Risk Insight

Australia's bold Scam Prevention Framework Bill has been introduced into Parliament

By Jonathan Perkinson

15 November 2024

What you need to know

The Albanese Government introduced its Scams Prevention Framework (SPF) Bill 2024 (the Bill) to Parliament on 7 November 2024.
The Bill largely retains the scope, obligations, provisions and penalty and enforcement structures of the 13 September 2024 exposure draft as summarised here.
Revisions to the Bill from the exposure draft have been made for the purpose of simplification, clarification, removal of ambiguities and reconciliation of compatibility with other areas of regulation.
The Bill will take immediate effect upon ascension, but the timing of the Bill and the accompanying industry codes which will provide further important industry guidance remains unclear.

What you need to do

Carefully consider and understand the proposed reforms and the associated obligations, as the Bill imposes tough penalties for non-compliance.
Consider what systems and controls may need to be implemented to address the requirements set out in the Bill.
Undertake a gap analysis of systems and controls, and develop plans for closure of gaps and compliance across the interim period.
Review scam datasets which may be requested by regulators for completeness and indications of current framework elements which are not operating within performance targets.
Update Board and senior management of the Bill's progress and the anticipated impact on your business.

Our take

The scope and thrust of obligations under the Bill have largely remained consistent with the September 2024 exposure draft and November 2024 consultation paper on Scams – mandatory industry codes. This suggests provisions are unlikely to materially change, enabling regulated entities to progress planning with confidence.
The Bill enhances the definition of a scam to include a series of conduct that may interact with other regulatory frameworks such as electronic payments and financial crimes. As a result regulated entities will need to plan for how they will identify and manage scam attempts and events subject to multiple areas of regulatory obligation.
The initial annual certification period has been revised as within 7 days of 12 moths of designation as a regulated entity (as opposed to 7 days following the entity's financial year end). This allows all regulated entities 12 months to certify their SPF compliance, but may not align to the entity's year end.
Businesses do not need the Bill to tell them to take reasonable steps to protect consumers. Existing EHF (efficiently, honestly and fairly provision of financial services), FAR (Financial Accountability Regime) and operational resilience obligations have applicability to scams. Regulators are increasingly focused on scams and actively requesting data to understand how regulated entities are performing.
The Bill introduces concepts for proportionate liability where more than one regulated entity is involved in a claim. In practice it may be challenging to administer and determine proportionality of claims across regulated entities.
The Bill has removed an obligation for regulated entities to publish information to consumers about the steps it is taking to protect them. This removal will serve to deny scammers information that may be misused to circumvent SPF systems and controls.

Context

An alarming number of Australians are impacted by scams. As our society has become more used to remote interactions in a post-COVID world, Australia has witnessed a related rapid increase in scam activity.

Lawmakers and regulators across the globe are adopting differing approaches to protect consumers from harm.

Whilst there are still changes to come, Australia has taken significant steps to shape an ecosystem approach where businesses and government work together to share information and work collaboratively to disrupt scams. Ahead of the SPF Bill, regulators are taking an active interest in the frameworks and performance of anti-scam measures at regulated entities.

Overview of the SPF Bill

The core features of the SPF Bill establish its scope, obligations applying to regulated entities, and oversight and penalty regim

SPF Bill

It can be observed that the principles and obligations set forth in the Bill are largely comprised of elements that follow from existing regulatory and societal expectations. Regulated entities already operate under regimes that call for the exercise of reasonable duty, diligence and care in protecting customers from harms such as scams. The report pillar will extend current regulatory obligations to establish active exchange of scam intelligence with SPF regulators, but obligations established within other pillars largely serve to formalise existing regulatory requirements.

Keep on the radar

Entities across delegated sectors have already been investing heavily to lift their scam prevention frameworks, and are at differing stages of progressing their anti-scam strategies. Based on our experience with other areas of regulatory intensity, we recommend keeping certain key areas in focus:

Record keeping and reporting – We are seeing an increase in regulatory requests for scam-data in the form of reports and complaints. We recommend entities review their scam record keeping to ensure the entity is confident in the completeness of its reporting, and comfortable that the entity is across its performance trends.
Reasonable steps – Entities are already operating under the regulatory expectation that the entity is taking reasonable steps to investigate scam activity in a timely manner and do what is necessary to reduce the risk of further consumer harm. We recommend entities review their systems and controls for guiding the reasonable steps taken and keep defensible records of key judgments.
Executive accountability – Entities will need to finalise planning for executive accountability for scams, and develop the frameworks required to support the senior officer's certification that the entity's framework is compliant.
Vulnerability and hardship – Scams intersect regulatory interest in protecting vulnerable customers and supporting customers in hardship. We recommend entities review these intersections in order to confirm that required information flows and controls are hard-wired into relevant systems and controls.

Want to know more?

The long awaited Scam Prevention Framework is here! (02 October 2024)
ASIC finds Australian banks' scam detection, prevention and response practices to be 'less mature than expected' (27 August 2024)
What will be keeping in-house litigation teams at banks busy in the year ahead? (22 January 2024)
Changes to the Contingent Reimbursement Model Code and the continued focus on APP fraud (17 February 2023)

Authors: Jonathan Perkinson

Ashurst Risk Advisory Pty Ltd (ABN 74 996 309 133) is part of the Ashurst Group. The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners acting in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services. For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com.

This material is current as at 15 November 2024 but does not take into account any developments after that date. It is not intended to be a comprehensive review of all developments in practice, or to cover all aspects of those referred to, and does not constitute professional advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.

The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.