Introduced by the Australian government in September, the Scam Prevention Framework (SPF) is the latest policy aimed at protecting scam victims. The framework places significant responsibility on the technology, banking, and telecommunications sectors to develop effective solutions.
Non-compliance could result in hefty penalties, including fines of up to AU$50 million. Additionally, companies that fail to comply may be required to compensate scam victims.
The codes will be mandatory and are expected to be introduced in late 2024. Australians lost $2.74 billion to scams last year, and that figure is likely underestimated, as many victims do not report their losses. This has become a significant issue affecting society as a whole.
Australia won’t be the first to introduce laws to protect victims from scams.
In 2023, the U.K. passed legislation making the banking industry liable for losses from scams. These laws, which took effect on Oct. 7, 2024, have not yet been fully tested for their impact. However, they allow scammed individuals to claim up to £415,000 in lost money, with few exceptions.
What sets the Australian laws apart is that they also cover tech platforms like Google and Facebook, which frequently host scam ads and allow scammers to operate. Additionally, telecommunications companies are included, as they facilitate the data flow and communication between scammers and their victims.
The SPF laws have been drafted with five key objectives in mind:
Consumer Protection:
Detection and Reporting:
Industry Collaboration:
Government and Law Enforcement:
Technological Solutions:
The Communications Alliance has raised concerns with the SPF, suggesting that there is a “quadruple jeopardy” liability within the draft legislation.
Luke Coleman, CEO of the Communications Alliance, highlighted that there were already three other government-controlled avenues through which telecommunications companies can be held liable to make reparations for scams: the Australian Communications and Media Authority, the Australian Competition and Consumer Commission, and the External Dispute Resolution Scheme. There is also the potential for civil action, including class action.
In a submission to the government in response to the proposed laws, the Communications Alliance made three “key” recommendations for refinement:
Move specific details into sector codes: They recommend shifting detailed provisions from the primary legislation to sector-specific codes, which would be registered and enforced by relevant regulators. This would allow for greater flexibility and ease of enforcement, as each sector, including telecommunications, banking, and digital platforms, faces unique challenges.
Establish a safe harbour from “quadruple jeopardy”: Telecommunications companies could face liability under four concurrent enforcement mechanisms, leading to legal uncertainty. The submission advocates for creating a “safe harbour” for telcos who comply with their sector-specific codes, protecting them from additional penalties by other regulators, dispute resolution bodies, or civil actions.
Accelerate implementation of practical scam-prevention measures: They call for the fast-tracking of initiatives such as the SMS Sender ID registry and reforms to the Numbering Plan. These measures would enhance the ability to prevent scams by improving how sender identities and phone numbers are managed and tracked across the telecommunications industry.
Meanwhile, a consortium of consumer advocates, including Choice and Consumer Action Law Centre, claimed in their own submission that the currently proposed laws would fail to adequately protect consumers. It claimed that the dispute resolution process is “unworkable,” and that “it is designed for businesses to take a minimum-standard compliance approach to obligations, rather than incentivising innovation to keep up with scammers who are always steps ahead.”
The SPF isn’t expected to go before parliament until November and, if it is passed, it won’t come into effect until 2025. But IT professionals should take proactive measures to ensure their organizations have a smooth transition into compliance, as the SPF will become a major source of risk, and technology will need to be the answer:
1. Review current security protocols
IT teams should conduct a comprehensive audit of their existing security infrastructure, identifying any gaps in the detection and prevention of scam-related activities. This includes assessing how effectively systems identify phishing attempts, fraudulent transactions, and other forms of cybercrime.
2. Collaborate with cross-industry stakeholders
A core objective of the SPF is to encourage collaboration between technology companies, financial institutions, and telecommunications operators. IT professionals should engage with these stakeholders to ensure that data-sharing protocols are robust and secure, and that the latest scam trends and emerging threats are communicated in real time. This collaborative approach will be essential to staying ahead of increasingly sophisticated scams.
3. Strengthen incident reporting and response
A standardized reporting system is key to ensuring consistent tracking of scams. IT departments should streamline their incident reporting processes to ensure that any scam attempt is documented and shared promptly with relevant authorities and industry players. An efficient response strategy will also mitigate the impact of any successful scams.
4. Enhance consumer education and support
As part of the broader SPF mandate, IT professionals should collaborate with marketing and communications teams to create consumer education programs. By finding ways to leverage technology to help individuals learn how to spot scams, organizations can reduce the likelihood of their customers falling victim to such attacks.
5. Monitor international developments
Given the global nature of scams, IT professionals should take note of how similar regulations in other countries, such as in the U.K., are being implemented and enforced.
While the specifics of the SPF still need to be ironed out, and the final form of the legislation will no doubt look different than how it is currently presented, it seems likely that Australia will become a world leader in holding multiple sectors to account for consumer protection. This is a big opportunity for IT professionals to show leadership and continue to develop risk mitigation strategies for areas that will be very high on the board priority list.