Proposed new Scam Protection Framework released – what you need to know
Banks, digital platform services and telecommunication companies will have strict obligations to identify, prevent and respond to scams, if proposed draft legislation is passed.
The Federal Government’s exposure draft legislation to establish the Scam Prevention Framework (Framework) is open for public consultation until 4 October 2024, and the draft legislation is still subject to parliamentary scrutiny.
- The Framework will be implemented through an amendment to the Competition and Consumer Act 2010 (Cth) (CCA). The object is to protect Australian consumers against scams.
- The Minister has designated banks, telecommunication and digital platform providers (initially social media, paid search engine advertising and direct messaging services) as the initial regulated sectors. However, the Framework allows the Minister to designate other sectors as scammers shift their activity to target consumers through other channels.
- Regulated entities will be required to adhere to principle-based obligations, monitored and enforced by the ACCC. Sector-specific codes will outline additional detailed and mandatory obligations, tailored to scam activity in different sectors and monitored by specific sector-code regulators.
- A regulated entity will be required to report and share information indicating possible detected scam activity with the ACCC, develop and implement appropriate governance arrangements for protecting Scam Prevention Framework (SPF) consumers against scams and take reasonable steps to prevent, detect, disrupt and respond to scams relating to its regulated service.
- Regulated entities must implement an accessible and transparent Internal Dispute Resolution (IDR) mechanism to effectively manage consumer complaints about scams. Entities that provide a regulated service must become members of the prescribed External Dispute Resolution (EDR) scheme. While banks are already Australian Financial Complaints Authority (AFCA) members, this is a new requirement for telecommunication and digital platforms.
- Failure to comply with the obligations may result in significant civil penalties of up to $50 million.
What are the regulated sectors?
- Banks, telecommunication providers and digital platform services, initially social media, paid search engine advertising and direct messaging services – as each represents a significant vector of scam activity.
- The Minister may designate additional regulated sectors by legislative instrument. We expect that further sectors will be designated in the future as scam methods and trends adapt over time.
Who is a regulated entity?
You may be a regulated entity if:
- you are a corporation acting in the course of, or in relation to, providing a business or service in a regulated sector; or
- you are a person who carries on or provides businesses or services that fall within the banking, insurance or communications constitutional powers (the definition of ‘person’ is taken to include partnerships, unincorporated associations and trusts).[1]
Meaning of scam
Scam is defined to cover conduct involving a direct or indirect attempt, successful or otherwise, to deceive an ‘SPF consumer’ into performing an action that results in a loss or harm to the SPF consumer.
An SPF consumer broadly includes a natural person residing in Australia or a person carrying on a small Australian business of fewer than 100 employees. Importantly, a person can be an SPF consumer of a regulated service even if they do not have a direct customer relationship with the regulated entity.
The key ingredient that distinguishes scams from other misconduct is the element of deception, which may include:
- deceiving consumers into facilitating an action using a regulated service under false pretences (eg where a person sends money from their bank account through their banking app to a bank account nominated by the scammer);
- deceptively impersonating a regulated entity in connection with its regulated service (eg receiving a fake text message purportedly from a bank); or
- deceptively representing something to be a regulated service (eg an imposter bond scam where a scammer impersonates a financial advisor and makes a false representation in relation to an investment product offered by a banking service that does not actually exist).
The Framework sets out ‘overarching principles’ that apply to regulated entities (outlined below), which are monitored and enforced by the ACCC.
SPF principle | Obligations |
---|---|
1. Governance | Regulated entities must develop and implement appropriate governance policies, procedures, metrics and targets to protect SPF consumers against scams. Policies and procedures must include the steps the entity is taking to identify actionable scam intelligence. A regulated entity will have actionable scam intelligence when there are reasonable grounds to suspect that an activity on or related to a regulated service of the entity is a scam. Regulated entities must make publicly accessible the steps taken to protect SPF consumers from scams, the rights of consumers and the process for reporting. Records must be kept of activities undertaken to comply with these obligations and made available to the ACCC and the relevant SPF sector-specific regulator on request. |
2. Prevent | Broadly, regulated entities must take reasonable steps to prevent scams on or relating to their regulated service. This may include (but is not limited to): |
3. Detect | Regulated entities must take reasonable steps to detect scams, which includes identifying SPF consumers that are or could be impacted by a scam in a timely way. This includes taking steps to detect scams as they are happening or after they have happened, including where an SPF consumer has already incurred a loss or before a loss has occurred. |
4. Report | Broadly, each regulated entity must share with SPF regulators: |
5. Disrupt | A regulated entity for a regulated sector must: Examples of disruption activity may include removing content such as scam advertisements or fraudulent accounts, blocking phone numbers or holding payments. Subject to certain conditions, a 28-day safe harbour protection will enable regulated entities to take proportionate disruptive steps to respond to actionable scam intelligence while an investigation into the nature of that activity is underway. The policy intent is to protect third parties from disruption activities where they are not involved in scam activity. |
6. Respond | Each regulated entity must have accessible mechanisms for its SPF consumers to report scams and an accessible and transparent IDR mechanism for those consumers to complain about scams. Entities that provide a service regulated by the Framework must become a member of an EDR scheme authorised by the Minister for their sector. The Minister intends to prescribe the AFCA as the single EDR scheme for the three initial sectors designated under the Framework. |
Multi-regulator approach
- A multi-tiered regulatory design will deliver a whole-of-ecosystem approach to enforcement. The ACCC will enforce obligations in the CCA and the digital platform service provider code, ACMA will enforce the telecommunications code and ASIC will enforce the banking code.
- The ACCC, as the general regulator, will have the ability to delegate its functions and powers to sector code regulators.
Consequences of breach
Breach of the SPF obligations can give rise to civil penalties. The Framework establishes a tiered penalty regime, with higher penalties applying to more significant breaches.
 | Tier 1 | Tier 2 |
---|---|---|
 | Breaches of obligations relating to preventing, detecting, disrupting and responding to scams | Breaches of obligations relating to reporting and governance, and any breaches of the sector codes |
Entities | The greater of: | The greater of: |
Individuals | $2,500,000 | $500,800 |
The obligations are currently imposed on banking and insurance businesses, digital platform service providers (beginning with social media, paid search engine advertising and direct messaging service) and telecommunications companies. However, given the unprecedented increase in scale and sophistication of scam operations (with scammers increasingly using advanced AI technologies), we suspect the Minister will designate further sectors in the future. This could include superannuation funds, digital currency exchanges and other payment providers.
The government is inviting further feedback on the draft legislation up until 4 October 2024. We encourage you to submit a response to the legislation if you believe you may be impacted.
We will provide a further update following the finalisation of the draft.
If the legislation is passed with no further amendments, regulated entities will be subject to broad obligations to take steps to combat scams and implement appropriate governance arrangements.
For more information about the proposed draft legislation, reach out to our financial services experts who can help explain the significant impact on businesses operating in the digital economy.
This article was written with the assistance of Vanessa Hynes, Law Graduate.
[1] See Division 7 of the Framework; note 2 to subsections 58AD(1) and (2).