Opinion

Combatting payment account fraud: Australia's Scams Prevention Framework

Published Date
Feb 18 2025
On February 13, 2025, Australia’s Parliament passed new laws implementing its proposed Scams Prevention Framework (SPF), aimed at protecting Australian consumers from scams. The Treasury of the Australian Government had previously released the proposed SPF for consultation in the form of an exposure draft Bill in September 2024. It recognises that a whole-of-ecosystem approach is required to close the gaps that scammers exploit, and that everyone, including industry, Government and consumers, has a role to play in combatting scams. The consultation closed on October 4, 2024 and the SPF Bill was introduced to Parliament on November 7, 2024.

The SPF Bill is very broad and will initially require mandatory participation from three business sectors: banks, telecommunications providers and digital platform services. The SPF establishes overarching scam prevention principles in legislation that will guide industry-specific, mandatory obligations on designated sectors. It also introduces a multi-regulator framework, enables sector codes to be made and allows an external dispute resolution (EDR) scheme to be authorised.

The legislation establishes a new Part IVF in the Competition and Consumer Act 2010 (CCA), enabling the Australian Competition and Consumer Commission (ACCC) to bring the full force of the law against businesses in designated sectors that fail to meet their obligations. This includes penalties of up to AUD50 million for non-compliance under the CCA.

The design of the draft SPF Bill was informed by a previous consultation which ran from November 30, 2023 to January 29, 2024 (please see our blog post here for further information on this).

Scope of regime

In-scope persons 

The SPF will initially apply to:

  • Banks;
  • Telecommunications providers; and 
  • Digital platform services providers, including social media, paid search engine advertising and direct message services.

The Treasury Minister may use the designation mechanism in the SPF Bill to designate further sectors and the relevant regulator into the framework over time where scam activity shifts. This could include superannuation funds, digital currency exchanges, other payment providers, and transaction based digital platforms like online marketplaces.

The SPF will protect “SPF consumers”, defined as: (1) natural persons who are in Australia (e.g. visitors), ordinarily reside in Australia, or are an Australian citizen or permanent resident of Australia; or (2) businesses which have fewer than 100 employees and a principal place of business in Australia.

What is a scam?

The draft legislation defines a scam as:

“a direct or indirect attempt (whether or not successful) to engage an SPF consumer of a regulated service that: (a) involves deception; and (b) would, if successful, cause loss or harm including obtaining personal information of, or a benefit (such as a financial benefit) from, the SPF consumer or the SPF consumer’s associates.”

An ‘attempt’ will involve deception if the attempt:

  1. Deceptively represents something to be (or to be related to) the regulated service; or
  2. Deceptively impersonates a regulated entity in connection with the regulated service; or
  3. Is an attempt to deceive the SPF consumer into either performing an action using the regulated service or facilitating another person to perform such an action; or
  4. Is an attempt to deceive the SPF consumer that is made using the regulated service.

This, alongside the range of example scams referred to in the explanatory notes, seems to be a broad, catch-all definition intended to cover a wide range of scams. Interestingly, the definition does not include unauthorized fraud (including unauthorized payments) and the extent to which it strikes an appropriate level of consumer protection will likely be a point of future discussion.

How does the SPF work?

The tiered regulatory design of the framework will be administered and enforced via a multi-regulator model. The Treasury has designated the ACCC as the general regulator for the SPF. The ACCC also enforces the Competition and Consumer Act 2010 (CCA), of which the SPF will form part.

There will also be a regulator for each initial sector:

  • Banking - Australian Securities and Investments Commission (ASIC)
  • Telecommunications - Australian Communications and Media Authority (ACMA)
  • Digital Platforms - Australian Competition and Consumer Commission (ACCC)

Each regulator will need to create its own governance for the SPF. This governance will control how each regulator enforces the SPF against its sector’s regulated entities. The SPF sector regulator will be responsible for monitoring compliance with SPF codes and pursuing enforcement action for suspected breaches of the controls required of entities.

As the framework expands to more sectors over time, additional regulators may be brought within the framework to enforce new codes where they have the relevant experience and expertise.

Figure 1 sets out the current overall make-up of the proposed SPF:

Core obligations

The proposed SPF introduces a principles-based approach, setting out obligations that will apply to all in-scope persons. In-scope persons will be required to take a proactive approach to combat scams and adjust their business models if necessary to fulfil their principles-based obligations. 

The SPF will introduce six overarching principles that apply to regulated entities which must be complied with to avoid enforcement action:

 

The SPF principles will be enforced by the ACCC as the SPF general regulator.

Treasury can also add sector-specific SPF codes. These codes will add detailed regulation and controls above and beyond what is contained in the legislation. The SPF codes will set more prescriptive controls, while still leaving room for entities to interpret the code for final deployment and to address new scam variants.

Dispute/reimbursement

The dispute process will apply when an SPF consumer loses money in a financial scam and seeks reimbursement. The consumer will first go to the regulated entity’s internal dispute resolution (IDR) process and, if not satisfied with the outcome, proceed to the EDR scheme.

Regulated entities will effectively only be required to reimburse an SPF consumer who has lost money due to a scam perpetrated against them if the entity has failed to comply with its obligations under the SPF and the relevant sector-specific SPF codes. There does seem to be some confusion as to whether 100% compliance is necessary or whether a lower degree may suffice. Given the stringent new requirements, it may be an onerous exercise for regulators to decide whether regulated entities have complied to a satisfactory standard.

Enforcement 

Regulated entities that fail to comply with the new regime will be subject to a two-tier penalty system, with higher penalties applying to more significant and egregious breaches of the framework:

 

In addition, regulators will be able to issue enforceable undertakings, injunctions, public warning notices about an entity’s contravention of the SPF, remedial directions where an entity is failing to comply with the SPF, adverse publicity orders, non-punitive orders and orders other than damages. While the Treasury is keen for firms to put in place these measures voluntarily, it is clear that the SPF allows for a more forceful approach if necessary. 

Next steps 

The SPF Bill will now proceed to Royal Assent and is set to become law shortly. This will be followed by sector-specific SPF codes and further guidance.

The establishment of the SPF contributes to the broader effort by the Government to modernise Australia's laws for the digital age, including reforms to Australia’s privacy, money laundering and cyber settings, modernisation of the payment systems, introduction of online safety measures, as well as the rollout of Digital ID and eInvoicing infrastructure for businesses.

Acknowledgments to John Hobbs, trainee with A&O Shearman's Financial Services Regulatory team in London, for his contribution to this post.
