Introduction
I would like to acknowledge the Wurundjeri people of the Kulin Nation as the traditional custodians of the land on which we gather today.
I pay my respects to their Elders past and present, and I acknowledge any First Nations Australians in attendance.
Thank you to our hosts today at Maurice Blackburn and to all of you for being here in attendance.
No one here needs to be convinced of the devastating impact of scams on Australians.
And I believe you want to be part of the solution of protecting Australians to help keep their money safe.
Four weeks ago, we took a significant step forward in that goal.
The Scams Prevention Framework –
The legislation that establishes a consumer‑focused defence against scams –
Will make Australia one of the toughest targets for scammers.
Many of you have been working constructively with our Treasury colleagues over the last few weeks.
I thank you for your input on this vital piece of economic reform.
I have personally engaged representatives from consumer groups, the Telecommunications sector, the Digital Platforms sector, the Banking sector, and potential future sectors.
These conversations have provided valuable insight into how the proposed framework will integrate into the ecosystem.
And I want to express my thanks to the Treasury team that are right now poring over your written submissions and processing your feedback.
Your feedback will help ensure this is a strong framework that actively prevents scams reaching potential victims.
And your engagement reflects the fact that we all bear the cost of scams.
Because while the digitisation of the economy has brought significant benefits –
The threat of scams can bring that all undone.
The digital economy has opened new markets.
Generated productivity gains.
And changed the way we work and live.
We can expect the pace of change to accelerate.
Now this change can be good.
And we want to encourage, unlock and spread the benefits of the digital economy.
But there are vulnerabilities.
And that means there is a premium on the role of government and business to keep Australians safe.
Because if Australians lose trust and confidence in the digital economy, we all lose.
This is why the government has a significant program of work underway to keep consumers safe.
The review of the Privacy Act seeks to bring it into the digital age.
It will impose higher standards on business to ensure they are keeping customers’ data safe.
We are looking at the way businesses store data –
What data they collect.
Why they collect it.
How they store it.
And how long they need it.
Our Digital ID System establishes a simple and secure means for consumers to verify their identity online.
And reduces the quantity of identity information that businesses and government need to collect and store.
Our National Cyber Security Strategy is helping to strengthen our resilience across the economy.
And improving our defence against cybercriminals.
Rejecting the status quo
All of these initiatives – and others – are designed to ensure that there is trust in our digital infrastructure.
But this unravels without a strong and coherent defence against scams.
This is critical and core economic policy.
This attitude alone differentiates us from our predecessors.
Scams exploded under them.
Losses in 2021 were double the losses in 2020.
Losses in 2022 were double the losses in 2021.
Doubling and doubling again.
In their final year in office, scam losses had reached $3 billion.
This was not just bad luck.
It was the product of a government that was asleep at the wheel.
And consumers paid the price.
We wholeheartedly reject this approach.
When the perpetrators are off‑shore
When thinking about the right approach to take, it has been often suggested to me that the answer is beefing up our law enforcement –
More police out there arresting the bad guys.
And it is true that law enforcement is part of the solution.
But it has its limitations.
Particularly when we know that the majority of these criminals are operating offshore –
Often in places where traditional law enforcement can’t reach.
And we are working with our international partners to improve cooperation and efforts in this area.
But more needs to be done at home.
So what to do.
Doing nothing is not an option.
And traditional approaches are severely limited.
Protecting consumers through prevention
Well, we can start with the principle that prevention has to be the goal.
As with other harms, prevention is better than cure.
We can’t wait until a victim is scammed.
The emotional and financial cost is too much to let that happen.
So we need to bring all of our capabilities to bear on having a wall of separation between scammers and their targets.
We also need to recognise that scammers will target the weakest link.
Many scams involve players across the economy.
A text message.
A social media ad.
A bank transfer.
We can put all our efforts into plugging one hole.
And the scammers will just find another way to their victim.
So we need to work together with urgency.
This is why our first actions were to build the infrastructure to take the fight to scammers.
Building government capacity – 3 key measures
Last year, we established the National Anti‑Scam Centre, which provides a necessary layer of defence for Australians.
It enables better reporting of scams for earlier intervention.
Near real‑time sharing of intelligence with banks, telcos, social media, and regulators.
It brings together the expertise and capability of government agencies, law enforcement and the private sector.
So that we can detect, disrupt and prevent scams.
We’re also cutting off the avenues for scammers directly.
Over half of reported scams originate from a phone call or a text message.
We have all been the recipient of the millions of scam messages bombarding Australians.
So we have also invested in an SMS ID Registry, and established a blacklist of phone numbers being used by scammers.
We are blocking an average of 1 million scam calls and 1 million texts per day.
We’re also beefing up the capabilities of our regulators.
We’ve built new functions for ASIC and the NASC to take down scam websites.
ASIC alone have already taken down over 7,300 phishing and investment scam websites through the last year, saving Australians millions of dollars. This is the government’s scams prevention infrastructure.
Information sharing.
Blocking the contact between scammers and their targets.
And getting on top of scam websites quickly.
And while it is way too early to claim victory, the initial results show the tide is turning in the favour of Australians.
Because of the first phase of our plan, annual scam losses declined in 2023 for the first time since 2016.
But there was still $2.74 billion lost.
So there is more to do.
With the infrastructure in place, we can take the next step –
Significantly raising the bar of obligations and expectations on business to keep their customers safe.
The Scams Prevention Framework legislation does this.
The Scams Prevention Framework
The Scams Prevention Framework is a whole‑of‑economy reform which will protect Australians from scams.
It will drive a significant uplift across the digital ecosystem.
The legislation creates new principles‑based obligations on industry to take reasonable steps to prevent, detect, report, disrupt, and respond to scams as well as implement strong governance frameworks.
These obligations are activated when the Minister, under the Act, designates a sector.
They are backed by strong regulator powers, penalties and remedies when businesses in a sector breach their obligations.
Beyond these general principles, the legislation also empowers the Minister to create sector‑specific codes which will set out specific obligations and deliverables.
These will be strong, legally binding measures which must be implemented by businesses within the sector to prevent, detect, report, disrupt, and respond to scams.
Protecting Australians from scams must be the shared goal.
And that protection will need to be tailored for each sector.
Because each sector has unique vulnerabilities that scammers seek to expose.
Sectors interact at different points in the scams chain.
So we’re not taking a one‑size‑fits all approach.
The codes will enforce specific obligations for each sector that lifts the standard.
Same goal.
Same high standards.
Specific, legally enforceable requirements for each sector that protect Australians across the ecosystem.
Initially, I will designate banks, telecommunication service providers, and a range of digital platform services, including social media.
This means they will need to meet obligations around talking preventative actions.
Examples of these obligations will include requirements on the banks to strengthen controls around transfers.
The banks will need to have in place mandatory confirmation of payee.
Digital platforms will need to implement verification measures for all new advertisers and taking down scam pages.
Telecommunication companies will be required to block known scam numbers.
This combines with the next phase of our investment in an SMS ID register.
In addition to blocking known scam numbers, telcos will need to check whether messages being sent under a brand name correspond with the registered sender.
If it doesn’t match, the number will either be blocked or the recipient will receive a warning.
This is good for businesses that want to legitimately communicate with customers.
And it’s good for Australians – taking our protections even further.
Cutting off the threat of scams early is paramount.
And so designated sectors will need to take steps to detect scams proactively.
Examples of this would include sharing information between sectors to identify threats.
And setting in place internal mechanisms to alert to the threat of high‑risk transactions.
Industry will also be required to report actionable intelligence to the ACCC.
Such as phone numbers, bank accounts, advertisements and other relevant information which can enable action.
Better and earlier information is crucial to stopping the scammers from harming Australians.
Taken together, the framework will provide the toughest safety obligations owed to a customer by a business anywhere in the world.
The pathways for redress within the framework
The Scams Prevention Framework will be a landmark reform for consumer protection.
We only need to consider what currently exists to see how big a shift this framework is.
Take a victim who was scammed through a social media platform.
There is no clear prevention standard to which the platform can be held accountable.
There is no mandatory internal dispute resolution procedure to raise the complaint.
There is no external dispute resolution process.
There may be access to court proceedings, but the lack of clear obligations under current laws means the cause of action is limited or not existent.
Victims who seek to raise a complaint against a telco are in a slightly better position, but only just.
This sector is required to have an internal dispute resolution process.
If they fail to resolve the matter there, they have access to the Telecommunications Industry Ombudsman.
Yet there is limited obligation to report or communicate scams to consumers.
It’s a similar story for someone bringing a complaint against a bank.
Bank clients have access to internal dispute resolution process.
If that does not resolve the issue, they can apply to AFCA.
If the payment was not authorised, AFCA may award compensation.
Where the payment has been authorised, but through the deception of a scammer there is little in the way of obligations to support the claim.
AFCA can apply the principle of fairness and efficiency as required by the corporations law, but this is of limited utility.
In fact, the general law supports the principle that a customer may direct their bank to make payments on their behalf and the bank must follow those directions.
There are many problems here:
The obligations on the businesses to protect customers from scam activity are at best uncertain but at worst non‑existent.
The avenues for redress are at best uncertain but at worst non‑existent.
The ability of a regulator to enforce a higher standard of safety is at best uncertain but at worst non‑existent.
Our redress pathway addresses each of these shortcomings.
The new law will require businesses to have an internal dispute resolution process.
It sets new standards of what businesses are required to do to keep their customers information and money safe.
It provides a mandated IDR and EDR process – including in sectors where none currently exist.
This is what it means to respond –
To have accessible and transparent dispute resolution processes.
It also establishes clear obligations and regulatory responsibility –
The ACCC as the system‑wide and digital platform regulator.
ACMA as the telecommunications regulator.
ASIC as the banking regulator.
It also provides consumers and regulators with judicial remedies – which for the most part do not currently exist for the scam activity that the framework will tackle.
In short this is a significant uplift in both obligation and remediation available to consumers and regulators.
When legislated it will provide the most comprehensive set of mandatory obligations in any country in the world.
Automatic reimbursement model
Some people also think we should put this all on the banks to pay compensation.
No fault, no questions.
I understand the motive behind this call.
But I worry that a significant beneficiary of this approach would be criminal scammers.
So let me just step through the government’s concerns with this approach.
The first problem is that it does not require proactive steps to prevent the scam from occurring in the first place.
The second problem is that it detaches liability from fault.
Throughout our legal system, we operate on the basis that compensation is preceded by establishing fault –
That a person who could and should have taken steps to prevent a harm did not.
Our legislation will set the standard for fault – a standard which does not exist today.
If an institution does not meet the standard at law, they absolutely should be held responsible for the financial loss of a victim.
So we actually need this legislation to provide pathways for compensation.
I’m also cautious when someone says that a ‘bank’ should just pay compensation.
What that often translates to is the customers of the bank paying higher costs.
We at least need to be honest about this flow‑through impact.
But what is perhaps the most concerning weakness of this approach is that it does not reflect the threat of scams.
Scams usually don’t originate at a bank.
They originate somewhere else in the economy – a telecommunications network or a social media platform.
If we are to be serious about prevention, then we must look upstream.
Our solution needs to be multi‑sector.
If we put this all on one sector, the scams won’t stop.
Scammers are sophisticated and will expose the weaknesses in the system if we only plug one hole.
Everyone needs skin in the game.
If there is fault that has occurred on a digital platform and a bank, they both should be held responsible.
In fact, I find it unconscionable that there would be liability on one business for a scam that another business profits from.
Take the very common example of the puppy scam that exploded during the pandemic.
These ads are commonly placed on a platform like Facebook Marketplace.
Scammers have stolen tens of thousands of dollars from victims of these scams.
But Meta has also received a revenue stream from the advertising revenue.
How is it fair that a bank – perhaps a very small bank – is held liable, while Meta – one of the largest companies in the world – gets off scot‑free?
How is this going to reduce scams?
This is a model advocated by businesses who want to avoid responsibility.
We disagree and think it’s quite simple.
Prevention must be the goal.
We need to lift the standard of the whole of industry, not just one sector.
And if industry does not meet the standard, then they absolutely need to provide redress for a victim.
This is fair for the consumer.
So the framework enables the government to set strong obligations that make prevention a realistic goal –
It sets a clear standard for industry to meet with clear financial penalties for failing –
And it protects Australians.
This will drive meaningful action.
The Scams Prevention Framework legislation will give us another strong asset in the fight against scammers.
We will start with the banks, telcos and social media companies.
But the design of the framework is intended to enable expansion into future sectors, where we see greater scam activity.
And I want to put all sectors on notice.
Don’t wait to be told to do more.
You owe it to Australians to do more.
And if that isn’t enough, then it is in your interests to do more too.
Conclusion
And it is the government’s commitment to make Australia one of the hardest targets in the world for scammers.
Our plan involves strong obligations.
Clear consequences for failures to prevent scams.
And putting consumers first.
This is how we work together individually and collectively to keep Australians’ money safe.