What is it?

The Albanese Government introduced into Parliament yesterday an initiative to impose obligations on businesses in certain industries to protect their consumers from being scammed.

The Competition and Consumer Act 2010 (Cth) (the 2010 Act) will be amended to establish a new ‘Scams Prevention Framework’ (SPF) that includes overarching principles and sector-specific codes that businesses must comply with to prevent, detect, report and respond to scams connected to, or facilitated through, their products and services. Scam victims will be able to receive compensation if businesses fail to meet these standards.

Who will it apply to?

Banks, insurers, telecommunication providers, digital platform services, social media, paid search engine advertising and direct messaging services will be subject to the SPF. In future, it may be extended to include further sectors of the economy, businesses and services.

SPF consumers: Australians, including Australia citizens or permanent residents and small businesses with less than 100 employees who have their principal place of business in Australia.

What scams are captured by the SPF?

Scams that directly or indirectly deceive an SPF Consumer into performing an action that could, or does result, in loss or harm to them, their relative, spouse, child, business partner, or trustee of the consumer.

It will likely cover scams that:

• Involve selling fake products in connection with a legitimate business (for example, fake insurance bonds); and
• Impersonating a business (such as a bank) by sms message to deceive a consumer to use an online service (such as a bank app) to transfer money or release personal information.

It will probably not cover: credit card fraud, cybercrime following a data breach and misleading and deceptive conduct already covered by the 2010 Act.

All regulated entities whose services or products are impersonated or utilised to facilitate the scam will, under the SPF, be obliged to detect, report and respond to the scam, regardless of whether or not the scam is successful.

What is covered by the Framework?

Regulated entities will need to comply with six principle based obligations.

SPF Principle 1 - Governance

• Develop, document and implement governance policies, procedures, metrics and targets to combat scams.
• Publish information on how they are protecting SPF Consumers from scams.

SPF Principle 2 - Prevent

• Take reasonable steps to prevent scams on or relating to its services by introducing robust processes that prevent scammers from accessing its systems.

SPF Principle 3 - Detect

• Take reasonable steps to detect scams as they are happening, or after they have happened, whether or not a loss has occurred. This includes identifying SPF Consumers that have been or could be impacted by a scam.

SPF Principle 4 - Report

• Report to SPF regulators information about scams obtained through detection activities and consumer reports.

SPF Principle 5 - Disrupt

• Take reasonable steps to disrupt scam activity or suspected scams on or related to its service. E.g. stop payment transfers, remove fraudulent scam advertisements, block phone numbers, accounts and hold payments to verify the receiving account.

SPF Principle 6 - Respond

• Maintain an Internal Dispute Resolution process to address consumer complaints about scams.

An SPF Code may provide sector – specific guidance about what the regulated entity must do to comply with the SPF, including what constitutes 'reasonable steps'.

AFCA is likely to be appointed as the free SPF External Dispute Resolution scheme to handle complaints from all regulated entities about scams.

Who monitors compliance with the SPF?

The ACCC will monitor and investigate compliance.

Significant penalties apply for breaches of the SPF. For an entity this could be up to $50million. For an individual, the penalty could be up to $2,500,000.

When does the SPF start?

The Government introduced the legislation into Parliament yesterday, but has not yet indicated when the SPF will come into force.