Explainer: Australia’s New Scam Prevention Framework

With Australians reporting approximately $4.7 billion in losses to scams ^[1] in the period covering 2023-24, concerns about the consumer harm arising from scam activity remains a hot-button issue in Australia’s digital regulation landscape. This is despite industry-specific efforts to combat scam activity over recent years.

Against that backdrop, on 13 February 2025, Federal Parliament passed a Bill to amend the Competition and Consumer Act 2010 (CCA) and introduce a new scam prevention framework (SPF). The SPF is designed to combat scam activity through a new regulatory toolkit that imposes a range of obligations on businesses in the telecommunications, digital platforms, and banking sectors (at least to begin with). In this article, we provide a brief overview of how the SPF will operate.

Background

The Scams Prevention Framework Bill 2024 (Cth) (SPF Bill) was introduced in response to what the Government saw as ‘piecemeal and inconsistent’ protections^[2] against scams across different sectors.   The SPF Bill establishes a general framework that can be applied to any business sector, but at least initially will prioritise those sectors that are perceived to present the greatest risk to consumers.

While telecommunications providers are subject to a co-regulatory framework and have been operating under a registered industry code since 2020, other sectors are not subject to formal regulatory obligations and scam mitigation initiatives have been on a largely voluntary basis.  Following a public consultation late last year, the SPF Bill was passed by both houses of Parliament on 13 February 2025.

In the telco sector, there has been considerable debate about the best methods of combatting scam, and the threat of scam has been raised (rightly or wrongly) in debates about the Numbering Plan, the SMS Sender ID Register and the ACCC’s inquiry into declaration of certain telecommunications services.  However, the SPF Bill has been largely met with support from both regulators and industry participants including Communications Alliance which was responsible for preparing the Reducing Scam Calls and SMs Code which applies to telecommunications providers. 

The SPF Bill is also being introduced at a time when the Government is considering new measures to enable Australia’s telecommunications regulator to directly enforce contraventions of registered industry codes relating to telecommunications providers (on which we have previously written here).

What is a ‘scam’ under the SPF?

The SPF Bill is ‘deliberately broad^[3] and s.58AG defines a scam as a direct or indirect attempt (whether successful or otherwise) to engage an SPF consumer in a way that it would be reasonable to conclude that the attempt:

• involves deception; and
• would, if successful, cause loss or harm.

What does the SPF set out to do?

The SPF is an overarching framework administered by the Australian Competition and Consumer Commission (ACCC) as the SPF General Regulator.  The Framework establishes six general principles that will apply to businesses in regulated sectors.  Regulated entities must comply with these overarching principles (SPC Principles) as well as sector specific codes (SPF Codes).

These principles are set out in the table below:

How will the sector-specific SPF Codes work?

When published, the SPF Codes will set out detailed and sector-specific obligations relating to the SPF principles (excluding the reporting obligations under SPF Principle 4)^[4]. The explanatory memorandum suggests that SPF codes will only create ‘minimum standards,’ which an entity may be required to go beyond to comply with SPF principles^[5]. The SPF codes will be sector-specific, and the explanatory memorandum suggests some SPF codes will only apply to certain regulated entities within a sector^[6].  For instance, in the telecommunications sector, an SPF code may impose different obligations on carriage service providers compared to transit carriers. 

Who must comply with the new SPF?

The Minister can designate specific sectors (regulated sector) that the SPF will apply to. Individuals or businesses (regulated entities) providing services (regulated services) in a regulated sector in Australia must comply with SPF obligations.

The Federal Government has indicated that the following sectors will be designated as ‘regulated sectors’ from the outset:

• telecommunications services;
• banking services;
• digital platform services related to social media, paid search engine advertising and direct messaging.^[7]

Before designating a specific sector, the Government must consider, among other things, the effectiveness of existing industry initiatives to address scams in those sectors.

Who does the SPF seek to protect?

The SPF is aimed at improving scam protections for individuals and small businesses, both of which are considered to be a ‘SPF consumer’. Regulated services provided to any SPF consumer are subject to the SPF. Similar to the unfair contract terms regime of the Australian Consumer Law, a small business will be an SPF consumer where it has a principal place of business in Australia, fewer than 100 employees and a turnover of less than $10 million.

Importantly, the SPF will also capture services provided outside Australia by regulated entities when the consumer in question is ordinarily an Australian resident.

Can scam victims seek compensation?

While some consumer organisations had pushed for a similar approach to that adopted in the United Kingdom, under which victims of scams will be mandatorily reimbursed for any financial losses, this approach has not been adopted in Australia.

The SPF does however provide some means for scam victims to seek redress:

• regulated entities must provide an accessible and transparent internal dispute resolution (IDR) mechanism;
• where IDR fails to resolve dispute, aggrieved SPF consumers can use a single SPF External Dispute Resolution (EDR) scheme, which will likely be administered by the Australian Financial Complaints Authority (AFCA); and
• SPF Consumers, and regulators acting on their behalf, can seek to recover loss or damages from regulated entities through court action^[8].

Are there civil penalties?

Contraventions of any obligations contained in the SPF Principles and SPF codes will attract significant financial penalties.

The maximum civil penalty will vary depending on whether the contravention is a Tier 1 civil penalty or a tier 2 civil penalty.  For bodies corporate, Tier 1 civil penalties will not exceed the greater of 159,745 penalty units (currently $52,715,850), 3 times the benefit obtained, or 30% of adjusted turnover if benefit value is undetermined.  These apply to contraventions of civil penalty provisions of Principles 2, 3, 5 or 6 of the SPF.

Whereas tier 2 civil penalties (for body corporates) will not exceed the greater of: 31,950 penalty units (currently $10,543,500), 3 times the benefit obtained, or 10% of adjusted turnover.  These will apply to contraventions of civil penalty provisions of an SPF Code or Principles 1 or 4.

In addition to civil penalties outlined above, there are other administrative enforcement tools available including:

• infringement notices;
• enforceable undertakings;
• injunctions;
• actions for damages;
• public warning notices;
• remedial directions;
• adverse publicity orders; and
• other punitive and nonpunitive orders.

Who will enforce it?

Compliance with the SPF Principles will be monitored, investigated and enforced by the ACCC (designated as the lead SPF Regulator). The SPF Bill permits other regulators to take the lead in enforcing compliance with industry-specific SPF codes. For example, the Australian Securities and Investments Commission (ASIC) will be responsible for enforcement of the banking sector’s SPF Code while the Australian Communications and Media Authority (ACMA) will enforce for the telecommunications sector’s SPF code.

How has it been received by industry?

The new laws have been largely welcomed by the telecommunications and banking sectors, alongside AFCA. Digital industry associations however have voiced concerns with reforms, arguing that the banking sector should be bear a greater regulatory burden than other sectors as “100% of scams involve a financial service”^[9].

What’s next?

Now that the SPF has received Royal assent, attention will turn to the legislative rules, including:

• the confirmation of which sectors of the economy will be ‘designated sectors’ and subject to the SPF principles;
• consultation on exposure drafts of the proposed sector-specific SPF Codes; and
• development of the SPF Rules.

Since banks, telecommunications companies, and digital platform service providers are expected to be designated sectors, businesses in these areas should strengthen their existing strategies and frameworks related to scams in preparation for increased compliance and enforcement measures.

If you require further information or would like to discuss, please contact Thomas Jones, Matthew Bovaird, Patrick Cordwell, or Dylan McGirr.