What you need to know
- The Albanese Government introduced its Scams Prevention Framework (SPF) Bill 2024 (the Bill) to Parliament on 7 November 2024.
- The Bill largely retains the scope, obligations, provisions and penalty and enforcement structures of the 13 September 2024 exposure draft as summarised here.
- Revisions to the Bill from the exposure draft have been made for the purpose of simplification, clarification, removal of ambiguities and reconciliation of compatibility with other areas of regulation.
- The Bill will take immediate effect upon Royal Assent, but the timing of the Bill and of the accompanying industry codes, which will provide further important industry guidance, remains unclear.
What you need to do
- Carefully consider and understand the proposed reforms and the associated obligations, as the Bill imposes tough penalties for non-compliance.
- Consider what systems and controls may need to be implemented to address the requirements set out in the Bill.
- Undertake a gap analysis of systems and controls, and develop plans for closure of gaps and compliance across the interim period.
- Review scam datasets which may be requested by regulators for completeness and indications of current framework elements which are not operating within performance targets.
- Update Board and senior management of the Bill's progress and the anticipated impact on your business.
Our take
- The scope and thrust of obligations under the Bill have largely remained consistent with the September 2024 exposure draft and November 2024 consultation paper on Scams – mandatory industry codes. This suggests provisions are unlikely to materially change, enabling regulated entities to progress planning with confidence.
- The Bill enhances the definition of a scam to include a series of conduct that may interact with other regulatory frameworks such as electronic payments and financial crimes. As a result, regulated entities will need to plan for how they will identify and manage scam attempts and events subject to multiple areas of regulatory obligation.
- The initial annual certification period has been revised to within 7 days of 12 months of designation as a regulated entity (as opposed to 7 days following the entity's financial year end). This allows all regulated entities 12 months to certify their SPF compliance, but may not align to the entity's year end.
- Businesses do not need the Bill to tell them to take reasonable steps to protect consumers. Existing EHF (efficiently, honestly and fairly provision of financial services), FAR (Financial Accountability Regime) and operational resilience obligations have applicability to scams. Regulators are increasingly focused on scams and actively requesting data to understand how regulated entities are performing.
- The Bill introduces concepts for proportionate liability where more than one regulated entity is involved in a claim. In practice it may be challenging to administer and determine proportionality of claims across regulated entities.
- The Bill has removed an obligation for regulated entities to publish information to consumers about the steps they are taking to protect them. This removal will serve to deny scammers information that may be misused to circumvent SPF systems and controls.
Context
An alarming number of Australians are impacted by scams. As our society has become more used to remote interactions in a post-COVID world, Australia has witnessed a related rapid increase in scam activity.
Lawmakers and regulators across the globe are adopting differing approaches to protect consumers from harm.
Whilst there are still changes to come, Australia has taken significant steps to shape an ecosystem approach where businesses and government work together to share information and work collaboratively to disrupt scams. Ahead of the SPF Bill, regulators are taking an active interest in the frameworks and performance of anti-scam measures at regulated entities.
Overview of the SPF Bill
The core features of the SPF Bill establish its scope, obligations applying to regulated entities, and oversight and penalty regime.
It can be observed that the principles and obligations set forth in the Bill are largely comprised of elements that follow from existing regulatory and societal expectations. Regulated entities already operate under regimes that call for the exercise of reasonable duty, diligence and care in protecting customers from harms such as scams. The report pillar will extend current regulatory obligations to establish active exchange of scam intelligence with SPF regulators, but obligations established within other pillars largely serve to formalise existing regulatory requirements.
Keep on the radar
Entities across delegated sectors have already been investing heavily to lift their scam prevention frameworks, and are at differing stages of progressing their anti-scam strategies. Based on our experience with other areas of regulatory intensity, we recommend keeping certain key areas in focus:
- Record keeping and reporting – We are seeing an increase in regulatory requests for scam data in the form of reports and complaints. We recommend entities review their scam record keeping to ensure the entity is confident in the completeness of its reporting, and comfortable that the entity is across its performance trends.
- Reasonable steps – Entities are already operating under the regulatory expectation that the entity is taking reasonable steps to investigate scam activity in a timely manner and do what is necessary to reduce the risk of further consumer harm. We recommend entities review their systems and controls for guiding the reasonable steps taken and keep defensible records of key judgments.
- Executive accountability – Entities will need to finalise planning for executive accountability for scams, and develop the frameworks required to support the senior officer's certification that the entity's framework is compliant.
- Vulnerability and hardship – Scams intersect regulatory interest in protecting vulnerable customers and supporting customers in hardship. We recommend entities review these intersections in order to confirm that required information flows and controls are hard-wired into relevant systems and controls.
Authors: Jonathan Perkinson