Legal development

The long-awaited Scam Prevention Framework is here!

    What you need to know

    • On 13 September 2024, Treasury released an exposure draft of the long-awaited Treasury Laws Amendment Bill 2024: Scams Prevention Framework 2024 (Bill) for consultation.
    • The Bill seeks to address growing government and public concerns regarding the increased proliferation of scams impacting Australian consumers across a number of industries. Scam prevention has been a priority of the government in recent months.
    • The framework will first apply to banks, telecommunications providers, and digital platform services providers (social media and search engines etc.), before being phased in for a wider variety of entities.
    • Consultation on the Bill is open until 4 October 2024.

    What you need to do

    • Carefully consider and understand the proposed reforms and the associated obligations, as the Bill imposes tough penalties for non-compliance.
    • Consider what systems and controls may need to be implemented to address the requirements set out in the Bill.
    • Inform the Board and senior management of the proposed changes set out in the Bill and the anticipated impact on your business.
    • Consider responding to the consultation process where you have concerns or suggestions in relation to the proposed operation of the Bill.

    Our take

    • The Bill is a welcome addition to a growing body of consumer protection measures for Australians.
    • The principles-based approach taken by the Bill is a stark contrast to the stricter mandatory reimbursement requirements set to apply in the United Kingdom from 7 October 2024.
    • Whilst well meaning, the balance between protecting consumers from harm and requiring banks to subsidise unreasonable conduct by consumers will likely cause teething issues in the early stages. It remains to be seen how broadly the Australian Financial Conduct Authority (AFCA), which is the sole external dispute resolution (EDR) provider under the Bill, and the courts, will interpret the principles set out in the Bill.
    • We expect that expanding the scope of the Bill will remain a priority for the government, and we anticipate that additional sectors (such as digital asset service providers and superannuation funds) are likely to be included in the near future.

    Background

    On 13 September 2024, an exposure draft of the Bill, along with draft explanatory materials and a "summary of reforms", was released for consultation by Treasury. It is proposed that the scams prevention framework reforms will be inserted as Part IVF of the Competition and Consumer Act 2010 (Cth) (CCA) (along with various other consequential amendments).

    The proposed amendment to the CCA reflects the fact that scam prevention is a matter to which the entire economy should turn its mind in order to protect the Australian community – that is, it is a matter for many providers of goods and services (and not only for the banks or payments companies). The Bill is part of a broader effort by the Australian government to "modernise Australia's laws for the digital age, including reforms to Australia’s privacy, money laundering and cyber settings, modernisation of the payment systems, introduction of online safety measures, as well as the rollout of Digital ID and eInvoicing infrastructure for businesses". Notably, many of the obligations arising under those regimes are linked – for example, a failure to comply with privacy protections heightens cyber attack risks, which in turn heightens the risks of fraud and other serious financial crimes (such as money laundering).

    The Bill is split into various obligations for businesses in designated sectors to "Prevent; Detect; Report; Disrupt; and Respond to" scams, and to implement associated policies and procedures.

    The jurisdictional reach of the scams prevention framework is broad - relevant obligations are intended to apply to Australian residents (even where they are abroad) and visitors to Australia, and (in line with the unfair contract terms regime) will also extend to "small businesses" (i.e. a business with fewer than 100 employees and a principal place of business in Australia).

    What is a scam?

    The Bill introduces the first proposed legislative definition of a "scam" in Australian law:

    A scam is a direct or indirect attempt to engage a consumer of a regulated service that: (a) involves deception; and (b) would, if successful, cause loss or harm including obtaining personal information of, or a benefit (such as a financial benefit) from, the consumer or the consumer’s associates.

    This is a broad definition that will capture a wide variety of actions (and omissions), and the explanatory materials only provide 3 general examples of what is and isn't a scam for the purposes of the Bill.

    We expect that determining whether certain conduct falls within this definition is likely to be a key aspect of consideration by AFCA and/or the courts. Striking a balance between protecting consumers legitimately impacted by scams and subsidising reckless or otherwise improper behaviour is likely to cause teething issues in the initial stages of implementation.

    The proposed definition does not capture unauthorised fraud that does not involve the deception of a consumer into performing an action that results in loss or harm, including unauthorised payments, which is not unexpected.

    The question that arises is why there is a need to implement a scams prevention framework, particularly where "unauthorised payments" are already captured under the ePayments Code. Well, that code is relatively limited in scope (it is directed at payments providers and does not extend to others) and is a voluntary code.

    What are the key obligations?

    Broadly speaking, entities designated under the Bill will be required to comply with 6 core principles:

    1. Prevent scam activity from reaching or otherwise impacting consumers, which generally requires systems and procedures to restrict scammers from accessing or using the relevant platform in the first place, and educating/training staff and customers to recognise the signs of scams.
    2. Detect scams which have or may have impacted consumers by implementing systems and controls which demonstrate the entity is taking reasonable steps to identify scams.
    3. Report and share information about possible detected scams ("actionable scam intelligence") with the Australian Competition and Consumer Commission (ACCC) and provide "scam reports" to either the ACCC or the sector regulator upon request.
    4. Disrupt scams suspected to be in progress to prevent losses or further losses to consumers by implementing safeguards which slow the rate at which a scam can be realised. This principle introduces a 28-day "safe-harbour protection" to enable regulated entities to respond to concerns.
    5. Respond to consumers who report scams via a dedicated internal dispute resolution (IDR) mechanism. Entities must also become a member of AFCA to act as an EDR provider.
    6. Governance arrangements which implement policies, procedures and controls which prevent and target scams. Entities must have "documented and dynamic" policies and procedures for managing the risk of scams.

    In addition, the Minister will also make sector-specific codes (such as a code in relation to banks) which impose additional requirements on those designated entities to comply with the above principles.

    Under the Bill, regulated entities will effectively only be required to reimburse a consumer who has been the victim of a scam if that regulated entity hasn’t complied with their obligations under the Bill. This is likely to be a high bar for many consumers, as we expect that regulated entities such as banks will implement stringent systems and controls (such as pop-ups and confirmation) intended to discharge this risk to the fullest extent possible (even though scams may still occur).

    Where a regulated entity fails to comply with these obligations, the Bill will empower the Australian Competition and Consumer Commission to impose penalties in a two-tiered approach, with penalties of $10 million for breaches of the "report" and "governance" principles, as well as specific sector requirements, or up to $50 million where a designated business contravenes the obligations set out in the "preventing", "detecting", "disrupting" and "responding" principles.

    The explanatory materials also outline that the Bill will be administered by a variety of regulators in addition to the ACCC, including the Australian Securities and Investment Commission (ASIC) and the Australian Communications and Media Authority (ACMA). Accordingly, regulated entities which contravene the obligations set out in the Bill may also be subject to additional regulatory scrutiny or enforcement.

    What you need to do

    Entities which are in designated sectors should closely review the Bill and the associated explanatory materials to determine how their policies, procedures and complaints handling process may need to be updated.

    We expect that all regulated entities will need to:

    • Ensure that appropriate systems, controls and procedures are implemented to address the risk of scams within their business;
    • Enhance the processes in relation to the training of staff and education of consumers on the risks of scams;
    • Review their IDR mechanisms and their complaints handling policies and procedures more generally;
    • Review their payment platforms to identify areas which will require enhanced monitoring and "friction" to enable the prevention, detection and disruption of scams;
    • Implement reporting systems to enable actionable scam intelligence to be shared with the relevant regulatory bodies in an effective and timely manner; and
    • Closely monitor the progress of the Bill, and forthcoming codes for their designated sector/s.

    Comparisons with the UK APP Fraud Reimbursement Requirement

    The Bill is bound to draw comparisons to the United Kingdom's forthcoming mandatory reimbursement requirement for authorised push payment (APP) fraud, administered by the Payment Services Regulator (PSR), which will apply from 7 October 2024.

    This reimbursement regime is much stricter than the proposed model under the Bill, and essentially requires UK payment service providers (PSPs) using the "Faster Payments" system to reimburse all victims of APP fraud up to a maximum of £85,000 (as a 50/50 split between the sending and receiving PSP). Sending PSPs may charge an excess up to a maximum of £100 per claim.

    The maximum reimbursement was originally £415,000, but this was reduced after industry lobbying.

    PSPs do not have to reimburse consumers where, as a result of "gross negligence" (which requires a high standard of "carelessness"), they fail to meet one of the four requirements of the "consumer standard of caution", which include requirements to:

    1. have regard to interventions (such as pop-ups or other warnings);
    2. report suspected APP scams promptly (and not more than 13 months after the last relevant payment was authorised);
    3. respond to reasonable and proportionate requests for information made by their PSP to help them assess a reimbursement claim; and
    4. consent to the PSP making a report to the police on the consumer’s behalf (or make the report directly if requested).

    This is a much more stringent regime that strongly incentivises PSPs to implement robust systems and controls to prevent and reverse payments made as a result of APP fraud.

    In contrast, the principles-based approach set out under the Bill is more business friendly and is likely to result in far fewer reimbursements for impacted consumers.

    What happens next

    Given scam prevention is a cornerstone of the government's current policy agenda, we expect that, subject to consultation, the Bill will likely be passed relatively soon, and in a substantially similar form.

    Sector-specific codes have yet to be released, but these will provide additional clarity around the scope of the obligations for each type of entity under the Bill, which may require additional rounds of consultation and refinement in the near future.

    Want to know more?

    Authors: Hong-Viet Nguyen, Partner; Greg Patton, Senior Associate and Conor Tarpey, Lawyer.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.