Australia | Publication | November 2024
This article was co-authored with Masooma Saberi and Alyssya Warty-Hasan.
We previously provided a short summary of the Scams Prevention Framework (the Framework) to highlight the important changes Australian entities can expect with this Bill and the importance of implementing measures to prevent scams: Prevention (and disruption) is better than cure: The new framework for stopping scams before they start.
Submissions on the exposure draft legislation closed on 4 October 2024 and the Scams Prevention Framework Bill 2024 (the Bill) was introduced into Parliament on 7 November 2024.
In this article we provide further practical insights on the Bill, particularly highlighting certain obligations that will be placed on regulated entities to prevent scams.
It is essential for Australian entities captured by the Framework to ensure that they are well prepared for these sweeping changes. Here are some actions to consider:
The Framework is an economy-wide reform to protect Australian consumers from scams. Scammers stole some $2.7 billion from Australian consumers in 2023 and the government has described the growth in scams as ‘unacceptable’, particularly given the wider financial, psychological and emotional harm caused to Australian consumers.
In essence, the Framework sets out clear responsibilities for regulated entities to take various steps to address scams with the endorsement of the Government and regulators. The Framework provides a streamlined and overarching regulatory approach that has been introduced as part of the government’s efforts to modernise Australia’s laws for the digital age.
The Framework seeks to build upon and consolidate various sectoral initiatives within a responsive and adaptable framework. The intent is to implement consistent overarching principles yet still enable sector-specific codes to articulate bespoke regulatory detail in each sector. The underlying sectoral codes will contain a set of minimum standards for each industry sector included within the Framework. Non-compliance will have severe consequences, including serious penalties.
The Framework is introduced as a new Part IVF of the existing Competition and Consumer Act 2010 (Cth) (CCA). It builds upon Australia’s increasing use of industry codes to implement sectoral competition and consumer protection regulation. The Australian Competition and Consumer Commission (ACCC) will be the lead regulator.
The Framework has the following key features:
The Framework implements six overarching scam prevention principles (called SPF principles) which apply to all regulated entities:
Under the Framework, a Treasury Minister (or an appropriately delegated authority) may make a sectoral code for a regulated sector, known as an “SPF Code”. An SPF Code will generally contain detailed but not exhaustive, sector-specific matters for regulated entities to comply with the SPF principles.
A Treasury Minister may also authorise an external dispute resolution scheme for the Framework. The government’s current intention is to authorise the Australian Financial Complaints Authority (AFCA) in this role for all initially regulated sectors. A single scheme is intended to ensure consistency in consideration of complaints and a less burdensome approach for regulated entities and consumers.
Regulated entities are required to take reasonable steps under several of these principles to combat scams. In determining whether ‘reasonable steps’ have been taken, a range of factors are relevant, such as entity size, the services they provide, who their consumers are and the exposure to specific kinds of scam activities.
The Minister, through a legislative instrument, will set out the regulated sectors. The following sectors are expressly identified as potential sectors that could be included within the Framework:
Of these, the government currently intends to initially designate 3 sectors, namely banking, telecommunication services, and digital platform services (social media, paid search engine advertising and direct messaging services), given the significance these sectors have in the lifecycle of scam activities.
There is also a mechanism to expand the designation into more sectors depending on the evolving nature of scam activities. This could include, for example, superannuation funds, digital currency exchanges, payment providers, and online marketplaces.
SPF principle 1: Governance
Regulated entities must document and implement governance measures in the form of policies, procedures, metrics and targets to combat scams. Such governance measures are intended to be dynamic. Governance policies and procedures must be documented with reference to multiple factors such as how they prevented, detected, disrupted, responded to and reported scams. Regulated entities must also:
Practical considerations:
SPF principle 2: Prevent
Regulated entities must take reasonable steps to prevent scams, and proactivity is the key to demonstrating compliance with this principle. The Bill makes it clear that it is insufficient to merely act on relevant information relating to scams provided to the regulated entity. Sector-specific codes may contain information describing what are reasonable steps for the relevant sector. Examples of reasonable steps may include identifying consumers who have a higher risk of being targeted by scams, providing warnings to at-risk consumers, and providing information to assist them in identifying scams and steps they can take to minimise the risk of harm from scams. Reasonable steps may also require investing in educating staff on emerging scams, as well as adopting a proactive approach to obtaining information on emerging scams, analysing trends or patterns in scam activities, and identifying any vulnerabilities in the chain of operation. This principle is intended to stop scam activity from reaching or impacting consumers, as opposed to disrupting scam activity (see principles 3 and 5 below).
Practical considerations:
SPF principle 3: Detect
Regulated entities must take reasonable steps to detect scams as the scam is occurring or after it has occurred, regardless of whether any loss has already been incurred. Reasonable steps include detecting scam activity through information from its internal mechanisms, or external to the organisation such as those from consumers or the regulator. Where the regulated entity has “actionable scam intelligence” (i.e. where there are reasonable grounds to suspect that a communication, transaction or other activity relating to, connected with, or using a regulated service of the entity is a scam), it must take reasonable steps to investigate if the activity in question is a scam within 28 days, and act on that intelligence to identify the persons who were SPF consumers at the time when they were or might have been impacted by the activity.
Practical considerations:
SPF principle 4: Report
When a regulated entity has “actionable scam intelligence”, it must report this to the ACCC (in its capacity as the SPF general regulator) within the time period prescribed by the SPF rules containing specific information. It is contemplated that the information collected will include information necessary to disrupt the scam, such as the mechanism or identifier used for the scam activity, including bank account details that scammers instruct victims to transfer funds to, and phone numbers used by scammers to get in touch with victims. The entity must provide a report about a scam to the ACCC if it so requests within a certain timeframe and containing specific information as set out in the request. This may include de-identified information about the impacted consumer, the loss or harm which may have been caused by the scam, and what disruptive actions the entity has taken in response to the scam and in order to disrupt similar scams. The ACCC may disclose information about scams to other entities across the ecosystem to help disrupt the scam.
Practical considerations:
SPF principle 5: Disrupt
Where they have “actionable scam intelligence”, regulated entities must take reasonable steps to disrupt the scam-related activity and prevent losses from such activity (including further losses). The regulated entity will also need to report the outcomes of such investigations within a prescribed timeframe. Reasonable steps include putting payments on hold to allow the regulated entity to alert the consumer, blocking phone numbers or bank accounts, or removing scam advertisements on websites. A regulated entity is entitled to rely on a 28-day ‘safe harbour’ during its investigations whereby it will not be liable in a civil action or civil proceeding for taking certain actions to disrupt a suspected scam in specified circumstances, for example, if the disruptive action is reasonable and proportionate to the suspected activity (through the lens of potential loss to consumers if no action is taken, as well as potential loss where action is taken but the investigation reveals that the activity is not a scam), done in good faith and in compliance with the Framework.
Practical considerations:
SPF principle 6: Respond
Regulated entities must have an accessible mechanism for their consumers to report actual or possible scams. Entities have the flexibility to set up a mechanism for consumers to report in a variety of ways, such as in-person, over the phone, or through an app or via its website, depending on its consumer base. Each entity must also provide an accessible and transparent internal dispute resolution mechanism for its consumers to lodge complaints about potential scams and the entity’s conduct in relation to these activities. It is expected that further details will be contained in the SPF rules, which may include specific guidance around the provision of information to the consumer in the entity’s response to complaints. Regulated entities must also become a member of an authorised external dispute resolution (EDR) scheme. While more than one SPF EDR scheme may be authorised, the intention of the proposed legislation is to have a single EDR scheme for multiple regulated sectors to streamline the process.
Practical considerations:
The Framework will be enforced through a multi-regulator model with the ACCC being the lead or ‘general’ regulator responsible for monitoring, investigating, and enforcing compliance with these provisions. In terms of the sector-specific codes, the ACCC will be supported by other regulators designated for each sector incorporated into the Framework. It is anticipated that the Australian Communications and Media Authority (ACMA) will be the regulator for telecommunications services, while the Australian Securities and Investments Commission (ASIC) will be the regulator for banking services.
The Framework contains provisions for information-sharing between the various SPF regulators, to coordinate their regulatory activities and enforcement via an arrangement between ACCC and the SPF sector regulators. As such, the Framework builds upon the existing initiatives undertaken by the ACCC to better co-ordinate the regulation of scam activity between the various Australian regulators.
The Framework will work under a two-tier system, with a Tier 1 contravention attracting a higher maximum penalty and reserved for the most egregious breaches. The relevant breaches include failing to prevent, detect, disrupt or respond to a scam. The maximum penalty for a Tier 1 contravention is the greater value of:
The penalty for an individual is approximately $2.5 million (current value).
A Tier 2 contravention occurs where a regulated entity has contravened a sector code or breached the governance or reporting principles. A Tier 2 contravention will attract a maximum penalty of the greater value of:
The penalty for an individual is approximately $500,000 (current value).
The civil penalty regime will be supported by other administrative enforcement tools, including injunctions, enforceable undertakings, and infringement notices.
While the Bill has outlined significant changes to support a whole-of-ecosystem approach, various practical issues are expected to be elaborated by the SPF rules.
The Bill that has been tabled does not contain any information as to when the regime would actually become operative, but we assume the regime will be implemented relatively quickly for various reasons, including political priorities and continuing media attention.
The consensus among regulators is that there needs to be stricter regulation of scam prevention, with ASIC Deputy Chair Sarah Court stating in 2023 that “combatting scams is a critical task for all of corporate Australia — financial institutions, telecommunication providers, digital platforms and other organisations”.
The Bill and its explanatory materials are available here. The legislation is complex and there are many nuances that will need to be considered, including the resources that will need to be allocated by regulated entities to ensure compliance and the interaction of the Framework with existing procedures and approaches.
Please contact any of the lawyers identified below if you have any questions or would like to discuss the potential application of the Framework to your business. We are also happy to share any intelligence as to the current status of the Bill since it has been introduced into Parliament. It is likely to be enacted in the coming months.
© Norton Rose Fulbright LLP 2023