Purpose and structure of the Bill

The Scams Prevention Framework Bill 2024 (the Bill) implements the Scams Prevention Framework (SPF) through amendments to the Competition and Consumer Act 2010 (CCA) and other related legislation. The Bill consists of one schedule with two parts which introduce the SPF to prevent and respond to scams that impact the Australian community.

To achieve this, the Bill introduces proposed Part IVF into the CCA (Part 1 of the Bill) and makes other technical amendments (Part 2 of the Bill). Part 1 of the Bill:

• allows the Minister to designate ‘regulated sectors’, which enlivens SPF obligations, and defines ‘regulated entities’ and ‘regulated services’ (Division 1)
• introduces principles-based obligations, which require regulated entities to detect, prevent, report and disrupt scams. Additionally, regulated entities will be required to maintain corporate records, report certain information to regulators, and establish dispute resolution frameworks for consumers subject to scams (Division 2)
• allows the Minister to make sector-specific codes which accord with the SPF (Division 3)
• allows the Minister to authorise external dispute resolution schemes (Division 4)
• establishes the Australian Competition and Consumer Commission (ACCC) as the ‘SPF general regulator’, and allows for the appointment of other Commonwealth entities as ‘sector regulators’ (Division 5)
• authorises the appointment of inspectors to monitor and investigate compliance with the SPF and SPF codes who, in certain circumstances, will possess specified powers with respect to monitoring and investigating compliance (Division 6), and
• provides mechanisms for the recovery of damages for scam victims as a result of contravention of civil penalty provisions by a regulated entity, as well as other non-punitive orders (Division 6).

Background

Australians lose billions of dollars to scams each year. Reported financial losses from scams in Australia in 2023 amounted to at least $2.74 billion (p. 1) (the figure is likely higher, as it is understood that many scams are not reported). While this is a decrease from the $3.1 billion lost to scams in 2022, the 2023 losses remain higher than the annual losses in both 2020 and 2021. Moreover, around 601,000 scams were reported during 2023, which reflects an 18.5 per cent increase over the 2022 reporting period. Investment scams, which accounted for approximately $1.3 billion of total scam losses in 2023, are overwhelmingly the largest source of these financial losses (Report of the National Anti-Scam Centre on scams activity 2023, p. 4).

A number of different government and non-government entities currently exist that are involved in monitoring and regulating scam activity, including the National Anti-Scam Centre (NASC), the Australian Securities and Investment Commission (ASIC), the Australian Financial Complaints Authority (AFCA) and the Australian Financial Crimes Exchange (AFCX). Additionally, a range of government and industry measures have also been developed, or are currently in development, to address scam threats. These include the Scam-Safe Accord (a banking sector code), the Australian Online Scams Code (signed by several social media companies), the Reducing Scam Calls and Scam SMS Industry Code (a telecommunications industry code), and the SMS Sender ID Register.

Despite this, the Explanatory Memorandum for the Bill states that:

[c]urrent scam protections are piecemeal and inconsistent across the economy. As a result, Australian consumers face inconsistent protections with differing service providers. While some sectors have industry codes to address scam activity, other sectors have no formal scam protection requirements, providing scammers with an avenue to target consumers. (emphasis added) (p. 4)

As the Minister for Financial Services has noted, there is currently ‘no clear obligation’ on banks, telecommunications companies or social media platforms in relation to scam management. Moreover, whilst there has been a ‘downward trend’ in scam-related financial losses during 2023-24, the ACCC notes ‘there remains much important work to be done’ (see ACCC Annual Report 2023-24, p. 8).

The Bill has been developed for the purpose of addressing these concerns. The Treasury undertook public consultation in relation to an Exposure Draft (ED) of the Bill from 13 September 2024 until 4 October 2024. During this period, 85 stakeholder submissions were received. The Bill was introduced into the House of Representatives on 7 November 2024.

Policy position of non-government parties/independents

In his 2023 Budget Reply speech, the Leader of the Opposition, Peter Dutton stated that a Coalition Government would ‘impose more onerous obligations on big digital companies to stop scams and financial fraud.’

Several independent members of Parliament have spoken about scams in the context of the Bill (including the ED). On Wednesday 11 September 2024, Zali Steggall raised a matter of public importance in relation to scams. Several independent MP’s spoke on this matter, including Dr Sophie Scamps, Kate Chaney, Kylea Tink, Dr Helen Haines, and Zoe Daniel. Separately, Dai Le spoke about how scams in Australia particularly impact vulnerable persons including non-English speaking migrants.

Several independent MPs, including Dr Monique Ryan and Allegra Spender, have articulated concern that the ED did not contain a scams reimbursement model for consumers, and have shown support for a mandated reimbursement scheme similar to the United Kingdom (UK) reimbursement scheme.[1] Senator David Pocock has stated that a scam reimbursement model ‘is the most effective means of getting financial institutions to take this seriously and reduce scam losses.’

Key issues and provisions

What sectors, services and entities will be regulated by the SPF?

The Minister may, by legislative instrument, designate regulated sectors, which would be subject to SPF obligations: proposed subsection 58AC(1) of the CCA (item 1 of the Bill constitutes all provisions referred to below unless otherwise specified). Both individual businesses and services, and classes of businesses and services could be designated.

The type of businesses or services that may be designated under the Bill are defined non-exhaustively, but may include (proposed subsection 58AC(2)):

• banking businesses
• insurance businesses, and
• postal, telegraphic, or telephonic services, including carriage, electronic (such as social media services) and broadcasting services.

A banking, insurance or communications business or service of a regulated sector is a regulated service, and a person who is engaged in such a business or service is a regulated entity: proposed subsection 58AD(1). Other business or services may also be regulated services, and persons engaged in such businesses or services may be regulated entities: proposed subsection 58AD(2). Complete or partial exceptions to these definitions may be provided under the SPF rules (made pursuant to proposed section 58GE), or under an instrument that designates a regulated sector: proposed subsections 58AD(4)-(5)).

Before designating a regulated sector, the Minister must consider certain things including scam activity in the sector, the interests of consumers if the sector became a regulated sector, the likely consequences for the public, and any other relevant matters: proposed section 58AE.

What constitutes a ‘scam’?

The Bill defines scam as a direct or indirect attempt (whether successful or otherwise) to engage an SPF consumer of a regulated service in a way that it would be reasonable to conclude involves deception (an attempt that involves deception is explained in proposed subsection 58AG(2)) and, if successful, would cause loss or harm: proposed section 58AG. As stated in the Explanatory Memorandum (p. 15), the definition of scam ‘is deliberately broad to capture the wide range of activities scammers engage in and their ability to adapt and to adopt evolving behaviours over time.’

Meaning of ‘SPF consumer’

An ‘SPF consumer’ is defined as a natural person or small business operator who is provided a service in Australia, or a natural person who is ordinarily resident in Australia but is provided a service outside of Australia by a regulated entity that meets certain taxation-related residency requirements: proposed section 58AH.

Who are SPF regulators?

There are two types of SPF regulators established in the Bill:

(1)   SPF general regulator

The ACCC is the regulator (referred to as the SPF general regulator) for all provisions except for SPF codes (discussed below): proposed section 58EB. The ACCC’s functions and powers for the purposes of the SPF include:

• reviewing and advising the Minister about the operation of SPF provisions
• exercising existing functions outlined in section 155 (power to obtain information, documents and evidence) of the CCA to the extent it relates to SPF provisions, and
• developing and publishing non-binding guidance material relating to SPF provisions.

(2)   SPF sector regulators

The Minister may, by legislative instrument, designate a Commonwealth entity to be the SPF sector regulator for a particular regulated sector: proposed section 58ED. For instance, it is expected that the Australian Communications and Media Authority (ACMA) will be designated as the sector regulator for the media and communications sector, and ASIC as the corporate markets and financial services sector regulator. Other agencies may also be designated SPF sector regulators (Explanatory Memorandum, p. 81).

If ACMA is authorised as an SPF sector regulator, then Part 26 (Investigations) and Part 27 (ACMA’s information‑gathering powers) of the Telecommunications Act 1997 apply for SPF purposes: proposed section 58FG.

If ASIC is authorised as an SPF sector regulator, then certain provisions of the Australian Securities and Investments Commission Act 2001 (being Divisions 1, 2, 3 (other than sections 30A, 30B and 39A), 7, 9 and 10 of Part 3) apply for SPF purposes: proposed section 58FH.

Ministerial powers to make sector specific SPF codes

To regulate specific sectors the Minister may, by legislative instrument, make a code (SPF code) for each regulated sector: proposed section 58CB. Each SPF code must be consistent with SPF principles: proposed section 58CC. Specific functions and powers of SPF sector regulators may be contained within an SPF code.

Information sharing between regulators

An SPF regulator may disclose information or documents to another SPF regulator if doing so is relevant to the operation (including enforcement) of the SPF provisions: proposed section 58EG. An SPF regulator that discloses information or documents is not required to notify any person of its disclosure actions or intentions: proposed section 58EI.

The SPF general regulator is required to enter an arrangement with each SPF sector regulator relating to the regulation and enforcement of SPF provisions: proposed section 58EF. These arrangements can include, for example, when disclosures should be made between SPF regulators (see the Note in proposed section 58EH).

Regulated entity obligations: what are entities required to do?

Division 2 of proposed Part IVF requires entities to comply with principles-based obligations. Regulated entities are required to implement appropriate governance arrangements, report certain information to SPF regulators, and have accessible forums for consumers to report scams. Additionally, an entity must take reasonable steps (defined in proposed section 58BB) to prevent, detect and disrupt scams.

(1)   Governance requirements

Regulated entities are required to establish governance policies about how they will prevent, detect, disrupt, respond to and report scams: proposed paragraph 58BD(1)(a). Once established, entities are required to implement their governance policies and create performance metrics and targets assessing the effectiveness of their policies: proposed paragraphs 58BD(1)(b)–(c). Entities must keep records relating to their governance policies for 6 years: proposed subsection 58BF. If an entity fails to comply with these requirements, it may be liable for civil penalties.

Governance policies (and associated documents) must be certified annually by a senior officer (defined in item 5): proposed subsection 58BE(1). If a senior officer does not certify governance policy compliance within the required timeframes, the entity is liable for civil penalties: proposed subsection 58BE(2).

(2)   Prevention requirements

Regulated entities must take reasonable steps to prevent scam activity from occurring. Taking reasonable steps for the purpose of preventing scam activity requires more than merely acting on actionable scam intelligence (defined in proposed section 58AI) which the entity has received: proposed subsection 58BK(1). If an entity fails to comply with these requirements, it may be liable for civil penalties.

(3)   Detection requirements

Regulated entities must take reasonable steps to detect scams related to regulated services they offer. This includes, but is not limited to, taking reasonable steps to detect a scam as it happens or after it happens: proposed subsection 58BM(3). Failure to take reasonable steps to detect scams may result in civil penalties.

Additionally, an entity contravenes requirements if it has in its possession actionable scam intelligence relating to a regulated service, and it fails to take reasonable steps to investigate (within 28 days) whether the activity is a scam: proposed section 58BN. Failure to take reasonable steps to investigate may result in civil penalties. Regulated entities may also be liable for civil penalties if they fail to take reasonable steps to identify impacted SPF consumers impacted by scams: proposed sections 58BN and 58BO.

(4)   Reporting requirements

An entity must report any actionable intelligence it has about scams to the SPF regulator: proposed section 58BR. Failure to report this information may result in civil penalties.

The SPF general regulator may disclose information relating to scams with prescribed entities including Commonwealth agencies, law enforcement agencies, and relevant agencies of foreign countries (being law enforcement or regulatory agencies responsible for scam prevention): proposed section 58BV. Information may be shared with prescribed foreign agencies if the SPF general regulator is satisfied that certain conditions have been met, relating to the storage and use of such information, and that it is appropriate to disclose the information to the foreign agency: proposed subsection 58BV(3).

(5)   Disruption requirements

Entities that possess actionable scam intelligence are required to take reasonable steps to disrupt the scam activity or prevent any loss or harm arising from the activity: proposed section 58BX. Failure to take reasonable steps may result in civil penalties. The word ‘disrupt’ is not defined in the Bill or the CCA. However, the Bill notes that the reasonable steps taken to disrupt ‘should be proportionate to the actionable scam intelligence’: proposed subsection 58BX(3). Within this subsection, the Bill provides the example (Note 1) of a bank receiving a substantial number of similar reports of suspicious activities, noting in those circumstances it may be appropriate to pause or delay authorised payments while the bank investigates (satisfying the disruption requirements).

Safe harbour for taking actions to disrupt a scam activity

A regulated entity will be provided safe harbour (meaning the entity will not be liable in civil action or civil proceedings) for taking action to disrupt a scam activity, subject to certain requirements: proposed section 58BZA. Safe harbour will be provided for a maximum of 28 days, so long as the actions of the regulated entity are undertaken in good faith, in compliance with the SPF provisions, and are reasonably proportionate to the scam activity: proposed subsection 58BZA(2).

(6)   Response requirements

Each regulated entity is required to have an accessible mechanism for consumers to report scam-related activities to the entity: proposed section 58BZC. Failure to have this mechanism may result in civil penalties.

Internal dispute resolution

A regulated entity must have an accessible and transparent internal dispute resolution (IDR) mechanism to deal with a person’s complaint about a scam or scam related activity: proposed section 58BZD. SPF consumers will be able to bring complaints about scams relating to an entity’s regulated services, and about the entity’s conduct relating to such scams. If an entity does not have an IDR mechanism, it may be liable for civil penalties.

External dispute resolution

Where complaints are not resolved at the IDR stage, or if the IDR outcome is unsatisfactory, consumers can escalate their complaints to an independent and impartial external dispute resolution (ED) mechanism. The Minister may, by legislative instrument, authorise an EDR scheme (SPF EDR scheme): proposed section 58DB. There are two possible types of SPF EDRs that can be established. Firstly, the SPF EDR scheme can be a scheme that is already authorised under Commonwealth law: proposed paragraph 58DB(1)(a). For example, AFCA could be designated: Note 1 to proposed subsection 58DB(1). A Treasury officer stated in Senate Estimates on 6 November 2024 (p. 113) that it was the Government’s intention that AFCA, as an SPF EDR, would be ‘a one-stop shop’ for consumers who have been scammed. Authorising AFCA would enliven ASIC’s functions and powers relating to the AFCA scheme for the purposes of the SPF (see: Note 1 of proposed subsection 58DB(1)).

Secondly, the Minister may, by legislative instrument, authorise an SPF EDR scheme (that is not currently authorised by Commonwealth law), so long as the Minister is satisfied that certain requirements prescribed in the SPF rules are satisfied: proposed paragraph 58DB(1)(b). If the Minister authorises a scheme, then the SPF rules may prescribe certain requirements which are to be met: proposed section 58DC. If an SPF EDR scheme becomes aware of certain contraventions in relation to SPF requirements, then the SPF EDR operator must give particulars to the relevant SPF regulator: proposed section 58DD.

A regulated entity must not provide a service if it is not a member of an SPF EDR scheme: proposed section 58BZG.

Enforcing the SPF

Contraventions of the SPF may be enforced by (subdivisions C-K in Division 6 of proposed Part IVF):

• civil penalties
• infringement notices
• enforceable undertakings
• injunctions
• actions for damages
• public warning notices
• remedial directions
• adverse publicity orders, and
• non-punitive orders.

An SPF regulator may appoint an employee of the regulator who holds or performs the duties of an Executive Level 1 position or higher, or a member of the Australian Federal Police as an inspector (proposed subsection 58FB(1)), if they have ‘appropriate qualifications, training, skills or experience’ to perform the role: proposed subsection 58FB(2) (Explanatory Memorandum, pp. 80–81). An inspector will have specified powers with respect to monitoring and investigating compliance with the SPF. If an SPF regulator has not appointed an inspector, the regulator itself is taken to be the inspector: proposed subsection 58FB(4).

Default monitoring and investigation powers under the Regulatory Powers (Standard Provisions) Act 2014 apply to an SPF code for a regulated sector, unless:

• the regulator is ACMA, ASIC, or the ACCC (as these entities have existing monitoring and investigation powers under their own respective legislation) or
• the Minister has declared (under proposed subsection 58(FI)(2)) that alternative monitoring and investigation powers apply to an SPF sector regulator in relation to specified provisions of the SPF code (proposed sections 58FE and 58FF).  

Civil penalties

Regulated entities that fail to comply with obligations in the SPF may be liable for civil penalties: proposed section 58FJ. For civil penalties relating to SPF principles outlined in the Bill, the authorised applicant is the ACCC: proposed paragraph 58FJ(2)(a). For civil penalties relating to SPF codes, the authorised applicant is the SPF regulator for the regulated sector: proposed paragraph 58FJ(2)(b). Civil penalties vary, being either tier 1 contraventions (proposed section 58FK) or tier 2 contraventions (proposed section 58FL).

Tier 1 civil penalties

A tier 1 contravention is a contravention of a civil penalty provision located in Subdivisions C (Prevent), D (Detect), F (Disrupt) or G (Respond) of Division 2 of proposed Part IVF. The maximum penalty for a tier 1 contravention for a body corporate is the greater of:

• 159,745 penalty units ($52,715,850)
• three times the value of the benefit obtained from the contravention, or
• if the value of the benefit cannot be determined, 30 per cent of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

Tier 2 civil penalties

A tier 2 contravention is a contravention of a civil penalty provision located in Subdivisions B (Governance) or E (Report) of Division 2 of proposed Part IVF. The maximum amount for a tier 2 contravention for a body corporate is the greater of:

• 31,950 penalty units ($10,543,500)
• three times the value of the benefit obtained from the contravention, or
• if the value of the benefit cannot be determined, 10 per cent of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

Infringement notices

Infringement notices can be issued as an alternative to civil penalty proceedings for an alleged contravention of a tier 2 civil penalty provision, or a civil penalty provision of an SPF code: proposed subsection 58FN(1).

To issue an infringement notice, an inspector of the SPF regulator must reasonably believe that a person has contravened a relevant civil penalty provision: proposed section 58FO. An infringement notice must be issued within 12 months of the alleged contravention having occurred: proposed paragraph 58FO(4)(a). The infringement notice penalty for a body corporate is 60 penalty units ($19,800), or 12 penalty units ($3,960) for an individual: proposed section 58FQ.

Can victims of scams seek damages?

The Bill offers avenues of redress for victims of scams. However, it does not guarantee that victims of scams will be mandatorily reimbursed for all, or any, of the monies they have lost to scammers.

It appears that sectors, including the banking sector, will not be automatically liable for compensating victims. This differs from the UK reimbursement scheme, which ‘require[s] UK payment service providers to reimburse all in-scope customers who fall victim to APP [authorised push payment] fraud, save for limited exceptions’. However, in Senate Estimates on 6 November 2024, a Treasury official stated that ‘there are multiple channels that you can go through if you want to pursue redress.’ The official listed the IDR and EDR mechanisms, and the ability for victims to seek redress through the court (p. 111). Consumers may seek redress (including compensation) through these avenues if a regulated entity has not met their SPF obligations.

IDR and EDR mechanisms to recover loss

As outlined in the Explanatory Memorandum (p. 55, emphasis added), the IDR mechanism is ‘intended to encourage the early resolution of complaints, including for compensation or other remedies to be provided to SPF consumers where there has been a breach of an SPF provision.’ The SPF EDR scheme is also ‘intended to provide a pathway for redress, including compensation’, for those consumers who fail to resolve their complaints at the IDR stage or if the outcome is unsatisfactory (Explanatory Memorandum, p. 58, emphasis added).

Scam-victim can take action to recover loss

A person who suffers loss or damage by conduct of another, done in contravention of a civil penalty provision of an SPF principle or SPF code, may recover the amount of loss or damage by taking action against that other person: proposed subsection 58FZC(1) (see also Explanatory Memorandum, p. 98). If the victim provides written consent to the SPF regulator, then the SPF regulator may make a claim for damages on behalf of the victim: proposed subsection 58FZC(2). A claim for damages may be made any time within 6 years of the conduct causing loss: proposed subsection 58FZC(3).

If a court considers it appropriate that a person (the defendant) is liable to pay a penalty for contravening a civil penalty provision as well as pay compensation to a scam victim, but the defendant does not have sufficient resources to pay both, the court must give preference to making an order for compensation: proposed section 58FD.

Stakeholder comments

At the time of publication, some stakeholders have commented publicly on the Bill including:

• the Australian Banking Association, who welcomed the introduction of the Scams Bill (7 November 2024)
• the Council on the Ageing Australia, who also welcomed the Bill (7 November 2024)
• the Communications Alliance, the peak body of the telecommunications industry, who called for scams reform ‘to be done right not rushed’ (7 November 2024).

A number of other stakeholders from the banking, insurance and telecommunications sectors, as well as regulators, and business and consumer groups, have made submissions and/or issued media releases in relation to the ED but have not yet commented on the Bill.