On 13 February 2025, the Australian Parliament passed the Scams Prevention Framework Act 2025 (Cth) (Act) in response to the national “scam pandemic” that has reportedly cost the country billions of dollars over the past few years. The Act amends the Competition and Consumer Act 2010 (Cth) (CCA) and related Acts. The amendments to the CCA establish the Scams Prevention Framework (SPF), which requires businesses in designated sectors to take specified measures to combat scams. The Deputy Chair of the Australian Competition and Consumer Commission (ACCC) said of the SPF:
“this act is a critical step in the fight against scams – creating overarching principles that all members of designated sectors must comply with.”
Background to the Scams Prevention Framework Act 2025
The word “scam” is defined in section 58AG(1) of the CCA (as inserted by the Act) as follows:
- A scam is a direct or indirect attempt (whether or not successful) to engage an SPF consumer of a regulated service where it would be reasonable to conclude that the attempt:
  - involves deception (see subsection (2)); and
  - would, if successful, cause loss or harm, including obtaining SPF personal information of, or a financial or other benefit from, the SPF consumer or the SPF consumer’s associates.
- The attempt involves deception if the attempt:
  - deceptively represents something to be (or to be related to) the regulated service; or
  - impersonates a regulated entity in connection with the regulated service; or
  - is an attempt to deceive the SPF consumer into:
    - performing an action using the regulated service; or
    - facilitating another person to perform an action using the regulated service; or
  - is an attempt to deceive the SPF consumer that is made using the regulated service.
- The attempt may be a single act or a course of conduct.
What is an SPF consumer and a regulated service?
An “SPF consumer” (SPF Consumer) is an individual or small business that is, or may be, provided with a regulated service[1] – that is, a service in a sector designated under the SPF because it is commonly exploited by scammers. For a small business to be an SPF Consumer, it must have its principal place of business in Australia, fewer than 100 employees and an annual turnover of less than $10 million.[2]
Which entities are regulated entities?
The Act authorises the Treasurer to designate sectors of the economy under the SPF; businesses that provide regulated services in a designated sector are regulated entities (Regulated Entities) and must comply with the SPF provisions of the CCA. Section 58AC(1) of the CCA contains the requirements for designation. The sectors expected to be designated include banking, insurance, telecommunications and digital platform services, although the Act does not limit designation to these.[3]
The CCA, as amended, aims to protect SPF Consumers from scams that exploit regulated services, including scams that impersonate the entities providing those services. It does so by requiring Regulated Entities to share scam intelligence, by enforcing sector-specific scams codes (including for the digital platforms sector), and by requiring entities to intercept scammers before they reach SPF Consumers.
What does the Act require Regulated Entities to do?
Under the Act, regulated entities must comply with the six (6) overarching principles of the SPF:
- governance;
- prevention;
- detection;
- reporting;
- disruption; and
- response.
These principles may be supplemented by sector-specific SPF codes, which are enforced by the ACCC and by any other Commonwealth entity that the Treasurer designates as an SPF regulator. The Act also provides for SPF rules to support the operation of the framework, a multi-regulator model, regulatory and enforcement mechanisms, and internal and external dispute resolution requirements. Failure to comply with any of the overarching principles or with a sector-specific code contravenes a civil penalty provision.
Each of the six (6) principles is explained in detail below:
Principle one (1) – Governance
The Act broadly defines the Governance principle as follows:
“Each regulated entity must document and implement governance policies, procedures, metrics and targets for combatting scams. These must be reviewed, and certified by a senior officer of the entity, at least annually. The entity must keep records and give reports about its compliance with this principle.”[4]
“Combatting scams” includes preventing, detecting and disrupting scams, responding to scams, and addressing reports relating to scams.[5] Records of the documentation, implementation or review of any of the entity’s policies, procedures, metrics, and targets must be kept for at least six (6) years after the activity occurs.[6]
Principle two (2) – Prevention
This principle requires regulated entities to take reasonable steps to prevent scams. “Reasonable steps” requires more than merely acting on information about possible scams provided to the entity by another person – it may also require the Regulated Entity to identify its SPF Consumers who are at risk (or higher risk) of scams and provide information about such scams to the consumers. Sector-specific codes may dictate what constitutes “reasonable steps” for Regulated Entities within a specific sector.
Principle three (3) – Detection
Regulated Entities must take reasonable steps to detect scams. This includes promptly investigating activities that may potentially be scams and identifying consumers who may be affected by these activities. The Act suggests that failure to detect a scam as or after it happens, failure to investigate potential scam activity within 28 days, and failure to identify within a reasonable time consumers who may be impacted by the activity may all constitute breach of this principle.[7]
Principle four (4) – Reporting
The Act’s general definition of the Reporting principle is as follows:
“Each regulated entity must give the SPF general regulator reports of any actionable intelligence the entity has about activities relating to, connected with, or using the entity’s regulated services. A regulated entity must give an SPF regulator a report about a scam if the SPF regulator requests. The SPF general regulator may disclose information about scams to certain other entities.”[8]
The SPF general regulator (SPF General Regulator) is the ACCC, which is responsible for monitoring, investigating and enforcing compliance with the SPF provisions of the CCA.[9]
The ACCC is given broad powers to undertake a variety of activities deemed necessary to uphold the Reporting principle. This includes the power to request personal information and access to information via specific data gateways, portals, or websites,[10] as well as the power to disclose information about scams to law enforcement agencies and regulatory agencies in foreign countries.[11] A Regulated Entity’s duty to report any scams or potential scam activity to the ACCC overrides any contrary duty of confidence owed by the entity under another agreement or arrangement.[12]
Principle five (5) – Disruption
The Disruption principle requires a Regulated Entity to take reasonable steps to disrupt an activity that is the subject of actionable scam intelligence and to prevent losses from that activity.[13] Under the Act, a Regulated Entity has actionable scam intelligence when there are reasonable grounds for it to suspect that a communication, transaction or other activity relating to, connected with, or using one of its regulated services is a scam. Whether there are reasonable grounds for suspicion is determined objectively.[14]
The steps taken are “reasonable” if they are proportionate to the entity’s actionable scam intelligence. For example, if a bank has received substantial reports of similar suspicious activities, a proportionate response would be pausing or delaying authorised push payments while the bank investigates the suspicious activities.[15]
The Act also clarifies that a Regulated Entity will not be liable in a civil proceeding for disrupting an activity if the disruption occurs promptly and in good faith, complies with the SPF provisions, is a reasonably proportionate response to the activity, and is reversed when appropriate.[16] For example, if a Regulated Entity temporarily blocks an SPF Consumer’s website while investigating whether an activity relating to the website is a scam, the entity can be protected from civil actions brought by the consumer.
Principle six (6) – Response
Regulated Entities must have an accessible, transparent, and published internal dispute resolution mechanism for consumer complaints about scams or potential scam activity, as well as the entity’s conduct relating to such activities. Entities must respond to complaints with a statement on their compliance with obligations under the SPF provisions and must have regard to the relevant dispute resolution processes and guidelines prescribed by the SPF rules.[17]
If the entity provides a regulated service, it must also be a member of an external dispute resolution scheme and comply with that scheme’s requirements during a dispute.[18] The SPF does not establish a mandatory scam reimbursement scheme.
Consequences of non-compliance
As noted above, failure to comply with any of the Act’s six (6) overarching principles, or with a sector-specific code, contravenes a civil penalty provision. The penalty depends on the type of contravention and on whether the contravener is a body corporate or another person. For a body corporate, the maximum penalty is the greater of $50 million, three (3) times the value of the benefit obtained, or 30% of the body corporate’s adjusted turnover during the breach turnover period for the contravention.[19] An inspector of an SPF regulator also has the power to issue an infringement notice for an alleged contravention of an SPF principle or code.
Other remedies for contraventions of the SPF provisions include enforceable undertakings, injunctions, actions for damages, public warning notices, remedial directions, adverse publicity orders, and other punitive and non-punitive orders.[20]
What does this mean for SPF Consumers?
The Act provides businesses that are SPF Consumers with several pathways for redress in the event of scams or potential scam activity. The requirements under the Response principle, in particular those relating to internal and external dispute resolution, allow complaints made by businesses to be addressed transparently and appropriately. Businesses can also commence legal proceedings for contraventions of civil penalty provisions in the CCA or of sector-specific codes, and seek remedies such as injunctions or orders varying the terms of contracts with a contravening Regulated Entity.
While the volume of new rules may create practical uncertainty and complexity, the Act’s coherent, uniform approach to scams and scam activity appears to be a positive step towards addressing Australia’s “scam pandemic”.
Links and further references
Legislation
Competition and Consumer Act 2010 (Cth)
Scams Prevention Framework Act 2025 (Cth)
Other links
ACCC welcomes passage of world-first scams prevention laws
AFCA welcomes passing of scams prevention legislation
The Scams Prevention Framework legislation passes Parliament: time to get your house in order
Further information
If you need advice on how the Scams Prevention Framework Act may affect your business, contact us for a confidential and obligation-free discussion:

Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
T: +61 7 3221 0013 (preferred)
M: +61 419 726 535
E: mburrows@dundaslawyers.com.au

Disclaimer
This article contains general commentary only. You should not rely on the commentary as legal advice. Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.
[1] Section 58AH(1) of the Competition and Consumer Act 2010 (Cth).
[2] Section 58AH(5) of the CCA.
[3] Section 58AC(2) of the CCA.
[4] Section 58BC of the CCA.
[5] Section 58BD(1)(a) of the CCA.
[6] Section 58BF(1) of the CCA.
[7] Sections 58BM(3), 58BN(1) and 58BO(1) of the CCA.
[8] Section 58BQ of the CCA.
[9] Section 58EB of the CCA.
[10] Sections 58BR(5)(a), 58BR(6), 58BS(4)(a) and 58BS(5) of the CCA.
[11] Section 58BV(2)(d) of the CCA.
[12]Section 58BU of the CCA.
[13]Section 58BW of the CCA.
[14]Section 58AI of the CCA.
[15]Section 58BX of the CCA.
[16] Section 58BZA of the CCA.
[17] Sections 58BZDA and 58BZE of the CCA.
[18] Section 58BZG of the CCA.
[19] Section 58FK of the CCA.
[20] Section 58FA of the CCA.