unfair competition

Scam Prevention Framework – key business impacts

by

reviewed by

Malcolm Burrows

Reading Time:

8–12 minutes

On 13 February 2025, the Australian Parliament passed the Scams Prevention Framework 2025 (Cth) (Act) in response to the national “scam pandemic” that has purportedly cost the country billions of dollars over the past few years. The Act amends the Competition and Consumer Act 2010 (Cth) (CCA) and other related Acts.  The amendments to the CCA establish the Scam Prevention Framework (SPF) which requires certain businesses to take specified measures to combat scams.  The Deputy Chair of the Australian Competition and Consumer Commission (ACCC) said in relation to the SPF:

this act is a critical step in the fight against scams – creating overarching principles that all members of designated sectors must comply with.”

Background to the Scams Prevention Framework 2025 Act

The word “scam” is defined in division one (1) section 58AG(1) of the Act as follows:

  • scam is a direct or indirect attempt (whether or not successful) to engage an SPF consumer of a regulated service where it would be reasonable to conclude that the attempt:
  • involves deception (see subsection (2)); and
  • would, if successful, cause loss or harm including obtaining SPF personal information of, or a financial or other benefit from, the SPF consumer or the SPF consumer’s associates.
  • The attempt involves deception if the attempt:
  • deceptively represents something to be (or to be related to) the regulated service; or
  • impersonates a regulated entity in connection with the regulated service; or
  • is an attempt to deceive the SPF consumer into:
  • performing an action using the regulated service; or
  • facilitating another person to perform an action using the regulated service; or
  • is an attempt to deceive the SPF consumer that is made using the regulated service.
  • The attempt may be a single act or a course of conduct.

[Bold is our emphasis]

What is an SPF consumer and a regulated service?

An “SPF consumer” (SPF Consumer) is defined in division one sections 58AC and 58AD – as an individual or small business who is or may be provided a regulated service[1] – that is, a service which is commonly exploited by scammers such that the entity providing the service must be regulated.   For a small business to be considered an SPF Consumer, it must have a principal place of business in Australia, less than 100 employees, and an annual turnover of less than $10 million.[2] 

Which entities are regulated entities?

The Act authorises the Treasurer, to designate businesses as regulated entities (Regulated Entities) which must comply with the SPF contained by the Act.  Section 58AC(1) of the CCA contains these requirements. Currently, businesses which operate in sectors including banking, insurance, telecommunications, and digital platform providers are considered by the Act as being regulated entities, although this list is not limited.[3] 

The CCA, following these amendments, aims to protect SPF Consumers who are likely to fall victim to scams from engaging services that are provided by entities that are frequently impersonated by scammers.  The Act also aims to do so by requiring Regulated Entities to share scam intelligence, enforcing the digital platforms sector scams codes, and intercepting scammers before they can reach SPF Consumers.

What does the Act require Regulated Entities to do?

Under the Act, regulated entities must comply with the six (6) overarching principles of the SPF:

  • governance;
  • prevention;
  • detection;
  • reporting;
  • disruption; and
  • response. 

These principles may be further supplemented by sector-specific codes, created by the ACCC or any other Commonwealth entity designated as a regulator by the Honourable Dr Jim Chalmers MP under the SPF.  Additionally, the Act has introduced rules to support the operation of the SPF, a multi-regulator framework, regulatory and enforcement mechanisms, and internal and external dispute resolution mechanisms.  Failure to comply with any of the overarching principles or sector-specific codes constitutes a civil penalty.

Each of the six (6) principles are explained in detail below:

Principle one (1) – Governance

The Act broadly defines the Governance principle as follows:

Each regulated entity must document and implement governance policies, procedures, metrics and targets for combatting scams.  These must be reviewed, and certified by a senior officer of the entity, at least annually.  The entity must keep records and give reports about its compliance with this principle.[4]

“Combatting scams” includes preventing, detecting and disrupting scams, responding to scams, and addressing reports relating to scams.[5]  Records of the documentation, implementation or review of any of the entity’s policies, procedures, metrics, and targets must be kept for at least six (6) years after the activity occurs.[6]

Principle two (2) – Prevention

This principle requires regulated entities to take reasonable steps to prevent scams.  “Reasonable steps” requires more than merely acting on information about possible scams provided to the entity by another person – it may also require the Regulated Entity to identify its SPF Consumers who are at risk (or higher risk) of scams and provide information about such scams to the consumers.  Sector-specific codes may dictate what constitutes “reasonable steps” for Regulated Entities within a specific sector.

Principle Three – Detection

Regulated Entities must take reasonable steps to detect scams.  This includes promptly investigating activities that may potentially be scams and identifying consumers who may be affected by these activities.  The Act suggests that failure to detect a scam as or after it happens, failure to investigate potential scam activity within 28 days, and failure to identify within a reasonable time consumers who may be impacted by the activity may all constitute breach of this principle.[7]

Principle four (4) – Reporting

The Act’s general definition of the Reporting principle is as follows:

Each regulated entity must give the SPF general regulator reports of any actionable intelligence the entity has about activities relating to, connected with, or using the entity’s regulated services.  A regulated entity must give an SPF regulator a report about a scam if the SPF regulator requests.  The SPF general regulator may disclose information about scams to certain other entities.[8]

[Bold is our emphasis]

The SPF general regulator (SPF General Regulator)is the ACCC, which is responsible for monitoring, investigating, and enforcing compliance with the regulations in the CCA.[9] 

The ACCC is given broad powers to undertake a variety of activities deemed necessary to uphold the Reporting principle.  This includes the power to request personal information and access to information via specific data gateways, portals, or websites,[10] as well as the power to disclose information about scams to law enforcement agencies and regulatory agencies in foreign countries.[11]  A Regulated Entity’s duty to report any scams or potential scam activity to the ACCC overrides any contrary duty of confidence owed by the entity under another agreement or arrangement.[12]

Principle Five – Disruption

The Disruption principle requires a Regulated Entity to take reasonable steps to disrupt an activity that is the subject of actionable scam intelligence and prevent losses from such an activity.[13]  According to the Act, a Regulated Entity identifies or has actionable scam intelligence if and when there are reasonable grounds for the entity to suspect that a communication, transaction, or other activity relating to, connected with, or using a regulated service of the entity is a scam.  Whether there are reasonable grounds for suspicion is determined objectively.[14]

The steps taken are “reasonable” if they are proportionate to the entity’s actionable scam intelligence.  For example, if a bank has received substantial reports of similar suspicious activities, a proportionate response would be pausing or delaying authorised push payments while the bank investigates the suspicious activities.[15]

The Act also clarifies that a Regulated Entity will not be liable in a civil proceeding for disrupting an activity if the disruption occurs promptly and in good faith, complies with the SPF provisions, is a reasonably proportionate response to the activity, and is reversed when appropriate.[16]  For example, if a Regulated Entity temporarily blocks an SPF Consumer’s website while investigating whether an activity relating to the website is a scam, the entity can be protected from civil actions brought by the consumer.

Principle Six – Response

Regulated Entities must have an accessible, transparent, and published internal dispute resolution mechanism for consumer complaints about scams or potential scam activity, as well as the entity’s conduct relating to such activities.  Entities must respond to complaints with a statement on their compliance with obligations under the SPF provisions and must have regard to the relevant dispute resolution processes and guidelines prescribed by the SPF rules.[17]

If the entity provides a regulated service, it must also be a member of an external dispute resolution scheme and comply with the relevant requirements during a dispute.[18]  The SPF does not enforce any mandatory scam reimbursement scheme. 

Consequences of non-compliance

As noted above, failure to comply with any of the regulations under the Act’s six (6) overarching principles, as well as failure to comply with any sector-specific codes, constitutes a civil penalty.  The penalty involved depends on the type of contravention and the status of the perpetrator (that is, whether the perpetrator is a body corporate or other person) – the maximum penalty may be upwards of $50 million, three (3) times the value of the benefit obtained, or 30% of the body corporate’s adjusted turnover during the breach turnover period for the contravention.[19]  An inspector of the SPF regulator will also have the power to issue an infringement notice in the event of an alleged contravention of an SPF principle or code.

Other remedies for contraventions of the SPF rules include infringement notices, enforceable undertakings, injunctions, actions for damages, public warning notices, remedial directions, adverse publicity orders, and other punitive and non-punitive orders.[20]

What does this mean for SPF Consumers?

The Act can provide businesses that are SPF Consumers with various pathways for redress in the event of scams or potential scam activities.  The strict requirements under the Reporting principle, especially in relation to dispute resolution, allows complaints made by businesses to be addressed transparently and appropriately.  Furthermore, businesses can commence legal proceedings for contraventions of any civil penalty provisions in the CCA or sector-specific codes, allowing them to seek alternate remedies such as injunctions or orders varying the terms of contracts with a contravening Regulated Entity.  

While the large number of new rules may lead to practical uncertainty and complexity, the Act’s introduction of a coherent uniform approach to addressing scams and scam activity would seem to be a positive step towards addressing Australia’s “scam pandemic”.

Links and further references

Legislation

Competition and Consumer Act 2010 (Cth)

Scams Prevention Framework Act 2025 (Cth)

Other links

ACCC welcomes passage of world-first scams prevention laws

AFCA welcomes passing of scams prevention legislation

The Scams Prevention Framework legislation passes Parliament: time to get your house in order

Further information

If you need advice on how the Scam Prevention Framework Act may affect your business, contact us for a confidential and obligation-free discussion:


[1] Section 58AH(1) of the Competition and Consumer Act 2010 (Cth).

[2] Section 58AH(5) of the CCA.

[3] Section 58AC(2) of the CCA.

[4] Section 58BC of the CCA.

[5] Section 58BD(1)(a) of the CCA.

[6] Section 58BF(1) of the CCA.

[7]Sections 58BM(3), 58BN(1), and 58BO(1) of the CCA.

[8]Section 58BQ of the CCA.

[9]Section 58EB of the CCA

[10]Sections 58BR(5)(a), 58BR(6), 58BS(4)(a) and 58BDS(5) of the CCA.

[11]Section 58BV(2)(d) of the CCA. 

[12]Section 58BU of the CCA.

[13]Section 58BW of the CCA.

[14]Section 58AI of the CCA.

[15]Section 58BX of the CCA.

[16] Section 58BZA of the CCA

[17] Sections 58BZDA and 58BZE of the CCA.

[18] Section 58BZG of the CCA.

[19] Section 58FK of the CCA.

[20] Section 58FA of the CCA.


Related Insights

  • ACCC publishes guidance on cash acceptance industry codes

    ACCC publishes guidance on cash acceptance industry codes

    From 1 January 2026, new cash acceptance obligations have commenced under industry codes applying to supermarkets and fuel retailers, overseen by the Australian Competition and Consumer Commission (ACCC).  In March 2026, the ACCC published guidance on these newly enforced regulations, reminding retailers to consider their obligations before penalties apply on 1 July 2026.

    Read more …

  • ESS vs ESOP – what’s the difference?

    ESS vs ESOP – what’s the difference?

    Employee share schemes (ESS) and employee share option plans (ESOP) are commonly used by corporations to incentivise employees and align performance with company growth by providing them with an interest in the company.  While the terms are often used interchangeably, they have distinct legal and structural differences under Australian law.  This article explains the key…

    Read more …

  • Disputed ESOP – Selak v National Tiles Co Pty Ltd

    Disputed ESOP – Selak v National Tiles Co Pty Ltd

    In the case of Selak v National Tiles, the Vic Supreme Court considered whether a company breached an option agreement governed by the terms of an Employee Share Option Plan (ESOP) by requiring an option holder to execute an undisclosed shareholders’ agreement as a condition of exercising vested options.  

    Read more …

  • Bill to allow victims of AI deepfakes to sue for emotional damages

    Bill to allow victims of AI deepfakes to sue for emotional damages

    On 24 November 2025, Senator David Pocock introduced a private Senator’s bill, the Online Safety and Other Legislation Amendment (My Face, My Rights) Bill 2025 (Cth) (Bill) to amend the Online Safety Act 2021 (Cth) (Online Safety Act) and the Privacy Act 1988 (Cth) (Privacy Act). 

    Read more …

  • Can a unit trust be wound up by the oppression remedies

    Can a unit trust be wound up by the oppression remedies

    The Corporations Act 2001 (Cth) (Corps Act) grants the Courts the power to award remedies under section 233, specifically designed to address situations of oppression within corporate entities under section 232.  These remedies, also known as the “Oppression Remedies”, aim to resolve situations where a company’s conduct unfairly prejudices its members or shareholders.  While primarily…

    Read more …

  • Business Lawyer

    Business Lawyer

    Business Lawyer, commercial and contracts and advisory lawyer, 4-10 years PAE, and $ negotiable performance based, depending on experience.

    Read more …

  • Directors’ obligations to comply with Accounting Standards

    Directors’ obligations to comply with Accounting Standards

    Directors are personally liable for ensuring their company operates in accordance with corporate governance and accounting standards.  Obligations contained in part 2M.2 and 2M.3 of the Corporations Act 2001 (Cth) (Corporations Act) outline obligations for companies to keep financial records and prepare annual financial and director’s reports.  Sections 180 and 344 of the Corporations Act…

    Read more …

  • OAIC publishes new guidance for under-16s social media ban

    OAIC publishes new guidance for under-16s social media ban

    On 10 October 2025, the Office of the Australian Information Commissioner (OAIC), led by Privacy Commissioner, Ms Carly Kind, released a twenty-nine (29) page Privacy Guidance on Part 4A (Social Media Minimum Age) of the Online Safety Act 2021 (New Guidance).  This New Guidance details the privacy obligations for Age-Restricted Social Media Platforms (Restricted Platforms)…

    Read more …

  • Aust Clinical Labs fined $5.8mil for failing to report data breach

    Aust Clinical Labs fined $5.8mil for failing to report data breach

    On 8 October 2025, the Federal Court published the judgement of Justice Halley in the case of Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 (AIC v ACL).  Australian Clinical Labs Limited (ACL) was ordered to pay $5.8 million in civil penalties in relation to a 2022 data breach.  This…

    Read more …


Posted

in

,
Send this to a friend