With Australians reporting approximately $4.7 billion in losses to scams [1] in the period covering 2023-24, concerns about the consumer harm arising from scam activity remain a hot-button issue in Australia’s digital regulation landscape. This is despite industry-specific efforts to combat scam activity over recent years.
Against that backdrop, on 13 February 2025, Federal Parliament passed a Bill to amend the Competition and Consumer Act 2010 (CCA) and introduce a new scam prevention framework (SPF). The SPF is designed to combat scam activity through a new regulatory toolkit that imposes a range of obligations on businesses in the telecommunications, digital platforms, and banking sectors (at least to begin with). In this article, we provide a brief overview of how the SPF will operate.
The Scams Prevention Framework Bill 2024 (Cth) (SPF Bill) was introduced in response to what the Government saw as ‘piecemeal and inconsistent’ protections[2] against scams across different sectors. The SPF Bill establishes a general framework that can be applied to any business sector, but at least initially will prioritise those sectors that are perceived to present the greatest risk to consumers.
While telecommunications providers are subject to a co-regulatory framework and have been operating under a registered industry code since 2020, other sectors are not subject to formal regulatory obligations and scam mitigation initiatives have been on a largely voluntary basis. Following a public consultation late last year, the SPF Bill was passed by both houses of Parliament on 13 February 2025.
In the telco sector, there has been considerable debate about the best methods of combatting scams, and the threat of scams has been raised (rightly or wrongly) in debates about the Numbering Plan, the SMS Sender ID Register and the ACCC’s inquiry into declaration of certain telecommunications services. However, the SPF Bill has largely been met with support from both regulators and industry participants, including Communications Alliance, which was responsible for preparing the Reducing Scam Calls and SMs Code that applies to telecommunications providers.
The SPF Bill is also being introduced at a time when the Government is considering new measures to enable Australia’s telecommunications regulator to directly enforce contraventions of registered industry codes relating to telecommunications providers (on which we have previously written here).
The SPF Bill is ‘deliberately broad’[3] and s.58AG defines a scam as a direct or indirect attempt (whether successful or otherwise) to engage an SPF consumer in a way that it would be reasonable to conclude that the attempt:
The SPF is an overarching framework administered by the Australian Competition and Consumer Commission (ACCC) as the SPF General Regulator. The Framework establishes six general principles that will apply to businesses in regulated sectors. Regulated entities must comply with these overarching principles (SPF Principles) as well as sector-specific codes (SPF Codes).
These principles are set out in the table below:
| SPF Principle | Summary |
| --- | --- |
| 1. Governance | Each regulated entity must document and implement governance policies, procedures, metrics, and targets for combating scams. This includes an annual review, certification, reporting and record keeping requirements as evidence of compliance. |
| 2. Prevent | Each regulated entity for a regulated sector must take reasonable steps to prevent scams. |
| 3. Detect | Each regulated entity for a regulated sector must take reasonable steps to detect scams. This includes: |
| 4. Report | Each regulated entity must provide the ACCC with reports of any actionable intelligence the entity has about activities relating to, connected with, or using the entity’s regulated services. (A regulated entity will not be liable in civil action or civil proceedings for taking action to disrupt a scam activity, subject to certain requirements). |
| 5. Disrupt | Each regulated entity for a regulated sector must take reasonable steps to: |
| 6. Respond | Each regulated entity must have an accessible mechanism for its consumers to report activities that are or may be scams. This includes having an internal dispute resolution mechanism which is subject to further reporting and publishing requirements. |
When published, the SPF Codes will set out detailed and sector-specific obligations relating to the SPF principles (excluding the reporting obligations under SPF Principle 4)[4]. The explanatory memorandum suggests that SPF codes will only create ‘minimum standards,’ which an entity may be required to go beyond to comply with SPF principles[5]. The SPF codes will be sector-specific, and the explanatory memorandum suggests some SPF codes will only apply to certain regulated entities within a sector[6]. For instance, in the telecommunications sector, an SPF code may impose different obligations on carriage service providers compared to transit carriers.
The Minister can designate specific sectors (regulated sector) that the SPF will apply to. Individuals or businesses (regulated entities) providing services (regulated services) in a regulated sector in Australia must comply with SPF obligations.
The Federal Government has indicated that the following sectors will be designated as ‘regulated sectors’ from the outset:
Before designating a specific sector, the Government must consider, among other things, the effectiveness of existing industry initiatives to address scams in those sectors.
The SPF is aimed at improving scam protections for individuals and small businesses, both of which are considered to be an ‘SPF consumer’. Regulated services provided to any SPF consumer are subject to the SPF. Similar to the unfair contract terms regime of the Australian Consumer Law, a small business will be an SPF consumer where it has a principal place of business in Australia, fewer than 100 employees and a turnover of less than $10 million.
Importantly, the SPF will also capture services provided outside Australia by regulated entities when the consumer in question is ordinarily an Australian resident.
While some consumer organisations had pushed for a similar approach to that adopted in the United Kingdom, under which victims of scams will be mandatorily reimbursed for any financial losses, this approach has not been adopted in Australia.
The SPF does however provide some means for scam victims to seek redress:
Contraventions of any obligations contained in the SPF Principles and SPF codes will attract significant financial penalties.
The maximum civil penalty will vary depending on whether the contravention attracts a Tier 1 civil penalty or a Tier 2 civil penalty. For bodies corporate, Tier 1 civil penalties will not exceed the greater of 159,745 penalty units (currently $52,715,850), 3 times the benefit obtained, or 30% of adjusted turnover if benefit value is undetermined. These apply to contraventions of civil penalty provisions of Principles 2, 3, 5 or 6 of the SPF.
Tier 2 civil penalties (for bodies corporate) will not exceed the greater of 31,950 penalty units (currently $10,543,500), 3 times the benefit obtained, or 10% of adjusted turnover. These will apply to contraventions of civil penalty provisions of an SPF Code or Principles 1 or 4.
In addition to civil penalties outlined above, there are other administrative enforcement tools available including:
Compliance with the SPF Principles will be monitored, investigated and enforced by the ACCC (designated as the lead SPF Regulator). The SPF Bill permits other regulators to take the lead in enforcing compliance with industry-specific SPF codes. For example, the Australian Securities and Investments Commission (ASIC) will be responsible for enforcement of the banking sector’s SPF Code while the Australian Communications and Media Authority (ACMA) will enforce the telecommunications sector’s SPF code.
The new laws have been largely welcomed by the telecommunications and banking sectors, alongside AFCA. Digital industry associations, however, have voiced concerns with the reforms, arguing that the banking sector should bear a greater regulatory burden than other sectors as “100% of scams involve a financial service”[9].
Now that the SPF has received Royal assent, attention will turn to the legislative rules, including:
Since banks, telecommunications companies, and digital platform service providers are expected to be designated sectors, businesses in these areas should strengthen their existing strategies and frameworks related to scams in preparation for increased compliance and enforcement measures.
If you require further information or would like to discuss, please contact Thomas Jones, Matthew Bovaird, Patrick Cordwell, or Dylan McGirr.
[1] National Anti-Scam Centre ‘Targeting Scams’ Report – March 2025
[2] Scam Prevention Framework Bill 2024 - Revised Explanatory Memorandum para 1.7
[3] Revised Explanatory Memorandum para 1.61
[4] Revised Explanatory Memorandum para 1.115
[5] Revised Explanatory Memorandum para 1.17
[6] Revised Explanatory Memorandum para 1.313
[7] Revised Explanatory Memorandum para 1.8
[8] Scam Protection Framework Bill 2025 s.58FZC(1)
[9] Scam Prevention Framework - Digital Industry Group Inc submission 6 p.4