This article was co-authored with Tiffany Austin and Joy Zhang.
The world’s first scam prevention legislation received Royal Assent on 20 February 2025 and came into force on 21 February 2025 as a new Part IVF to the Competition and Consumer Act 2010 (Cth).
The Scams Prevention Framework (SPF) is a whole-of-ecosystem approach which implements six overarching scam prevention principles (SPF principles). The SPF principles apply to all regulated entities, with the goal of scam prevention and providing a clear pathway for redress if a person is scammed.
These overarching SPF principles are: Governance, Prevent, Detect, Report, Disrupt and Respond.
- Governance arrangements to address scams
- Preventing scams
- Detecting scams
- Reporting scams
- Disrupting scams
- Responding to scams
The designated sectors subject to the SPF include: banking, insurance, telecommunications services, digital platform service providers and broadcasting service providers.
- Business of banking
- Business of insurance
- Telecommunication services
- Digital platform service providers, including social media providers
- Broadcasting service providers
Under the SPF, the Treasurer (or an appropriately delegated authority) may make a sectoral code for a regulated sector, known as an “SPF Code”. An SPF Code will generally contain detailed, but not exhaustive, sector-specific matters for regulated entities to comply with the SPF principles.
Our previous updates, “Part 2: Navigating the new frontier: Unpacking the new Scams Prevention Framework” and “Prevention (and disruption) is better than cure: The new framework for stopping scams before they start”, discussed the Bill as introduced. This article provides an update on the key changes made to the Bill during its passage through Parliament.
Clarification of ‘reasonable steps’
New s 58BB(2) clarifies that the primary consideration when assessing whether a regulated entity has taken ‘reasonable steps’ to prevent, detect and disrupt scams is whether the regulated entity has complied with any relevant SPF Code obligations. This recognises that the SPF Code for each regulated sector will play a role in supporting the ‘reasonable steps’ obligations in the SPF principles, including by describing what the reasonable steps include for the purposes of those obligations.
While SPF Code compliance is the primary consideration, the other matters discussed in our previous article are also relevant. These include, but are not limited to, the size of the regulated entity and the kind of regulated services concerned.
Giving a statement of compliance
Under SPF principle “6: Respond”, a regulated entity must have an accessible mechanism for its consumers to report activities that are or may be scams.
New s 58BZDA requires a regulated entity, when undertaking internal dispute resolution (IDR) to deal with a person’s complaint, to provide that person with a statement of compliance on specific matters, including whether the entity has complied with its obligations under the SPF provisions.
There is usually an asymmetry of information between regulated entities and consumers at the IDR stage. The intention of this requirement is to help a consumer understand a regulated entity’s position in response to their complaint and to ensure a consumer is provided with the necessary information to decide if they would like to escalate the complaint to external dispute resolution or to take further court action.
As set out in s 58BZDA(2), a statement of compliance must:
- State whether the regulated entity has complied with the obligations under the SPF provisions based on information reasonably available to the entity at the time of making the statement.
- Contain specific information prescribed by the SPF rules relevant to the complaint.
- Exclude information (if any) prescribed by the SPF rules relevant to the complaint (such as where the information is commercially sensitive or may contravene other legislative obligations).
- Be in writing and signed by an authorised representative of the entity as prescribed by the SPF rules.
- Meet any specific criteria prescribed by the SPF rules, such as timeframes to provide and manner and form in which it is to be provided.
This requirement will come into effect once the SPF rules are made. The SPF rules will prescribe the kinds of information to be included in the statement, including those matters listed in s 58BZDA(2)(b), (d) and (e) above. Once the SPF rules are in force, civil penalties may apply if the statement of compliance does not meet the requirements under s 58BZDA(2).
Guidelines for apportioning liability between multiple regulated entities involved in a scam
A new subparagraph (1A) under s 58BZE clarifies that when a regulated entity undertakes IDR arising from a complaint, any guidelines prescribed by the SPF rules for apportioning liability do not have to be consistent with the proportionate liability rules that apply in court actions for damages as outlined in ss 58FZD to 58FZK. This clarification to s 58BZE seeks to ensure that the guidelines for apportioning any liability at the IDR stage are not unnecessarily constrained by the framework for court actions and to support the efficient resolution of complaints.
These guidelines, along with other aspects of the SPF rules, will undergo consultation with public stakeholders.
Regulators’ roles and responsibilities statement
A new s 58EFA requires the ACCC (as the SPF general regulator, except for the provisions relating to SPF codes overseen by a designated SPF sector regulator) to publish a roles and responsibilities statement on its website. The statement is intended to provide a high-level view of the roles and responsibilities of each SPF regulator, the operator of an SPF external dispute resolution (EDR) scheme and any other entity the SPF general regulator considers appropriate.
This statement is intended to support the operation and transparency of the multi-regulator framework and help enhance community understanding of the different roles of each relevant entity in the SPF. For example, this statement may cover details about the role and responsibilities of the National Anti-Scam Centre, run by the ACCC, with respect to its information-sharing role of the SPF.
External dispute resolution to redress loss
During consultation on the draft legislation, submissions queried the extent of compensation for scam victims. The revised explanatory memorandum confirms the SPF does not mandate that scam victims be compensated, but rather that regulated entities provide compensation and/or another appropriate remedy to consumers. Section 58FZQ provides for orders other than an award for damages to redress loss or damage including declaring a contract void, varying the terms of such contract or specific performance.
The EDR mechanism in Part IVF is intended to provide a pathway to redress loss, including compensation, for an SPF consumer of a regulated service where the regulated entity has not complied with its SPF obligations. A regulated entity must be a member of the relevant SPF EDR scheme for its sector to provide regulated services to SPF consumers. Non-compliance with this requirement attracts a civil penalty.
The Minister may authorise EDR schemes for dealing with consumer complaints about scams relating to, connected with or using regulated services. The Minister may authorise an existing scheme like the Australian Financial Complaints Authority (AFCA) scheme for this purpose, or new schemes could be developed and authorised in accordance with ss 58DB and 58DC. The operator of the SPF EDR scheme will be able to determine complaints by consumers about how regulated entities will respond to scams. Part IVF does not make clear who the operator of the SPF EDR scheme may be, although we expect this will be contained within the sector-specific SPF Code.
What can we expect next?
The commencement of the SPF under Part IVF does not in itself impose any obligations on entities. The next steps are:
- First, a sector must be designated as a regulated sector by way of a designation instrument.
- Upon designation of the regulated sector, entities operating within the sector will be subject to the obligations in the SPF principles, enforced by the ACCC (as the SPF general regulator) and to any SPF Code if made for the sector, enforced by the relevant SPF sector regulator.
- The designation instrument will outline the scope of entities required to comply and may specify an application or a transition period before the SPF comes into effect to manage implementation risks.
The explanatory materials to the Scams Prevention Framework Bill 2025, as passed by both Houses of Parliament, are available here.
Call to action
Australian entities captured by the SPF (particularly in the industries of banking, telecommunication services and digital platform services) must act now, and ensure they are ready for these landmark changes, including the latest amendments above.
Here are some actions to consider:
- Be prepared for the SPF code for your organisation’s regulated sector to be introduced shortly, and assess your organisation’s policies, processes and training requirements for compliance.
- Integrate a robust internal dispute resolution process within your organisation to handle complaints, ensuring that a valid statement of compliance is issued.
- Keep abreast of the roles and responsibilities statements to be disseminated by the ACCC and other sector regulators, so that you are up to date with the key information shared by these regulators and your organisation complies with the SPF.