Part 2: Navigating the new frontier: Unpacking the new Scams Prevention Framework

SPF principle 1: Governance 

Regulated entities must document and implement governance measures in the form of policies, procedures, metrics and targets to combat scams. Such governance measures are intended to be dynamic. Governance policies and procedures must be documented with reference to multiple factors such as how they prevented, detected, disrupted, responded and reported scams.

Regulated entities must also:

• Review and certify their governance measures at least annually by a senior officer of the entity.
• Keep material records of their governance arrangements for a least 6 years and give reports about its compliance as requested by the regulator.

Practical considerations:

• Do you have a good understanding of the areas in your chain of operations which may be susceptible to the risk of scams?
• Do you have appropriate frameworks to document and maintain a scam specific policy?
• Do you have appropriate frameworks to support your annual certification process, such as processes covering implementation of monitoring metrics, and review and uplift of relevant governance policies and procedures? 

SPF principle 2: Prevent 

Regulated entities must take reasonable steps to prevent scams, and proactivity is the key to demonstrating compliance with this principle. The Bill makes it clear that it is insufficient to merely act on relevant information relating to scams provided to the regulated entity. Sector-specific codes may contain information describing what are reasonable steps for the relevant sector. 

Examples of reasonable steps may include identifying consumers who have a higher risk of being targeted by scams, providing warnings to at-risk consumers, and providing information to assist them in identifying scams and steps they can take to minimise the risk of harm from scams. Reasonable steps may also require investing in educating staff on emerging scams, as well as adopting a proactive approach to obtain information on emerging scams, analysing trends or patterns in scam activities, and identify any vulnerabilities in the chain of operation.

This principle is intended to stop scam activity from reaching or impacting consumers, as opposed to disrupting scam activity (see principles 3 and 5 below).

• Do you conduct regular risk assessments and seek out information proactively from relevant sources on the emerging scam activities to inform your risk assessment and potential remediation activities to address any vulnerabilities on your service?
• Are there processes in place to identify which of your consumer base are at a higher risk of being scammed?
• Do you regularly monitor and analyse organisation and industry data for any trends to identify which cohort is more susceptible to scams and the latest tactics which scammers are using to target consumers?
• Do you have clear protocols to guide what resources or warnings you provide to consumers about scams? For instance:
  • Do you take into account any attributes of vulnerability, channels which these consumers are more likely to access (e.g. where they are less familiar with technology), and potential language barriers when making decisions with respect to these protocols?
  • Do you provide direct scam-related alerts to consumers in plain language, which you update from time to time to alert them of the latest developments with respect to scams on your services or platforms, and what they can do to minimise the risk of harm?
• How often do you conduct staff training on emerging scam activity and the organisation’s processes to identify and respond to scams?   

SPF principle 3: Detect 

Regulated entities must take reasonable steps to detect scams as the scam is occurring or after it has occurred, regardless of whether any loss has already been incurred. Reasonable steps include detecting scam activity through information from its internal mechanisms, or external to the organisation such as those from consumers or the regulator. 

Where the regulated entity has “actionable scam intelligence” (i.e. where there are reasonable grounds to suspect that a communication, transaction or other activity relating to, connected with, or using a regulated service of the entity is a scam), it must take reasonable steps to investigate if the activity in question is a scam within 28 days, and act on that intelligence to identify the persons who were SPF consumers at the time when they were or might have been impacted by the activity.

Practical Considerations:

• Do you have effective proactive procedures to identify scams and consumer cohorts that are or have been affected by actual or suspected scams?
• How is the organisation approaching the detection of scams? For instance, is there whole-of-business coordination where different functions regularly share relevant information such as consumer complaints or intelligence, any spikes, or trends in terms of irregularities in transactions, or more broadly market trends in terms of scam tactics?
• Are you investing sufficiently in advanced technology and resources to monitor complaints from consumers, and establishing procedures to address to those complaints swiftly where scams have taken place or will take place? 

SPF principle 4: Report 

When a regulated entity has “actionable scam intelligence”, it must report this to the ACCC (in its capacity as the SPF general regulator) within the time period prescribed by the SPF rules containing specific information. 

It is contemplated that the information collected will include information necessary to disrupt the scam, such as the mechanism or identifier used for the scam activity, including bank account details that scammers instruct victims to transfer funds to, and phone number used by scammers to get in touch with victims.

The entity must provide a report about a scam to the ACCC if it so requests within a certain timeframe and containing specific information as set out in the request. This may include de-identified information about the impacted consumer, the loss or harm which may have been caused by the scam, and what disruptive actions the entity has taken in response to the scam and in order to disrupt similar scams. The ACCC may disclose information about scams to other entities across the ecosystem to help disrupt the scam.

Practical Considerations:

• Do you have a defined framework and team to comply with these reporting obligations?  
• While the Bill provides that complying with this principle will not represent a breach to the obligations to maintain a duty of confidence, are your contractual provisions sufficiently robust to cover these information sharing requirements?
• Where personal information (within the meaning of the Privacy Act 1988 (Cth)) is expected to be captured under these reporting obligations, or where you anticipate, additional personal information being collected to meet these reporting obligations, how are you aligning your relevant policies and processes to ensure you are compliant with the applicable regimes?

SPF principle 5: Disrupt  

Where they have “actionable scam intelligence”, regulated entities must take reasonable steps to disrupt the scam related activity and prevent losses from such activity (including further losses). The regulated entity will also need to report the outcomes of such investigations within a prescribed timeframe. Reasonable steps include putting payments on hold to allow the regulated entity to alert the consumer, blocking phone numbers of bank accounts, or removing scam advertisements on websites.

A regulated entity is entitled to rely on a 28-day ‘safe harbour’ during its investigations whereby it will not be liable in a civil action or civil proceeding for taking certain actions to disrupt a suspected scam in specified circumstances, for example, if the disruptive action is reasonable and proportionate to the suspected activity (through the lens of potential loss to consumers if no action is taken, as well as potential loss where action is taken but the investigation reveals that the activity is not a scam), done in good faith and in compliance with the Framework. 

• Are your processes aligned with the specific requirements that need to be met to rely on the ‘safe harbour’ provisions?
• Regulated entities may need to apply enhancements to consumer communications to swiftly disrupt a scam – do your communication protocols take into account how the various channels that consumers generally use your services and whether the communications should be sufficiently tailored to maximise engagement?
• How are you approaching the interface between this principle and your consumer complaints processes? Regulated entities may need to speed up the process of review for consumer complaints to be able to effectively disrupt an actual or suspected scam (such as introducing friction to bank transfers in high risk settings).

SPF principle 6: Respond 

Regulated entities must have an accessible mechanism for their consumers to report actual or possible scams. Entities have the flexibility to set up a mechanism for consumers to report in a variety of ways, such as in-person, over the phone, or through an app or via its website, depending on its consumer base.

Each entity must also provide an accessible and transparent internal dispute resolution mechanism for its consumers to lodge complaints about potential scams and the entity’s conduct in relation to these activities. It is expected that further details will be contained in the SPF rules, which may include specific guidance around the provision of information to the consumer in the entity’s response to complaints. 

Regulated entities must also become a member of an authorised external dispute resolution (EDR) scheme. While more than one SPF EDR scheme may be authorised, the intention of the proposed legislation is to have a single EDR scheme for multiple regulated sectors to streamline the process.

Practical Considerations:

• The Australian Financial Complaints Authority (AFCA) charges regulated entities for all cases they manage based on a Fee Structure. The fees vary based on the matters in this Schedule, for example, whether they move to case management or require a decision. If AFCA is the EDR provider, this will result in additional costs to regulated entities.
• Where you are required to comply with additional requirements with respect to your IDR mechanisms (such as Australian Securities and Investments Commission (ASIC) RG 271), how are you approaching any overlapping or related requirements to ensure you are compliant with this principle as well as other requirements?