
Essential ESG: Episode 29 – Inside Australia’s new Scams Prevention Framework

In the latest episode of Corrs’ Essential ESG podcast, Phoebe Wynn‑Pope is joined by Caroline Marshall to explore Australia’s new Scams Prevention Framework and its implications across the financial services, telecommunications and digital platform sectors.

Phoebe and Caroline discuss why scams have become a pervasive and systemic issue in Australia, and why the Government has adopted a new 'whole‑of‑ecosystem' regulatory approach that goes beyond traditional bank‑centric models seen in other jurisdictions. 

The conversation examines key features of the regime, including the reasonable steps obligation, the allocation of regulatory oversight across the ACCC, ASIC and ACMA, and the emerging dispute resolution model. It concludes with practical guidance for organisations preparing for the new regime, including the importance of documenting controls, planning for internal dispute resolution, and adapting governance frameworks as scam risks and technology evolve.

This episode will be of interest to directors, compliance and risk professionals, and organisations operating in regulated sectors preparing for the commencement of the Scams Prevention Framework. 

Essential ESG is a podcast series presented by Corrs that breaks down topical issues affecting the rapidly evolving environmental, social and governance landscape in Australia and beyond.

Phoebe Wynn-Pope, Head of Responsible Business and ESG, Corrs Chambers Westgarth

Caroline Marshall, Partner, Investigations and Inquiries, Corrs Chambers Westgarth
 

Phoebe: Welcome to another episode of Essential ESG, coming to you today from beautiful Gadigal country in Sydney. Today I am talking to Caroline Marshall, who is a partner in Corrs’ Investigations and Inquiries practice group, specialising in corporate and financial crime matters including bribery and corruption, anti-money laundering, sanctions violations and integrity issues. Caroline has represented clients facing regulatory enforcement by AUSTRAC, ASIC and APRA and has previously worked in London and Hong Kong on investigations. Caroline is dual qualified in Australia and in England and Wales, and is Company Secretary and Director on the Board of the Australian Compliance Institute. Caroline, welcome to the podcast.

Caroline: Thank you for having me.

Phoebe: Caroline, the Scams Prevention Framework. We are going to talk scams today, which is taking off in a big way with AI and all sorts of other things happening. The Scams Prevention Framework is a major piece of new legislation touching on banking, telecommunications and digital platforms. Can you give our listeners the big picture view: what problem is the Scams Prevention Framework trying to solve, and why has the Australian Government taken this ‘whole of ecosystem’ approach?

Caroline: Scams are pervasive in Australia; they are pervasive everywhere right now. It is a problem that governments in most countries are trying to solve for, and have tried to solve for, through legislation and through the financial system in particular. We have had legislation overseas in the UK, and Singapore and Malta are trying to ensure that financial institutions have in place controls to prevent scams and to compensate victims of scams.

Phoebe: So basically anything that is really trying to get money out of you and cause you financial harm.

Caroline: Correct. 

Phoebe: OK, so in this context – and these things are just going out of sight, aren’t they, they are just increasing. I think all of us get these text messages all the time that we are just looking at and thinking, ‘ooh, just delete that one’.

Caroline: Almost everyone has been touched by some form of scam. You are familiar with the text messages that you have been getting; I have had several myself, almost on a monthly basis. They have declined recently, but according to the Australian Bureau of Statistics 1 in 7 Australians have been subject to some form of fraud or scam on their cards in 2024 and 2025 alone. Losses were around $2 billion in 2024 alone from card scams. So you can imagine that is just a fraction of the overall scam ecosystem if we are just talking about card scams. So it is a huge, pervasive problem in Australia and abroad, and it’s a problem that the Australian Government is rightfully trying to tackle, to protect our consumers from more harm and more financial loss.

Phoebe: One of the significant unresolved issues under the Scams Prevention Framework (SPF), as I understand it, is the apportionment of liability between regulated entities and consumers. Could you talk about the overseas models, what we are learning here, and how that is playing out?

Caroline: I might just give an overview of the SPF, what it actually does, and the whole of ecosystem approach that you alluded to earlier. In Australia the Government has taken a broader approach. Overseas we have regulated mainly the financial institutions, where there is a compensation framework. For example, in the UK there is a compensation framework where the banks are liable to compensate consumers up to £85,000 for a scam or a fraud that occurs through the bank. Here the Government has decided that they want to regulate what they see as the whole scams chain: not just the end bit, the financial transaction that results from the scam, but the root cause of the scam, or the initiation of the scam, through a text message or through a digital platform. They are planning – the designations haven’t yet been finalised, although they are in draft form – they are planning to regulate three key sectors: the telcos, the digital platforms where the scams are viewed as originating, and then the banks that are processing the payments in relation to the scam. A very broad approach, a whole of ecosystem approach, to require all three regulated sectors to implement reasonable steps to prevent, detect and report scams. So it is not a compensation framework; it is a reasonable steps framework, where each of those regulated entities within those three sectors will have to implement controls to identify and report scam activity and prevent it at the source. There are a number of regulators that are involved. They have to report the scams to the ACCC, for example, and then there are a number of entities that are charged with enforcing the Scams Prevention Framework. But it is not a regime that allows for a simple compensation claim to be made as soon as you have been a victim of a scam. It will be for those entities to show that they have taken reasonable steps and implemented controls and processes to prevent those scams.
The approach is to lift everyone’s game in the scams prevention field, to make sure that they are catching and preventing those scams at the outset so that they are not liable going forward. Those three sectors will only be liable where they haven’t implemented scam prevention mechanisms and they haven’t taken reasonable steps to do so.

Phoebe: Right. So, when that is being regulated, I understand there is a multi-regulator model that is going to oversee or take responsibility for different sectors. You have touched on that. Is there a risk of inconsistency? How is that going to work?

Caroline: The overarching regulator here will be the ACCC. This legislation is being introduced into the Competition and Consumer Act, and it will be for the ACCC – they will be the regulator that the scam reports are reported to by those three industries. Then we have ASIC and ACMA: ASIC will regulate the banks, ACMA will regulate the telcos, and the ACCC will regulate the digital platforms from a compliance perspective. And then we have an external dispute resolution framework, so there is a requirement for every regulated entity to implement an internal dispute resolution framework. What that means is, if there is a complaint – if there has been a scam and a consumer wants to complain about the scam – they can complain to those three sectors, and each entity has to have an internal dispute resolution mechanism whereby that complaint can be received and processed and assessed. That is the first step. The second step is, if that fails, it then goes to external dispute resolution, and then we have another body, AFCA, that will be receiving any external disputes that have not been resolved at that first complaint stage with the body. There are discussions around a multi-party solution whereby all three industries agree to a one-stop shop for that initial complaint – it’s no longer going to be an internal dispute resolution mechanism because it would be set externally – but the idea is that all consumers would then have the ability to go to that one body. It could be AFCA, it could be somebody else, that is not yet resolved, but Treasury have suggested that the industries get together and resolve on a multi-party body that will receive the initial complaints and determine who actually is liable, whether anybody is liable, or whether the consumer is at fault for the specific scam. So all of this is still to be worked out. We have a deadline of 1 July, which is just around the corner.

Phoebe: Wow. That is a lot to be worked out by then. 

Caroline: It is a lot to be worked out by then, and we don’t yet have the finalised rules of the code. So we are still in consultation phases, to finalise and complete before the regime is actually set in stone.

Phoebe: That seems like a very short timeframe for people to be implementing things so soon. Caroline, just with your AML/CTF hat on as well: the SPF sits alongside the reformed AML/CTF regime and the privacy framework, and the legislation, as I understand it, is largely silent on how these regimes interact. What are the most pressing compliance challenges for regulated entities trying to manage their scams prevention, AML/CTF and privacy obligations simultaneously?

Caroline: Yes. It’s a good question. Some of this hasn’t yet been worked out. The AML/CTF regime currently regulates – of those three sectors – only the banks. Only they have to concern themselves with that. Obviously privacy regulates all three. There will be inconsistencies and overlaps. For example, with AML in particular there are tipping off provisions in the AML legislation which prevent the sharing of certain information if you’ve made a suspicious matter report in relation to a customer, or a suspicion you have formed in relation to a customer. Although those have been relaxed in the most recent reforms, it’s not clear whether disclosure amongst these non-AML-regulated entities would be permissible. For example, if a bank wants to notify a telco or a tech company that there is a scam happening, or vice versa, whether that will be possible under these regimes, because the telcos and the banks are not regulated. It’s actually not yet possible to do that from bank to bank yet either, although there are provisions in the legislation that would allow it if regulations are made by AUSTRAC; those haven’t yet been finalised. We might have a world in which the banks can communicate about scams, which would be a great outcome, but it is unclear how that will apply to the wider ecosystem, or whether it will be left to the ACCC, who will house all of the reports, or someone like the Australian Financial Crimes Exchange, that also receives a lot of scams intelligence from its various member organisations, to disseminate some of the bigger scams intelligence that they are getting to stop scams. Because there is also a whole other ecosystem around, well, if we are building our own individual controls, if we can’t communicate about this particular criminal enterprise or syndicate and warn others, then that is going to be harder for the banks. We don’t necessarily have the same restrictions on the other entities, but privacy laws may pose issues there as well.
I am not a privacy lawyer; all of this is to be worked out still, and we are talking about controls around how far do you go – reasonable steps, thinking about privacy. We are entering a world in which, of course, banks can monitor your transactions through the accounts, and that is all regulated through privacy, and there are appropriate consents and disclosures that are in place through the Ts and Cs, and it is understood that for AML purposes your account activity is monitored by the banks. But where does that leave the tech companies and the telcos? Should a tech company be listening in on private conversations or reading your text messages, or likewise should a tech company be doing the same on its platform? To what extent do privacy laws prevent that when you have a requirement to implement reasonable steps to prevent, detect and report scams? So those controls will only be able to go so far if they come up against those privacy concerns, and I think those are very much live. I don’t think anybody wants their text messages and their telephone conversations being listened to.

Phoebe: No. No, we might prefer to be scammed.

Caroline: Potentially.

Phoebe: Although that’s not a very attractive option either, is it? 

Caroline: No.

Phoebe: We can sit here and talk about that, but the complexity of it is so hard, and the whole ecosystem of scams is difficult. I know that, putting my human rights hat on, many of the scammers have traditionally been people trafficked, and there have been terrible reports of people being trafficked into scam centres, being threatened with organ removal if they don’t participate in the scams, and literally being in very, very dire situations. So the whole framework behind it is quite insidious.

Caroline: Yes, it’s a pervasive and a real, real problem from all perspectives, but it is a lucrative industry. If we’re thinking $2 billion a year in Australia alone from one specific type of scam, you can imagine what the numbers look like, and so there is a whole industry – whole corporations offshore are sitting behind these scam centres where people are being trafficked and where we have human slavery.

Phoebe: I have got a couple more questions for you. So, regulated entities have to have these internal dispute resolution mechanisms for scam complaints that you have mentioned, and are required to provide consumers with a statement of compliance, which can then be used in external dispute resolution or court proceedings. How should organisations approach these statements, given the tension between this transparency and the risk of self-incrimination in subsequent enforcement action?

Caroline: The main problem is how much you disclose, right? So, as you rightfully point out, these are statements of compliance that will be given to the consumer that has been a victim of the scam, that are there to defend the bank / telco / tech company in relation to that specific scam. They will set out the measures that the institution has taken to prevent the scam. So to what level of detail do you go in that statement of compliance? You don’t want to disclose commercially sensitive information; you don’t want to disclose information that could then later be exploited by criminal syndicates or gangs seeking to scam consumers through your channels and find ways to evade and avoid your controls. It is going to be a very difficult act to pull together these statements of compliance whereby they disclose enough but don’t disclose too much. To your point, the transparency point, the defence point: either incriminating the institution, but also disclosing very sensitive information around how the institution puts in place controls. So Treasury have come out and have tried to indicate what level of detail should be contained in those statements of compliance, and they have said they don’t expect commercially sensitive information to be included, or anything that would contravene privacy or AML legislation, but, for example, for a bank they would want some details about the specific steps taken by the entity to comply with the reasonable steps requirement in the regime. So things like information about when and how the bank provided a warning to a consumer before making a relevant payment to a new payee, or the fact that they had a block on payments to new BSBs or new recipients for 24 hours, or confirming that the bank’s payee technology was operational and was performing as expected in relation to the relevant payment, or information about when the bank issued a recall notice to the receiving bank following a scam.
But also not so much information that we give away all of the processes. I think on all of the underlying controls, the detection controls that sit underneath – I think it will be things around the warnings, the visible measures that they have taken, rather than the detection underneath. But if there are no visible – let’s say a warning hasn’t been issued, or money hasn’t been clawed back from the receiving institution – then that really leaves the bank in the lurch, because although they might have very good detection controls, they might not want to disclose those in a public document.

Phoebe: And also because, presumably, if they did, that is providing information to the scammers about how to get around their protection controls as well. There is some of that, as well as all the other commercial and legal considerations.

Caroline: Yes, it’s a really difficult way to set up a regime, right. The Government didn’t want those three industries just to be automatically liable to compensate consumers for scams, and instead you have to have reasonable steps to prevent, which is probably a good way of legislating – and again, what are reasonable steps? We need to talk about that at some point, but that is still to be ironed out as well, because we don’t have the rules and the codes yet. So it’s a better regime in the sense that it doesn’t trigger automatic compensation, but the three regulated sectors will have to be able to demonstrate somehow that they have taken those reasonable steps and that they do have those controls in place, and they will have to do that to the consumer.

Phoebe: Lots of challenges ahead. Sounds like they will need a good lawyer to help them work their way through all of those things.

Caroline: Probably both sides unfortunately, particularly on the bigger scams.

Phoebe: A final question around the codes that are yet to be drafted. If this is all coming into play in July, it’s a very short timeframe, so once those sectors are designated – organisations in the initial sectors in any case – what practical steps should they be taking right now, what should they be doing to get ready for the new regime?

Caroline: Yes. Without the rules of the codes or the mechanism for internal dispute resolution being worked out at this stage, entities should be thinking through – well, first, checking if they are designated, if the draft designations that have been published catch them, number one. And number two, if it does, thinking through: what scams controls do we have? How do we document those? What else should we be implementing? There are principles that sit behind the legislation as well, and there has been guidance released from Treasury and a position paper that was published late last year around the Scams Prevention Framework and some of the controls that they expect, so mapping their controls against those, but the detail is still to be worked out. I would say at this point: have a solid implementation plan, have an understanding of the regime, work out how you are going to do internal dispute resolution, how you will receive complaints, and, if there is a multi-party solution that is put forward, how that operates in practice and where you fit into the picture, and participate in any industry discussion that will ensue in relation to a multi-party mechanism, IDR mechanism, and that will probably be one of the main areas that we still have to iron out with Treasury. So understand designations, understand your controls, figure out where else you should be implementing controls and what other controls. Think through IDR, whether that be you as an entity individually – how you have received complaints, how you have processed them – or through a multi-party system, and then think about things like your statement of compliance and drafting that, once you have a good understanding of your controls, and also having the flexibility around the statement of compliance to respond to the specific scam in question and the specific complaint.
It’s not like having just one statement of compliance; potentially, I think there will be variations of those statements of compliance that will be issued to consumers depending on the specifics of the scam.

Phoebe: So there’s a lot of work to be done, and it doesn’t sound like it’s a set and forget regime. It sounds like something that is going to require continuous diligence and adjustment to keep on top of these things.

Caroline: Yes, spot on. I think what will be reasonable steps now might not be reasonable steps in five years’ time, once AI has really kicked in and we have got very sophisticated controls and tools to detect some of the scam activity. So it will be a framework that evolves with time.

Phoebe: It might be a conversation for another day, but I can visualise a world where you have scams being run by AI and defence being run by AI, and it becomes like the battle of the AIs…

Caroline: …the more powerful AIs. I can see that happening. Scams are already being driven by AI, and certain banks already have AI defence mechanisms in place. The war – the scams war – will probably accelerate, and maybe with that we will have less human collateral, to your point around the scam centres in various regions in Asia Pacific. There will be fewer human scam callers, and it will be AI bots and agents that will be doing the calling, the texting and the posting on various platforms.

Phoebe: And then the thought is that maybe that one in seven will increase. We are all going to have to learn about these types of scams, what they look like, and be aware of them to protect ourselves as well, not just leave it up to the telcos and the banks and the digital platforms. And on that note, I think we will leave it there, Caroline. Thank you so much for joining us today; it has been really fascinating.

Caroline: Thank you for having me.



This podcast is for reference purposes only. It does not constitute legal or other advice and should not be relied upon as such. You should always obtain legal advice about your specific circumstances.


Authors

Dr Phoebe Wynn-Pope

Head of Responsible Business and ESG

