What you need to know
New mandatory scam prevention obligations are coming. On 28 May 2026, Treasury released the draft rules and sector codes for the Scams Prevention Framework (SPF), providing the first detailed view of Australia’s new mandatory anti-scam regime. The framework will impose extensive obligations on banks, telecommunications providers and digital platforms from 31 March 2027, backed by civil penalties of up to $50 million per contravention, enforcement by multiple regulators and a private right of action for damages. The SPF rules will commence earlier, on 1 September 2026.
Key developments include:
- A proposed $3,000 automatic reimbursement threshold. Scam victims with verified losses below $3,000 would be automatically reimbursed without a full investigation. This is the most commercially significant feature of the consultation package and represents a notable shift from the Government's earlier position against mandatory reimbursement.
- Liability will generally be shared equally between breaching entities. Where multiple regulated entities fail to meet their obligations, losses will ordinarily be apportioned equally unless one entity played a materially greater role. This simplified approach is likely to be controversial.
- Cross-sector cooperation is required but not yet detailed. New cross-sector cooperation obligations will require banks, telecommunications providers and digital platforms to work together to resolve multi-party scam complaints. However, the practical mechanics for coordinating responsibility and dispute resolution remain unclear.
- The ‘honeypot’ risk needs further consideration. Unlike the UK's equivalent regime, the Australian proposal does not currently include several safeguards such as a consumer standard of caution, a gross negligence exception or periodic review of the mandatory reimbursement threshold. These omissions could create incentives for low-value, high-volume scam activity in Australia.
- Consequences for non-compliance apply soon. The SPF rules are scheduled to commence on 1 September 2026, with the broader obligations under the framework applying from 31 March 2027. We expect regulators to begin scrutinising compliance shortly after commencement. Non-compliance with the SPF may result in civil penalties of up to $50 million per contravention for tier 1 breaches, enforcement by three sector regulators and a private right of action for damages, raising the spectre of class actions. Regulated entities now have notice of the content of the SPF codes and should begin uplifting their scam prevention frameworks and controls.
- The consultation window is extremely tight. The consultation period closes on 25 June 2026, leaving industry with limited time to assess what is arguably the most significant consumer protection reform package since the unfair contract terms regime. Regulated entities should begin gap analysis, engage boards and senior management and consider coordinated industry submissions as a priority.
1. Introduction
On 28 May 2026, the Treasury released the long-awaited draft sector codes and draft rules for the Scam Prevention Framework (SPF), commencing a 28-day consultation on what is arguably the most significant package of
The consultation provides the first detailed view of how the SPF will operate in practice. While, as we reported here, the Scams Prevention Framework Act 2025 (Cth) established a new whole-of-ecosystem approach with broad ‘principles-based’ legal requirements applying across industries, the draft codes and rules now reveal the substantive obligations that will apply to banks, telecommunications providers and digital platforms, together with the compliance, enforcement and liability settings that will underpin the regime. Regulated sectors must comply with:
- the SPF Principles, which require the entities to take reasonable steps to prevent, detect and disrupt scams, report about and respond to scams and have governance arrangements related to scams
- sector-specific SPF Codes, which prescribe additional obligations tailored to particular industries
- SPF Rules, which provide further operational detail and support the implementation of the framework.
Consistent with expectations, banking, telecommunications and digital platform services have been designated as the first regulated sectors under the SPF. Oversight will be shared between the Australian Securities and Investments Commission (ASIC), the Australian Communications and Media Authority (ACMA) and the Australian Competition and Consumer Commission (ACCC).
Assistant Treasurer Dr Daniel Mulino MP described the package as "putting a lot of meat on the bones" of the legislative framework, reflecting the Government’s intention to move beyond voluntary industry initiatives towards a coordinated regulatory response. As Dr Mulino stated: "Scams are costing Australians billions and the human impact is even greater. That's why we're moving beyond voluntary action to a stronger, coordinated approach across the economy."
This consultation arrives as scam losses begin rising again. According to the National Anti-Scam Centre (NASC) March 2026 publication Targeting Scams, Australians lost $2.18 billion to scams in 2025. While scam losses had fallen from a peak of $3.1 billion in 2022 to approximately $2 billion in 2024, the downward trend has now reversed. Investment scams remained the largest source of losses in 2025, followed by payment redirection and romance scams. At the same time, the median loss fell from $500 in 2024 to $400 in 2025, suggesting scammers are increasingly succeeding through higher-volume, lower-value attacks.
Against that backdrop, the consultation package contains several significant policy choices that are likely to attract close industry scrutiny. In this article, we examine the key elements of the proposed regime, including the controversial $3,000 automatic reimbursement threshold, the allocation of liability between regulated entities, the practical challenges of cross-sector cooperation and the "honeypot" risks arising from the reimbursement model.
2. The consultation package at a glance
The consultation package comprises five key components: draft sector codes, draft SPF Rules, explanatory materials, a consultation guide and a position paper on internal dispute resolution (IDR). Together, these documents provide the first detailed view of how the SPF will operate in practice.
- Draft sector codes: Two exposure draft instruments set out the substantive obligations that will apply to regulated sectors. The Competition and Consumer (Scams Prevention Framework – SPF Codes) Instrument 2026 (Cth), to be made by the Assistant Treasurer, contains common obligations for all sectors (the Common Code) plus specific obligations for banks (Banking Code) and digital platforms (Digital Platforms Code). The Competition and Consumer Amendment (Scams Prevention Framework – Telecommunications Code) Instrument 2026 (Cth), to be made by the Minister for Communications, contains the telecommunications-specific code (the Telco Code). The latter instrument will be consolidated into the former post-consultation.
- Draft SPF rules: The Competition and Consumer (Scams Prevention Framework) Rules 2026 (Cth) (the SPF Rules) set out the operational requirements that support the framework. Among other things, the SPF Rules address sector designation thresholds, exemptions from regulation and the proposed framework for internal dispute resolution (IDR).
- Explanatory materials: Separate explanatory statements accompany each instrument and the SPF Rules, outlining the policy intent and intended operation of the relevant provisions.
- Guide to the consultation: A guide to the SPF Rules and sector codes consultation (Guide) poses 29 consultation questions spanning:
- general matters (including regulatory overlap, privacy, transition arrangements and implementation challenges)
- SPF Rules (including sector designation thresholds, proposed exemptions for smaller authorised deposit-taking institutions (ADIs) etc.)
- banking provisions (including interaction with the anti-money laundering and counter-terrorism financing (AML/CTF) know-your-customer obligations)
- digital platform provisions (including scalability and advertiser verification)
- telecommunications provisions (including entity roles and high-risk services).
- Position paper on IDR. In our view, this is the most commercially significant document in the package. The position paper (Internal Dispute Resolution under the Scams Prevention Framework, May 2026, the Position Paper) proposes four key settings:
- a cooperation obligation requiring entities to work together at the IDR stage
- Ministerial Guidance supporting streamlined processes for lower-value complaints
- automatic reimbursement for verified losses below $3,000
- equal apportionment of liability between breaching entities, with a narrow exception where one entity clearly played a more significant role.
3. How the framework has evolved
The SPF has come a long way since Treasury's initial consultation paper, Scams – Mandatory Industry Codes (November 2023). Treasury had initially proposed sector-enabling legislation and codes developed by industry or sector regulators. Instead, the new SPF sits as Part IVF of the Competition and Consumer Act 2010 (Cth) (CCA) and the proposed SPF codes will be made by the Minister as CCA legislative instruments.
As we reported in our earlier Gilbert + Tobin insights article, the Scams Prevention Framework Bill 2025 (Cth) was passed by both Houses of Parliament in February 2025. The SPF is the first specific legislative attempt in Australia to combat scams and introduced, for the first time, a statutory definition of "scam" (broadly, a direct or indirect attempt to engage an SPF consumer involving deception that would cause loss or harm). The May 2026 exposure drafts now translate the Act's principles-based obligations into specific, sector-tailored code requirements.
4. Common Code (applies to all three regulated sectors)
Requirements for all regulated entities
- Governance policies and procedures (s 2-2): Must develop required policies and procedures having regard to the risk of scams (considering type/scale of services, ability to implement measures, prior scams, consumer types, emerging threats and recent major scam events). The policies and procedures must include information about how the entity assessed that risk.
- Staff training (s 2-3): Required policies must include reasonable processes for training SPF staff members to identify scams, identify high-risk consumers, support affected consumers, respond to SPF reports/complaints and understand the entity's SPF obligations. Training must be provided within a reasonable time of engagement and at least every 12 months.
- Reasonable systems, processes and resources (s 2-4): Must have reasonable systems (including financial, technological and human resources) to comply with the prevention provisions and must implement, monitor and regularly review them.
- Maintain secure systems (s 2-5): Must maintain reasonable and secure systems to protect consumers' information and accounts from misuse, including regular security assessments, testing, patching and software updates.
- Supervise third-party service providers (s 2-6): Must ensure agents and third-party service providers act consistently with SPF prevention obligations, exercising due skill and care in selection, ongoing monitoring and dealing with breaches.
- Brand impersonation (s 2-7): Must have reasonable systems to prevent brand impersonation being used to facilitate scams, including informing consumers of official communication channels, protecting those channels, monitoring the internet and requesting removal of impersonation material.
- Consumer awareness (s 2-8): Must make publicly available information about scam risks, including common types of scams, protective mechanisms and links to resources (e.g. Scamwatch), in a manner that is easy to understand, locate and regularly updated.
- Reasonable systems, processes and resources for detection (s 2-9).
- Identifying activity as a scam (s 2-10): Where an entity has actionable scam intelligence, it must identify whether the activity is a scam (and in doing so must have regard to corroborating information, shared scam characteristics, report volumes, high-risk indicators and systemic issues).
- Recording investigation information (s 2-11): Must record whether the activity is identified as a scam, supporting factors, contact methods used and (if a scam) the type of scam and identifiers used.
- Identifying affected SPF consumers (s 2-12): Must have systems to identify affected consumers as soon as practicable, including direct and indirect SPF consumers.
- Reasonable systems, processes and resources for disruption (s 2-13).
- Notify affected SPF consumers (s 2-14): Must take reasonable steps to notify consumers who have, or may have, been affected, as soon as practicable and proportionate to the risk.
- Risk assessment for disruptive actions (s 2-15): Must undertake a risk assessment (including likelihood/severity of harm, nature of activity, systemic risks, strength of intelligence and reversibility) to inform proportionate disruption. This obligation does not apply to telecommunications providers.
- Reverse disruptive actions if not a scam (s 2-16): If an activity is found not to be a scam, entities must reverse disruptive action as soon as practicable to the extent reasonably practicable. This does not apply to telecommunications providers.
- Reasonable systems, processes and resources for responding (s 2-17).
- Reporting mechanisms (s 2-18): Must maintain free, accessible, multi-channel reporting mechanisms available at any time, including an option for human assistance.
- Acknowledgement of scams report (s 2-19): Reports must be acknowledged within 24 hours, with suggested mitigating actions, information about preferred contact methods and a summary of consumer rights.
- Timely assistance to reporting person (s 2-20): Must give timely assistance appropriate to the nature of the report.
- IDR mechanisms (s 2-21): Must have free, accessible, multi-channel internal dispute resolution mechanisms.
- Detecting and dealing with issues with IDR mechanism (s 2-22): Required policies and procedures must set clear accountabilities and processes for dealing with issues with the IDR mechanism.
- Acknowledgement of IDR complaint (s 2-23): Must acknowledge complaints as soon as practicable, with suggested actions, key steps and timeframes and information about consumer rights.
- Timely resolution of complaints (s 2-24): Must deal with complaints as quickly as possible having regard to the complexity and scale.
- Notice if complaint not resolved within 30 days (s 2-25): If a complaint is unresolved within 30 days, the entity must inform the complainant of the reasons and their rights under the SPF EDR scheme.
- Cooperation between regulated entities (s 2-26): Must have systems to cooperate with other regulated entities (including cross-sector) in responding to complaints, sharing information and apportioning liability.
- Vexatious / frivolous complaints (s 2-27): Entities may decline to deal with frivolous or vexatious complaints (but not merely because of a low loss amount), subject to written notice with reasons within 5 business days.
- Record keeping (s 2-28): Must record complaint details, dates, types and outcomes in a manner enabling data analysis.
One of the most consequential common obligations under the respond principle is the requirement for cross-industry cooperation in multi-party scam complaints through IDR. This is because a typical scam may cross sectors (a scam text via a telco, a fraudulent ad on social media, a payment through a bank) and no single entity can resolve a complaint in isolation. Section 2-26 of the Common Code will require regulated entities to have reasonable systems and processes to facilitate cooperation with other regulated entities (including entities in other regulated sectors), including responding to requests for information and cooperating with other regulated entities to apportion liability. Precisely how entities will meet this obligation is as yet unclear.
5. SPF Rules (applies to all regulated sectors)
Requirements for regulated entities
- Information (s 2-1): A statement of compliance following IDR must contain a description of each matter raised, findings of fact, the process followed, the outcome (including apportionment of compensation), information about any other entity's conduct that affected the outcome and a summary of EDR rights. If a complaint is resolved to the complainant's satisfaction within 5 business days, a brief explanation and notice of the right to request a full statement suffices. Commercially sensitive and personal information must not be included.
- Authorised representative (s 2-2): A senior officer of a regulated entity who has oversight of matters relevant to a complaint is an authorised representative of the entity in relation to the complaint.
- Timeframes, manner and form (s 2-3): The statement of compliance must be given within 21 calendar days. If delayed, written notice with reasons and a revised timeframe must be provided. The statement must be in writing and easy to understand, including for people with disability or from culturally and linguistically diverse backgrounds.
Records must be in English (or readily convertible), kept in or accessible from Australia and retained for 6 years.
Foreign currency amounts must be translated to Australian currency using applicable accounting standard exchange rates or, failing that, published average rates from the Reserve Bank of Australia.
6. Banking Code
The banking-specific code (being the Banking Code) builds on the protections introduced through the voluntary Scam-Safe Accord, placing them on a mandatory and legally enforceable footing and extending obligations in areas the Accord did not cover.
Requirements for regulated banking sector
- Payee confirmation (s 3-2): Must, on request by another bank, provide information required for the other bank to comply with payee confirmation obligations.
- Identity verification of SPF consumers (s 3-3): Must verify the identity of each direct SPF consumer.
- Systems and processes for high-risk activities (s 3-4): Must have reasonable systems to identify transactions/activities with a high risk of being or facilitating a scam.
- Targeted warnings (s 3-5): Where a consumer undertakes or attempts a high-risk transaction, the bank must issue a clear, concise and timely warning relevant to the risk.
- Identifying scam transactions (s 3-6): Before a high-risk transaction is made, the bank must take proportionate action to identify whether it is, or is facilitating, a scam.
- Limiting high-risk transactions (s 3-7): Must take proportionate action to limit consumers from making high-risk transactions after identification.
- Transaction monitoring (s 3-8): Must monitor transactions for unusual activity (inconsistent with history) and attempted high-risk transactions.
- Account monitoring (s 3-9): Must monitor non-transaction activity (e.g. changes to contact details, credentials or authentication settings).
- Identifying affected SPF consumers/services (s 3-10): Must have systems to identify affected transactions and accounts, and to contact affected consumers to verify identity and transactions.
- Payment recall requests (s 3-11): Where a bank reasonably believes a transaction is facilitating a scam, it must request reversal from the receiving entity (or reverse it if internal). Receiving regulated banks must take reasonable steps to assist.
- Blocking accounts associated with scams (s 3-12): Must be able to block accounts associated with scams.
Disruption obligations extend to both sending and receiving banks, a significant development given receiving banks' role in enabling "mule" accounts. These obligations are reinforced by AFCA's expanded jurisdiction. From 12 March 2026, AFCA can investigate complaints against receiving banks where scam funds were received (even where the complainant is not a customer) and complaints about unauthorised account openings.
7. Digital Platforms Code
The designated instrument proposes to bring digital platforms into scope of the SPF (including instant messaging, internet search engine and social media services). The SPF Rules clarify that these digital platforms must have average monthly active Australian users of 200,000 or more (lowering this from the originally stated 500,000 in the draft designation instrument) and Australian revenue of $1 billion or more. The lowering of the Australian user test would bring a wider range of digital platform services within the scope of the SPF.
Requirements for regulated digital platforms
- Terms of service (s 5-2): Must include a prohibition on using the service to commit scams, a summary of platform responsibilities under the SPF and a term regarding suspension/banning of users and disabling of accounts.
- User verification (s 5-3): Must take reasonable steps to verify new users' identity, confirm they have not previously been banned and (for business accounts) confirm authorised representative status.
- Advertiser additional verification (s 5-4): Must verify advertisers' identity, ABN and business authority.
- Check advertisements (s 5-5): Must have reasonable systems to review advertisements for scam activity before publication, including verifying advertiser identity and checking for prior scam associations.
- Targeted warnings (s 5-6): Must take reasonable steps to warn high-risk consumers (based on user behaviour and content attributes) about specific scam types, with clear and timely warnings including educational resources.
- Suspicious behaviour, content and messages (s 5-7): Must have reasonable systems to monitor for scam activity (subject to not requiring decryption of encrypted messages on designated instant messaging services).
- Monitor and assess advertisements (s 5-8): Must monitor published advertisements, re-verify advertisers if details change and monitor for suspicious content.
- Disruptive action during investigation (s 5-9): Must take reasonable steps to attach warnings to suspect content and to suppress, reduce or limit the activity while investigating.
- Removal of content following investigation (s 5-10): Once a scam is identified, platforms must remove content, block related content and persons and disable associated accounts.
- Limiting scam advertising (s 5-11): Must suspend display of suspect advertisements during investigation, suspend accounts previously linked to scams and (once confirmed) remove the advertisement, block similar content and ban associated persons.
8. Telco Code
The draft designation instrument proposes to bring providers of covered telecommunication services into scope of the SPF (including voice call and message services). The Telco Code focuses on the capacity of carriers and carriage service providers to block, filter and trace scam communications before they reach consumers.
Requirements for regulated telecommunications service providers
- Information about prospective and existing customers (s 6): Must verify identity before supplying a service; for high-risk services, also conduct a rights-of-use check and establish a legitimate use case. Must take reasonable steps to ensure customer information is accurate and up to date.
- No rights of use (s 7): Originating carriers must prevent carriage of calls/messages where the customer lacks rights of use in respect of the associated number.
- Obligation not to carry certain calls/messages (s 8): Must not carry voice calls without a CLI attached, must not carry inbound international calls with Australian CLIs unless verified as legitimate and must not carry calls/messages using numbers on the Do Not Originate List or with incorrect trust markings.
- Verification of inbound international calls to which Australian CLI is attached that is associated with mobile number (s 9): Interconnected carriers must make reasonable attempts to determine legitimacy of inbound international voice calls with Australian CLIs (e.g. by verifying international roaming); if unable to verify, a no-verification signal must be attached.
- Agreement for carriage of inbound international voice calls (s 10): Sets out the circumstances in which a regulated entity may, in supplying a covered telecommunications service, carry an inbound international voice call to which an Australian CLI is attached.
- International CLI information must be carried exactly as received (s 11).
- Customer’s right to block all inbound voice calls and messages from numbers other than Australian numbers (s 12): Terminating carriers must, within 5 business days of request, apply a block on all inbound calls and messages from non-Australian numbers.
- Trust marking (s 13): Must not attach a trust marking unless they have verified identity, rights of use and established a legitimate use case.
- Network trust information (s 14): Originating carriers satisfied that a call/message is legitimate must attach network trust information before carriage.
- Preventing use of telecommunications infrastructure to commit scams (s 15): Must take reasonable steps to implement secure systems to prevent networks/facilities from being used to commit scams.
- Restrictions on sending messages using prepaid mobile carriage services (s 16): Originating carriers must impose a maximum limit on bulk message volumes for prepaid services, taking into account scam traffic indicators and typical legitimate use.
- Assistance to SPF consumers (s 17): Must take reasonable steps to assist consumers who are, or may be, victims of scams, including identifying appropriate tools/settings and providing scam information.
- Do Not Originate List (s 18): Originating carriers must establish, maintain and share a list of numbers not used for outbound calls/messages.
- Network monitoring (s 19): Must actively monitor networks for scam activity, including real-time tracking to validate traffic legitimacy and identify scam indicators, and must analyse the resulting information to identify patterns, trends and anomalies.
- Filtering of messages (s 20): Originating carriers and message aggregators must use fully automated filtering technology to detect scam material (numbers, emails, URLs, hyperlinks) in messages.
- Notice of actionable scam intelligence (s 21): Transiting/terminating carriers must, within 5 business days, give written notice of actionable scam intelligence to the originating or interconnected carrier.
- Acknowledge receipt (s 22): Entities receiving a notice must acknowledge receipt within 2 business days.
- Informing regulated entity of investigation outcome (s 23): Originating/interconnected carriers must inform the notifying entity of the investigation outcome within 2 business days of completing the investigation.
- Investigating actionable scam intelligence (s 24): Terminating carriers must block the CLI or attach a warning while investigating; non-terminating carriers must signal to other entities to do so.
- Scam activity (s 25): Once confirmed as a scam, entities must take reasonable steps to interrupt calls/messages from the offending number and warn consumers attempting to contact the number.
- SIP response codes/notices (s 26): Must return a SIP response code when interrupting calls or give written notice if not technically possible.
- Seeking international assistance (s 27): Where material volumes of scam traffic originate internationally, entities must use contractual arrangements to secure assistance from international service providers.
- No scam activity (s 28): If a regulated entity has intelligence about an activity involving a voice call or message, identifies the number, and the activity has been investigated and is not a scam, the entity must ensure that any action taken to disrupt the activity is promptly reversed, if it is reasonably practicable to reverse the action. If an activity is found not to be a scam, disruptive action must be reversed within 5 business days.
- Request to reverse disruptive action (s 29): Entities receiving a reversal request with supporting evidence must acknowledge within 2 business days and reverse within 5 business days if practicable.
- The SMS Sender ID Register, commencing on 1 July 2026, will provide an important additional layer of protection.
- Verification records of identity (s 30): Records of identity verification methods must be kept for at least 6 years.
- Agreement records (s 31): Copies of agreements for carriage of inbound international calls must be kept for at least 6 years.
- Security of SPF personal information contained in record (s 32): Entities must protect personal information in records from misuse, loss and unauthorised access and destroy/de-identify it after the minimum retention period.
9. Internal dispute resolution and the $3,000 threshold
In a major surprise when launching this consultation, the Government proposed that scam victims be automatically reimbursed for verified losses below $3,000, without the need for a full IDR investigation. The Assistant Treasurer explained on ABC Radio National that "it's really not going to make sense to have tens of thousands of cases in that realm swamp the dispute resolution process. That would lead to huge costs and also delays. So, we want to have some kind of automated or semi-automated process."
Where multiple entities are involved, reimbursement could be split equally. This expectation will be set out as Ministerial Guidance in the SPF Rules (not in primary legislation), pursuant to sections 58GE and 58BZE of the Competition and Consumer Act 2010 (Cth) (CCA), which provide the Minister broad rule-making powers and which require regulated entities to have regard to IDR processes and liability apportionment guidelines prescribed by the rules.
Question 12 in the Guide asks whether this provides "a sensible approach to handling low-value scam complaints in an efficient and proportionate manner" and if not, “how else can low-value scam complaints be handled efficiently and proportionately?”.
The short answer: Treasury does not say. The Position Paper states only that most complaints involve losses below this amount and that automatic reimbursement would reduce the burden on IDR and external dispute resolution (EDR) systems. With a median loss of $400 in the latest Targeting Scams report from the NASC, a $3,000 threshold would capture the majority of complaints by volume while representing a modest fraction of total dollar losses.
Two points are worth noting. First, the $3,000 figure appears for the first time in this consultation; it has not been separately consulted on. Consumer advocates had called for a fast-track small claims process in earlier submissions but did not nominate a dollar figure. Second, embedding the threshold in Ministerial Guidance (rather than in legislation) affords the government flexibility to adjust it over time, but also means it will receive less parliamentary scrutiny.
The $3,000 threshold invites inevitable comparison with the UK's mandatory Authorised Push Payment (APP) fraud reimbursement regime (commenced 7 October 2024). Under that regime, payment service providers must reimburse victims up to £85,000 per claim (approximately A$165,000) within five business days. Crucially, the UK regime includes safeguards absent from the Australian proposal: an optional excess of up to £100 (not applicable to vulnerable consumers) and a "consumer standard of caution" exception relieving providers from reimbursing consumers who fail to heed warnings, report promptly, respond to information requests, or consent to police reporting.
The Australian Position Paper addresses none of these safeguards. It does not say whether a consumer standard of caution or "gross negligence" exception will apply, nor whether the $3,000 threshold will be periodically reviewed or indexed.
This is a notable shift in the government's position. Treasury's own internal briefing materials, released under Freedom of Information, stated that "there has been a clear policy decision not to pursue a reimbursement-based framework". Former Minister Stephen Jones had said that a reimbursement model would mean "you will get every scammer in the world saying, 'Come to Australia, it's a victimless crime because the bank will always pay'" (cited in Dr Helen Haines MP, speech to Parliament, February 2025). The $3,000 automatic reimbursement proposal, while narrower than the UK model, represents a partial reversal of that position.
When asked directly about the honeypot risk on ABC Radio National, Dr Mulino acknowledged it: "we don't want to create an environment where there's an incentive on perpetrators to bombard our system more. We're going to monitor those risks. But I'm confident that a balanced approach where it's just the very small transactions will see reasonable outcomes." Whether monitoring alone is sufficient, without the structural safeguards built into the UK regime, remains to be seen.
The more pressing question is whether automatic reimbursement for losses under $3,000 will create perverse incentives. The concern is not theoretical. In the UK, UK Finance cautioned that the reimbursement model "may encourage more complicit fraud and exacerbate the APP risk as fraudsters capitalise on a reimbursement model which requires minimal consumer evidence" (UK Finance, Response to CP24/11, September 2024, p 2). In the Netherlands, where a voluntary reimbursement scheme for bank impersonation fraud was introduced, losses from that fraud category nearly doubled in the first year of widespread reimbursement.
Applied to Australia, a $3,000 automatic reimbursement threshold without robust safeguards could:
- encourage scammers to calibrate attacks below the threshold, targeting high volumes of victims for low-value losses
- create first-party fraud risk, where individuals fabricate or exaggerate claims knowing automatic reimbursement will apply
- undermine the SPF's "prevention first" orientation by shifting the focus from stopping scams to processing claims.
The Position Paper's requirement that losses be "verified" offers some protection, but the consultation does not elaborate on what verification will entail.
The Position Paper also proposes that where more than one regulated entity has breached its obligations under the SPF, liability should be shared equally between those breaching entities. This represents a significant simplification of the apportionment question, which has been one of the most contested aspects of the SPF's development.
The equal apportionment approach will be set out as liability apportionment guidelines in the SPF Rules. The guidelines will allow entities to make a case to adjust apportionment in exceptional circumstances, such as where there is unanimous agreement that one entity played a more significant role in the scam chain.
In adopting an equal apportionment approach, Australia appears to be mirroring the UK position, which splits the costs of reimbursement equally between the sending and receiving payment service providers (a concept which includes banks). Given, however, the broader scope of the SPF in applying to covered telecommunication services and digital platforms, as well as the varied entry-points of scams, an equal apportionment approach will not be workable and may leave some entities and sectors paying proportionately more than those with weaker protections. This will not encourage the necessary uplift across all regulated entities.
10. Industry and consumer response
The consultation opened on 27 May 2026.
On 28 May 2026, the Australian Banking Association (ABA) CEO Simon Birmingham released a statement acknowledging the consultation. He stated that banks will scrutinise the SPF settings carefully to ensure they:
- remain focused on an ecosystem approach with scam prevention at the forefront
- make Australia a less, not more, attractive target for scammers
- set clear obligations for designated businesses to help reduce losses
- continue efforts to encourage consumers to take sensible steps to avoid being scammed.
On the proposed reimbursement model, Mr Birmingham said that “while there may be merit in some streamlined processes for considering low-value losses, any compensation should be tied to SPF code breaches by designated businesses, not simply shuffle losses around the economy and incentivise scammers to target low-value opportunities”.
The ABA also reiterated its call to extend the SPF to dating apps and crypto platforms.
Consumer advocates have also responded. On 28 May 2026, Consumer Action Law Centre CEO Stephanie Tonkin described the implementation timeline as causing "unacceptable harm", stating that "on the current trajectory everyday Australians will lose a further $2 billion in scam financial crime before the laws take effect". Ms Tonkin said the $3,000 mandatory reimbursement proposal "was well intentioned but needs to be higher to avoid the dispute resolution system from grinding to a halt." Consumer Action confirmed it will be making a "forensic examination" of the draft codes and rules to ensure they set a high bar for industry.
Views and submissions from other stakeholders, including the Australian Telecommunications Alliance, Digital Industry Group and the Law Council of Australia, are anticipated but have not yet been published.
11. Drafting issues: the devil in the detail
The exposure draft codes contain several provisions whose drafting is likely to cause real compliance headaches.
We highlight four that warrant close attention in submissions:
The Common Code requires regulated entities to have regard to "any major scam event that the entity was affected by within the last 12 months" when developing their governance frameworks (Common Code 2-2(f)).
A major scam event is defined as a scam, or a group of related scams, relating to, connected with, or using a regulated service of the entity that results in, or would, if successful have resulted in, significant or widespread loss to SPF consumers of the entity’s regulated service (Common Code, 1-7).
No further details (including triggering metrics) are provided in the Common Code or in the associated explanatory memorandum. This creates uncertainty for compliance teams seeking to calibrate governance frameworks and for regulators seeking to assess compliance. We suggest that defined thresholds or a non-exhaustive list of criteria are required.
The word "proportionate" appears throughout the draft codes as the standard for disruptive action.
All regulated firms must give a notification to SPF consumers that is proportionate to the risk of loss or harm arising from the activity (Common Code, 2-24(2)(b)) and must engage in proportionate disruptive action (Common Code, 2-15).
Banks must take action that is "proportionate to the risk" when limiting high-risk transactions (Banking Code, section 3-7(2)) and banks must stop the scam by either closing, freezing or placing other restrictions on a bank account proportionate to the risk of loss or harm (Banking Code 3-12(1)(a)).
Whilst proportionality is a familiar legal concept and is welcomed, its application in the scam disruption context creates a difficult tension: over-disruption risks consumer harm (blocked payments, frozen accounts, removed legitimate content), whilst under-disruption risks regulatory breach. While the Common Code provides some factors for the risk assessment (likelihood and severity of loss, nature of activity, strength of intelligence, reversibility) it does not indicate how these are to be weighted or what practical outcome is "proportionate" in common scenarios. This is likely to be a significant source of compliance risk and commercial tension.
The exposure draft codes use varying evidentiary thresholds without clear differentiation.
An entity must identify activity as a scam if it has "reasonable grounds to believe" it is a scam (Common Code, 2-10(2)), but other requirements are triggered only on the basis of a ‘suspicion’ or where the entity ‘suspects’ the activity may be a scam (for example, Common Code 2-14(2)(c)(ii) on notifying a SPF consumer that the entity suspects the SPF consumer is, or may be, affected by the activity).
Further requirements are triggered where a digital platform ‘reasonably suspects’ content is a scam (Digital Platform Code, 5-2(1)(c)). A further standard is applied where a bank “reasonably believes” that a transaction is facilitating a scam (Banking Code, 3-11(1)).
The practical distinction between these thresholds will be critical for determining when obligations are triggered, yet the codes provide no consistency or guidance on these terms.
Section 2-16 of the Common Code requires regulated entities to reverse disruptive actions if an activity is identified as not being a scam. For banks, this may involve unfreezing accounts or reversing transaction blocks. For digital platforms, it may require reinstating removed content and re-enabling disabled accounts.
The obligation to reverse is not qualified by feasibility: once content has been removed, advertisers may have lost revenue or customers; once an account has been frozen, downstream payment obligations may have been breached. The absence of a liability safe harbour for good-faith disruptive action that is subsequently reversed (distinct from the existing 28-day safe harbour in the primary legislation for disruption itself) may discourage entities from taking prompt action.
12. Key areas for client pushback
Beyond the drafting issues identified above, the consultation raises several policy questions of direct commercial significance:
- The $3,000 threshold for reimbursement: The consultation expressly asks whether the $3,000 figure is appropriately calibrated. Such a model may make Australia a target for low-value, high-volume scams.
- Equal apportionment: Equal apportionment between breaching entities, while simple, may be perceived as inequitable where one entity's breach was clearly more causative than the others. Regulated entities may wish to advocate for a more nuanced model or a broader "exceptional circumstances" override.
- Scope of designation: The exclusion of email services, online marketplaces, dating apps and app stores from the digital platform designation remains contentious. While much has been said about a whole-of-ecosystem approach to combatting scams, there remain some major omissions from the scope of the SPF. Entities in excluded sectors should continue to monitor for designation expansion.
13. What comes next
The consultation closes on 25 June 2026, with an online information session on 5 June 2026. Submissions may be shared with ACMA, ACCC, ASIC and the Department of Infrastructure, Transport, Regional Development, Communications, Sport and the Arts.
Final instruments are expected in the second half of 2026, with sector obligations commencing 31 March 2027.
The window is short. Regulated entities should act quickly to identify which consultation questions are most material to their operations, particularly the $3,000 threshold, the equal apportionment model, regulatory overlap and designation scope.
The stakes are significant: civil penalties of up to $50 million per contravention for tier 1 breaches, enforcement by three sector regulators and a private right of action for damages raising the spectre of class actions.
For regulated entities, the practical priorities are:
- Gap analysis: Benchmark existing anti-scam frameworks against the specific obligations in the draft sector codes.
- Board engagement: Brief boards and senior officers on the governance certification requirements, including the annual review and certification obligations.
- Coordinate on submissions: Work with industry and trade bodies on joint submissions to maximise influence before the 25 June 2026 deadline.
- Mind the two commencement dates: The SPF Rules commence on 1 September 2026 and the codes follow on 31 March 2027. Plan for both.
- Scope implementation: Begin scoping the systems, processes and resourcing needed for compliance, including IDR processes, consumer notification systems, disruption capabilities and intelligence-sharing infrastructure.
14. Our view
This consultation package is a substantial step forward, but its proposals are not all fit for purpose. The drafting issues we identified above go to whether regulated entities can comply with confidence and regulators can enforce with consistency.
For banking clients, the single most important issue is that the automatic reimbursement mechanism (to the extent it is accepted at all) must be tied to demonstrated code breaches, must incorporate safeguards against the honeypot risk and must not become a de facto strict liability regime for low-value scam losses. The consultation provides the opportunity to shape those safeguards. That opportunity should not be wasted.
Finally, regulated entities are now on notice of the SPF code requirements so should begin uplifting their scam prevention frameworks and controls. We expect the regulators to actively start investigating compliance shortly after March 2027.
Gilbert + Tobin advises a range of banks, telecommunications companies and digital platforms on scam risk management, regulatory compliance and dispute resolution including in respect to scams. We have engaged with Government and regulators in respect to consultations on law and rule-making on behalf of clients and trade associations including in respect of the SPF. Please reach out to our experts if you require any assistance.