Bills Digest No. 2, Bills Digests alphabetical index 2024-25

Telecommunications Amendment (SMS Sender ID Register) Bill 2024

Infrastructure, Transport, Regional Development, Communications and the Arts

Author

Ipshita Mondal

Key points

  • The Telecommunications Amendment (SMS Sender ID Register) Bill 2024 (the Bill) amends the Telecommunications Act 1997 to require the Australian Communications and Media Authority (ACMA) to establish and maintain a SMS Sender ID Register (the Register) and to put in place other related administrative arrangements.
  • The Bill aims to prevent SMS and MMS impersonation scams where a sender identification (ID), like myGov or AusPost, is faked by a scammer. Legitimate entities would register their sender IDs with the ACMA. Telecommunications companies could then confirm whether messages using these sender IDs were being sent by authorised parties. If not, they would be blocked or would include a warning.
  • Adoption of a voluntary or mandatory registration model will be determined by the Government later in 2024, subject to costings and consultation outcomes.
  • Key measures in the Bill include:
    • new statutory functions and powers for the ACMA (or a contracted service provider) to establish and maintain a Register that contains approved sender IDs
    • a two-step process for entities to apply to the ACMA for approval before applying to register one or more sender IDs
    • flexibility to include other kinds of communication services that use a sender ID feature in the future (via legislative instrument)
    • a hybrid decision making feature whereby the ACMA may use a computer program to assist with making administrative decisions.
  • The Register is one measure in the Government’s Fighting Scams initiative announced in the 2023–24 Budget and is generally supported by stakeholders.

 
Introductory Info

Date of introduction: 2024-06-26

House introduced in: House of Representatives

Portfolio: Communications

Commencement: On the earlier of Proclamation or 6 months after Royal Assent

This Bills Digest replaces a Preliminary Digest published on 1 July 2024 to assist in early consideration of the Bill.

 

Purpose of the Bill

The purpose of the Telecommunications Amendment (SMS Sender ID Register) Bill 2024 (the Bill) is to amend the Telecommunications Act 1997 (the Act) to require the Australian Communications and Media Authority (ACMA) to establish and maintain a Short Message Service (SMS) Sender ID Register (the Register) and to put in place other related administrative arrangements. The Register also covers communications via Multimedia Messaging Service (MMS). As explained in the second reading speech by the Minister for Communications, Michelle Rowland:

The formal creation of this register will bolster existing anti-scam measures. Once operational, this register is designed to:

  • decrease the frequency and impact of SMS impersonation scams on consumers;
  • increase protections for legitimate brands and agencies against bad actors impersonating them;
  • disrupt the business models for SMS impersonation scams;
  • restore public confidence in SMS as a communications channel; and
  • ultimately, make Australia a harder target for scam activity.

The Government’s Fighting SMS Scams consultation paper, of 18 February 2024, notes:

The registry aims to protect consumers and brands by disrupting a specific type of SMS impersonation scam, where scammers send SMS with alphanumeric sender IDs to imitate well-known brands such as banks, government agencies or retailers in order to deceive victims, to steal their money or personal information.

Sender IDs are used to sort SMS within applications on smart phones, meaning a scam SMS may appear in otherwise legitimate SMS threads from businesses or government agencies. This makes it very difficult for consumers to identify a scam (pp. 4 and 6).

Figure 1 provides an example of how these fake SMS sender identifications (ID) may appear in text messages. The alpha tag is where the sender ID appears. Figure 2 provides an example of where a scammer has falsely used Bupa’s sender ID to trick people into believing the message has come from Bupa.

Figure 1  Example of a scam SMS appearing in an otherwise legitimate thread

Source: Department of Infrastructure, Transport, Regional Development, Communications and the Arts (DITRDCA), ‘Fighting SMS Scams – What Type Of SMS Sender ID Registry Should Be Introduced In Australia?’, Consultation Paper, (Canberra: DITRDCA, 18 February 2024), 6.

Figure 2  False use of sender ID

Source: Explanatory Memorandum, Telecommunications Amendment (SMS Sender ID Register) Bill 2024, 15.

 

Structure of the Bill

The Bill has one Schedule, the main focus of which is to insert a new Part 24B into the Act to detail the establishment and operation of the Register.

 

Background

The Fighting SMS Scams consultation paper notes that:

SMS is now the most frequently reported contact method for scams, and almost $27 million was lost to SMS scams in 2023, as reported to Scamwatch. The actual figure is likely to be significantly higher, as many scams go unreported. As a popular communications channel, Australians have become accustomed to receiving SMS from businesses or organisations that they trust. Impersonation scams delivered via SMS decreases consumer confidence in these communications from legitimate brands and entities.[1]

On 23 April 2023, the Minister announced the establishment of the Register as a part of the Government’s Fighting Scams initiative. This initiative includes the creation of a National Anti‑Scam Centre (NASC) within the Australian Competition and Consumer Commission (ACCC), and the identification and removal of scam related websites by the Australian Securities and Investments Commission (ASIC).[2]

These measures built on the 2022–23 October Budget’s Fighting Online Scams measure, which included establishment of the NASC, expansion of the Department of Home Affairs’ IDCARE support service, and support for Treasury to raise public awareness of scam risks.[3] The Register would also complement the Reducing Scam Calls and Scam SMS Industry Code, which places obligations on telecommunication providers that originate SMS traffic to confirm there is a legitimate use case for an entity to use an alphanumeric sender ID.

Consultation

The Government undertook two tranches of consultation in 2023 and 2024 to inform development of the Register.[4] The first tranche of consultation was undertaken by the ACMA in February 2023 and targeted to key stakeholders, including telecommunications providers, government agencies, merchants, and consumer organisations. Outcomes from the first tranche of consultation do not appear to be publicly available.

The second tranche of consultation sought public feedback through a discussion paper and survey on whether the Register should adopt a voluntary or mandatory registration model. This consultation was undertaken from 18 February to 20 March 2024 with written submissions published on the website of the Department of Infrastructure, Transport, Regional Development, Communications and the Arts (the Department).

Pilot register

A pilot register was launched in December 2023 as an interim measure, with organisations such as the Commonwealth Bank of Australia, NAB, Services Australia, the Australian Taxation Office, Telstra, Optus, TPG Telecom and Pivotel participating.[5] Lessons from the pilot will inform development of the Register.

Voluntary or mandatory registration model

The Bill does not state whether the Register will employ a voluntary or mandatory model. The model will be determined by Government later this year subject to detailed costings and analysis, as well as outcomes from the second tranche of stakeholder consultations. The Explanatory Memorandum provides examples of what each model would look like:

Under a mandatory registration model, all entities, within Australia and overseas, that wish to continue to send SMS with alphanumeric sender identifications to an Australian mobile phone would have to register those sender identifications. Telecommunications companies would be subject to enforceable rules (under an industry standard) and either prohibited from sending SMS with alphanumeric sender identifications unless they were registered and the sender was the registered party or agent or being required to send such messages with a warning or tag that the message may be a scam. If an entity did not wish to register their sender identifications, they could no longer use those identifications in SMS or Multimedia Messaging Service (MMS), and would have to use phone numbers or numeric short codes as sender identifications instead.

Voluntary registration would allow entities wishing to send messages with alphanumeric sender identifications to choose to apply to register those identifications. Telecommunications companies would be subject to enforceable rules requiring them to check registered sender identifications to determine whether the sender is the registered party.[6]

In a media release of 26 June 2024, the Government notes that 89% of those who participated in the consultation survey favoured a mandatory Register.

 

Committee consideration

Senate Standing Committee for the Scrutiny of Bills

The Bill was considered by the Committee on 3 July 2024. Comments were published in Scrutiny Digest 8 for 2024 with a Ministerial response due by 19 July. The Committee’s webpage indicates that the response was received on 23 July 2024, but at the time of this Digest’s publication the response had not yet been published. The Committee examined the automated decision-making powers in proposed section 484J of the Act (at item 4 of the Bill). The Committee requested the Minister’s advice on the following:

  • whether consideration was given to providing, on the face of the Bill, that only non-discretionary decisions, or non-discretionary aspects of specified decisions set out in proposed section 484J, may be subject to automated decision-making
  • whether the additional criteria to be set out in legislative instruments to be considered under proposed sections 484F and 484G will be limited to non-discretionary matters given they will form the criteria for a decision subject to automated decision-making.[7]

Additional detail on the above is discussed alongside the relevant provisions in the Key issues and provisions section of this Bills Digest.

 

Policy position of non-government parties/independents

On 2 July 2024, the Shadow Minister for Communications, David Coleman, noted the Opposition’s overall support for the Register during his second reading speech on the Bill:

What this bill seeks to do is something very sensible. I think almost all of us, on some occasion, have received a scam text message that pretends to be from someone that it's not … There are a few issues with the bill, which I'll come to in a second, but generally it is sensible and something we support.

There are a few curiosities in the bill. It doesn't say whether the register will be mandatory or voluntary on the part of the telecommunications sector. That's a pretty important point. I believe the sector is open to it being mandatory and is broadly supportive of this legislation, but it's a pretty important point which is missing from the legislation. It also doesn't set a date for when the register will actually start working. Again, that would be good.[8]

 

Position of major interest groups

The positions outlined in this Bills Digest were sourced from selected submissions to the SMS Sender ID Registry – Fighting SMS Impersonation Scams consultation held by the Department from 18 February to 20 March 2024. While the consultation largely focused on whether a voluntary or mandatory model was preferred, broader views on the Register were also included.

Overall, most stakeholders across government and the private sector were supportive of the Register being established but had varied views on its design and implementation. The Communications Alliance (CA) noted concerns were raised by some of its members regarding other anti-scam measures underway and how the Register would fit within the broader regulatory framework as a result. For example, the CA noted that the benefits from the establishment of the NASC have yet to be fully realised, the scheduled review of the Scam Code is forthcoming, and the lessons learnt from the Register’s pilot phase have not been finalised and circulated. Without the findings of these measures, development of the Register and its end state model may be premature.[9]

Feedback on specific provisions outlined in the Bill is discussed in the Key issues and provisions section of this Digest, with broader policy issues presented here.

Implementation issues

Several submissions raised questions about how particular aspects of the Register would function as well as unintended consequences of the Register’s operation.

The Australian Banking Association (ABA) questioned whether a sender ID is blocked if it is not registered and how this is managed including:

  • whether the sender is notified
  • if not wholly blocked, what controls (such as warnings or alerts) are applied to messages
  • whether brands are informed by telcos if they have been impersonated in a scam so that they can take further action to prevent future occurrences.[10]

The ACCC[11] and TPG Telecom[12] considered that SMS messages that do not pass the checks required by the Register should be blocked outright and not just marked as potentially ‘fraudulent’.

The Commonwealth Bank of Australia (CBA) supports blocking sender IDs identified outside of a registered whitelist for an alpha tag, but also notes the need to cover ‘2 way SMS and SMS short codes’ which cannot be sent with alpha tags but are still vulnerable to spoofing. The CBA also notes an unintended consequence of the Register may be that some businesses can no longer use alpha tags which could:

… undermine efforts to build confidence in digital communication channels, as consumers will receive messages from unknown numbers, making it difficult for them to identify a genuine communication.[13]

The Customer Owned Banking Association noted the importance of capturing the evolving nature of scams given:

… the likely effect of the Registry is a shift of scammers from alphanumeric messaging to SMS messaging utilising phone numbers or a greater use of telephone scams. As such, we recommend that consideration be given towards further steps to combat scams utilising these numbers.[14]
 

Financial implications

As part of its Fighting Scams initiative, the Government will provide funding of $10.9 million over 4 years from 2023–24 (and $2.2 million per year ongoing) to the ACMA and the Department to establish and enforce the Register.[15]

 

Statement of Compatibility with Human Rights

As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.[16]

Parliamentary Joint Committee on Human Rights

The Parliamentary Joint Committee on Human Rights had no comment on the Bill.[17]

 

Key issues and provisions

Overview

The provisions in proposed Part 24B of the Act (proposed sections 484B to 484M) relate to the establishment and operation of the SMS Sender ID Register (the Register), and how entities can apply to register their sender IDs on the Register. Most of the Bill concerns administrative matters. The Explanatory Memorandum summarises the simplified outline of Part 24B as follows:

… the new Part would require the ACMA to ensure that the SMS Sender ID Register is established and maintained. The Register will be a Register of sender identifications that have been accepted by the ACMA and other information that may be contained in the Register. Only entities that have been successfully approved to access the Register may apply to the ACMA to have sender identifications registered. New Part 24B contains provisions which confer power on the ACMA to make determinations, by legislative instrument, relating to access to the Register; and its administration and operation.[18]

While the Bill provides the basic framework for the Register’s establishment and operation, many of the details relating to application criteria and other process matters are not specified. The Bill allows for the ACMA to determine what these details are at a later date.

Key definitions

Item 3 adds 5 new definitions to section 7 of the Act in relation to the new Part 24B. Substantive definitions are examined below.

A sender identification (sender ID) is a message header that is used in:

  • SMS and MMS communications (proposed paragraphs 484C(1)(a) and (b))
  • any other communication service specified by the Minister via a legislative instrument (proposed paragraph 484C(1)(c)).[19]

A sender ID must also include one or more of the following:

  • letters, numbers, or symbols (proposed subsection 484C(2))
  • any other thing the Minister specifies by legislative instrument (proposed subsection 484C(5)).

The Explanatory Memorandum notes that the ability of the Minister to specify an additional communications service, or a thing in relation to what constitutes a sender ID, ensures that the evolving nature of communications services and associated technology can be captured by the Register in the future.[20]

The only exception to the above definition is where a sender ID consists only of numbers (such as phone numbers). In this case, it would not be a sender ID for the purposes of Part 24B (proposed subsection 484C(3)).

The Bill does not define what a ‘message header’ is. The Explanatory Memorandum notes that the term ‘message header’:

… would have its commonly understood meaning; namely as the text, numbers or symbols that appear at the top of text messages, to help the recipient of the SMS message (or other type of communication) recognise the organisation, brand, service or business that has sent the particular message.

The message header need not include the name of the organisation sending the message. It could also reflect a slogan, promotion or the purpose of the message. Message headers are typically used by a range of entities, including businesses, banks and government agencies for sending bulk SMS messages, and are also commonly used in messages informing customers about ongoing promotions, closing periods, schedule changes and upcoming sales.[21]

The Explanatory Memorandum defines ‘spoofing’ as:

In general terms… a situation where a scammer pretends to be someone else by disguising a scam SMS to appear as though it came from a trusted source. Scammers commonly ‘spoof’ trusted organisations such as government agencies, banks, law enforcement or utility companies by using the alphanumeric sender identifications (or a sender identification which closely resembles a legitimate sender identification) of those entities to impersonate them.[22]

A spoofing sender identification (spoofing sender ID) refers to a sender ID with a message header that would cause a reasonable person to incorrectly believe that:

  • an authorised entity covered under proposed subsection 484F(2) has sent a message, or authorised a message be sent, to them (proposed subparagraph 484D(b)(i))
  • the information provided in a message is true in relation to a particular thing or matter, an example being government endorsed health information (proposed subparagraph 484D(b)(ii)).[23]

Figure 3 provides an example of how a spoofing sender ID and fraudulent message would appear to the recipient.

Figure 3  Example of a spoofing sender ID and fraudulent message

Source: Explanatory Memorandum, 15.

SMS Sender ID Register

Establishment and maintenance of the Register

Proposed subsection 484E(1) requires the ACMA, or a contracted service provider on the ACMA’s behalf, to establish the Register. Either the ACMA or the contracted service provider could maintain all of the Register, or the ACMA could maintain part of the Register with a contracted service provider maintaining the remainder (proposed subsection 484E(2)). The ACMA must ensure the establishment of the Register as soon as practicable once proposed subsection 484E(1) commences (proposed subsection 484E(9)).

The Explanatory Memorandum notes the intent behind this provision is to acknowledge the complex ICT solution that will likely be required to establish the Register. This will require time to be developed and implemented given it will need to interact with the operating systems of telecommunications providers and the entities wishing to register. The Register is anticipated to be fully operational within 18 months following passage of the Bill.[24]

The Register would contain sender IDs approved under proposed subsection 484G(4) and any other information, including personal information, as determined by the Minister via legislative instrument (proposed subsection 484E(3)). Information determined by the Minister would need to be related to sender IDs (proposed subsection 484E(8)).

Proposed subsection 484E(5) notes the Register must be kept in an electronic format. The Register itself would not be a legislative instrument (proposed subsection 484E(6)).

The Explanatory Memorandum notes the Register could utilise internet technology for the collection, transmission, recording and authentication of information, or that it could be kept in another electronic format.[25]

Issue: lack of clarity around the design of the Register

The CA submission noted that some of its members were unclear on the final form the Register might take:

Further discussion needs to be had between the various stakeholders on the technical design and details regarding how a Registry will be operationalised and scaled. Without knowing if the system is to be a centralised database, a whitelist approach, blacklist, first in best dressed alphanumeric register etc there are more questions than answers on many of the system requirements, than on how a Registry should operate down the track.[26]

Amazon Web Services notes that a cross-section of industry entities should be engaged in the design and implementation of the Register to avoid unintended consequences and other technical issues.[27]

Disclosure of information on the Register

Under proposed paragraph 484E(7)(a), the ACMA may make sender IDs, and the entities that registered them, public so long as this information does not include any personal information as defined in the Privacy Act 1988.

The Explanatory Memorandum notes the intent is to allow a person to check if a sender ID they received an SMS message from is on the Register and which entity registered it. This would assist a person to determine whether a sender ID had been spoofed.[28]

The ACMA may disclose some or all of the information on the Register, including personal information, to Commonwealth entities to assist them to perform their functions or duties, or exercise their powers (proposed paragraph 484E(7)(b)).

The Explanatory Memorandum notes the intent of this provision is to allow government agencies, such as the ACCC or Australian Federal Police, to liaise with one another for a public purpose, including for scam reduction activities.

Similarly, information sharing between Commonwealth entities is critical to the work of the NASC in actively targeting and disrupting scamming operations as they happen. However, there is no mandatory requirement for the ACMA to disclose information on the Register publicly or to Commonwealth entities.[29]

Approval of applicants

Proposed subsection 484F(1) notes that entities covered under proposed subsection 484F(2) may apply to the ACMA for approval. The Explanatory Memorandum clarifies that while the ACMA may contract a third party to assist processing applications on its behalf:  

… all actions associated with decisions for approval and approval of sender identification applications are done for and on behalf of the ACMA. The intention of this provision is to ensure that the Commonwealth has sole and clear carriage of the application process, as only Commonwealth officers will make (or be attributed as having made) decisions on whether to approve applicants under section 484F and whether to approve applications for registration of sender identifications under section 484G.[30]

An entity must be approved under proposed section 484F before it may apply to register a sender ID. Eligible entities are: an individual; body corporate; corporation sole; body politic; a government entity; partnership; any other unincorporated association or body of persons; a trust; or a superannuation fund.

The Explanatory Memorandum notes that entity approval is an initial vetting step to minimise the possibility of ‘bad actors’ attempting to access the Register so that they can register spoofing sender IDs for scam purposes.[31]

Proposed subsection 484F(3) details the information that must be included in an application by an entity and how this information should be provided to the ACMA. Proposed paragraph 484F(3)(a) notes the application must be made in the form approved under proposed subsection 484F(10), which the ACMA must publish online.

The Explanatory Memorandum notes that the form would likely be an ‘interactive and sequential online process’, such as ACMA Assist and would include information and guidance on the steps to register.[32]

Proposed paragraph 484F(3)(b) requires the application to include the information requested by the form. The Explanatory Memorandum notes that this could be an entity’s email address and other contact details. The purpose of this requirement is to ensure entities verify their identity as part of the application process.[33]

Proposed paragraph 484F(3)(c) notes that there may be a fee for submitting the application. The fee amount would be determined under section 60 of the Australian Communications and Media Authority Act 2005 (the ACMA Act).

The Explanatory Memorandum notes that subsection 60(1) of the ACMA Act allows the ACMA to determine the fee amount and to specify the times when fees are payable. This could be a one-off processing fee for the first stage of the application and then a periodic charge to maintain the registered sender ID for a specified time e.g. 1 year, 2 years etc. Once that time period expired, the registration of the sender ID would lapse and the ACMA could remove the entry from the Register.[34]

Proposed paragraph 484F(3)(d) would require the application to comply with any other requirements determined by the ACMA under proposed subsection 484L(1). These could include (but are not limited to) requirements related to the making of the application, or how the applicant’s identity is verified (proposed paragraphs 484F(4)(a) and (b)).[35]

If an entity’s application complies with the requirements set out in proposed subsection 484F(3), the ACMA must grant it an approval (proposed subsection 484F(5)). If the requirements in proposed subsection 484F(3) are not met, the ACMA must, in writing, refuse to grant the entity approval (proposed subsection 484F(6)).

Proposed subsection 484F(7) notes that the ACMA may, in writing, revoke an entity’s approval if it is satisfied it would be appropriate to do so in all the circumstances.

The Explanatory Memorandum notes this provision is intended to be broad in scope to include circumstances where revocation is in the interests of preventing potential scam activity. Furthermore:

The factors which the ACMA (or any delegate) must take into account when exercising this [discretion] are not express and can be inferred by the power itself, when read in the context of new Part 24B and with regard to established general principles of the exercise of discretion in administrative decision making. These include:

  • acting within power and consistently with the objects of the [Telecommunications] Act;
  • acting in good faith and for a proper purpose;
  • considering only relevant considerations and ignoring irrelevant ones;
  • acting reasonably, and on reasonable grounds;
  • acting without bias;
  • making decisions based on supporting evidence; and
  • exercising the discretion independently and not under the dictation of a third person/body.

Examples of circumstances where the ACMA could exercise this discretion to revoke an entity approval under proposed subsection (7) include:

  • if it becomes apparent that an applicant has currently or previously submitted information that is untruthful in an approval application;
  • if the applicant is charged with offences connected to scam activity; and
  • if it becomes apparent that an applicant has been involved in scam activity, or has previously been connected to a business or entity that has previously been involved in scam activity.[36]

Proposed subsection 484F(8) requires the ACMA to give the relevant entity written notice of decisions made under subsections 484F(5), (6) or (7). The notice must include a statement about review rights (see section 557 of the Act). If the decision was made by a computer program, as allowed for in proposed subsection 484J(1), the notice must inform the entity that the decision was made by a computer program.

Applying to register a sender ID

Once an entity is approved under section 484F, it can apply to the ACMA for one or more sender IDs to be registered on the Register (proposed subsection 484G(1)). The process is similar to the entity approval application process.

The application must specify each sender ID to be registered (proposed paragraph 484G(2)(a)), be accompanied by a fee if required (proposed paragraph 484G(2)(b))[37], and comply with any other requirements determined by the ACMA. This could include requirements related to the making of the application, or how the applicant’s identity is verified (proposed subsection 484G(3)). The criteria may also relate to ensuring that a spoofing sender ID is not accepted through the application process (proposed subsection 484G(5)).

The Explanatory Memorandum notes that the ACMA is expected to develop objective, risk‑based criteria to ensure spoofing sender IDs are not accepted into the Register.[38]

The ACMA must, in writing, accept one or more sender IDs made in an application under proposed subsection 484G(1) if they meet all of the following requirements:

  • the sender IDs and the application meet the criteria (if any) specified in a determination under proposed subsection 484L(1) (proposed paragraphs 484G(4)(a) and (b))
  • the application complies with the requirements in proposed subsection 484G(2) (proposed paragraph 484G(4)(c)).

The note to this provision says that approved sender IDs must be included in the Register. If a determination under proposed subsection 484L(1)(a) specifies a time period for a sender ID to be registered, it must be registered before the end of that time period (proposed subsection 484E(4)).

The ACMA must, in writing, refuse to register sender IDs or applications that have not met the criteria determined under proposed subsection 484L(1) or if an application does not meet the requirements detailed in proposed subsection 484G(2) (proposed paragraphs 484G(7)(a) and (b)).

When giving notice to accept or refuse a sender ID or application, the ACMA must provide its decision to the applicant in writing (proposed subsection 484G(8)). The note to this provision advises that the notice must also include a statement about review rights, as required by section 557 of the Act. Similarly, if the decision was made by a computer program as allowed for in subsection 484J(1), the notice must advise the applicant of this (proposed subsection 484G(9)).

Issue: criteria for sender IDs

Pivotel notes the challenges of indexing possible sender ID permutations and proposes an alternative approach that extends to message contents:

We strongly believe that this will become unmanageable for the Registry and CSPs. The issue of infinite possible source combinations is exacerbated further by the dynamic nature of how A2P SMS is routed. Such a Registry would be attempting to contain a boundless system that is constantly changing. The Registry model needs to leverage fundamentally finite and stable parameters for it to scale to an effective, workable and fit-for-purpose mandatory model.

Pivotel continues to hold the position that the best parameter to support a finite list of legitimate sender IDs is an equally finite list of legitimate calls to action (CTAs) that businesses may include in their A2P SMS messages. This should include URL domains, email domains and telephone numbers.[39]

Amazon Web Services notes that enterprises with multiple distinct brands should be able to register for more than one sender ID.[40] TPG Telecom notes that:

The registration of an alphanumeric Sender ID should not restrict the use of that Sender ID to one user. Multiple brands could register the same Sender ID, provided they can demonstrate a connection to the Sender ID.[41]

Issue: effects of the registration fee on small businesses

The ABA disagrees with the proposal that the cost of operating the proposed registry should be entirely borne by businesses on the Register. It argues that carriers should share some of the cost as is the case in a range of other banking industry anti-scam initiatives.[42]

Yabbr (an Australian-owned communications startup) notes that:

The cost of such systems is inherently inflated due to implementation and operational inefficiencies, and red tape, which could see even the registration fees being prohibitive to very small businesses. In addition to the simple registration fee, significant investment is required to gain an understanding of the system, complete the registration process, maintain the registration and implement any necessary system or software changes. These costs form significant barriers to SMEs which can result in disadvantage leading to anticompetitiveness.[43]

Similarly, Sinch (a global messaging provider) notes that:

The Registry should adopt a cost model that is accessible to small business should there be a need to expand the Registry scope beyond the well-known most frequently misused brands. This could be achieved, for example, by allowing C/CSPs to appropriately apply surcharges by having regard to the sending volumes of that business.[44]

Removal of a sender ID from the Register

The ACMA can remove an entry from the Register if it is satisfied that:

  • the sender ID is offensive, misleading, or deceptive (proposed paragraph 484H(1)(a))
  • the sender ID is a spoofing sender ID (proposed paragraph 484H(1)(b)), or
  • it would be appropriate in all circumstances to remove the entry (proposed paragraph 484H(1)(c)).

The Explanatory Memorandum notes the following:

In relation to proposed paragraph 484H(1)(a) the concept of offensive is intended to capture message headers which are, or contain words that are, commonly accepted as being offensive. This ground provides a basis, in very limited and exceptional circumstances, for the ACMA to remove the registration of a sender identification that would violate the community’s expectations of a Register administered by a government agency.

The concepts of ‘misleading’ and ‘deceptive’ are expected to be applied broadly and could capture conduct that is wider than misleading and deceptive conduct under subsection 18(1) of the Australian Consumer Law. For example, a message header that conveyed a misleading connection with government, or the Royal Family, or related to things that do not exist in Australia e.g. (‘Federal Tax Department’) could be removed.[45]

The Explanatory Memorandum notes that the purpose of proposed paragraph 484H(1)(c) is to operate as a consumer protection whereby the ACMA has broad discretion to remove an entry that has been mistakenly registered or where its registration period has lapsed.[46] In making this decision, the general principles that apply to the exercise of discretion in administrative decision making apply.[47]

Under proposed subsection 484H(2), the ACMA does not have to observe requirements of the natural justice hearing rule when exercising its power to remove an entry from the Register. The Explanatory Memorandum notes that this provision:

… enables the ACMA to act swiftly, in the public interest, to deal with problematic identifiers entered onto the Register.

The exclusion of the hearing rule is considered necessary and justified on public interest grounds to rapidly protect consumers from potential harm (personal and financial) arising from SMS scams.[48]

The Explanatory Memorandum notes the exclusion to procedural fairness requirements is limited to the natural justice hearing rule, which allows people affected by a proposed administrative decision to have the opportunity to be heard by the decision maker, especially where that decision may adversely affect the person’s rights, interests, or legitimate expectations. The rule against bias, which is the second fundamental natural justice rule, and which requires a decision maker to be impartial and unprejudiced on the question they are considering, still applies as it is not included in this provision.[49]

The Explanatory Memorandum notes that decisions to remove an entry from the Register could be subject to reconsideration by the ACMA under sections 555 and 558 of the Act and must be accompanied by a statement of reasons (pursuant to section 559 of the Act). Reconsidered decisions are then subject to merits review by the Administrative Appeals Tribunal or its successor, the Administrative Review Tribunal (see section 562 of the Act).[50]

As noted in the following section of this Digest, under proposed subsection 484L, the ACMA can make determinations about the administration and operation of the Register, including about the removal of entries from the Register. A determination by the ACMA in relation to the removal of entries may expand upon the reasons listed in proposed subsection 484H(1) but cannot limit them (see proposed subsection 484L(5)).

Determinations relating to the Register

The Explanatory Memorandum notes that proposed section 484L covers the determinations that can be made by the ACMA in relation to certain matters, including detailed rules, operational aspects, fees, and processes. The end state of the Register (i.e. whether it’s voluntary or mandatory), will inform the content of these future instruments.[51]

The ACMA may determine:

  • an upper time limit for registration of a sender ID (proposed paragraph 484L(1)(a))
  • requirements for an application from an entity for approval (proposed paragraph 484L(1)(b))
  • requirements for applications to register a sender ID (proposed paragraph 484L(1)(c))
  • criteria for the acceptance of applications and sender IDs (proposed paragraphs 484L(1)(d) and (e))
  • access to the Register and any fees payable (proposed subsections 484L(2) and (3)).

Examples of things the ACMA may determine under these provisions include:

  • the number of characters in a sender ID
  • how many sender IDs can be included in a single application
  • the requirement for a valid use case to ensure legitimate registration of a sender ID.[52]

The ACMA may also determine aspects of the administration and operation of the Register, including one or more of the following:

  • the manner in which entries are to be made on the Register (proposed paragraph 484L(4)(a))
  • the correction of entries in the Register (proposed paragraph 484L(4)(b))
  • the removal of entries in the Register (proposed paragraph 484L(4)(c))[53]
  • any other matter relating to the administration or operation of the Register (proposed paragraph 484L(4)(d)), such as the handling of complaints and enquiries about how the Register operates.[54]

The Explanatory Memorandum provides examples of how this might operate in practice. A determination made under this subsection could provide for:

  • how approved Australian sender identifications (as defined) may be entered on the Register;
  • processes required to update or correct a registered sender identification, or information in relation to the registered sender identification (such as contact details);
  • arrangements for the removal of entities from the Register after a period of time. This is referenced as a note under the section, and reflects the possibility that the ACMA could impose a periodic charge related to the maintenance of a registration of a sender identification for a specified time (e.g. 1 year, 2 years, 5 years). Once the specified time has expired, the registration of the sender identification would lapse, and the ACMA would remove the entry from the Register.[55]

As noted earlier, if the ACMA makes a determination under proposed section 484L, about the removal of entries from the Register, this will not limit the ability of the ACMA to remove an entry where any of the scenarios listed in proposed subsection 484H(1) apply (proposed subsection 484L(5)).[56]

Determinations made under subsections 484L(1), (2), or (4) are legislative instruments (proposed subsection 484L(6)). The Explanatory Memorandum notes that these determinations are subject to Parliamentary disallowance and must be registered on the Federal Register of Legislative Instruments. Ultimately it is the ACMA’s decision as to which determinations it makes, if any.[57]

 

Other provisions

Automation of administrative action

The ACMA may use computer programs to assist with some of its decision-making functions in relation to the Register. The Explanatory Memorandum notes:

To facilitate the efficient registration of sender identifications on the Register and the expected high volume of applications (for entities and also sender notifications), it is likely that the application and registration processes will include some aspects which are automated or aided through the use of computer programs.[58]

Under proposed subsection 484J(1), the Chair of the ACMA may, in writing, arrange for the use of computer programs to take administrative action under Part 24B. The ACMA Chair would provide oversight of this process. This arrangement would not be a legislative instrument (proposed subsection 484J(6)). The ACMA Chair can also delegate, in writing, their power under proposed subsection 484J(1) to an ACMA SES, or acting SES, employee (proposed subsection 484J(7)).

The Explanatory Memorandum notes:

This oversight will support ongoing monitoring of the operation and the validity of computer programs arranged for use. A written record of any future arrangement ensures appropriate accountability, responsibility and record-keeping for the use of computer programs taking administrative action. Written records of arrangements will be particularly important to inform review rights, complaints and also in any future legal proceedings and reporting obligations.[59]

Proposed subsection 484J(2) defines the following as an administrative action:

  • making a decision under proposed subsection 484F(5) or (6), which involves approving or refusing an entity’s application for approval
  • making a decision under proposed subsection 484G(4), (6) or (7), which involves approving or refusing an application to register a sender ID or the sender ID itself
  • giving a notice under subsection 484F(8) or 484G(8), which involves giving notice of a decision in writing when accepting or refusing an application for approval, an application to register a sender ID, or the sender ID itself
  • doing, or refusing or failing to do, anything related to making a decision under proposed subsection 484F(5) or (6) or 484G(4), (6) or (7).

The Explanatory Memorandum notes:

Where a decision involves the exercise of discretion or an evaluative judgement, a computer program will not be programmed to take action. This includes cases where an exception is raised because the case falls outside of business rules relating to the assessment of an application for a sender identification, or the case meets parameters requiring the decision to be made by a human – the required final decision would be taken by a human rather than the computer. The term ‘failure’ would include inaction by the computer program, either by design or by fault.

‘Anything related to…’ is intended to extend to the use of computer programs to assist with preliminary procedural or routine aspects leading to the final administrative action. For example, where: (i) a computer program materially contributes to the final action taken by a person; (ii) the computer program determines the non-discretionary aspects of a decision and leaves discretionary elements of a decision to be made by a human; (iii) the computer program guides a person through the decision-making process through analysis and recommending decisions that are available to the decision-maker based on the data.[60]

The Explanatory Memorandum notes that in situations where a human undertakes the substantive analysis and makes the administrative decision, legislative authority is not required for the use of a computer system in this process. For example, legislative authority would not be required where an individual used a spreadsheet to track the number of sender IDs registered in a period.[61]

An administrative action taken by a computer program under an arrangement made under proposed subsection 484J(1) is to be treated as an administrative action taken by the ACMA (proposed subsection 484J(3)). The Explanatory Memorandum notes that this provision preserves the review mechanisms that would be available if a human had taken the administrative action.[62]

The ACMA may substitute a decision made by the computer program if it is satisfied that the decision made by the computer program is incorrect (proposed paragraph 484J(4)(a)); or where the computer program has approved a sender ID which the ACMA is satisfied is actually a spoofing sender ID (proposed paragraph 484J(4)(b)). The ACMA must provide a written notice to the entity that is the subject of a substituted decision within 14 days of making said decision (proposed subsection 484K(4)). The notice would need to include a statement about review rights (see section 557 of the Act).

The substituted decision would take effect on the day specified by the ACMA, which may be earlier than the day the substituted decision is made, or the day the computer program made the original decision (proposed paragraphs 484J(5)(a) and (b)).

The Explanatory Memorandum notes:

The proposed subsection recognises the potential for errors to occur in the decision-making process, including through computer errors, coding or system malfunctions. It is important to enable the substitution of a decision or administrative action taken with the assistance of a computer program in these situations. This provision would ensure that the ACMA can override or substitute a decision informed through the use of a computer when required.[63]

Oversight and safeguards for automation of administrative action

Proposed section 484K provides oversight and safeguards for matters involving the use of computer programs under an arrangement approved under proposed section 484J. The Explanatory Memorandum notes that the measures under proposed section 484K are in recognition of the Government’s work to:

… develop a consistent legislative framework for automated-decision making, as part of the Government’s response to recommendation 17.1 of the Royal Commission into the Robodebt Scheme Report. They are intended to ensure automated systems comply with administrative law principles of legality, fairness, rationality and transparency.[64]

The ACMA Chair must take all reasonable steps to ensure that an administrative action taken by a computer program in accordance with an arrangement approved under proposed subsection 484J(1) is one the ACMA could validly take (proposed subsection 484K(1)). The Explanatory Memorandum notes the following:

  • the ACMA Chair would need to ensure the computer program is functioning lawfully and correctly on an ongoing basis
  • the computer program could make valid decisions in relation to the specified administrative actions by using pre-programmed decision-making criteria without human judgement at the point of decision
  • ‘reasonable steps’ will depend on the circumstances but could include regular audits and updates of the computer system to ensure compliance with Part 24B.[65]

If there are regulations in relation to proposed subsection 484K(1), then the ACMA Chair must do what is prescribed in those regulations (proposed subsection 484K(2)), noting that an administrative action may still be invalid even if proposed subsections 484K(1) and (2) are complied with. Additionally, a failure to comply with proposed subsections 484K(1) and (2) does not affect the validity of an administrative action taken by a computer program.

If the ACMA Chair makes an arrangement to use a computer program for administrative action purposes under proposed subsection 484J(1), they must publish a statement on the ACMA website noting this, as well as the provisions under which such actions may be taken (proposed paragraphs 484K(5)(a) and (b)).

Furthermore, when preparing the ACMA annual report, the ACMA Chair must include the following information:

  • the total number of substituted decisions made by the ACMA under proposed subsection 484J(4) (proposed paragraph 484K(6)(a))
  • the kinds of substituted decisions made (proposed paragraph 484K(6)(b))
  • the kinds of decisions taken by the computer program that the ACMA was satisfied were not correct (proposed paragraph 484K(6)(c)).

The ACMA Chair can also include any other information (other than personal information) about the operation of sections 484J and 484K that they deem appropriate for that period.

The Senate Standing Committee on the Scrutiny of Bills raised concerns about the automated decision-making process when it came to discretionary and non-discretionary decisions:

The committee’s position is that administrative automated decision-making should only be applied to non-discretionary decisions, and while this intent is reflected in the explanatory memorandum, this protection would be strengthened by being included on the face of the bill itself. These concerns are heightened by the operation of proposed paragraphs 484F(3)(d), and 484G(4)(a) and (b) which allow for criteria relevant to the decisions to be set out in legislative instruments. This prevents the committee from assessing whether or not such criteria could be considered discretionary and therefore whether it is appropriate for decisions made under proposed subsections 484F(5) or (6) and 484G(4), (6) or (7) to be subject to automated decision-making [emphasis added].

Further, the committee is concerned that the impact of proposed subsection 484K(3) is to water down the effectiveness of the oversight measures in proposed subsections 484K(1) and (2) by providing that a failure to comply with these safeguards does not invalidate decisions.[66]

Application of the Privacy Act to contracted service providers

The Explanatory Memorandum notes that the ACMA will need to have appropriate information security practices and technical systems in place to ensure compliance with Australian Privacy Principle 11—security of personal information. The ACMA will be expected to conduct privacy impact assessments as part of the design, development and running of the Register and where it engages a contracted service provider to assist.[67]

Proposed section 484M provides that if a contracted service provider is involved in the establishment or maintenance of the Register, any action taken by the contracted service provider in relation to the Register is taken to be the provision of a service to the ACMA under the contract. 

The Explanatory Memorandum notes that the intent of section 484M is:

… to ensure that if the ACMA contracts out its function of establishing the Register, or contracts out its function of maintaining the Register (in whole or in part) to another person (the contracted service provider), then the contract would be a ‘Commonwealth’ contract for the purposes of section 95B of the Privacy Act.

In compliance with the Privacy Act, the ACMA would need to implement contractual measures to ensure that the contracted service provider does not do an act, or engage in a practice, that would breach an APP if done or engaged in by the agency (section 95B). As the contract that is the primary source of a service provider's privacy obligations in relation to its activities is performed under the contract with the Commonwealth, section 95B provides a safeguard to ensure that Commonwealth contracts provide for the contracted service provider to comply with the APPs as if it were an agency in respect of its activities under the contract.[68]

Review function

Item 5 of the Bill inserts 7 new paragraphs after paragraph 1(x) of Schedule 4 of the Act, which sets out reviewable decisions of the ACMA. The Explanatory Memorandum notes that the effect of Item 5 would be that the following decisions would be subject to merits review by the ACMA under section 555 of the Act:

  • a decision under proposed subsection 484F(6) to refuse to grant an approval [of an entity];
  • a decision under proposed subsection 484F(7) to revoke an approval [of an entity];
  • a decision under proposed subsection 484G(4) to accept one or more sender identifications;
  • a decision under proposed section 484G(6) to refuse one or more sender identifications;
  • a decision under proposed subsection 484G(7) to refuse an application;
  • a decision under proposed section 484H to remove an entry from the Register;
  • a decision under proposed subsection 484J(4) in relation to substituting a decision.[69]

The Explanatory Memorandum notes that these reviewed decisions would also be subject to further merits review by the Administrative Appeals Tribunal or its successor, the Administrative Review Tribunal (see section 562 of the Act).[70]