11/10/2024 | News release | Distributed by Public on 11/10/2024 16:47
This article was co-authored with Masooma Saberi and Alyssya Warty-Hasan.
We previously provided a short summary of the Scams Prevention Framework (the Framework) to highlight the important changes Australian entities can expect with this exposure draft legislation and the importance of implementing measures to prevent scams: see "Prevention (and disruption) is better than cure: The new framework for stopping scams before they start".
Submissions on the exposure draft legislation closed on 4 October 2024 and the Scams Prevention Framework Bill 2024 was introduced into Parliament on 7 November 2024.
In this article we provide further practical insights on the exposure draft legislation, particularly highlighting certain obligations that will be placed on regulated entities to prevent scams.
It is essential for Australian entities captured by the Framework to ensure that they are well prepared for these sweeping changes. Here are some actions to consider:
The Framework is an economy-wide reform to protect Australian consumers from scams. Scammers stole some $2.7 billion from Australian consumers in 2023 and the government has described the growth in scams as 'unacceptable', particularly given the wider financial, psychological and emotional harm caused to Australian consumers.
In essence, the Framework sets out clear responsibilities for regulated entities to take various steps to address scams with the endorsement of the Government and regulators. The Framework provides a streamlined and overarching regulatory approach that has been introduced as part of the government's efforts to modernise Australia's laws for the digital age.
The Framework seeks to build upon and consolidate various sectoral initiatives within a responsive and adaptable framework. The intent is to implement consistent overarching principles yet still enable sector-specific codes to articulate bespoke regulatory detail in each sector. The underlying sectoral codes will contain a set of minimum standards for each industry sector included within the Framework. Non-compliance will have severe consequences, including serious penalties.
The Framework will be introduced as a new Part IVF of the existing Competition and Consumer Act 2010 (Cth) (CCA). It builds upon Australia's increasing use of industry codes to implement sectoral competition and consumer protection regulation. The Australian Competition and Consumer Commission (ACCC) will be the lead regulator.
The Framework has the following key features:
The Framework implements six overarching scam prevention principles (called SPF principles) which apply to all regulated entities:
Under the Framework, a Treasury Minister (or an appropriately delegated authority) may make a sectoral code for a regulated sector, known as an "SPF Code". An SPF Code will generally contain detailed, but not exhaustive, sector-specific obligations for regulated entities to comply with the SPF principles.
A Treasury Minister may also authorise an external dispute resolution scheme for the Framework. The government's current intention is to authorise the Australian Financial Complaints Authority (AFCA) in this role for all initially regulated sectors. A single scheme is intended to ensure consistency in consideration of complaints and a less burdensome approach for regulated entities and consumers.
Regulated entities are required to take reasonable steps to combat scams under several of these principles. 'Reasonable' and 'reasonable steps' are not defined. This will require an objective assessment, to be considered against a range of factors such as entity size, the services they provide, who their consumers are and the exposure to specific kinds of scam activities.
The Minister, through a legislative instrument, will set out the regulated sectors. The following sectors are expressly identified as potential sectors that could be included within the Framework:
Of these, the government currently intends to initially designate 3 sectors, namely banking, telecommunication services, and digital platform services (social media, paid search engine advertising and direct messaging services), given the significance these sectors have in the lifecycle of scam activities.
There is also a mechanism to expand the designation into more sectors depending on the evolving nature of scam activities. This could include, for example, superannuation funds, digital currency exchanges, payment providers, and online marketplaces.
SPF principle 1: Governance
Regulated entities must develop and implement governance measures in the form of policies, procedures, metrics and targets to combat scams. Such governance measures are intended to be dynamic. Policies and procedures must be developed with reference to multiple factors such as the risk of scams faced by the entity, the consumer base it services, as well as any shift in scam activities. Regulated entities must also:
Practical considerations:
SPF principle 2: Prevent
Regulated entities must take reasonable steps to prevent scams, and proactivity is the key to demonstrating compliance with this principle. The draft legislation makes it clear that it is insufficient to merely act on relevant information relating to scams provided to the regulated entity. Examples of reasonable steps include identifying consumers who have a higher risk of being targeted by scams, providing warnings to at-risk consumers and making resources accessible to consumers to assist them to identify scams and to minimise the risk of harm from scams. This principle is intended to stop scam activity from reaching or impacting consumers, as opposed to disrupting scam activity (see principles 3 and 5 below).
Practical Considerations:
SPF principle 3: Detect
Regulated entities must take reasonable steps to detect scams. This includes actions to do the following as the scam is occurring or after it has occurred:
Where the regulated entity has "actionable scam intelligence" about a suspected scam, it must take reasonable steps to act on that intelligence to identify each consumer who is or could be impacted by the suspected scam.
Practical Considerations:
SPF principle 4: Report
When a regulated entity has reasonable grounds to suspect that a communication, transaction or other activity on, or relating to, a regulated service of the entity is a scam, it must report this to the ACCC (in its capacity as the SPF general regulator) as soon as reasonably practicable (if no other time period is prescribed), and the report must contain specific information. It is contemplated that the information collected will generally only include information relating to the mechanism or identifier used for the scam activity (including bank account details that scammers instruct victims to transfer funds to, and phone numbers used by scammers to get in touch with victims). Similarly, if the ACCC so requests, the entity must provide a report about a scam to the ACCC within a certain timeframe, containing specific information (which could include de-identified demographic information about the impacted consumer, the date and kind of scam, and the loss or harm caused by the scam). The ACCC may disclose information about scams to other entities across the ecosystem to help disrupt the scam.
Practical Considerations:
SPF principle 5: Disrupt
Regulated entities must take reasonable steps to disrupt scams and prevent losses from scams. Reasonable steps include actions to stop an actual or suspected scam from continuing or further impacting consumers, such as putting payments on hold to allow the regulated entity to alert the consumer, blocking phone numbers or bank accounts, or removing scam advertisements on websites. Moreover, where a regulated entity has reasonable grounds to suspect that a communication, transaction or other activity on, or relating to, a regulated service of the entity is a scam:
Practical Considerations:
SPF principle 6: Respond
Regulated entities must have an accessible mechanism for their consumers to report scams. Entities may choose to set up a mechanism for consumers to report scams in a variety of ways, such as in-person, over the phone, or through an app or via its website. Each entity must have an accessible and transparent internal dispute resolution mechanism for its consumers to lodge complaints about scams or the entity's conduct in relation to scams and may choose to make available its complaints handling process on its website. If the entity provides services which are regulated by the Framework, it must become a member of an authorised external dispute resolution (EDR) scheme for dealing with scam complaints. While more than one SPF EDR scheme may be authorised, the intention of the proposed legislation is to have a single EDR scheme for multiple regulated sectors to streamline the process.
Practical Considerations:
The Framework will be enforced through a multi-regulator model with the ACCC being the lead or 'general' regulator responsible for monitoring, investigating, and enforcing compliance with these provisions. The ACCC will be supported by other regulators designated for each sector incorporated into the Framework. The Australian Communications and Media Authority (ACMA) will be the regulator for telecommunications services, while the Australian Securities and Investments Commission (ASIC) will be the regulator for banking services.
The Framework contains provisions for information-sharing between the various SPF regulators, to coordinate their regulatory activities and enforcement via an arrangement such as a memorandum of understanding. As such, the Framework builds upon the existing initiatives undertaken by the ACCC to better co-ordinate the regulation of scam activity between the various Australian regulators.
The Framework will work under a two-tier system, with a Tier 1 contravention attracting a higher maximum penalty and reserved for the most egregious breaches. The relevant breaches include failing to prevent, detect, disrupt or respond to a scam. The maximum penalty for a Tier 1 contravention is the greater value of:
A Tier 2 contravention occurs where a regulated entity has contravened a sector code or breached the governance or reporting principles. A Tier 2 contravention will attract a maximum penalty of the greater value of:
The civil penalty regime will be supported by other administrative enforcement tools, including injunctions, enforceable undertakings, and infringement notices.
We expect that the introduction of the Bill into Parliament is imminent. The government's intention is to introduce the Bill into Parliament by the end of this calendar year, subject to Parliamentary sitting dates and legislative priorities.
The current draft bill does not contain any information as to when the regime would actually become operative, but we assume the regime will be implemented relatively quickly for various reasons, including political priorities and continuing media attention.
The consensus among regulators is that there needs to be stricter regulation of scam prevention, with ASIC Deputy Chair Sarah Court stating in 2023 that "combatting scams is a critical task for all of corporate Australia - financial institutions, telecommunication providers, digital platforms and other organisations."
The draft legislation implementing the Framework and its explanatory materials were released for public consultation here. The legislation is complex and there are many nuances that will need to be considered, including the resources that will need to be allocated by regulated entities to ensure compliance and the interaction of the Framework with existing procedures and approaches.
Please contact any of the lawyers identified below if you have any questions or would like to discuss the potential application of the Framework to your business. We are also happy to share any intelligence as to the current status of the Bill as it is introduced into Parliament and likely enacted in the coming months.