Scams Prevention Framework: the next big compliance challenge


Key takeaways

  • We have some details now (in draft). On 28 May 2026, Treasury released exposure draft sector codes and rules for the Scams Prevention Framework (SPF). For the first time, regulated entities can see the substantive obligations that will sit beneath the principles enacted last year, and they are extensive.

  • Banking, telecommunications and digital platforms are the first regulated sectors. Banks face the most developed code, building on the voluntary Scam-Safe Accord and putting it on a mandatory, enforceable footing.

  • A proposed automatic refund of up to $3,000. Scam victims with verified losses under $3,000 would be reimbursed automatically, without a full internal dispute resolution investigation. This is a notable shift from the Government's earlier resistance to a reimbursement model.

  • The clock is now running. The SPF Rules are proposed to commence on 1 September 2026 and the substantive code obligations are scheduled to apply from 31 March 2027. Backed by civil penalties of up to $50 million per contravention, three regulators and a private right of action, this is a compliance program that needs to start now.

  • Start with a gap assessment. Even though the drafts may change, the general direction is clear. Regulated entities should now begin to benchmark their existing anti-scam controls against the likely required standards, while there is time to close the gaps.

Finally, some contours around the framework

For some time now the Scams Prevention Framework has only been a framework in outline. The Scams Prevention Framework Act 2025 (Cth) inserted a new Part IVF into the Competition and Consumer Act 2010 (Cth) (the CCA), establishing a set of high-level, principles-based obligations and the machinery to fill them in later through sector codes and rules. Until now, the substance of those obligations has been unknown.

That changed on 28 May 2026, when Treasury released the exposure draft codes and rules. The package is the first detailed view of how the SPF will actually operate: what regulated entities must do, who enforces it, when liability is shared, and how scam complaints are to be resolved. The Treasury consultation period ended on 25 June.

The consultation material also includes Treasury's position paper on internal dispute resolution (IDR) under the SPF. That paper is important because it explains how Treasury expects multi-party scam complaints to be handled at IDR, including cooperation between regulated entities, proportionate investigation processes, liability sharing, and guidance for lower-value scam losses.

For compliance and legal teams, these consultation documents turn an abstract reform into a concrete program of work. The obligations are detailed, the penalties are significant, and the commencement timeline is now known - so preparation should begin.

How the framework fits together

The SPF is a whole-of-ecosystem regime that imposes mandatory anti-scam obligations across designated sectors. It rests on three layers:

  • The SPF principles in Part IVF of the CCA, which apply to every regulated entity in every regulated sector. They require reasonable steps across six themes: governance, prevent, detect, report, disrupt and respond.

  • SPF codes, which translate those principles into detailed, tailored obligations. The draft codes cover all of the principles except report. There is a “Common Code” applying across all sectors and additional separate obligations for each of the regulated sectors. As expected, three sectors have been designated as the first regulated sectors: banking, telecommunications and digital platforms.

  • The SPF rules, which provide the operational detail: sector designation thresholds and exceptions, record-keeping, and the requirements for internal dispute resolution.

Oversight is shared across three regulators: the Australian Competition and Consumer Commission (ACCC) as the SPF general regulator (and the default sector regulator), working alongside the Australian Securities and Investments Commission (ASIC) and the Australian Communications and Media Authority (ACMA) as sector regulators.

The enforcement settings are what elevate the SPF from good practice to board-level risk. The most serious breaches attract civil penalties of up to $50 million per contravention, and a private right of action for damages raises the realistic prospect of class actions where systemic failures affect large numbers of consumers.

What the Common Code requires

The Common Code applies to every regulated entity across all three sectors, and it is where most of the day-to-day compliance burden sits. It works through the SPF principles in a logical sequence, from how an entity is governed, through how it stops, finds and disrupts scams, to how it responds when a consumer is harmed.

  • On governance, entities must develop and document anti-scam policies and procedures calibrated to their own scam risk - the type and scale of their services, the kinds of consumers they serve, emerging threats, and any major scam event affecting them in the preceding year. Relevant staff must be trained to identify scams, support affected consumers and understand the entity's obligations, with training refreshed at least every 12 months.

  • The prevent obligations are broad. Entities must maintain secure systems to protect consumer information and accounts, with regular security assessments, testing and patching. They must supervise third-party providers and agents so those parties act consistently with the framework. They must take reasonable steps to stop their brand being impersonated, by telling consumers which channels are official, monitoring for impersonation and seeking its removal. And they must make accessible, up-to-date information about scam risks available to consumers.

  • Under detect, entities need systems to identify whether activity is in fact a scam once they hold actionable scam intelligence, to record what their investigation finds, and to identify the consumers affected, including those affected indirectly.

  • The disrupt obligations then require entities to notify affected consumers in a way proportionate to the risk, to undertake a risk assessment before taking disruptive action, and to reverse that action promptly if the activity turns out not to be a scam.

  • The respond obligations are operationally demanding. Entities must offer free, accessible, multi-channel reporting mechanisms available at all times, including a route to human assistance, and acknowledge scam reports within 24 hours. They must run accessible IDR, resolve complaints as quickly as the matter allows, and tell a complainant where a matter remains unresolved after 30 days. Critically, they must cooperate with other regulated entities, including across sectors, to share information and apportion liability. The SPF rules add a further layer here, requiring a formal statement of compliance to the consumer following IDR, generally within 21 days, with a simpler statement available where a matter is resolved quickly.

The cross-sector cooperation obligation is one of the most consequential features of the whole regime. A typical scam touches several entities: for example, a text delivered by a telco, a fraudulent advertisement on a platform and a payment processed by a bank. No single entity can easily resolve a multi-party complaint on its own. How entities meet this obligation in practice, and how they reach a shared view on liability, is one of the harder problems set by the framework.

On top of the Common Code obligations, each sector has a tailored code.

Banking Code

The Banking Code is the most developed, and banks have a head start because it builds on the voluntary Scam-Safe Accord announced in November 2023, lifting those protections onto a mandatory and enforceable footing.

On the prevention side, banks must verify customer identity, support payee confirmation between institutions, build systems to identify high-risk transactions and activities, issue clear, timely targeted warnings before a consumer proceeds with a high-risk transaction, and take proportionate steps to limit those transactions where a scam is suspected.

On detection, banks must monitor both transactions (for activity inconsistent with a customer's history) and accounts (for tell-tale changes to contact details, credentials or authentication settings).

On disruption, banks must be able to request the recall of payments and to block accounts associated with scams. The disruption obligations apply to both sending and receiving banks. Receiving institutions must assist with recall and block accounts linked to scams, a significant step given the role receiving accounts play in moving scam proceeds. This aligns with AFCA's expanded jurisdiction, which from 12 March 2026 allows it to investigate complaints against receiving banks even where the complainant is not their customer.

Disruptive action must be proportionate. Over-disruption may frustrate legitimate customers and generate complaints, while under-disruption risks regulatory breach. Calibrating disruption responses and evidencing the judgement involved will be a core compliance challenge.

Telecommunications Code

The Telecommunications Code focuses on the capacity of carriers to block, filter and trace scam communications before they reach consumers. It includes identity and rights-of-use checks, controls around calling-line identification and trust markings, a shared "do not originate" list, limits on bulk messaging over prepaid services, network monitoring and automated filtering of scam content, and obligations to interrupt scam calls and messages. The new SMS Sender ID Register, due to commence on 1 July 2026, will provide a further layer of protection.

Digital Platforms Code

The Digital Platforms Code applies to larger instant messaging, search and social media services - those meeting both an average of 200,000 monthly active Australian users and a $1 billion revenue test. Platforms must prohibit scam use in their terms of service, verify users and (with additional rigour) advertisers, review advertisements for scam activity before publication, warn high-risk users, and monitor for scam content, though monitoring is not required to extend to decrypting encrypted messages. Once a scam is confirmed, platforms must remove the content, disable associated accounts and suppress related scam advertising.

The IDR position paper

The IDR position paper is significant because scams often involve several regulated entities across different sectors, and the existing IDR model is not well suited to complaints where a bank, telco and digital platform may each have played a different role in the same scam.

Treasury's proposed approach is to require regulated entities to cooperate at the IDR stage, share relevant information and work towards a coordinated response to the consumer.

The paper also proposes that IDR processes should be efficient and proportionate to the value and complexity of the loss. Lower-value complaints may be handled through streamlined or automated processes, with verified scam losses below $3,000 to be reimbursed without a full investigation.

This is a shift away from the Government's earlier resistance to a reimbursement model and towards the approach seen overseas. It carries real exposure for banks, because a high proportion of scam losses fall below $3,000. An automatic refund at that level (together with equal apportionment and limited detail on what a "verified" loss requires) transfers significant cost and operational burden onto regulated entities, and raises an obvious question whether a fixed, automatically refunded threshold could attract high-volume, low-value scam activity.

For higher-value or more complex complaints, entities would still need to undertake a more detailed assessment. Where more than one regulated entity has breached its SPF obligations, liability would generally be shared equally, subject to limited scope to depart from that approach where the entities agree that one played a more significant role.

According to the IDR position paper, the policy settings that it proposes “will be reflected in the final SPF codes and rules”, but some measures, such as the automatic refund, will be in the form of “Ministerial Guidance” in the rules. In the SPF provisions of the CCA, a regulated entity undertaking IDR must “have regard to” any process prescribed by the SPF rules for IDR and any guidelines prescribed by the SPF rules for apportioning any liability arising from the complaint. It is not clear whether the Ministerial Guidance will operate as a practical rule that entities are expected to follow in most cases, or as guidance they can depart from where they have a good reason.

The timeline

The consultation has put commencement dates on the table.

  • 1 September 2026: The SPF Rules are proposed to commence. The designation exception provisions take effect, so that entities meeting an exception are not caught by the external dispute resolution membership requirement.

  • 31 March 2027: The substantive, mandatory and enforceable code obligations take effect. The sector codes commence on the later of this date and the day after registration.

While 31 March 2027 may feel comfortably distant, the scale of systems, governance and process uplift required means the runway is shorter than it looks, and regulators can be expected to begin scrutinising compliance shortly after commencement.

What should you do?

The drafts may change at the margins, but the core obligations and the direction of travel are clear enough to act on. The priorities for regulated entities are:

  • Run a gap assessment against the likely required standards. Benchmark your existing anti-scam framework against the Common Code and your sector code.

  • Engage the board and senior management early. The governance principle requires documented policies, procedures and accountability. Brief the board now on the obligations, the penalty exposure and the program of work, so governance uplift is not left to the final months.

  • Scope the systems and resourcing build. Identify the technology, data and people needed: detection and monitoring systems, consumer notification capability, disruption controls, intelligence-sharing infrastructure and IDR processes.

  • Design for multi-party complaints and cross-sector cooperation. Start thinking now about how you will share information, reach a shared view on liability, and handle the proposed automatic refund and equal-liability model operationally.

  • Plan to the two commencement dates. Treat 1 September 2026 and 31 March 2027 as fixed planning anchors and build your implementation roadmap backwards from them.

Summary

The Scams Prevention Framework is moving from principle to practice. For banks, telecommunications providers and digital platforms, it represents one of the most significant compliance challenges on the horizon: extensive obligations, serious penalties, three regulators, a private right of action, and a proposed automatic refund of up to $3,000 that will reshape the commercial risk of low-value scam losses.

The final instruments are still some way off, but the standards are now visible and the commencement dates are set. The entities that fare best will be those that start their gap assessment and uplift now, rather than waiting for the rules to be finalised.

Get in touch if you'd like to discuss how the Scams Prevention Framework affects your business, or if you need help benchmarking your anti-scam controls against the proposed code obligations.
