Coalition Senators' additional comments

Overview

1.1 The legislation presented to this committee is rushed, only half-finished and a further example of the Albanese Government leaving its supposed priorities to the last minute.

1.2 Stakeholders across the spectrum, from the regulated entities and their peak bodies to consumer advocates, have made submissions and provided evidence stating that the SPF legislation requires substantive amendments and should not pass in its current form.

1.3 The most important protections are yet to be developed and Treasury provided evidence to the committee during the public hearing that the framework will not be operational until 2026.[1]

1.4 Australians have been left waiting far too long for the Albanese Government to follow through on its many scams announcements and there is still significant work required. Despite issuing at least 14 media releases about its scams agenda in the last calendar year, the government has left this bare-bones enabling legislation to the final weeks of its term and at risk of not being legislated.

1.5 The government’s approach to implementing the SPF is emblematic of its focus on announcements and grandstanding over action and follow-through.

1.6 This delay serves as an example of the government’s warped legislative priorities and the clear de-prioritisation of Treasury portfolio legislation.

1.7 The government took 28 months to come up with this legislation and then ran a shortened three-week consultation period on the draft legislation. The bill was then turned around for introduction four weeks later, with little of the consultation feedback incorporated as a result.

1.8 This is novel and complex legislation, and these are not minor amendments, free from regulatory burden, that can be pushed through parliament without scrutiny. This government’s haphazard approach has yielded a defective bill which has been widely criticised.

1.9 Significant detail has been left to future subordinate legislation, which is nowhere to be seen. The parliament, regulated entities, consumers and scam victims are having to take on faith most of the detail which has been left to future prescriptive industry codes, rules and designations. They are expected to wave this bill through and hope for the best.

1.10 During its first term, the Albanese Government has done little to build confidence in its ability to get these matters right, with a litany of botched legislative instruments made with minimal or no consultation.

1.11 While this legislation has made it to parliament before the end of the term, the same cannot be said for much of the Albanese Government’s financial services and consumer affairs agenda, which is still languishing undrafted and unfinished.

1.12 The Coalition supports action against scams and the concept of a scams prevention framework is broadly supported in-principle by all stakeholders. Unfortunately, the bill as it stands has been described by those same stakeholders as rushed, heavy handed, complex, unclear and stacked against consumers.

1.13 Scams are becoming more sophisticated and the Coalition agrees there must be mandatory standards in place and a consistent approach to how banks, telcos and digital platforms act to prevent scams and provide redress to victims.

1.14 The Coalition supports the whole-of-ecosystem approach. The scam attack chain is complex and focusing on where there is the most risk, across banks, telcos and digital platforms, is appropriate.

1.15 While consumers should have simple and efficient access to redress, the Coalition agrees a mandatory or automatic reimbursement model is not the right approach.

1.16 The proposed statutory review provides an opportunity to assess whether the proposed model is working and is something we strongly support, but the Coalition’s view is that this review should also be brought forward given the amount of detail missing and unknowns in this legislation. The review should also consider international developments and the effectiveness of emerging scams prevention models in jurisdictions like the UK and Singapore.

1.17 Considering the significance of the SPF for both regulated sectors and consumers, it is important this legislation is workable and effective so the future codes and instruments it enables can follow quickly. Industry-led initiatives should continue to be encouraged, and prescriptive SPF code obligations will need to be targeted to ensure they are effective while minimising compliance burden and unnecessary disruption.

1.18 The Coalition recommends amendments and surrounding commitments from the government to improve the bill and ensure there are no further delays, noting the long road ahead before the SPF is fully implemented.

Interaction between overarching principles and targeted codes

1.19 The bill has three key aspects:

(1) Enforceable principles-based obligations in the primary legislation, which apply to each sector once designated, with the ACCC as the responsible regulator;

(2) A regulation-making power for the Minister to designate sectors and regulators; and

(3) A regulation-making power for the Minister to make mandatory sector specific codes with prescriptive obligations.

1.20 A significant amount of stakeholder feedback focused on the uncertainty created by the broad overarching obligations in the primary legislation, which require taking ‘reasonable steps’ and how they will interact with targeted SPF codes.

1.21 Questioned by Senator Smith on risks posed by the bill as drafted, Digi noted:

The risk is confusion and frustration, because right now, as I said, we've got a set of obligations that have been put in the codes. I understand the government wants to act and wants to act quickly and wants to put forward some strict obligations in this primary legislation, but the challenge with that is that we've got a set of obligations that are an awkward fit across the different sectors…[2]

1.22 At previous stages of consultation, the government’s focus was on prescriptive obligations contained in sector-specific mandatory codes, which clearly outline the practical minimum standards expected for each sector.

1.23 The government has not been able to bring forward and consult on the designations and codes alongside the primary legislation. Instead, it has resorted to a stop-gap approach of adding principles carrying significant penalties to the primary legislation.

1.24 The regulated sectors say it is difficult to understand how these obligations will be interpreted by the regulator or by AFCA when consumers complain. This is particularly difficult with the prescriptive content of the codes that will sit alongside and inform these ‘principles’ still unknown.

1.25 The Customer Owned Banking Association (COBA) summed these concerns up in its submission to the consultation on the exposure draft:

The complexity of these obligations evidences why the codes must be created before designation, as key details on how to comply with the Principles will be within these codes, without which our members will lack clarity in how to meet their obligations under the framework.[3]

1.26 Regulated entities have also raised significant concerns about the risks of being compliant with a mandatory code but still in breach of a primary legislation principle.

1.27 On this point, the Australian Banking Association (ABA) has said:

“In some cases, there is no assurance that these requirements would effectively reduce scams” and “the breadth of certain terms and compliance requirements may create uncertainty that could hinder large-scale investment aimed at preventing and detecting scams.”[4]

1.28 The Communications Alliance raised similar concerns with the dual application of the primary legislation and SPF codes:

…the issue remains of significant concern to our sector due to the remaining, partly ill-suited, detail contained in the primary legislation (also refer to section 5), and the continued existence of an approach that allows a regulator to find a regulated entity in breach of an SPF principle even if that entity had complied with its sector-specific subordinate regulation. Under the proposed approach C/CSPs are subject to unacceptable uncertainty for investment decisions and risk of liability that they cannot reasonably limit. By contrast, a sector-specific code that forms the minimum basis for compliance with the entire framework would send a clear signal for regulated entities as to how to focus company resources.[5]

1.29 To address this issue, stakeholders have encouraged greater use of the targeted codes, with the primary legislation being focused on enabling the framework rather than containing its own potentially conflicting obligations.

1.30 Digi recommended:

…the primary legislation should simply focus on enabling the development of mandatory codes that outline robust, sector-specific obligations for regulated entities, which would support and remain consistent with the delivery of the Government’s commitments.[6]

1.31 Some stakeholders, including ABA and COBA, advocated for amending the bill to provide that if an entity, acting in good faith, has complied with the obligations under the Code, then there should be a presumption that it is compliant with the SPF Principles. COBA contends this presumption would:

…ensure an entity can focus on meeting its obligations in an efficient manner that focuses on protecting customers from scams rather than on technical compliance in order to avoid regulator and court action.[7]

Reporting obligations and compliance burden

1.32 Under the legislation, regulated entities face serious penalties if they do not report all ‘actionable scam intelligence’ to the ACCC. The broad definition used for scams intelligence means this reporting obligation could inundate the ACCC with an unprecedented volume of reports about scams without a clear mandate for what they will do with it.

1.33 Stakeholders have said this obligation could create a significant compliance burden and potential privacy issues, without a clear connection to scam prevention or reducing consumer harm.

1.34 The ABA captured the sentiment from regulated entities over risks associated with the broad definition of ‘actionable scams intelligence’ and why it should be more clearly defined in future SPF Rules:

On its own, a mere suspicion may not always be a sufficient basis on which to take effective action. We are concerned that the current definition may lead to a substantial increase in compliance, including substantially more reports to a regulator, rather than the creation of more information that can actually be used to inform decisions about combatting scams.[8]

1.35 The Communications Alliance made a similar recommendation asking for further clarity and a greater focus on the reporting of sector-specific intelligence:

It would be more useful, at least in our sector, to focus on new types of intelligence and patterns rather than individual pieces of ‘actionable scam intelligence’.

Consequently, we recommend the inclusion of an option to delegate detail for reporting obligations to sector-specific codes, alongside a re-focused, sector-specific definition of ‘actionable scam intelligence’.[9]

1.36 The Coalition also notes the work of the banking sector’s existing information sharing initiative, the Australian Financial Crimes Exchange (AFCX), which already facilitates the secure sharing of scam and fraud intelligence between banks and is expanding to encompass other sectors. It is important the reporting obligations do not unnecessarily duplicate effective and targeted industry-led initiatives like this.

1.37 The Coalition here reiterates its concerns over the government’s Regulatory Impact Analysis, tabled with the explanatory memorandum, despite confirmation from Treasury during the public hearing that it stands by the figure.[10] The analysis estimates regulatory compliance costs of around $228.8 million in the initial year of operation and $88 million for each year ongoing.

1.38 This compliance burden appears to be significantly understated based on some of the costing assumptions that were used, including:

1.1 FTE staff required for a major bank to uplift anti-scam activity and governance improvements;

A $40,000 initial technology investment required for a major bank to comply with the info sharing and reporting obligations, and $20,000 ongoing;

A $40,000 initial investment in staff for a COBA member bank to administer anti-scam activity and governance improvements, and $10,000 ongoing; and

A $100,000 initial investment for a major telco to uplift anti-scam activity and governance, and $50,000 ongoing.

1.39 Evidence provided to this inquiry indicates that regulated entities expect a much greater compliance burden and will need to allocate far more resources to their SPF compliance programs than assumed in these costings.

Complexity of consumer redress and apportioning liability

1.40 Feedback from both industry and consumer advocates points to the complexity arising from the lack of clear liability rules and an apportionment mechanism for situations where multiple entities across different sectors are involved in a scam.

1.41 On the issue of apportionment, the Joint Consumer Organisations offered the following assessment:

We believe more specificity and guidance in the SPF bill or at a minimum the EM and ACCC guidance is still needed, including how apportionment would apply for at least for the first three designated sectors…

Uncertain and inflexible default levels of apportionment of liability may be unfair both to businesses and scam victims.[11]

1.42 The ABA and COBA expressed a similar sentiment, outlining that a clearly defined and robust dispute resolution mechanism is critical:

The SPF Rules should provide clear liability rules, an apportionment mechanism to guide dispute resolution processes and ensure a consistent approach for customers to seek redress across all relevant sectors.

Banks accept that liability should apply to all relevant sectors on a proportional basis, including our own, where entities have failed to meet their obligations.[12]

1.43 Uncertainty about liability and apportionment could create a chain of countersuing between entities to apportion liability for consumer redress. This could result in confusion and delays for consumers seeking redress, who will typically not have full visibility of the scam attack chain and the “reasonable steps” undertaken by each entity.

1.44 While AFCA will be designated as the ‘single door’ for external dispute resolution, stakeholders expressed concerns about how their decisions would work in practice and whether it would be creating an expensive and convoluted process, without an improvement in consumer redress.

1.45 Under the proposed model, there could be a protracted examination, through an external dispute resolution body, of different companies’ relative roles in the scammers’ attack to determine possible redress. Without further guidance or clear rules, this could take years to resolve and for consumers to be reimbursed because of the complexity of the scam attack chain.

Risks of unintended consequences and consumer disruption

1.46 The broad, principles-based operation of the framework, and the ‘disrupt’ principle in particular, could have a chilling effect on the seamless experiences consumers have come to expect from their digital banking and other digital platforms. For example, delays and blocks to payments, freezing of accounts, additional verification processes and mandatory scam questionnaires are likely to become commonplace frictions as part of compliance with the SPF.

1.47 While these could be valid ‘reasonable steps’ to prevent a scam, they will also create a broad inconvenience and frustration for many consumers. There is also a risk these ‘disrupt’ initiatives will exacerbate the existing issue of debanking, which has worsened under the government, and could be used to restrict banking services unnecessarily.

1.48 The Tech Council of Australia raised similar concerns in their submission about the complexity and uncertainty of what reasonable steps could entail:

This is an inherently uncertain measurement, and combined with the significant penalties attached for breaches of the framework legislation, is likely to result in businesses overcorrecting for scams and unintentionally blocking legitimate traffic.

This has serious consequences for the consumers and businesses that rely on designated sectors for communication and as critical pieces of infrastructure for their business.[13]

1.49 There was a similar warning from the Digital Economy Council of Australia regarding the risks of overreach and restrictions on banking access in the digital assets sector:

While the SPF’s goal of protecting consumers from scams is commendable, its unintended consequences must be carefully managed. Banks, as key enforcers of scam detection, may adopt an overly conservative approach, further limiting their willingness to work with digital asset businesses.[14]

1.50 Fintech Australia similarly recommended “ensuring obligations on regulated entities are practical, proportionate to the consumer risk, and do not unintentionally hamper competition” and warned that “as currently drafted the ‘prevent’ and ‘disrupt’ obligations are likely to present some significant unintended consequences” – adding that:

Regulated entities may take unnecessary, overbroad action to restrict services to third parties even where those parties exhibit no particular or proven risk of scam activity. These restrictions could include, for example, debanking fintech businesses, denying consumers access to fintech services, or soft forms of exclusion such as delays on payment transfers, account transaction limits, customer number limits or ad-hoc audit and review frequency and costs.

This significantly increases the risk of excluding newer or competitive businesses from designated sectors, without recourse.[15]

1.51 The Coalition also notes the final bill now includes a safe harbour protection from liability in relation to losses incurred because of disruption activity. The inclusion of this acknowledges that consumers and businesses will inevitably be ‘disrupted’ in a way that could cause them losses.

Importance of a law-and-order response alongside prevention

1.52 Scams are typically perpetrated by transnational criminals and Australia is viewed as a honeypot for these criminals.

1.53 Despite this, the government’s scams policy does nothing to address the law-and-order issues associated with scams. Other countries take these criminals on, and prevention must go beyond the first tranche of regulated sectors.

1.54 The scam attack chain involves different sectors and a coordinated approach that includes law enforcement is important as scam attempts become more sophisticated.

Disproportionate penalty regime and concurrent enforcement mechanisms

1.55 Under the bill, regulated entities face significant maximum civil penalties. Some stakeholders have argued this is disproportionate and the civil penalty regime should be restricted to apply only to egregious or systemic breaches, or there should be a clear list of matters which can attract a pecuniary penalty.

1.56 The severity of potential penalties compounds broader concerns about the vague principles-based obligations in the primary legislation serving as standalone obligations, rather than being guiding principles for future mandatory codes.

1.57 COBA highlighted that the penalty regime could have the “unintended consequence that smaller entities, such as customer owned banks, bear disproportionately higher penalties” and recommended consideration of proportionality as part of the penalty regime:

We note that section 58BB requires a decision-maker to consider the size of a regulated entity when considering whether a regulated entity has taken reasonable steps to comply with SPF Principles and consider proportionality should also be imported into the penalty regime. Such proportionality could include a list of discretionary factors that the court must consider when awarding penalties, such as the size of the entity by turnover and its capacity to pay the penalty.[16]

1.58 The current design of the framework and the potentially disproportionate penalty regime increases the risk of regulated entities being more focused on compliance and minimising potential liability, rather than acting quickly and flexibly to address emerging scams or provide consumer redress.

1.59 Similar concerns were raised about the existence of a private right of action and the risk of what the Communications Alliance described as ‘dual liability’, with regulated entities being exposed to SPF regulator enforcement actions, in addition to IDR/EDR and a right to private action.[17]

1.60 The ABA similarly recommended streamlining the enforcement mechanisms and questioned whether a right to bring individual causes of action is inappropriate to include in the legislation:

This creates a double jeopardy challenge that is problematic in principle and undermines the clarity of communication of regulatory expectations essential to drive the necessary long-term investments in anti-scams measures. Effectively marshalling resources for anti-scams investment means it is essential that regulated organisations know the goals at which they are aiming.[18]

Recommendations

Recommendation 1

1.61 The bill be amended to provide that meeting the SPF Code obligations creates a presumption that a regulated entity meets its SPF Principle obligations. Industry codes made under the SPF:

be regularly reviewed to ensure they keep pace with an evolving scams landscape, are interoperable with SPF principles, and that disruptive scam prevention obligations do not create unintended consequences which adversely impact consumers seeking to access or transact their own money;

focus on the development of systems and processes, and minimize disruption for consumers and small businesses; and

prioritise consumer education, awareness and consent.

Recommendation 2

1.62 The bill be amended to allow for SPF Rules to be made to better define ‘actionable scam intelligence’, with a view to reducing duplication of reporting and minimising compliance burden.

Recommendation 3

1.63 The government create a Memorandum of Understanding clearly setting out the roles of the SPF Regulators (ACCC, ASIC, ACMA), the SPF EDR scheme operator (AFCA) and the National Anti-Scam Centre in relation to the operation of the SPF.

Recommendation 4

1.64 The bill be amended to ensure EDR complainants can receive standardised, timely information about a regulated entity’s SPF compliance.

Recommendation 5

1.65 The Explanatory Memorandum be revised to:

clarify the interoperability of the SPF with the existing legal rights for victims of unauthorised transactions under the ePayments Code; and

replace the Regulatory Impact Analysis to ensure it accurately reflects the likely regulatory burden of the SPF and uses realistic costing assumptions based on industry feedback.

Recommendation 6

1.66 The bill be amended to bring forward the first statutory review of the SPF to two years after the day the first SPF Code is made.

Recommendation 7

1.67 The first statutory review of the SPF consider:

the need for a private right of action under the SPF, noting that the SPF already provides for dispute resolution through IDR, EDR and regulator enforcement action;

whether SPF Principles should remain civil penalty provisions, once industry codes are operational;

whether the currently complex redress framework should be streamlined and focused on efficient IDR and EDR;

whether the proposed EDR framework is fit for purpose and ensuring timely access to compensation where entities have not complied with SPF obligations;

the effectiveness of AFCA as the sole prescribed EDR scheme;

harmonisation of concurrent obligations and broadening the safe harbour provision, in recognition of major concurrent reforms to the AML/CTF regime, Privacy Act and Chapter 7 of the Corporations Act;

the adverse impacts for consumers and small businesses arising from compliance with the ‘disrupt’ SPF principle;

the proportionality of the compliance burden for smaller regulated entities and how the SPF can be simplified; and

the effectiveness of emerging international models for scams prevention and how the SPF can be better aligned with frameworks in jurisdictions like the UK and Singapore.

Recommendation 8

1.68 The bill be amended to provide that the SPF Rules can prescribe guidelines on how AFCA can apportion liability of complaints among regulated entities.

Recommendation 9

1.69 The bill be amended to provide that SPF Regulators must consider proportionality in relation to SPF enforcement action and civil penalties.

Recommendation 10

1.70 The government provide adequate transition timeframes when designating sectors and creating new obligations through SPF Codes and ensure codes for all sectors are developed and come into effect concurrently.

Recommendation 11

1.71 The government support uptake of new, more secure technologies like the Consumer Data Right and the NPP as part of its scams prevention strategy.

Recommendation 12

1.72 The government properly consult on all future SPF delegated legislation and avoid the truncated, rushed approach to consultation conducted for the exposure draft of this bill.

Recommendation 13

1.73 That the government provide a clear roadmap for the inclusion of other regulated sectors, including payments providers and digital assets businesses.

Recommendation 14

1.74 That the government urgently progress new licensing frameworks for digital asset platforms and payment service providers, recognising these businesses as part of the scams ecosystem and enabling their integration into the SPF.

Senator Andrew Bragg

Deputy Chair

Liberal Senator for New South Wales

Senator Dean Smith

Member

Liberal Senator for Western Australia

Footnotes

[1] Mr Tom Dickson, Acting First Assistant Secretary, Department of the Treasury, Committee Hansard, 28 January 2025, p. 32.

[2] Ms Sunita Bose, Managing Director, Digital Industry Group Inc, Committee Hansard, 28 January 2025, p. 15.

[3] Customer Owned Banking Association, Submission to Scams Prevention Framework – exposure draft legislation, p. 2.

[4] Australian Banking Association, Submission to Scams Prevention Framework – exposure draft legislation, p. 2.

[5] Communications Alliance, Submission 11, p. 10.

[6] Digi, Submission 6, p. 2.

[7] Customer Owned Banking Association, Submission 19, p. 3.

[8] Australian Banking Association, Submission 33, p. 10.

[9] Communications Alliance, Submission 11, p. 15.

[10] Mr Tom Dickson, Acting First Assistant Secretary, Department of the Treasury, Committee Hansard, 28 January 2025, p. 33.

[11] Joint Consumer Organisations, Submission 31, p. 16.

[12] Australian Banking Association, Submission 33, p. 8.

[13] Tech Council of Australia, Submission 30, p. 5.

[14] Digital Economy Council of Australia, Submission to Scams Prevention Framework – Exposure draft legislation, p. 6.

[15] FinTech Australia, Submission to Scams Prevention Framework – Exposure draft legislation, p. 7.

[16] Customer Owned Banking Association, Submission 19, p. 4.

[17] Communications Alliance, Submission 11, p. 9.

[18] Australian Banking Association, Submission 33, p. 9.