Chapter 1Introduction
1.1On 21 November 2024, the Senate referred the provisions of the Scams Prevention Framework Bill 2024 (the bill) to the Senate Economics Legislation Committee for inquiry and report.
Purpose of the bill
1.2The bill amends the Competition and Consumer Act 2010 to implement the Scams Prevention Framework (SPF) to prevent and respond to scams impacting the Australian community. The SPF will be a framework through which regulated entities will be required to implement measures to prevent, combat and respond to scams. The SPF includes the following features:
overarching principles (SPF principles) that apply to regulated entities;
sector-specific codes (SPF codes) that apply to regulated entities in certain regulated sectors;
rules (SPF rules) to support the effective operation of the framework;
a multi-regulator framework;
regulatory and enforcement mechanisms, including a two-tier civil penalty framework; and
dispute resolution mechanisms.
1.3The legislative framework allows a Treasury Minister to designate sectors of the economy to be subject to the SPF principles, make an SPF code for that sector, and designate a regulator to enforce that code. The bill also makes minor consequential amendments to other legislation.
1.4The SPF will not require sectors to mandatorily compensate victims of scams but will include redress mechanisms for consumers where a regulated entity has contravened the requirements of the SPF to prevent and address scam activity. These redress mechanisms include internal and external dispute resolution frameworks and external legal action.
Background
1.5Digital communications and the digital economy have brought significant efficiencies to the way Australians communicate and conduct business. However, there has been a corresponding increase in the risks associated with digital forms of conducting business, communicating and making payments. This includes a rise in sophisticated scams over recent years, which manipulate consumers and undermine trust in digital services.
1.6Australians lose billions of dollars to scams each year. In 2023, reported financial losses due to scams in Australia amounted to at least $2.74 billion. This is a decrease from the $3.1 billion lost to scams in 2022 but is higher than reported annual losses in both 2020 and 2021. There is also an increase in prevalence, with an 18.5 per cent increase over the 2022 reporting period. Investment scams, which accounted for approximately $1.3 billion of total scam losses in 2023, are overwhelmingly the largest source of these financial losses.
1.7Australia is known as ‘the world’s honeypot for scammers’. However, as one victim of a scam noted in evidence to this inquiry, the total amount lost to scams is probably significantly under-reported, because of the shame that many scam victims experience.
1.8Scams are becoming increasingly complex, with victims from a variety of backgrounds. For example, the committee received evidence from one victim of a scam who never provided her internet banking pin or password to scammers who had remote access to her devices. She informed the committee that in total, she lost four payments of $5000 each, with her bank offering her a ‘good will payment’ of $2000 that only increased to $7000 after she went through the Australian Financial Complaints Authority process and negotiation.
1.9A number of different government and non-government entities currently exist that are involved in monitoring and regulating scam activity, including the National Anti-Scam Centre (NASC), the Australian Securities and Investment Commission (ASIC), the Australian Financial Complaints Authority (AFCA) and the Australian Financial Crimes Exchange (AFCX).
1.10There are a range of government and industry measures developed, or in development, that specifically address scam threats. These include the Scam-Safe Accord (a banking sector code), the Australian Online Scams Code (signed by several social media companies), the Reducing Scam Calls and Scam SMS Industry Code (a telecommunications industry code), and the SMS Sender ID Register. The ePayments Code also stipulates who is liable for unauthorised transactions.
1.11There are additional measures that address fraud more broadly, found in other legislative frameworks such as the obligations found in the Banking Act 1959, Corporations Act 2001, National Consumer Credit Protection Act 2009, Privacy Act 1988, and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.
1.12However, as outlined in the bill’s Explanatory Memorandum, these current scam protections are piecemeal and inconsistent across the economy, meaning that Australian consumers face inconsistent protections depending on their service providers. Some sectors have industry codes to address scam activity, while other sectors have no formal scam protection requirements, creating a vulnerability for scammers to exploit.
1.13To address this, the bill would enact the SPF as an economy-wide reform that will require the private sector to ‘adhere to consistent principles-based obligations and enforceable mandatory codes’ in order to prevent and respond to scams that impact the Australian community.
1.14The bill also partially implements the 2024–25 Budget Measure Fighting Scams with the introduction of mandatory industry codes to be established under the SPF.
1.15The bill is part of a range of other measures currently being undertaken to protect the Australian public, including reforms to Australia’s:
privacy laws;
payment systems;
money-laundering and cybersecurity settings;
online safety measures;
safe and responsible use of artificial intelligence;
product safety standards;
unfair trading practices; and
the Digital ID system.
Structure of the bill
Division 1 – Preliminary
1.16The bill comprises seven divisions:
Division 1: introduces the SPF into the Competition and Consumer Act 2010 (Competition Act) and provides an overview of the relevant provisions.
Division 2: establishes the overarching principles of the SPF and the application of those principles.
Division 3: allows for sector-specific SPF codes.
Division 4: establishes external dispute resolution mechanisms.
Division 5: outlines the framework to regulate the SPF.
Division 6: establishes the enforcement framework for the SPF.
Division 7: contains additional provisions, such as those to ensure a consistent treatment for the purposes of the SPF obligations across different types of entities.
1.17The provisions of the bill are outlined in Chapter two.
1.18Chapters three and four then discuss the responses from submitters and witnesses to the proposed SPF. Chapter three is focused on comments regarding the legislative structure of the SPF, namely the use of legislation and delegated legislation to enact the responsibilities of regulated entities. Chapter four then outlines the discussion of the operational aspects of the SPF itself. The committee view is then captured in Chapter five.
Commencement
1.19The bill commences the day after Royal Assent.
Financial and regulatory impact
1.20The bill is estimated to have a negative impact of $51.9million during the four years estimated it will take to enable regulators to administer and enforce the SPF and provide seed funding for AFCA to establish external dispute resolution (EDR) rules and processes for the SPF. ASIC and Australian Communications and Media Authority (ACMA) functions will be subject to cost recovery arrangements.
Table 1.1Financial impact
| | | | |
Payments | 16.5 | 18.5 | 8.3 | 8.6 |
Receipts (cost recovery) | - | 8.0 | 5.2 | 4.5 |
Total | 16.5 | 10.5 | 3.1 | 4.1 |
Source: Explanatory Memorandum, p. 1. Note: All figures in this table represent amounts in $million, rounded to the nearest $0.1 million each year.
1.21For designated sectors likely to be involved in the SPF, this reform is estimated to result in ‘an overall increase in regulatory compliance costs of around $228.8million in the initial year of operation and $88 million’ each year.
Legislative scrutiny
Scrutiny of Bills Committee
1.22The Senate Standing Committee for the Scrutiny of Bills (Scrutiny Committee) reviewed the bill and published its findings on 20 November 2024. The Scrutiny Committee was concerned with the number of aspects proposed to be set out in delegated legislation, including:
SPF codes for regulated sectors: the Scrutiny committee asked for an addendum to the Explanatory Memorandum containing an explanation for the inclusion of codes in delegated legislation and expressed concerns that the bill uses delegated legislation to modify the operation of the ASIC Act.
No-invalidity clause: the Scrutiny Committee requested an addendum to the Explanatory Memorandum containing a justification for the use of no-invalidity clauses in the Minister’s powers to designate regulated sectors and for authorising external dispute resolution schemes.
Privacy: the Scrutiny Committee noted potential privacy issues with the powers of the SPF general regulator to disclose information relating to a scam to external entities, including personal and identifying information. Further privacy issues were noted with the requirement that regulated entities report on suspected scam activity, including divulging personal information of customers.
Procedural fairness of public notices: the Scrutiny Committee noted the Explanatory Memorandum does not confirm that the safeguards of procedural fairness apply to the issuing of public warning notices from the SPF regulator(s) about scam activity and recommended that the bill should ‘provide a requirement that the regulator remove any notices that have been incorrectly issued’.
Immunity from civil liability: The bill provides limited immunity from civil liability where regulated entities take action to disrupt scam activity. However, the Scrutiny Committee noted that ‘a small business owner, who conducts all their business online and has their website blocked for up to 28 days due to wrongly suspected scam activity, may have no redress for the impact this may have had on their business and finances’.
Parliamentary Joint Committee on Human Rights
1.23The Parliamentary Joint Committee on Human Rights (PJCHR) reviewed the bill in its report of 20 November 2024 and found that the SPF allows for the sharing of personal information. However, the PJCHR noted the statement of compatibility provides no details as to what types of personal information may be shared, whether or how such disclosure would be subject to oversight and review, or whether a person whose privacy was breached would have access to an effective remedy.
1.24As per the PJCHR’s usual process, the secretariat has written to the relevant department to notify them the PJCHR considers the statement of compatibility to be inadequate.
Conduct of the inquiry
1.25The committee advertised the inquiry on its webpage and wrote to relevant stakeholders to invite them to make a submission by 9 January 2025. The committee received 43 submissions, as listed at Appendix 1.
1.26The committee held a public hearing in Canberra on 28 January 2025. The witnesses who appeared at the hearing are listed at Appendix 2.
Acknowledgements
1.27The committee thanks the individuals and organisations who contributed to the committee’s inquiry, particularly those who made written submissions and gave evidence at the committee’s public hearing.