The Scams Prevention Framework Bill 2024 establishes a world‑leading and whole‑of‑ecosystem approach to combat scams in the Competition and Consumer Act 2010.
This Bill will lift obligations on industry, enable enforcement action by regulators, and deliver strong protections for consumers.
It will make Australia one of the toughest places in the world for scammers to operate.
The Human Impact of Scams
Over the last 2 years, I have talked to thousands of Australians across the country.
In every room, so many have been touched by the scourge of scams.
Allow me to share some of these stories:
Investment scams
Mark received advice from what he thought was a legitimate financial advice advertisement which encouraged him to invest in cryptocurrency.
Mark was directed to set up multiple accounts to transfer his investment into. After 3 payments, he started to get concerned that nothing was appearing in his cryptocurrency account.
He was told he had insufficient funds in the account so needed to make another payment for the crypto to appear.
It was only then that he realised that he’d had over $5,000 stolen by criminal scammers.
Romance scams
Sam had thousands of dollars stolen in a romance scam. They met online before quickly moving to communicating by text and email.
The criminal scammer claimed to have been locked out of his bank account and needed urgent funds as his sister had been rushed to hospital.
It was only after transferring more than $14,000 that Sam realised that the scammer had been impersonating someone else.
The money was stolen with limited hope of getting anything back.
Online Scams
Nick found a vehicle advertised online and contacted the seller to make arrangements to purchase.
The criminal scammer sent a through an official‑looking invoice and payment details and Nick transferred $18,000 to purchase the car.
The car was being shipped from interstate and the arrival date came and went without a car in sight.
The money was stolen with limited hope of getting anything back.
These stories, and thousands like it, are the product of a non‑existent legal framework which has abandoned consumers and does not require businesses within the scams ecosystem to disrupt and prevent scams.
The Scale and Nature of the Problem
These stories point to a criminal pandemic with deep economic and social consequences. It is not a new problem. Losses had been increasing every year since 2016. They became supercharged during the pandemic.
In 2021, scam losses increased by 84 per cent.
In 2022, an extraordinary $3 billion was lost to scammers – a 75 per cent increase on the previous year.
When the Albanese government came to office, scams were out of control and urgent action was needed. A business‑as‑usual approach could have seen losses approach $6 billion on their trend at the time.
We moved quickly to establish the National Anti‑Scam Centre, a Sender ID registry, and a website take‑down capacity with ASIC.
The early results are good. In 2023, scam losses did not increase as they had under the previous government. In fact, they decreased for the first time in nearly a decade to $2.74 billion – but this is still an extraordinary amount stolen by scammers.
Some people still think of scammers as conmen peddling easy-to-spot schemes.
In this framing, it is convenient to blame the victims for falling for ‘obvious’ scams.
However, this is an outdated view. Scams have become industrialised and promulgated by sophisticated, transnational criminal operations.
I want to give a sense of the magnitude and industrialisation of these operations. In May this year, a report prepared by the ASEAN‑Australia Counter Trafficking program looked at the relationship between human trafficking, forced labour and the cyber‑scam industry in Cambodia, and found:
‘As many as 100,000 people from around Asia, and as far away as East Africa, are trapped in cyber‑scam compounds around the country. In these guarded compounds, thousands of individuals, many of whom are recent university graduates, are forced to engage in cybercriminal activities, ranging from romance and cryptocurrency scams to online gambling and fraudulent investment scams, for up to 16 hours per day’.
The criminals do not discriminate. There are scams targeted to specific demographics: ticket scams for concert goers, investment scams for retirees – but there are scams across the entire spectrum of age, education and socioeconomic status.
If you have a phone, an email address, a social media account, or a bank account, you are a target.
International Response
International criminal activity of this scale requires a coordinated international response, and we have prioritised our relationships in this area.
Earlier this year, I attended the first international summit convened in the United Kingdom. Signatories to the communique from that summit committed to working together to improve our cooperative efforts, including in the areas of intelligence sharing and money recovery.
I have followed this up in our region, including in a recent visit to Singapore with our colleagues from New Zealand and from the banks where we met with regulators, the Singapore Anti‑Scam Centre, digital platform providers and a range of other key stakeholders.
We exchanged information and ideas on regulatory and law enforcement responses to the challenge.
These are all important initiatives.
But there are limitations to a traditional law enforcement.
The Scams Prevention Framework Bill
This Bill sets out what we must do at home.
This Bill is about prevention – and has the consumer at the centre of it. It looks across the entire scams ecosystem which has a requirement to take the fight to scammers. The best approach is to protect a consumer from a scam before it happens.
It also provides clear pathways for redress if a victim is scammed.
The Albanese government believes the government must play an active role in keeping Australians’ money and information safe.
The first phase of our work – establishing the National Anti‑Scam Centre (NASC) – is an investment in consumer protection infrastructure to bring together the expertise and capability of government agencies, law enforcement and the private sector to detect, disrupt and prevent scams. The NASC is a function operated within the ACCC. It will have a key role as an information exchange in the operation of the new framework.
This Bill is the next step. It establishes the legal framework setting out the legal obligations for business. The Scams Prevention Framework – the SPF, for short – will drive a significant uplift in the obligations and expectations on businesses to keep the Australian community safe.
Key features of the Scams Prevention Framework (SPF) include:
- the SPF principles that apply to regulated entities
- provision to establish sector‑specific codes that apply to regulated sectors
- strong, active regulator oversight
- clear dispute resolution procedures, and the ability to set guidelines for apportioning liability between parties where they have not met their obligations
- strong enforcement powers and penalties for breaches by regulated entities
The definition of scams
Preventing scams means understanding the nature of the threat. Scam activity is quickly evolving and becoming increasingly sophisticated and diverse. There are many different methods scammers use to harm the community.
The Bill recognises this in the definition of scams, by setting a broad definition to capture the wide range of activities which may form part of the deceit and manipulation used by scammers. They are deceptive attempts to engage a consumer, which if successful would cause loss or harm, such as by obtaining personal information or financial benefit, from the consumer or their associate.
The SPF seeks to stop scammers at every step of their deceptive activity, and therefore captures both successful scams which have caused loss or harm, and scam attempts which have not yet resulted in loss or harm.
Who is protected?
The Bill is about protecting consumers, broadly defined. This includes people or small businesses that are provided services by regulated businesses in Australia, as well as people ordinarily residing in Australia that may use a service outside of Australia, where that service is provided by a regulated entity in Australia.
Who are the Regulated Entities?
On a number of occasions, I have described our prevention approach as whole of eco‑system. This is an important concept in the preparation and operation of these laws. Our banking system is part of that ecosystem, but there is much more to it.
In December last year the peak international body for Consumer Organisations issued a statement which called on governments to take this approach:
‘We are calling on governments to ensure adequate protection against the growing risks of scams on technology platforms. governments should require platforms to take effective action in the prevention, disruption and detection of scams, which should be continually improved. There should be significant consequences if technology platforms fail to meet the following essential requirements...’
The essential requirements include measures, disruption strategies and response and support for victims. The statement is endorsed by the Australian Consumer organisations Choice and the Consumer Action Law Centre.
The government agrees. The SPF will do this.
Just last month the UK’s peak consumer body called on their government to implement a cross sectoral scams and fraud reporting framework. A framework that joins up intelligence from government, telco, banking and social media sources.
The government agrees. This is what the SPF will achieve.
The scam ecosystem looks at the environment in which scams are generated, how they are transmitted, how they reach their intended victim and the location of the money or information which is the end goal of the criminal.
While scam techniques will change over time, they are overwhelmingly distributed through a publication on a social media platform, a call or message sent over the telecommunications network, and a transaction through a bank account.
We understand that the vectors and targets of scam activity will change over time. This is why the Bill provides for the responsible Treasury Minister to designate a sector of the economy that will be subject to the obligations of the Scam Prevention Framework.
Once a sector is designated, the Minister will be able to make an enforceable SPF code that provides the designated sector with prescriptive obligations tailored to that sector.
The government will designate telecommunication providers, banks and digital platform services relating to social media, paid search engine advertising and direct messaging initially.
Each of these sectors represents a significant vector of scam activity.
The SPF is responsive and adaptable, enabling other sectors to be designated in the future. We have put the superannuation, insurance and cryptocurrency industries on notice that they will be fast followers.
They do not have to wait for government designation to start the work on improving consumer protections.
SPF Principles
The SPF principles set‑out requirements for regulated entities to implement governance arrangements to combat scams and take reasonable steps to prevent, detect, report, disrupt and respond to scams.
SPF Principle 1: Governance. Regulated entities must document and implement policies, procedures, metrics and targets for combatting scams.
SPF Principle 2: Prevent. Regulated entities must take reasonable steps to prevent scams. This is aimed at stopping scams from reaching or impacting consumers.
For banks, this could mean enhanced verification procedures, such as confirmation of payee for transactions. For digital platforms, could require strict advertising policies and require them to verify and validate the advertiser. Is the business legitimate? Is the person placing the ad an authorised representative of that business? If this cannot be validated – then no ad will be able to be placed.
SPF Principle 3: Detect. Regulated entities must take reasonable steps to detect scams both as they are happening and after they have happened. This may include implementing systems and processes to identify suspicious activity, timely investigations of actionable scam intelligence and identifying consumers that may be impacted.
SPF Principle 4: Report. Regulated entities must share actionable scam intelligence with the Australian Competition and Consumer Commission (ACCC), who may then disclose that information to other parties including other regulated entities, regulators, and law enforcement to drive timely disruptive action in response to scam activity.
The Bill makes clear that actionable scam intelligence covers information where it is reasonable to suspect that a communication, transaction or other activity is conduct related to a scam.
SPF Principle 5: Disrupt. Regulated entities must take reasonable steps to disrupt an activity suspected of being a scam and prevent losses to consumers.
The legislation provides a 28‑day protection (a safe harbour) for regulated entities taking proportionate action to disrupt scams in good faith. The safe harbour protection enables timely and decisive disruptive action, whilst setting clear guardrails and parameters to ensure third parties are protected from ongoing disruptive action where they are not involved in scam activity.
Detecting and disrupting scams will require investment in advanced monitoring systems and prompt content removal or other relevant disruptive action. It will also involve providing consumers with better education and awareness activities.
SPF Principle 6: Respond. Regulated entities must have an accessible way for consumers to report scams, raise a complaint about a scam or about the regulated entities conduct relating to scam activities.
Internal dispute resolution processes are intended to provide regulated entities with an opportunity to assess their conduct and resolve the consumer’s complaint in a timely manner.
Regulated entities must have regard to processes prescribed by the SPF rules and any guidelines for apportioning liability arising from the complaint.
Regulated entities must also be a member of an external dispute resolution scheme authorised by the Minister which provides consumers a pathway to escalate scams related complaints.
The government has announced that it intends to authorise the Australian Financial Complaints Authority (AFCA) as the single external dispute resolution scheme for the 3 initial sectors to offer an independent, free, impartial and fair mechanism for consumers to escalate their complaints. AFCA will be required to report serious and systemic scam issues to regulators, as well as report circumstances where parties fail to give effect to a determination in a complaint case.
This will provide clear reporting channels and support for victims. It will also embed transparency and accountability in the process.
Codes
The SPF principles will be supported by SPF codes tailored for each regulated sector.
An SPF code will set out detailed obligations specific to a regulated sector. This recognises that each regulated sector faces unique challenges with respect to scams and enables obligations to reflect those relevant circumstances.
The obligations in an SPF code are not intended to be an exhaustive list of requirements that an entity must follow to comply with SPF principles.
SPF codes create only minimum standards for that sector, which an entity may be required to go beyond to comply with the SPF principles where it is facing a specific, targeted, and heightened risk of scam activity related to its regulated services.
Regulation and Enforcement
The Bill establishes a multi‑regulator model for regulation and enforcement which recognises existing regulatory relationships and the existing roles and expertise of various regulators which is valuable for the effective administration of tailored sector obligations.
The ACCC will oversee and enforce the SPF principles as well as the digital platforms SPF code.
The Australian Securities and Investments Commission (ASIC) will oversee and enforce the banking SPF code.
The Australian Communications and Media Authority (ACMA) will oversee and enforce the telecommunications SPF code.
The Bill imposes strong incentives for regulated entities to prevent, detect and deter scams. Maximum civil penalties – which are currently set at over $50 million per breach – may be imposed in regard to obligations where breaches would be the most egregious and have the most significant impact on consumers.
High penalties are intended to be an effective incentive for compliance across all sectors of the economy and provide a deterrent where higher possible gains could be made by regulated entities by breaching the SPF.
Regulators will also be able to use other compliance tools such as infringement notices, enforceable undertakings, injunctions, public warnings and remedial directions. Additionally, regulators could seek redress for harm or damages on behalf of victims where they pursue court action for the breach of an obligation (s58FZC(2)).
Consumers can also bring claims in court to recover loss or damages, where this occurs courts will be able to consider the role of multiple service providers connected to a scam and apportion liability between them. Courts are required to prioritise payment of redress to the scam victim over payment of penalties for breaches (s58FD).
The SPF is being introduced as part of a broader effort to modernise Australia’s laws for the digital age and consumer protection agenda. This includes reforms to Australia’s:
- privacy laws
- payment systems modernisation
- money laundering and cyber‑security settings
- online safety measures
- safe and responsible use of artificial intelligence
- product safety standards
- unfair trading practices
- the Digital ID system.
This Bill will also support the government and industry in international engagement and collaboration by enabling the sharing of scam intelligence across regulated entities, law enforcement and regulators in Australia, and supporting international enforcement action to disrupt illicit scam activities.
Finally, the Legislative and Governance Forum on Corporations was consulted in relation to the Bill and has approved them as required under the Corporations Agreement 2002.
Full details of the measure are contained in the Explanatory Memorandum.