ARTICLE
11 June 2026

Stage 1 Of The Scams Prevention Framework

Herbert Smith Freehills Kramer LLP

Contributor

Australia Finance and Banking

On 28 May 2026, the Treasury published stage 1 of its long-awaited package of laws and consultations to designate, implement and operationalise the Scams Prevention Framework (SPF). Other stages will follow (discussed below).

This package (Stage 1 Package) is made up of the following:

  • the Competition and Consumer (Scams Prevention Framework – Regulated Sectors) Designation 2026 which designates the initial sectors and businesses to be regulated entities under the SPF. This passed into law on 22 May 2026 with an effective date of 23 May 2026 (Designation Instrument); 
  • an exposure draft instrument setting out common code obligations and specific code obligations for banks and digital platforms;
  • an exposure draft instrument setting out code obligations for the telecommunications sector;
    (The two draft instruments above will be consolidated into a single legislative instrument once finalised.)
  • an exposure draft instrument setting out rules under the SPF (SPF Rules), which contain exemptions from the Designation Instrument (amongst other items); 
  • explanatory materials for each of the draft instruments;
  • a guide to support the review of codes and rules; and
  • a position paper containing the government’s preliminary proposals in relation to how internal dispute resolution arrangements within regulated entities could work under the SPF (IDR Position Paper).

What is missing from the package is the instrument authorising the Australian Financial Complaints Authority (AFCA) to be the external dispute resolution (EDR) scheme for the SPF (EDR Instrument). As at the date of this note, this is awaited. 

The consultation closes on 25th June 2026.

Brief background

The Scams Prevention Framework Act 2025 (Cth) (SPF Act) introduced a principles-based, high-level framework to prevent scams which took effect from 21 February 2025. The SPF Act introduces the SPF into the Competition and Consumer Act 2010 (Cth) (CCA). However, the SPF did not apply to any particular entities in the ecosystem until they and their activities were designated. In addition, the SPF Act also envisaged that there would be:

  • SPF Rules supporting the effective operation of the SPF by setting out detailed, operational requirements that entities must meet to fulfil their obligations under the SPF; 
  • SPF Codes which would apply to designated sectors;
  • internal dispute resolution (IDR) arrangements to be implemented by designated entities; and
  • a single EDR framework for complaints to be escalated from IDR. 

On 28 November 2025, Treasury released a consultation package (Consultation) containing:

  • a draft designation instrument;
  • a draft instrument authorising AFCA to be the single EDR; 
  • explanatory statements for the draft instruments;
  • targeted questions for the draft instruments; and
  • a position paper on the government’s initial proposals for what could be contained in the SPF Rules and SPF Codes. 

That consultation closed on 5 January 2026. 

Much of the substance and core principles from this consultation package have been carried through to the Stage 1 Package, although there are a few noteworthy changes which have arisen from stakeholder feedback.

This article provides our insights into the current proposals with a focus on the banking sector. 

Who is in scope?

The Designation Instrument confirms that there will initially be three sectors designated for regulation under the SPF – banks, telecommunications services and digital platforms. There are no changes to the description of the sectors themselves from the consultation version of the Designation Instrument.

All banks are in scope, except those ADIs whose banking business activities are limited to providing purchased payment facilities (PPFs), which are subject to a complete exception in the draft SPF Rules.

For in-scope banks, only their “covered banking services” are within scope of the SPF, which captures a “service provided by an ADI in the course of carrying on its banking business”. This can be illustrated as follows:

[Figure: 1799874a.jpg (image not reproduced)]

What about wholesale banking?

The Consultation stated that the government did not intend for wholesale banking to be caught, considering that, as a covered service needs to involve an ‘SPF Consumer’ (discussed below), this would naturally exclude wholesale banking. However, there is no such specific exclusion for wholesale banking in the Designation Instrument and no exception in the draft SPF Rules. This means that where a wholesale bank has an ADI licence and deals with ‘SPF Consumers’, its banking businesses are in scope of the SPF.

What do banks need to comply with and by when?

Although the Designation Instrument came into effect on 23 May 2026, the transitional arrangements are as follows:

[Figure: 1799874b.jpg (image not reproduced)]

Separately, as was earmarked in the Consultation, proposed rules relating to SPF principle 4: Reporting and actionable scam intelligence will be developed during 2026 and 2027. This means that by the end of 2027, banks will need to comply with the information sharing and reporting requirements for actionable scam intelligence.

In addition, notwithstanding that the key obligations on banks do not start to apply until 31 March 2027 at the earliest, banks should still be implementing the commitments that were made under the ABA’s Scam Safe Accord.

What is proposed in the bank sector code?

The CCA sets out the high level principles that a bank must meet under the SPF (i.e. taking reasonable steps). Despite being high level, most of these requirements are civil penalty provisions. The codes were intended to contain further detail on some of the principles (all principles excluding SPF principle 4 – report). The SPF in the CCA required that the codes must be consistent with the SPF principles. 

Set out below is a summary of the high level principles from the SPF and the detail in the codes. An asterisk identifies a civil penalty provision:

SPF principle 1: Governance

SPF in CCA:
  • Each regulated entity must document and implement governance policies, procedures, metrics and targets for combatting scams. *
  • These must be reviewed, and certified by a senior officer of the entity, at least annually. *
  • The entity must keep records and give reports about its compliance with this principle. *

Exposure Draft Bank Sector Code:
  • Introduces specific requirements that must be had regard to in a bank’s required governance policies and procedures *
  • Staff training *

SPF principle 2: Prevent

SPF in CCA:
  • Each regulated entity for a regulated sector must take reasonable steps to prevent scams from being committed. *
  • This requires more than merely acting on actionable scam intelligence.

Exposure Draft Bank Sector Code:
  • Banks must have reasonable systems, processes and resources (including financial, technological and human resources). *
  • Banks must have reasonable and secure systems * and must undertake regular assessments and testing.
  • Banks must have reasonable systems and processes to ensure their agents and other entities have reasonable systems, processes and resources to comply with certain requirements * including as part of their appointment, ongoing monitoring and incident response.
  • Banks must have reasonable systems and processes to prevent brand impersonation * which must include a range of specific items.
  • Banks must make public information about the risk of scams relating to the entity * which must comply with certain requirements.
  • Banks must conduct confirmation of payee. *
  • Banks must verify the identity of each director SPF consumer.
  • Banks must have reasonable systems and processes for identifying high-risk activities. *
  • Banks must provide targeted warnings to SPF consumers. *
  • Banks must identify scam transactions. *
  • Banks must take action to limit high-risk transactions and activity. *

SPF principle 3: Detect

SPF in CCA:
  • Each regulated entity for a regulated sector must take reasonable steps to detect scams. * This includes:
    1. investigating, in a timely way, activities that are the subject of its actionable scam intelligence; * and
    2. identifying, in a timely way, its consumers that have or may have been impacted by such activities. *

Exposure Draft Bank Sector Code:
  • Banks must have reasonable systems, processes and resources (including financial, technological and human resources) to detect scams. *
  • Banks must identify whether or not an activity is a scam * and find that it is if the entity has reasonable grounds to believe that the activity is a scam taking into account a variety of factors.
  • Banks must record information relevant to the entity’s investigation into that activity * with specific information mandated and certain exclusions.
  • Banks must have reasonable systems and processes to identify affected SPF consumers. *
  • Banks must monitor accounts and transactions to identify actionable scam intelligence. *
  • Banks must have reasonable systems and processes to enable the bank to identify SPF consumers and services affected by scams. *

SPF principle 5: Disrupt

SPF in CCA:
  • Each regulated entity must take reasonable steps within a reasonable time to:
    1. disrupt activities that are the subject of actionable scam intelligence; * and
    2. prevent loss or harm (including further loss or harm) arising from the activity. *
  • Give a report about the actionable scam intelligence to the SPF general regulator which contains information prescribed by the SPF rules. *

Exposure Draft Bank Sector Code:
  • Banks must have reasonable systems, processes and resources (including financial, technological and human resources) to disrupt scams. *
  • Banks must take reasonable steps to notify affected SPF consumers. *
  • Banks must undertake a risk assessment for disruptive actions. *
  • Banks must, to the extent reasonably practicable, reverse disruptive actions as soon as practicable, if it is not a scam. *
  • Sending banks must send payment recall requests to third party banks or take reasonable steps to reverse transactions internally. *
  • Receiving banks must take reasonable steps to assist the sending bank to reverse the transaction. *
  • Banks must block accounts associated with scams. *

SPF principle 6: Respond

SPF in CCA:
  • Each regulated entity must have an accessible mechanism for its consumers to report activities that are or may be scams.
  • The entity must have an accessible and transparent internal dispute resolution mechanism for its consumers to complain about:
    1. activities that are or may be scams; or
    2. the entity’s conduct relating to such activities.
  • The entity must publish information about these mechanisms.
  • When undertaking such internal dispute resolution about a complaint, the entity must give a statement, relevant to the complaint, about whether it has complied with its obligations.
  • When undertaking such internal dispute resolution, the entity must have regard to:
    1. any processes prescribed by the SPF rules; and
    2. any guidelines prescribed by the SPF rules for apportioning any liability.
  • The entity must become a member of an authorised external dispute resolution scheme for dealing with complaints about scams if the entity provides services regulated by the Scams Prevention Framework.

Exposure Draft Bank Sector Code:
  • Banks must have reasonable systems, processes and resources (including financial, technological and human resources) to respond to scams. *
  • Banks’ reporting mechanisms must meet certain requirements. *
  • Banks must acknowledge scam reports and scam complaints within certain timeframes * and provide timely assistance, support and resolution, * and a notice if the complaint is not resolved within 30 days. *
  • Banks’ IDR mechanisms and their policies and procedures must meet certain requirements. *
  • Banks must have reasonable systems and processes to facilitate cooperation with other regulated entities in relation to complaints. *
  • There are specific requirements relating to vexatious or frivolous complaints. *
  • Complaints must be recorded. *

Does complying with the Code mean that a bank has complied with the SPF Principles in the CCA?

Compliance with the code is the ‘primary factor’ in determining whether a bank has taken reasonable steps for the purposes of the corresponding SPF principles. However, the codes are stated as setting minimum compliance standards. This means that some banks with larger operations, more at-risk activities, etc. may need to do more than what is set out in the code in order to meet the principles in the CCA. The Position Paper from the Consultation referred to this as the ‘scalability’ obligation – i.e. the reasonable steps obligation is scalable.

Who is an SPF Consumer?

An SPF consumer is defined in the CCA as either:

  • A natural person, or a small business operator, who is or may be provided or purportedly provided the service in Australia; or
  • A natural person who is ordinarily resident in Australia and is or may be provided or purportedly provided the service outside of Australia by a regulated entity that is either an Australian resident or is providing or purportedly providing the service through a permanent establishment in Australia. 

The draft SPF Rules propose that a person is not an SPF consumer of a covered banking service where they do not have a direct relationship with the regulated entity providing the service (the bank), or they are not making a payment to, or receiving a payment from, the bank (discussed further below). This exception is stated to be intended to ensure that business-to-business banking services, such as those providing back-end payment infrastructure, are not captured by the banking designation. However, it also operates more broadly to limit who a bank owes its duties to. One of the concerns with the definition of SPF consumer in the CCA (set out above) is that it was overly broad and would have resulted, on one interpretation, in banks owing duties to the world at large (a point that Australian courts have not upheld). This proposed limitation will now restrict an SPF consumer to being either a direct customer of the bank or a customer of the paying or receiving bank’s services.

Where covered banking services are provided under a white labelling arrangement with a non-ADI (e.g. branded credit and debit cards), the government proposes that this is captured where the ADI has the contractual relationship for the covered banking service. However, it will not be captured where the non-ADI has the contractual relationship with the customer. This aspect may need further thought given that a non-ADI may hold client money with an ADI or otherwise hold customers’ funds with an ADI as trustee for customers.

What is a 'scam'?

A scam is defined in the CCA as a direct or indirect attempt (whether or not successful) to engage an SPF consumer of a regulated service where it would be reasonable to conclude that the attempt involves deception and would, if successful, cause loss or harm, including obtaining SPF personal information of the SPF consumer or their associates.

The Consultation proposed that certain activities might be excluded from being a scam; however, none are proposed in the draft SPF Rules. The Stage 1 Package states that rules are being made to further refine the definition of a scam. It is currently proposed to exclude misleading or deceptive conduct engaged in by legitimate businesses and AFSL holders from being a scam (but not from entities impersonating legitimate businesses – e.g. bank impersonation scams).

What are the expectations of IDR arrangements?

The Stage 1 Package includes the government’s policy options for regulated entities’ IDR arrangements but no draft instruments have been published yet. 

These IDR arrangements are difficult as a single scam complaint may involve several regulated entities across different sectors, each of which may have played a role at different stages of the scam. This creates a level of complexity not typically present in existing IDR frameworks, which are generally designed to assess disputes involving a single entity. 

The IDR process under the SPF will need to accommodate multi-party complaints, whereby each entity will need to assess their own compliance against the SPF and come to a shared view on how to settle a complaint with the SPF consumer. 

The government’s current policy settings are as follows:

  • Regulated entities need to be mandated to engage with an IDR process (wherever the customer has started that complaint) – the current draft sector code obligations require regulated entities to cooperate with one another in the handling of scam complaints at the IDR stage. 
  • Verified scam losses below $3,000 should be automatically reimbursed - Ministerial guidance is proposed to be included in the SPF rules to set out this expectation and to make it clear that investigations and complaints handling at IDR should be proportionate to the value and complexity of the scam loss. 
  • Further, entities should be liable for losses where they have breached their obligations and where more than one regulated entity has breached its obligations, the proposal is that liability should be shared equally. It is proposed that these liability apportionment guidelines will allow entities to adjust liability in exceptional circumstances (such as where there is unanimous agreement that one entity played a more significant role in the scam chain). 
  • The liability apportionment guidelines will not support consideration of the role of non-regulated entities. 

Separately, the draft SPF Rules propose that banks would need to provide consumers who make an IDR complaint with a statement of compliance (or a simpler statement). The rules contain the detail on the timing and content of such statements. 

Who is the EDR Scheme?

As at the date of this article, the Minister for Financial Services has not yet made a final version of the Competition and Consumer (Scams Prevention Framework—External Dispute Resolution) Authorisation 2025 (EDR Instrument). However, it is expected that the final EDR Instrument will authorise AFCA to be the EDR scheme in respect of the three initial designated sectors, consistent with the exposure draft instrument as part of the Consultation.

In preparation for this anticipated EDR role, AFCA made a number of required amendments to its constitution on 26 May 2026. The key objective was broadening AFCA’s jurisdiction to allow it to consider SPF complaints against the telecommunications and digital platforms designated sectors, in circumstances where AFCA’s remit has historically been confined to financial services firms. AFCA achieved this by removing participation in a financial services, superannuation or related industry as a pre-requisite for admission as an AFCA member, as well as expanding its constitutional definition of “Industry” to include participants required by law to be a member of an AFCA-operated EDR scheme.2

With the jurisdictional framework for its EDR role in place, AFCA will now look to amend its rules to address how it will actually manage and consider SPF complaints. The commencement date for the EDR Instrument is expected to be 31 March 2027.

What is yet to come?

As noted above, the SPF is being operationalised in stages. The following areas are yet to be developed/finalised:

  • Scope of what is a ‘scam’: The government proposes to make rules to further refine the definition of a scam.
  • Internal dispute resolution: The government proposes to make policy settings for internal dispute resolution. These policy settings will be set out in SPF rules and sector codes.
  • Information sharing / reporting requirements for actionable scam intelligence: The government intends to make information sharing rules at a later stage so that they take effect by the end of 2027.
  • Telecommunication sector designation exceptions: The government intends to exclude entities who only operate private lines from designation.

Footnote

1 The draft SPF Rules propose that entities with an exception are not subject to SPF obligations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
