are in compliance with the legislation and therefore should not be subject to liability’.[67]

4.66 AFCA informed the committee that it ‘considers it essential that the liability regime applies consistently across all sectors’. It submitted that all participants in the scheme will be required to consider and develop models like standardised decision trees to clearly and consistently apportion liability, and stated that it is ‘ready to contribute to the development of an Australian model … that prioritises … shared responsibility tables to support liability apportionment and the adoption of a remediation lens’.[68]

4.67 While there were calls for banks to take a greater proportion of liability as they are often the entity that ultimately provides the platform through which money is transferred to scammers, the Customer Owned Banking Association (COBA) pointed out that banks often have limited oversight of the scam itself, meaning it is hard for them to determine whether a payment request is legitimate or part of a scam. COBA further noted that taking action to prevent customers from making payments to potential scammers ‘can cause significant friction and prove very challenging for staff’.[69]

4.68Google noted that the ‘proposed apportionment of liability between multiple regulated entities also carries the risk of fostering an adversarial environment of blame-shifting, rather than one of working together with a common goal of reducing scam activity’.[70]

4.69Taking a different view, the Australian Payments Network welcomed ‘the addition of provisions in the Bill that will help ensure fair apportionment of liability’ and ‘the intention that the SPF rules will set out guidance for apportioning liability at the internal dispute resolution stage’.[71]

Multiple EDR avenues

4.70The TI Ombudsman expressed a view that any EDR pathway should be as simple as possible for consumers to access and raised concerns that consumers may be confused as to whether to approach the SPF EDR or use other existing EDR processes such as that offered by the TI Ombudsman for related matters:

A consumer can access EDR through AFCA as a ‘single front door’, but this does not negate the need for behind-the-scenes EDR arrangements to prevent unnecessary complexity, delays, and confusion during multi-party dispute resolution. The consumer experience of scams and fraud in the telco sector is multifaceted and requires expertise across the entire telco regulatory framework, not just scam obligations.[72]

4.71The Commonwealth Bank agreed with this view and recommended a ‘one stop’ compensation complaint mechanism that would ‘apply to all regulated entities regardless of existing processes and regardless of whether located locally or offshore’.[73]

4.72The Internet Association of Australia submitted that ‘the legislation may indeed result in a scenario where entities and SPF consumers are forced to engage through multiple EDR schemes about one issue where there are multiple layers to a complaint, causing undue administrative burden for all involved’.[74]

4.73Similarly, the Consumer Action Law Centre called for ‘a primary entity [to be] responsible for compensating the victim—either the bank itself, or through a compensation pool—so that a victim doesn’t have to spend even more time chasing multiple businesses’.[75]

4.74At the public hearing, Treasury informed the committee that the bill ‘enables consumers to explore a number of different avenues for redress’. It noted the ‘need to assist consumers so that they’re not doing this by themselves. That’s why … there is assistance from AFCA with the external dispute resolution process’. In addition, Treasury pointed to ‘additional regulatory oversight’, so the ‘ACCC can also assist consumers in the space, including taking on cases that have systemic merit so there is a range of avenues that consumers can benefit from under the bill’.[76]

Consumer redress and civil action

4.75The issue of whether or not the SPF would include, or lead to, a consumer redress scheme was raised by multiple submitters as an issue of concern—some in favour and others against such a scheme.

4.76The Consumer Action Law Centre, CHOICE, the Australian Communications Consumer Action Network, the Financial Rights Legal Centre, Super Consumers Australia, Financial Counselling Australia, Westjustice and the Consumer Credit Legal Service, in their combined submission, expressed support for ‘the urgent passage’ of the bill. However, they considered that the bill should not be passed without a key amendment to give effect to ‘the … intention that regulated entities will compensate victims if they fail to meet their SPF obligations’, arguing, based on their experience, that ‘this would be international best practice to protect consumers … and drive industry investment in preventing scams’. They noted that consumer advocates around Australia had ‘unanimously called for a modified reimbursement model’ to reimburse customers, and were of the view that without such an amendment, the bill would ‘introduce a burdensome regime that fails to ensure fair outcomes for scam victims’.[77] In their submission, CHOICE noted they ‘remain hopeful that the approach to dispute resolution and redress to be established under the scam prevention framework could also work’.[78]

4.77In addition, the above consumer advocacy organisations proposed that victims of scams should be compensated 100 per cent, ‘regardless of whether just one or multiple regulated entities have breached their obligations under the Framework’.[79]

4.78The Consumer Action Law Centre argued that ‘if business is on the hook to prevent scams, they would do all they can’. The Consumer Action Law Centre considered that the bill will see an ‘unreasonable burden on victims to fight and prove their unlikely cases for compensation through internal and external dispute resolution’. It argued:

We are being told that the prevention measures set out in the government’s bill will work and will be the best in the world. If that is the case, then what is the argument against industry being liable for losses when the prevention measures fail?[80]

4.79TPG Telecom suggested that the ‘current mechanisms in Division 6, while well-intentioned, risk creating complex and lengthy legal processes’, arguing that a ‘well-designed redress scheme should not have to rely on the inclusion of a private right of action for consumers’. TPG Telecom called for the ‘private right of action [to] be removed from the Bill’ because of the risk of ‘creating a highly litigious and costly avenue to be exploited only by those individuals with the means and resources to fund such action’.[81]

4.80Optus similarly argued that the bill ‘has listed all possible form of redress rather than propose a process for simple, fast and effective redress for consumer harm’ and further noted that action for damages can be taken up to six years after the scam event.[82]

4.81The Australian Small Business and Family Enterprise Ombudsman considered that as the bill currently stands, ‘there is no guarantee that an external dispute resolution mechanism will be established’ by legislative instrument. The Ombudsman expressed concern that if this delegated legislation is not enacted, ‘the only form of redress for a consumer is through the courts. Small businesses are unlikely to pursue compensation through such a mechanism’ because of the cost, time and effort involved. The Ombudsman proposed that the bill be amended to incorporate a system similar to the Faster Payments Scheme reimbursement requirement in the United Kingdom or the Shared Responsibility Framework introduced in Singapore, or ‘a requirement that regulated entities must include compensation as an available remedy in their internal dispute resolution mechanisms’.[83]

4.82The Communications Alliance called for a ‘waterfall of liability’—that is, a ‘model which is based on the Monetary Authority of Singapore and their approach to scams’. In particular:

Telcos can monitor calls and texts, and we are held to account by the regulator already for blocking calls and texts. Similarly, banks are the only part of the supply chain that can block a bank transaction. Digital platforms are the only ones that can prevent a scammer ad being posted on a social media platform. I would say the principle we should seek to uphold here is that each sector should be held to account for their sector code, and if they are not in adherence with their sector code then it should open up the door for them to be potentially held liable for consumer redress.[84]

4.83Google also recommended the Australian Government ‘evaluate the relative merits of the United Kingdom’s (UK) tried and tested single-sector recovery model for authorised push payment fraud’, where in 2023 participating banks reimbursed approximately 67 per cent of money lost to Authorised Push Payment scams. In contrast, Australia’s banks compensate just 2–7 per cent of scam losses.[85]

4.84Conversely, Westpac argued that the ‘continued increase in UK scam cases suggests the [UK] scheme has failed to materially reduce the actual occurrence of scams as intended’, contending that ‘reimbursement schemes only serve to drive scam cases up further by encouraging scam activity and consumer complacency’.[86]

4.85The Australian Banking Association argued that the ‘bill is very much focused on the obligations on companies and sectors to do everything in their power in the first instance to prevent the scam’. Further:

… what’s really important from our perspective is that the system should incentivise companies to continue to invest in prevention. The bill has very serious civil penalties that can be imposed on companies that fail and, just as importantly, a regime that will allow those customers who have lost money because of a failure to comply by any of the companies involved some redress and compensation.[87]

4.86The Australian Communications Consumer Action Network (ACCAN) called for the bill to be amended to ‘establish a presumption of reimbursement for scam losses, with limited exceptions where gross negligence can be demonstrated’. ACCAN argued that such an approach would align ‘with established economic theory, which supports allocating risks and costs to parties best positioned to mitigate harm, thereby reducing overall social costs’. ACCAN also contended that such an approach would ‘incentivise effective prevention by financial institutions, telecommunications providers and digital platforms’.[88]

4.87The ACCC pointed to the Shared Responsibility Framework introduced in Singapore on 16 December 2024 and, in relation to the development of the SPF in Australia, encouraged ‘consideration of different models for consumer redress and compensation in IDR and EDR processes, such as appropriately designed and regulated compensation pools’. The ACCC advised that such a model should be simple and accessible for consumers and overall, that the SPF ‘should be designed to avoid a situation where consumers feel they must turn to third parties to assist with money recovery and compensation’.[89]

4.88The Commonwealth Bank noted the importance of compensation being available from the start of the SPF, and indicated it is ‘supportive of ecosystem participants pre-funding the designated complaint mechanism, intended to be AFCA, in order to ensure that the operation of the scheme is effective in compensating consumers in a timely manner from the outset’.[90]

Overlapping external regimes

4.89Some evidence expressed concern about the bill imposing different requirements to other external regimes that regulated entities are subject to.[91]

4.90King & Wood Mallesons noted that the obligations in the SPF will interact with the obligations of other legislative frameworks, including those found in the Banking Act 1959, Corporations Act 2001, National Consumer Credit Protection Act 2009, Privacy Act 1988 and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. King & Wood Mallesons suggested that provisions in the bill ‘may be inconsistent, or conflict, with existing obligations or prohibitions created under’ those laws. Regulated entities would be ‘required to take certain actions to comply with the SPF Bill but those same actions may result in the regulated entity breaching other applicable laws’. King & Wood Mallesons argued that without a broader safe harbour provision or exemptions stating that such actions would not contravene other laws, regulated entities ‘may be exposed to civil and/or criminal penalties in the course of taking reasonable steps in good faith to comply with the SPF Bill’.[92]

4.91The Australian Payments Network expressed similar concerns. It welcomed clarification in the Explanatory Memorandum that entities will not be required to compensate twice, under two different regimes, for the same loss or damage. However, it argued that if ‘the potential regulatory scope overlaps continue to be permitted under the SPF, it will be critical to provide clarity and certainty to regulated entities through the Bill, SPF rules or SPF codes about which obligations under which regulatory regimes should take precedence’. It proposed that the Minister and SPF general regulator consult and work closely with designated sectors to clarify reporting priorities across the different regimes, and ‘additional relief from potential contraventions of other laws and contractual obligations for reasonable disruption activities … [or] additional guidance on how such conflicts should be addressed’.[93]

4.92AFCA was of the view that the SPF ‘should expressly exclude’ the operation of the ePayments Code from application to scam complaints to ‘mitigate the risk of uncertainty, confusion, delay and cost for regulated firms and AFCA in deciding which regime applies when determining liability in scam complaints’. It considered that ‘timely resolution of any conflict between the application of the SPF’ and the ePayments Code should be a priority before the SPF commences.[94]

4.93Mr David Niven referenced ‘suggestions that the ePayments Code will be wound back’ because of the bill being ‘the new protection for consumers. This would be a disaster for consumers as it is a powerful consumer protection measure that assisted hundreds of consumers to obtain refunds in the HSBC case’. He called for an amendment to the bill to make clear that it would ‘not have the effect of lowering consumer rights under other laws’.[95]

4.94The Communications Alliance similarly noted that the telecommunications sector is already subject to the Telecommunications (Consumer Complaints Handling) Industry Standard 2018, enforced by ACMA, and argued that scam-related complaints should only be dealt with by one EDR scheme.[96]

4.95Consumer advocacy organisations noted that the ePayments Code offers rights and protections that have been further refined through recent AFCA determinations. Consumer advocacy organisations also expressed concerns that remote access scams will be covered under the SPF, and questioned whether consumers would have access to the same rights and outcomes as those available under the ePayments Code. They called for the bill to ‘specify that no existing rights or protections, including those accessible and articulated through recent AFCA determinations and under the ePayments Code, will be scaled back’, arguing that victims ‘cannot afford to lose the consumer rights and redress provisions of the ePayments Code with the introduction of a scams framework based primarily on prevention’.[97]

4.96However, AFCA noted that the ePayments Code only applies to banks who have subscribed to it and is ‘quite limited in terms of its application with regard to scams’ because it ‘only deals with transactions which are classified as unauthorised transactions’. AFCA suggested that the policy question of how the ePayments Code will be used in interaction with the SPF is ‘an active consideration’, noting:

At the moment, the ePayments Code would only apply to a particular limited number of scams against the transactional bank if it were a member of the ePayments Code in circumstances where the transaction was unauthorised. We would need to look, in those situations, as to whether it was more appropriate to apply the ePayments Code or the SPF framework, our point being that that is a matter that we think could be tidied up earlier given the overarching objective of all parties that there be a simple, universal, consistent framework that will respond to all scams in the macro environment.[98]

4.97Bendigo Bank pointed to reporting obligations under existing fraud prevention schemes which may duplicate or be in contravention of the SPF.[99] This is discussed further below.

Reporting obligations

4.98As outlined in Chapter two, the bill would enact several obligations on regulated entities in relation to actionable scam intelligence, including to provide the SPF general regulator with reports of and about actionable scam intelligence and taking reasonable steps to disrupt scams on receipt of actionable scam intelligence. Gathering and reporting this information is intended to minimise the harm to SPF consumers from scams.[100]

4.99This intelligence can come from a range of sources, including (but not limited to):

a report about a scam made to a regulated entity;

information provided by SPF regulators; or

a regulated entity’s own investigation into suspected scam activity.[101]

4.100Submitters noted the importance of these reporting obligations. The Commonwealth Bank submitted:

Leveraging the collective knowledge of consumers, entities, and government to detect a scam and prevent it from being used by scammers, through timely information sharing and action, is crucial.[102]

4.101Submitters raised a number of issues to be ironed out in the implementation of the SPF relating to these reporting requirements, including whether the SPF reporting obligations might be in contravention of reporting requirements of other existing regimes, whether the definition of actionable intelligence was so broad it would lead to a ‘tsunami’ of reporting, and potential impacts to privacy laws. These issues are explored below.

Existing reporting obligations

4.102Bendigo Bank contended that the reporting requirements of the SPF could replicate and overlap with existing and well-established reporting of suspected fraudulent transactions to the Australian Reporting and Transaction Analysis Centre, made via the reporting and information disclosure requirements under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). Because the AML/CTF Act precludes the sharing and disclosure of such reports outside of the parties mentioned in Section 123 of the AML/CTF Act (the ‘Tipping Off’ provision), these reports could not be shared with the ACCC for the purposes of SPF reporting requirements, meaning ‘each individual case would have double the reporting obligations to different regulators’.[103]

4.103Bendigo Bank suggested the SPF may benefit from greater consideration of existing regulatory reporting channels, including, ‘where possible, utilising existing regulator information sharing provisions, to minimise the amount of duplication required by regulated entities’. Bendigo Bank suggested this could be achieved with ‘an additional provision to state [that] when information has already been provided to one regulator, it does not need to be provided to another’.[104]

4.104Bendigo Bank further pointed to existing industry reporting mechanisms, such as the Fraud Reporting Exchange operated by the Australian Financial Crimes Exchange, which ‘allows for shared intelligence and secure communications between banks with agreed timeframes’.[105]

4.105The Australian Banking Association recommended this issue could be resolved by including a ‘safe harbour’ provision in the SPF that would enable entities ‘to take an action to prevent a scam being perpetrated in circumstances where existing laws may prevent the action’.[106] The Commonwealth Bank made a similar recommendation for a ‘reasonable use’ exception so existing laws and obligations are not triggered where there is ‘reasonable use’ under the SPF.[107]

4.106DIGI noted that reporting obligations for multinational companies not headquartered in Australia may be different. DIGI advised that companies ‘are still working through the extent to which reporting to the [National Anti-Scam Centre] can be done without a conflict of laws’.[108]

4.107The Commonwealth Bank noted that the current ‘safe harbour’ provisions of 28 days, in effect, provide entities up to 28 days to act on scam intelligence, by which time the value of that intelligence is diluted. The Commonwealth Bank recommended strengthening the reporting obligations to ensure regulated entities provided with intelligence via the Anti-Scam Intelligence Loop ‘have 48 hours to conduct an investigation to validate the legitimacy of the account, close the account, or suspend use of or access to the account’.[109]

Actionable intelligence

4.108As outlined in Chapter two, a regulated entity has several obligations under the SPF in relation to actionable scam intelligence, including to provide the SPF general regulator with reports of and about actionable scam intelligence and taking reasonable steps to disrupt scams on receipt of actionable scam intelligence. Gathering and reporting this information is intended to minimise the harm to SPF consumers from scams.[110]

4.109All submitters agreed that sharing intelligence and data on scam activity is a vital component in reducing scams. There were many suggestions on how to streamline this process and create efficiencies with existing systems to maximise the impact of the intelligence gathering function of the SPF.

4.110Westpac considered that the scope and reporting requirements in the bill for entities to undertake in response to actionable scam intelligence may be set too broadly, which may result in the reporting of irrelevant information. As a result, time and resources that would otherwise be invested in stopping scams may be diverted elsewhere. Westpac called for refinements to the scope of actionable scam intelligence ‘to information that will genuinely make an impact’ in stopping scams.[111]

4.111DIGI similarly maintained that the reporting requirements for actionable scam intelligence were set with too low a bar for reporting, and that, combined with high penalties for non-compliance, they may result in companies over-reporting to the ACCC, who may then be inundated with ‘low-quality reports about potential scams that might not even eventuate to a serious concern in Australia’.[112]

4.112The Australian Banking Association recommended an approach to ‘allow for the SPF Rules to further define “actionable scam intelligence”’ which would then ‘allow the Minister to work with expert anti-scam practitioners in industry to identify and define those data elements that are most useful in combatting scams without the risk of swamping the system with non-useable information’. The Association contended that this would strengthen the whole ‘ecosystem data sharing model that has already begun to pay dividends in Australia’s battle against scammers’.[113]

4.113The Communications Alliance also argued that the definition of actionable scam intelligence is overly broad and such intelligence is substantially different across different sectors. It argued that the definition ‘should focus on the establishment of systems and compliance with processes as opposed to the prevention of individual scams’. The Alliance advised the definition of actionable scam intelligence be delegated to the respective sector codes ‘to ensure that each sector can provide the most meaningful information without overburdening the system or, worse, rendering information less valuable as useful information gets drowned out by less useful information’.[114]

4.114NAB proposed ‘further narrowing and specifying the types of information that constitute actionable scams intelligence’.[115] BDO Australia similarly recommended ‘there may be advantages to streamlining the approach to scam data collection, sharing and reporting’ as taken in other economic-crime reporting regimes.[116]

4.115Under the SPF, regulated entities will be permitted to use a third-party provider to meet certain reporting obligations. The ACCC noted that while it supported this in principle, it recommended that whether a regulated entity is reporting direct to the ACCC (or another SPF regulator) or using an authorised third party, ‘regulated entities should be required to adhere to the ACCC and the National Anti-Scam Centre’s existing data sharing standards and processes’ to ‘create efficiencies, avoid data gaps and eliminate the need for additional frictions such as staff manually extracting and verifying data from a third-party portal’.[117]

4.116Multiple submitters recommended that reporting to the National Anti-Scam Centre be used to ‘develop a public, searchable database of known scams that consumers and companies can use to investigate whether something is a scam in real-time’.[118]

Privacy

4.117Some evidence expressed concerns about potential privacy implications of sharing information, with the Tech Council of Australia, for example, calling for the Government to ‘provide further clear guidance, in subordinate legislation, to businesses about the type of data that should be shared, and how to maintain best practice privacy policies while also facilitating information sharing about scams’.[119]

4.118The ACCC argued that it will sometimes need to rapidly share personal information with various scam ecosystem participants as part of the ACCC’s role as the SPF general regulator. However, the SPF does not currently authorise the ACCC to share personal information with private sector entities that are not ‘regulated entities’ to disrupt scams.

4.119The ACCC submitted that it considers the fast and efficient sharing of personal information (including between regulators and regulated entities, entities in sectors outside the SPF, law enforcement and other relevant government agencies) is essential to the success of the SPF in the disruption of scam activity and protecting Australians from serious harm. The ACCC suggested that the balance between disrupting scam activity and privacy considerations could be assisted by the insertion of a ‘sole purpose’ requirement in relation to the use of data by recipients that are not regulators.[120]

4.120The Internet Association of Australia also raised privacy concerns, noting that although the bill gives SPF regulators the power to disclose personal information relating to scam activity ‘the legislation is almost silent on the oversight laws that relate to each recipient’s use, secondary disclosure, retention, and destruction of such personal information’. The Association recommended the SPF ‘be clearer and more prescriptive in setting out privacy obligations of each EDR Scheme operator, as well as each SPF regulator’.[121]

4.121DIGI likewise noted that reporting requirements ‘may involve the disclosure of personal information of non-Australians, and may therefore enter into conflict with international privacy laws applicable to regulated entities that will restrict reporting’.[122]

4.122The bill would allow persons ‘authorised under the scheme’ to ‘use or disclose SPF personal information’ if it is ‘reasonably necessary to achieve the object of the SPF’. The Law Council of Australia called for clarification from Treasury about why this clause has been included, with this rationale to be incorporated into the bill’s Explanatory Memorandum.[123]

Civil penalties

4.123Some evidence considered that the penalties that would be imposed under the bill would be too high.[124] The Tech Council of Australia, for example, considered that the combined threat of penalties would likely ‘result in platforms and telecommunications providers over-correcting to avoid the risk of breaching the framework and facing fines’.[125]

4.124DIGI argued that the civil penalty amounts for not sharing information about potential scams with the regulator were excessively high.[126]

4.125Similarly, the Australian Payments Network noted ‘the high maximum dollar amount of the proposed penalties’ and called for ‘further clarity [to] be provided in the legislation or supporting rules to ensure that only systemic or egregious breaches of the SPF principles and codes would attract civil penalties’, in a similar vein to the penalty regime under section 1317G of the Corporations Act 2001. The Network also proposed that warnings be issued to non-compliant entities before regulators seek a civil penalty order.[127]

4.126The Association of Superannuation Funds of Australia proposed that the legislation delineate maximum amounts for a civil penalty provision between a tier 1 or tier 2 contravention, ‘with lesser penalties to be proportionately adjudicated via judicial discretion’.[128]

4.127The Law Council of Australia considered that civil penalties should be reserved ‘for systemic conduct in breach of the overarching SPF Principles or SPF Code, rather than making any failure to detect or prevent an isolated scam event subject to a civil penalty’.[129]

4.128The Commonwealth Bank made a similar recommendation where civil penalties would apply ‘to systemic failures at the policy, strategy or governance level, with consideration given to whether the entity had taken reasonable steps in all the circumstances’. However, this would also be complemented by ‘separate specific liability rules under the SPF rules, the breach of which would trigger an obligation by the regulated entity, or entities, to contribute to compensation for an individual consumer’.[130]

4.129Consumer advocacy organisations, however, submitted that ‘we can’t rely on businesses to meet their obligations, identify their failings and appropriately remediate victims without transparency, oversight and serious penalties for non-compliance’.[131]

Safe Harbour Provision

4.130Some evidence called for changes to the Safe Harbour Provision of up to 28 days’ protection from civil action or proceedings for regulated entities while they are investigating actionable scam intelligence.[132] The Law Council of Australia, for example, called for Treasury to provide clarification on why the safe harbour period was limited to a maximum of 28 days, arguing that ‘there is no limitation as to the period for which immunity applies’ in particular clauses of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 or the Superannuation Industry (Supervision) Act 1993.[133]

4.131King & Wood Mallesons proposed that the Safe Harbour Provision be expanded to provide ‘appropriate protection for all actions done in purported compliance with the SPF Bill’, with amendments to include ‘removing the time restriction, expanding the provision to provide protection from criminal liability, and reviewing the other conditions included in the Safe Harbour Provision, which may be unnecessarily restrictive and do not align with safe harbour provisions in other legislation’. They argued that such broadening of the provision would ‘provide additional comfort to regulated entities that … appropriate protection from liability’ would be available for potential breaches of other legislative frameworks because of actions they would be required to take under the SPF (as outlined above).[134]

4.132King & Wood Mallesons was of the view that provisions similar to the Safe Harbour Provision in other legislative contexts are less restrictive, without time limitations. They contended that broader ‘protection from liability would also be consistent with the approach taken in the United Kingdom’ that a person is not liable to civil proceedings because of acts or omissions undertaken ‘in the reasonable belief that the act is in compliance with’ particular provisions of the relevant legislation.[135]

4.133TPG Telecom, while supportive of the inclusion of a safe harbour provision, similarly called for the removal of the 28-day time limit, questioning ‘why actions taken in good faith based on actionable scam intelligence should be limited by an arbitrary deadline’. TPG Telecom pointed to the ‘Hi Mum/Dad’ scam, arguing that telecommunications providers may block legitimate communications from vulnerable children to disrupt potential scam traffic as a result of ‘poorly designed obligations … combined with a safe harbour framework’.[136]

4.134Conversely, the Australian Small Business and Family Enterprise Ombudsman considered that 28 business days was ‘far too long for a small business to be locked out’ of a regulated entity’s digital platform, given ‘the low levels of cash reserves that many small businesses hold … could result in the business failing’. The Ombudsman was of the view that the codes ‘are the ideal mechanism to set out an appropriate timeframe in which a small business must be allowed to return to business’, and proposed that the drafters of the codes consult widely on both timeframes and how a small business could return to business while a scam is being investigated.[137]

Consultation

4.135 Different views were expressed in evidence as to the level of consultation undertaken as part of developing the proposed SPF. DIGI noted that while there appears to have been ‘intense and ongoing consultation’ with the banking sector regarding the SPF, it claimed such consultation did not extend to other sectors proposed to be regulated under the SPF.[138]

4.136 The TI Ombudsman argued that consultation on the bill ‘was rushed’ and submitted that it had not seen any ‘public consumer journey mapping prepared by government that outlines how IDR and EDR will work’. The TI Ombudsman recommended that in any amendments to the SPF, including the development of subordinate instruments, ‘the Government conduct transparent, collaborative consultation and scenario testing’ and such consultation should ‘bring together affected stakeholders from the telco, digital platforms, and banking industries, including EDR schemes, regulators, peak industry bodies, and consumer groups’.[139]

4.137 However, there has been significant consultation on the development of the SPF. The Treasury undertook a two-month consultation on the proposal to develop mandatory codes in 2023 which received 75 submissions, followed by a consultation on an exposure draft of the bill which received 85 submissions.[140]

4.138 Some evidence acknowledged ‘positive changes’ and ‘improvements’ to the framework since the Exposure Draft was released for consultation, including requirements for the Minister to consult before designating a sector, changes to key definitions, the inclusion of a mechanism through which entities could be excluded from the SPF, and provision for delegated legislation to determine how liability will be apportioned for scam losses between regulated entities.[141]

4.139 The ACCC made positive comment on the consultative approach taken to the drafting of the bill and submitted that it had ‘engaged extensively with Treasury and other areas of government as the Scams Prevention Framework has developed’. The ACCC noted that it ‘appreciates the Government’s adoption of many of the ACCC’s proposed changes to the Bill’.[142]

4.140 Treasury outlined the steps of consultation the Government had undertaken, including in relation to codes in 2023, further consultation in 2024 on draft legislation, and ‘fairly regular engagement’ throughout that period ‘with various industry representative groups, with the members that are representing consumer groups and with individual businesses outside those formal consultation processes, as well as with the regulators that are intended to have roles and functions under the framework’.[143]

Implementation period

4.141 Some evidence called for a transition or implementation period after a sector has been designated and its SPF code has been released.[144]

4.142 The Internet Association of Australia pointed to the approach taken by the Department of Home Affairs, where, in the first 12 months after enactment of the Security of Critical Infrastructure Act 2018, the Department ‘took an educative and awareness raising approach’ in which it ‘did not enforce compliance and enforcement provisions, unless in very serious or egregious circumstances of an entity’s disregard for its obligations’. The Association recommended:

We would strongly urge the Treasury to similarly work with the SPF General Regulator, the ACCC, and the SPF Sector Regulators to engage with industry, and only use enforcement measures in select circumstances for a 12-month period, given the SPF is a significant regulatory reform that will impose many new and complex obligations.[145]

4.143 The Insurance Council of Australia also noted that the SPF will require ‘a significant uplift and change to business operations depending on the nature of the regulated sector’. The Council also recommended a phased introduction.[146]

4.144 Bendigo Bank likewise noted the expected increased workload of the ACCC and suggested ‘the agency should prioritise enforcement of significant and egregious breaches of the obligations to best achieve the policy intent of the legislation’. Bendigo Bank argued that doing so would ‘maintain confidence among stakeholders subject to the framework and its associated civil penalties’.[147]

4.145 The Law Council of Australia acknowledged that the Explanatory Memorandum specifies that regulated entities will not be required to adhere to the SPF’s obligations until their sector is designated and the instrument for their sector is in force. However, the Law Council suggested that the bill ‘should include a transitional period of at least six months’ to allow regulated entities to develop internal policies and procedures to educate their staff in how to apply the requirements of the SPF. Without such a transitional period, the Law Council argued, ‘entities may be exposed to penalty regimes for non-compliance, despite their best efforts to prevent scams’.[148]

4.146 The Australian Banking Association likewise recommended that a ‘staggered transitional approach’ would be ‘the best way to balance allowing time for system changes while also ensuring that the rollout of additional protections for Australian consumers are not delayed’.[149] The Commonwealth Bank further noted that a transition period would ‘ensure there is a clear delineation between the SPF and the existing ePayments Code, providing clarity on consumer protections and entity obligations’.[150]

4.147 However, the Australian Banking Association also informed the committee at the public hearing that ‘we are not sitting around waiting for a code—we’ve put in place a range of actions’ to reduce scams, which:

… have been signed up for not only by members of the Australian Banking Association but also every building society and credit unions. So what that means is it doesn’t matter if you choose to bank with the smallest financial institution in Australia or the largest, you should have the same protections when you are transferring money and the same obligations will be resting on the shoulders of your bank regardless of who they are.[151]

Footnotes

[1]Scams Prevention Framework Bill 2024, Explanatory Memorandum, p. 15.

[2]Australian Payments Network, Submission 23, p. 2.

[3]Mortgage and Finance Association of Australia, Submission 4, p. 2.

[4]Law Council of Australia, Submission 37, pp. 5, 9–10.

[5]Telecommunications Industry Ombudsman, Submission 7, pp. 8–9. See also: Commonwealth Bank of Australia, Submission 35, p. 11.

[6]Digital Industry Group Inc., Submission 6, p. 15.

[7]Digital Industry Group Inc., Submission 6, p. 16.

[8]Insurance Council of Australia, Submission 37, pp. 2–3.

[9]BDO Australia, Submission 14, pp. 3–4.

[10]Explanatory Memorandum, p. 22.

[11]Australian Payments Network, Submission 23, p. 3. Emphasis in original.

[12]Australian Payments Network, Submission 23, p. 3.

[13]Law Council of Australia, Submission 37, pp. 5, 10–11.

[14]Commonwealth Bank of Australia, Submission 35, p. 14.

[15]Explanatory Memorandum, p. 29.

[16]For example, Tech Council of Australia, Submission 30, p. 5. See also: Westpac, Submission 32, p. 6.

[17]Digital Industry Group Inc., Submission 6, pp. 3, 22, 25; Ms Sunita Bose, Managing Director, Digital Industry Group Inc. (DIGI), Proof Committee Hansard, 28 January 2025, pp. 11, 15. See also: Insurance Council of Australia, Submission 12, p. 3.

[18]Australian Communications Consumer Action Network, Submission 41, pp. 3, 5–6.

[19]Joint Consumer Organisations, Submission 31, p. 21.

[20]Australian Payments Network, Submission 23, pp. 5–6.

[21]Telstra, Submission 36, pp. 7, 9.

[22]Google, Submission 18, p. 9.

[23]Association of Superannuation Funds of Australia Limited, Submission 25, [pp. 8, 9].

[24]Explanatory Memorandum, pp. 30–31.

[25]Ms Michelle Davis, Head, Scams Taskforce, Department of the Treasury, Proof Committee Hansard, 28 January 2025, p. 31.

[26]Explanatory Memorandum, pp. 26–27.

[27]Joint Consumer Organisations, Submission 31, p. 19.

[28]Joint Consumer Organisations, Submission 31, pp. 19–20.

[29]Australian Competition and Consumer Commission, Submission 3, p. 4.

[30]Telecommunications Industry Ombudsman, Submission 7, pp. 7–8.

[31]Telecommunications Industry Ombudsman, Submission 7, p. 8.

[32]Legal Aid Queensland, Submission 29, p. 2.

[33]Bendigo Bank, Submission 16, p. 5.

[34]Joint Consumer Organisations, Submission 31, pp. 11–12. See also: Sylvie, Submission 40, p. 2.

[35]Dr June Smith, Deputy Chief Ombudsman, Australian Financial Complaints Authority, Proof Committee Hansard, 28 January 2025, p. 26.

[36]Australian Financial Complaints Authority, Submission 24, p. 6. See also: Dr June Smith, Deputy Chief Ombudsman, Australian Financial Complaints Authority, Proof Committee Hansard, 28 January 2025, p. 27.

[37]Joint Consumer Organisations, Submission 31, p. 13.

[38]Australian Financial Complaints Authority, Submission 24, p. 6.

[39]For example, Australian Banking Association, Submission 33, p. 8.

[40]Law Council of Australia, Submission 37, pp. 6, 7, 13–14, 16–17.

[41]Digital Industry Group Inc., Submission 6, pp. 31–32.

[42]Digital Industry Group Inc., Submission 6, p. 32.

[43]Australian Competition and Consumer Commission, Submission 3, p. 3.

[44]Australian Financial Complaints Authority, Submission 24, pp. 2–3 and Mr David Locke, Chief Ombudsman and Chief Executive Officer, Australian Financial Complaints Authority, Proof Committee Hansard, 28 January 2025, p. 25.

[45]For example, Law Council of Australia, Submission 37, p. 7; Tattarang, Submission 43, p. 1.

[46]Australian Payments Network, Submission 23, pp. 7, 8–9.

[47]Australian Government, Mid-Year Economic and Fiscal Outlook 2024–25, December 2024, p. 13.

[48]Explanatory Memorandum, p. 1.

[49]Google, Submission 18, p. 7. See also: Law Council of Australia, Submission 37, p. 5; Ms Sunita Bose, Managing Director, Digital Industry Group Inc. (DIGI), Proof Committee Hansard, 28 January 2025, p. 11.

[50]Ms Sunita Bose, Digital Industry Group Inc. (DIGI), Proof Committee Hansard, 28 January 2025, p. 11.

[51]Australian Competition and Consumer Commission, Submission 3, p. 2. See also: Tech Council of Australia, Submission 30, p. 6; Commonwealth Bank of Australia, Submission 35, p. 4.

[52]Australian Financial Complaints Authority, Submission 24, p. 3.

[53]Law Council of Australia, Submission 37, pp. 7, 14–65.

[54]Commonwealth Bank of Australia, Submission 35, p. 4.

[55]Joint Consumer Organisations, Submission 31, p. 16.

[56]Joint Consumer Organisations, Submission 31, pp. 16–18, 31–32.

[57]Telecommunications Industry Ombudsman, Submission 7, p. 6.

[58]Legal Aid Queensland, Submission 29, p. 2.

[59]Mr David Niven, Submission 38, pp. 1, 3. See also: Tech Council of Australia, Submission 30, p. 6; Mr Greg Peak, Submission 1, p. 2; Ms Stephanie Tonkin, Chief Executive Officer, Consumer Action Law Centre, Proof Committee Hansard, 28 January 2025, p. 18; Ms Carol Bennett, Chief Executive Officer, Australian Communications Consumer Action Network, Proof Committee Hansard, 28 January 2025, p. 19.

[60]Sylvie, Submission 40, p. 2; Name Withheld, Submission 39, p. 2.

[61]Ms Stephanie Tonkin, Consumer Action Law Centre, Proof Committee Hansard, 28 January 2025, p. 19.

[62]Ms Stephanie Tonkin, Consumer Action Law Centre, Proof Committee Hansard, 28 January 2025, p. 23.

[63]Digital Industry Group Inc., Submission 6, p. 4.

[64]Digital Industry Group Inc., Submission 6, pp. 4 and 31.

[65]Australian Banking Association, Submission 33, p. 4.

[66]Australian Banking Association, Submission 33, pp. 5 and 8.

[67]Mr Luke Coleman, Chief Executive Officer, Communications Alliance, Proof Committee Hansard, 28 January 2025, p. 7.

[68]Australian Financial Complaints Authority, Submission 24, pp. 7–8, emphasis in original.

[69]Customer Owned Banking Association, Submission 19, p. 2.

[70]Google, Submission 18, p. 8.

[71]Australian Payments Network, Submission 23, p. 7.

[72]Telecommunications Industry Ombudsman, Submission 7, pp. 9–10.

[73]Commonwealth Bank of Australia, Submission 35, pp. 3 and 10.

[74]Internet Association of Australia, Submission 9, pp. 2–3.

[75]Ms Stephanie Tonkin, Consumer Action Law Centre, Proof Committee Hansard, 28 January 2025, p. 19. See also: Mr Ashley de Silva, Chief Executive Officer, CHOICE, Proof Committee Hansard, 28 January 2025, p. 21.

[76]Mr Tom Dickson, Acting First Assistant Secretary, Department of the Treasury, Proof Committee Hansard, 28 January 2025, p. 30.

[77]Joint Consumer Organisations, Submission 31, pp. 7, 31. See also: CHOICE, Submission 34, p. 2; Ms Stephanie Tonkin, Consumer Action Law Centre, Proof Committee Hansard, 28 January 2025, p. 18.

[78]CHOICE, Submission 34, p. 2.

[79]Joint Consumer Organisations, Submission 31, p. 8.

[80]Ms Stephanie Tonkin, Consumer Action Law Centre, Proof Committee Hansard, 28 January 2025, pp. 18, 22.

[81]TPG Telecom, Submission 42, p. 5. See also: Telstra, Submission 36, p. 7.

[82]Optus, Submission 15, p. 5. See also: Google, Submission 18, p. 10.

[83]Australian Small Business and Family Enterprise Ombudsman, Submission 26, p. 3. See also: Mr Greg Peak, Submission 1, p. 2.

[84]Mr Luke Coleman, Chief Executive Officer, Communications Alliance, Proof Committee Hansard, 28 January 2025, pp. 7–8.

[85]Google, Submission 18, pp. 8–9.

[86]Westpac, Submission 32, p. 3.

[87]Ms Anna Bligh, Chief Executive Officer, Australian Banking Association, Proof Committee Hansard, 28 January 2025, p. 3.

[88]Australian Communications Consumer Action Network, Submission 41, p. 3; Ms Carol Bennett, Chief Executive Officer, Australian Communications Consumer Action Network, Proof Committee Hansard, 28 January 2025, p. 19.

[89]Australian Competition and Consumer Commission, Submission 3, pp. 2–3.

[90]Commonwealth Bank of Australia, Submission 35, p. 4.

[91]For example, Association of Superannuation Funds of Australia Limited, Submission 25, [p. 9]; National Australia Bank, Submission 28, p. 3; Commonwealth Bank of Australia, Submission 35, pp. 14–15; Ms Anna Bligh, Chief Executive Officer, Australian Banking Association, Proof Committee Hansard, 28 January 2025, p. 1.

[92]King & Wood Mallesons, Submission 21, pp. 1, 2–3.

[93]Australian Payments Network, Submission 23, pp. 3, 8, 9.

[94]Australian Financial Complaints Authority, Submission 24, p. 5. See also: Commonwealth Bank of Australia, Submission 35, p. 12.

[95]Mr David Niven, Submission 38, pp. 3, 4.

[96]Communications Alliance, Submission 11, p. 15.

[97]Joint Consumer Organisations, Submission 31, pp. 8, 23–24.

[98]Dr June Smith, Deputy Chief Ombudsman, Australian Financial Complaints Authority, Proof Committee Hansard, 28 January 2025, p. 28.

[99]Bendigo Bank, Submission 16, p. 3.

[100]Explanatory Memorandum, p. 28.

[101]Explanatory Memorandum, pp. 26–27.

[102]Commonwealth Bank of Australia, Submission 35, p. 12.

[103]Bendigo Bank, Submission 16, p. 3.

[104]Bendigo Bank, Submission 16, p. 3.

[105]Bendigo Bank, Submission 16, p. 2.

[106]Australian Banking Association, Submission 33, p. 13.

[107]Commonwealth Bank of Australia, Submission 35, p. 5.

[108]Digital Industry Group Inc., Submission 6, p. 2.

[109]Commonwealth Bank of Australia, Submission 35, p. 13.

[110]Explanatory Memorandum, pp. 26–28.

[111]Westpac, Submission 32, p. 5. See also: BDO Australia, Submission 14, p. 5; Tech Council of Australia, Submission 30, p. 6; Australian Banking Association, Submission 33, p. 10; Mr Chris Taylor, Chief of Policy, Australian Banking Association, Proof Committee Hansard, 28 January 2025, pp. 3–4; Ms Sunita Bose, Managing Director, Digital Industry Group Inc. (DIGI), Proof Committee Hansard, 28 January 2025, p. 13.

[112]Digital Industry Group Inc., Submission 6, pp. 3, 18–19.

[113]Australian Banking Association, Submission 33, p. 10.

[114]Communications Alliance, Submission 11, pp. 13–14.

[115]National Australia Bank, Submission 28, p. 3.

[116]BDO Australia, Submission 14, pp. 4–5.

[117]Australian Competition and Consumer Commission, Submission 3, p. 5.

[118]Digital Industry Group Inc., Submission 6, p. 4. See also: Bendigo Bank, Submission 16, pp. 4–5.

[119]Tech Council of Australia, Submission 30, p. 6.

[120]Australian Competition and Consumer Commission, Submission 3, p. 4.

[121]Internet Association of Australia, Submission 9, p. 4.

[122]Digital Industry Group Inc., Submission 6, p. 26.

[123]Law Council of Australia, Submission 37, p. 12. See Scams Prevention Framework Bill 2024, subsection 58BT(3).

[124]For example, Tech Council of Australia, Submission 30, pp. 5–6; Westpac, Submission 32, pp. 6–7.

[125]Tech Council of Australia, Submission 30, pp. 5–6.

[126]Digital Industry Group Inc., Submission 6, p. 4.

[127]Australian Payments Network, Submission 23, p. 6.

[128]Association of Superannuation Funds of Australia Limited, Submission 25, [p. 10].

[129]Law Council of Australia, Submission 37, pp. 5, 7, 11. See also: Commonwealth Bank of Australia, Submission 35, p. 5.

[130]Commonwealth Bank of Australia, Submission 35, p. 14.

[131]Joint Consumer Organisations, Submission 31, p. 11.

[132]Scams Prevention Framework Bill 2024, Subsection 58BZA. Explanatory Memorandum, p. 50. See, for example, Westpac, Submission 32, p. 6. See also: Telstra, Submission 36, p. 8.

[133]Law Council of Australia, Submission 37, pp. 5, 13.

[134]King & Wood Mallesons, Submission 21, pp. 1–2, 4–5. See also: Australian Payments Network, Submission 23, p. 9; National Australia Bank, Submission 28, p. 3; Mr Greg Peak, Submission 1, p. 2.

[135]King & Wood Mallesons, Submission 21, p. 7.

[136]TPG Telecom, Submission 42, p. 5.

[137]Australian Small Business and Family Enterprise Ombudsman, Submission 26, pp. 3–4. Emphasis in original.

[138]Digital Industry Group Inc., Submission 6, p. 4; Ms Sunita Bose, Managing Director, Digital Industry Group Inc. (DIGI), Proof Committee Hansard, 28 January 2025, p. 15.

[139]Telecommunications Industry Ombudsman, Submission 7, p. 5.

[140]The Treasury, Scams—mandatory industry codes, https://treasury.gov.au/consultation/c2023-464732 (accessed 8 January 2025) and Scams Prevention Framework—exposure draft legislation, https://treasury.gov.au/consultation/c2024-573813 (accessed 8 January 2025).

[141]Tech Council of Australia, Submission 30, p. 2; Joint Consumer Organisations, Submission 31, p. 8; Law Council of Australia, Submission 37, p. 6. See Mr Luke Coleman, Chief Executive Officer, Communications Alliance, Proof Committee Hansard, 28 January 2025, pp. 5–6, 7.

[142]Australian Competition and Consumer Commission, Submission 3, p. 2.

[143]Ms Michelle Davis, Department of the Treasury, Proof Committee Hansard, 28 January 2025, p. 30.

[144]For example: Law Council of Australia, Submission 37, p. 5; National Australia Bank, Submission 28, p. 4; Google, Submission 18, p. 11; Australian Banking Association, Submission 33, p. 14; Commonwealth Bank of Australia, Submission 35, p. 4.

[145]Internet Association of Australia, Submission 9, p. 3. See also: Insurance Council of Australia, Submission 12, p. 4.

[146]Insurance Council of Australia, Submission 12, p. 4.

[147]Bendigo Bank, Submission 16, p. 4.

[148]Law Council of Australia, Submission 37, p. 8.

[149]Australian Banking Association, Submission 33, p. 14.

[150]Commonwealth Bank of Australia, Submission 35, p. 4.

[151]Ms Anna Bligh, Chief Executive Officer, Australian Banking Association, Proof Committee Hansard, 28 January 2025, pp. 2–3.