
The new Scams Prevention Framework: insights from abroad

The new Scams Prevention Framework (SPF) is now law and the next steps are for SPF Codes and SPF Rules to be prepared in consultation with industry, and for sectors to be designated. Looking abroad at other scam prevention regimes provides insights into how the details of the SPF might be developed.

What is the Scams Prevention Framework?

The SPF does not in itself impose any obligations on entities until a designation of their sector is made. Treasury has indicated that banks, telecommunication providers and digital platforms will be the first sectors to be designated for SPF regulation. Future sectors for designation may include superannuation, insurance, online marketplaces and cryptocurrency providers.

The SPF sets the foundations for the regime but the operational details are yet to be developed, including:

  • Sector-specific obligations: Regulatory requirements tailored to each regulated sector are to be developed in SPF Codes.

  • Apportionment: The SPF requires regulated entities to develop accessible and transparent internal dispute resolution (IDR) mechanisms to deal with customer complaints about scams, and encourages the early resolution of complaints, including for compensation to be provided where there has been a breach of an SPF provision.

    It also provides for an external dispute resolution (EDR) mechanism through the Australian Financial Complaints Authority. The SPF is largely silent on how liability for scams losses will be apportioned between regulated entities and/or the consumer at the IDR and EDR stages.

    At the court action stage, proportionate liability under ‘concurrent wrongdoer’ provisions provides for apportioning liability based on what the court thinks justly reflects the responsibility of the regulated entities involved, excluding any proportion of loss for which the scam victim is contributorily negligent.
  • Compensation: The SPF does not mandate compensation of scam victims. However, there is an expectation that scam victims will be able to seek compensation or ‘another appropriate remedy’ at IDR, a pathway to compensation at EDR, and a route to claim loss in court.

When will regulated entities need to comply?

Although the SPF is now law and does not provide for a transitional period, it is envisioned that regulated entities will not be required to adhere to the SPF’s obligations until their sector is designated and the designation instrument for their sector is in force. Those instruments may include transitional arrangements.

What are other countries doing?

The United Kingdom, Singapore, and Malta have established regulatory regimes to combat scams, each with distinct approaches that provide insight into how the SPF might develop in practice. The Australian regime stands out for its comprehensive approach to disrupting the entire lifecycle of scams. It aims to regulate multiple sectors where scams originate and spread - banks, telecommunications providers and digital platforms.

In contrast, overseas frameworks have so far focused only on banks, payment service providers and in the case of Singapore, telecommunication companies. However, the approaches abroad were considered by Treasury in developing the SPF and may provide insights into how the SPF Codes may be developed, particularly in relation to apportionment of liability, scams controls and regulator intervention.

United Kingdom

The UK Authorised Push Payments (APP) regime commenced in October 2024 and differs from the SPF in key respects:

| | Australia | UK |
|---|---|---|
| Sectors | Banks, digital platforms, telecommunications | Only banks and other payment service providers (PSPs) |
| Scope | Payments by Australian residents (including when abroad), visitors to Australia, small businesses | Only UK-UK payments via Faster Payments and CHAPS |
| Mandatory repayment | No (but an expectation of compensation or ‘another appropriate remedy’ at IDR; pathway to compensation at EDR; and claim for loss in court) | Yes (even where PSP is not at fault, subject to ‘consumer standard of caution’ factors) |
| Compensation cap | No | £85,000 (approx. $168,000 AUD) |
| Mandated apportionment | Not yet (for IDR/EDR stage to be set out in guidelines; at court action stage, what a court thinks justly reflects responsibility) | 50:50 split between sending & receiving PSP |
| Limitation period | Six years | 13 months |
| Mandated time to reimburse | Not yet | Within five business days (subject to exceptions) |
| Scam prevention obligations | Yes, to take ‘reasonable steps’ to prevent and detect scams | No (but FCA has published ‘expectations’) |


Insights from the UK for the forthcoming SPF consultations include:

  • Consumer standard of caution: Payment Service Providers (PSPs), including banks, do not have to reimburse consumers who fail to meet any of four requirements: regard for interventions (such as pop-ups or other warnings); prompt reporting; response to reasonable and proportionate requests for information by the PSP; or consent to police reporting. The failure must meet a high standard of carelessness amounting to ‘gross negligence’.

  • Compensation cap and liability split: The UK regime is focussed on prompt reimbursement of scam victims, facilitated by the mandatory liability split between PSPs and a cap on compensation.

  • Reasonable steps: The Financial Conduct Authority, the financial services regulator in the UK, expects scam prevention controls to include:

    • enhancing anti-fraud control frameworks;

    • improving checks at onboarding;

    • ongoing customer, account and device level monitoring;

    • improving use of intelligence, including behavioural biometrics and use of risk-based, automated warning messages; and

    • implementing manual intervention processes for high-risk payments.

Singapore

Singapore’s Shared Responsibility Framework (SRF) came into effect in December 2024 and differs from the SPF in key respects:

| | Australia | Singapore |
|---|---|---|
| Sectors | Banks, digital platforms, telecommunications | Banks (and PSPs) and telecommunications |
| Scope | Payments by Australian residents (including when abroad), visitors to Australia, small businesses | Phishing scams where the impersonated entity has a Singapore nexus |
| Mandatory repayment | No (but an expectation of compensation or ‘another appropriate remedy’ at IDR; pathway to compensation at EDR; and claim for loss in court) | No (unless the regulated entity or a regulator finds a failure to comply with a SRF duty) |
| Compensation cap | No | No |
| Mandated apportionment | Not yet (for IDR/EDR stage to be set out in guidelines; at court action stage, what a court thinks justly reflects responsibility) | Yes (using a ‘waterfall’ approach) |
| Limitation period | Six years | No later than 30 calendar days after receiving a notification alert |
| Mandated time to reimburse | Not yet | 21 business days for straightforward cases/45 business days for complex cases |
| Scam prevention obligations | Yes, to take ‘reasonable steps’ to prevent and detect scams | Yes |


Insights from Singapore for the forthcoming SPF consultations include:

  • Waterfall apportionment: If the bank does not comply with its SRF duties, it must fully compensate the consumer. If the bank is compliant and the telco is not, the telco must fully compensate the consumer. If both the bank and telco have fulfilled their respective SRF duties, the consumer bears the full loss.

  • Regulator intervention: Following internal investigation by the bank and telco, a dissatisfied consumer can complain to sector regulators who will assess whether the entity has fulfilled its duties.

  • Scam prevention obligations: The SRF contains detail on the steps regulated entities are expected to take to meet their obligations.

    In particular, banks must:

    • implement a 12-hour cooling off period after the activation of a digital security token;

    • provide real time notifications of transactions, including activation of digital security tokens or high risk activities;

    • establish a 24/7 reporting channel and a self-service feature through which consumers can immediately block their account; and

    • establish surveillance systems to detect unauthorised transactions and block them until positive confirmation from the customer is obtained.

    Telcos must:

    • block Sender ID SMS that are not from authorised aggregators; and

    • implement an anti-scam filter over SMS to block malicious URLs listed in a database.

Malta

In Malta, scam complaints are managed by the Office of the Arbiter for Financial Services (AFS). The Maltese regime differs from the SPF in key respects:

| | Australia | Malta |
|---|---|---|
| Sectors | Banks, digital platforms, telecommunications | Financial service providers (FSP) |
| Scope | Payments by Australian residents (including when abroad), visitors to Australia, small businesses | Any type of scam involving an FSP, including PSPs under Directive (EU) 2015/2366 (PSD2) |
| Mandatory repayment | No (but an expectation of compensation or ‘another appropriate remedy’ at IDR; pathway to compensation at EDR; and claim for loss in court) | Yes, for scams under PSD2 (except where gross negligence by consumer). No for other types of scams (but AFS can award compensation). |
| Compensation cap | No | Yes, for PSD2 scams: €250,000 (approx. $420,000). No for other types of scams (AFS will award amount it considers appropriate). |
| Mandated apportionment | Not yet (for IDR/EDR stage to be set out in guidelines; at court action stage, what a court thinks justly reflects responsibility) | Yes, between PSP and consumer for PSD2 scams, via a ‘responsibility allocation’ model. No for other types of scams. |
| Limitation period | Six years | Complaint must be raised in writing with the FSP within two years; and brought to the AFS within five years |
| Mandated time to reimburse | Not yet | AFS specifies the period within which the FSP must provide compensation |
| Scam prevention obligations | Yes, to take ‘reasonable steps’ to prevent and detect scams | No (but the AFS has published ‘technical notes’) |


Insights from Malta for the forthcoming SPF consultations include:

  • IDR: The AFS strongly recommends that all major banks adopt the allocation model for their IDR procedures. This has reportedly resulted in more cases being resolved at the pre-mediation or mediation stages, rather than progressing to external dispute resolution through the AFS.

  • Responsibility allocation model: The model, introduced in December 2023, sets out mitigating or aggravating factors used by the AFS to calculate the percentage of the consumer’s loss that the PSP must reimburse a scam victim (with the AFS empowered to depart from the model upon providing reasons):

| Allocation of responsibility criteria | PSP | Consumer |
|---|---|---|
| Unquestionable gross negligence by consumer | 0% | 100% |
| Fraudster used PSP’s normal channels of communication giving the clear impression of being a genuine communication | add 50% | reduce by 50% |
| Consumer actively participated in the fraud beyond disclosure of credentials | reduce by 30% | add 30% |
| PSP notified consumer by direct communication to beware of such scams in: last three months | reduce by 20% | add 20% |
| PSP notified consumer by direct communication to beware of such scams in: last six months | reduce by 10% | add 10% |
| PSP notified consumer by direct communication to beware of such scams in: over six months | no reduction | no addition |
| Special circumstances apply | add 20% | reduce by 20% |
| Consumer made no similar genuine payments in last 12 months or payment amount is atypical | add 20% | reduce by 20% |

What’s next?

Businesses within the sectors which are anticipated to be designated initially under the new Australian SPF regime (banking, telecommunications, and digital platforms) should take steps to prepare for the rollout of the SPF regime, including by considering the insights from abroad in:

  • designing and implementing (further) scams controls to prevent, detect, disrupt and report scams, as well as systems to gather scams data and scams intelligence; and

  • engaging in consultations on the development of the SPF Codes and potential models for apportionment of liability.

Harriet Codd, Jasper Rasmussen, Nicole Jackson, Ciara Lavendar and Sebastian Judge also contributed to this Insight.



This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.