Risk Insight

Scam Prevention Framework Consultation Closes

    What you need to know

    • The Scams Prevention Framework (SPF) Bill 2024 (the Bill) has been referred to the Senate Standing Committee on Economics (the Committee), whose report is due back to the Senate on 3 February 2025. The Committee opened a consultation period for written submissions on the Bill, which closed on 9 January 2025.
    • A range of industry bodies, consumer protection groups, regulators, businesses and individuals provided submissions which are publicly available and which the Committee will now consider in preparing its report back to the Senate.
    • The submissions provide important insights as to the sentiments of stakeholders towards the Bill and any elements of concern from the represented stakeholder group.
    • The extent to which submissions will ultimately result in significant changes to the Bill's drafting is unclear. The timeline for passing the Bill in such final form is also unclear, although based on existing levels of bipartisan support we continue to expect the Bill to pass in 2025.

    What you need to do

    • Whilst the Bill progresses, ensure your business has thoughtfully considered and documented the reasonable steps it will take now and in the future to address scam activity in the context of the business and the scam risk faced by its consumers.
    • Take a fresh look at historical consumer scam reports in order to consider if the business is responding in the timeframes and with the diligence expected. Regulators are not waiting for the Bill to take action against businesses that fail to respond to consumer scam reports with due speed and skill.
    • Consider whether the business has deployed sufficient scam analytics and trend monitoring to identify when the threat profile has changed in order to respond accordingly.

    Summary of consultation feedback

    The SPF Bill encapsulates a novel, multi-faceted and comprehensive principles-based approach to harden Australia as a target for scammers. Because of that, it is no surprise that a wide range of feedback, including sometimes conflicting feedback, was shared by a diverse group of stakeholders.

    We provide a summarised version of selected response feedback herein:

    • Support for the overall objective – All responses signalled their overall support for the objective of hardening Australia as a target for scammers and their commitment to playing their part. Concerns flowed where respondents found the Bill to lack sufficient clarity or left important provisions to be deferred for inclusion in the subsequent industry codes.
    • Reasonable steps – A number of responses expressed concern about the principles-based obligations subject to a reasonable steps test contained within the Bill. Those respondents requested detailed guidance by sector of the activities that would constitute reasonable steps.

    Responses also observed that some businesses who would be designated under the code may not have the ability to take reasonable steps with respect to certain obligations. For example, a small internet service provider (ISP) may have limited ability to prevent scam activity because it has a limited ability to observe internet traffic.

    • Primary versus subsidiary legislation – Certain responses advocated for more comprehensive obligations in primary legislation (the Bill) in order to drive consistency in obligations across designated sectors.

    In contrast, other responses sought to reduce or remove outright guidance in primary legislation in favour of placing guidance in subsidiary legislation (industry codes) in order to recognise the important differences in the nature of services and scam threats faced by different sectors.

    A significant number of responses were concerned at the prospect of a business meeting its obligations under the relevant Code yet being found by the general SPF regulator not to have met its obligations under the Bill. Respondents have called for one set of obligations and one regulator that they must satisfy in achieving compliance for a particular business.

    • Data sharing and privacy – Multiple responses observed that the bar for classifying a scam report as actionable scam intelligence triggering a requirement to report has been set low in order to maximise information sharing, which could result in a large volume of low quality scam reports being shared (certain digital economy businesses receive large volumes of inaccurate or malicious scam reports).

    A number of responses expressed concern at the prospect of sharing actionable scam intelligence that may include PII. This concern is amplified by organisations with a global operating model who may be bound by privacy rules applying to extra-judicial data (such as the details of a suspected bad actor in an overseas jurisdiction). In contrast, other responses emphasised the criticality of being able to share PII with regulators and other private institutions where such sharing is justified to avoid further consumer harm.

    • Overlap in reporting – Multiple responses noted overlap in reporting requirements and thresholds for reporting a matter as a challenge. Existing reporting requirements vary by sector, but may include AUSTRAC suspicious matter reports (SMR), Australian Financial Crimes Exchange (AFCX) Fraud Reporting Exchange (FRX) and anti-scam intelligence loop. Additional reporting requirements may result from the National Anti-Scam Centre (NASC) and the ongoing and periodic reporting requirements of the SPF Bill.

    By extension, because scams will usually involve more than one designated business, the same event may be reported multiple times. The need to rationalise reporting thresholds and clarify what activity must be reported to what body and at what frequency was a thematic element across multiple responses.

    • Over corrections – Multiple responses expressed concern that risk-averse businesses may over-correct via actions such as takedowns, account suspensions or transaction delays which would block legitimate traffic and commerce.

    • Consumer redress – Responses thematically expressed concern related to the administration of a multi-party liability regime which might result in contentious and drawn out redress outcomes.

    Examples are given where a consumer reports a successful scam to one designated business but a different designated business involved in the scam chain exhibited the failure to meet its obligation that allowed the scam to take place. In this example the consumer's report would need to fail over to EDR in order to achieve the appropriate redress outcome.

    One response advocated for an existing amendment that has been tabled which would require businesses to put forward a 'statement of compliance' when a consumer reports a scam, which would serve to formally establish the business's position as to whether it has met its related obligations. The statement of compliance is intended to reduce information asymmetry in dispute resolution and expedite redress outcomes, including those involving multiple parties.

    • Multiple sources of liability – Designated businesses will carry financial exposure in the form of (i) redress of SPF consumer losses and (ii) regulatory penalties where the business is found to have not met its obligations.
      • Consumers can pursue redress of losses via IDR, EDR and civil action avenues (on the assumption that industry ombudsman avenues are closed off in favour of the designated EDR).
      • Regulatory penalties may be applied by the sector regulator (where there are existing and overlapping enforceable sector codes) or the general SPF regulator.

    Certain respondents hold the view that their business will be subject to an unreasonable number of avenues of liability and financial risk exposure.

    • Proportionality – Responses noted that designated businesses under the SPF will come in different shapes and sizes, and expressed concern that the Bill does not address its applicability to small or niche businesses.
    • Superannuation – One consumer group response called for the superannuation sector to be quickly designated as an additional sector under the Bill, citing the immense value held by the superannuation sector and the significant levels of scam losses impacting consumers.

    Our take

    Taking a step back from the detail of responses, the central role that a strong reasonable steps framework will play in navigating the complexities of the SPF Bill once passed becomes evident.

    Inherent across multiple responses is a concern that, without explicit, sector-oriented guidance, businesses will be unable to gain certainty they have met their obligations and in doing so will not be required to compensate SPF consumers for losses.

    A fit-for-purpose reasonable steps framework can assist businesses to interpret obligations in their own context, which will naturally emphasise certain obligations over others based on the nature of the business's designated services. Such a framework will also help to guide decisions over data sharing, consumer redress (where the business has failed to take reasonable steps), and proportionality to business size.

    In summary

    Consultation responses submitted to the Senate underscore the collective commitment across the business community to play a part in combatting scams. Parties, however, are concerned that the Bill will establish obligations which are unclear or mismatched to their role. Some clarity may come in revisions to the Bill and more from the subsequent industry codes.

    In the meantime, and starting now, businesses must continue to focus on the reasonable steps they will take in the context of their business and the threats faced by their consumers.

    Ashurst Risk Advisory Pty Ltd (ABN 74 996 309 133) is part of the Ashurst Group. The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners acting in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services. For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com.

    This material is current as at 15 January 2025 but does not take into account any developments after that date. It is not intended to be a comprehensive review of all developments in practice, or to cover all aspects of those referred to, and does not constitute professional advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.
