The new scam prevention framework and its impact on businesses
Australians have lost billions of dollars to scams in recent years. As part of its response to this ‘scam pandemic’, the Australian Government introduced the Scams Prevention Framework Bill 2024 (Bill) into the Parliament on 7 November 2024. While concerned with consumer protection, the Bill is equally concerned with making small businesses ‘harder targets for scammers’.[1] The Bill, if passed, means that certain specified businesses must implement governance arrangements ‘to combat scams and take reasonable steps to prevent, detect, report, disrupt and respond to scams.’[2]
What are scams?
In the small business context, the Bill considers that scams are attempted and successful activities designed to deceive the victim business and cause them loss. For example:
- a fake online investment advertisement promising high returns on a financial product with payment directions into the advertiser’s account
- an unsolicited SMS purportedly from a trusted telecommunications provider with a link to ‘confirm’ and re-enter credit card details
- a telephone call from someone impersonating the bank of the small business and asking for account login details.
Scams don’t cover all types of unlawful activity designed to take money from a business. The Explanatory Memorandum to the Bill has flagged that the following may be excluded from the Bill’s definition of ‘scam’:
- Fraud that does not involve any action from the business
- Cybercrime (including information obtained as part of a data breach)
- Certain conduct under anti-money laundering and counter-terrorism financing laws
- Misleading and deceptive conduct under the Australian Consumer Law
- Physically mugging someone so that they perform a transaction.
Introduction of the Scam Prevention Framework
If passed, the Bill will introduce a Scam Prevention Framework (SPF) into the Competition and Consumer Act 2010. The idea behind it is to prevent and respond to scams impacting consumers and small businesses by requiring certain members of the private sector (called regulated entities) to comply with certain principles, governance arrangements and enforceable mandatory codes. Multiple regulators will be involved but the main one will be the ACCC.
Small businesses protected by the SPF
The SPF intends to protect small business operators who meet the Bill’s definition of ‘SPF consumer’. Any type of Australian business structure may qualify for this definition. That is, a small business may be a company, sole trader, unincorporated association, partnership or trust. To qualify as an ‘SPF consumer’, the business must have:
- a principal place of business in Australia
- fewer than 100 employees and
- an annual turnover of less than $10 million.
Different tests apply for determining the employee numbers and annual turnover amount, depending on whether the business is a body corporate or not.
The members of the private sector who must comply with the SPF
The Bill authorises the Australian Government to designate certain business and service sectors for regulation under the SPF (each called a regulated sector). Persons who carry on these businesses or provide these services are regulated entities for the sector and must comply with the SPF. The designated business or service is a ‘regulated service’ of the regulated entity.
Currently it appears that the businesses which will need to comply with the SPF are in the banking, insurance, telecommunications and digital platform provider sectors. Businesses providing social media, paid search engine advertising and direct messaging services are among the contemplated digital platform providers. In the future, it appears that the Government may also require superannuation funds, digital currency exchanges, payment providers and online marketplaces to comply.
The overarching principles of the SPF
Regulated entities must comply with the overarching principles of the SPF. Generally, these require each regulated entity to document and implement governance arrangements to combat scams, and to take reasonable steps to prevent, detect, report, disrupt and respond to scams.
There are six overarching principles:
- Governance: Each regulated entity must document and implement governance policies, procedures, metrics and targets for combatting scams. These must be reviewed and certified by a senior officer of the entity, at least annually. The entity must also keep records and give reports about its compliance with the principle.
- Prevent: Each regulated entity must take reasonable steps to prevent scams. This may include implementing VOI requirements and training staff on how to identify scam activity.
- Detect: Each regulated entity must take reasonable steps to detect scams. This includes, in a timely way, investigating activities that are the subject of its actionable scam intelligence and identifying its consumers (including small businesses) that have or may have been impacted.
- Report: Each regulated entity must give the ACCC reports of any actionable intelligence the entity has about activities relating to, connected with, or using the entity’s regulated services. A regulated entity must give SPF regulators reports about scams on request.
- Disrupt: Each regulated entity must take reasonable steps to disrupt an activity that is the subject of actionable scam intelligence and prevent losses from such an activity. The entity must report the outcomes of its investigation into whether such an activity is a scam to the ACCC. The report may need to describe any disruptive actions the entity has taken in relation to the activity. The entity isn’t liable for damages in taking certain disruptive actions.
- Respond: Each regulated entity must have an accessible mechanism for its consumers to report activities that are or may be scams. The entity must have an accessible and transparent internal dispute resolution mechanism for consumers to complain about activities that may be scams or the entity’s conduct relating to such activities. The entity must publish information about these mechanisms. When undertaking internal dispute resolution, the entity must abide by the processes and liability apportionment guidelines prescribed by the SPF rules. It must also become a member of an authorised external dispute resolution scheme for dealing with complaints about scams.
Mandatory SPF codes
The Bill intends that the overarching principles will be supported by mandatory and enforceable sector-specific SPF codes. These codes will be set by a Minister or one of the regulators under the SPF. The codes aren’t intended to be an exhaustive list of obligations. Instead, they are to act as mandatory minimum requirements to be satisfied.
Penalties for compliance failures
Regulated entities which fail to comply with the SPF risk substantial monetary penalties. Depending on the contravention involved, the penalties for a body corporate may be the greater of $50 million, three times the value of the benefit obtained, or 30% of the adjusted turnover during the breach turnover period for the contravention. Regulators may also have recourse to injunctions, enforceable undertakings, public warning notices, adverse publicity notices and infringement notices.
What relief is there for small business where there are compliance failures?
The requirement under the ‘Respond’ principle that regulated entities have internal dispute resolution mechanisms is intended to benefit SPF consumers (including small business victims of scams). The idea is ‘to encourage the early resolution of complaints, including for compensation or other remedies to be provided.’[3]
In addition, the mandatory membership of an authorised external dispute resolution scheme is intended to provide consumers and small businesses with a pathway for redress (including compensation). The idea behind external dispute resolution is to offer an independent, impartial and fair mechanism for small businesses and consumers to escalate their complaints where they are not resolved through internal dispute resolution or have an unsatisfactory outcome. The current plan is to not charge consumers or small businesses any fee if they use external dispute resolution.[4]
Alternatively, or after fully pursuing internal and external dispute resolution, small businesses may pursue an action for damages in Court against regulated entities for contraventions under the Bill. That is, a small business victim which suffers loss or damage by conduct of another person, done in contravention of a civil penalty provision of an SPF principle or code, may recover the amount of the loss or damage by action against that other person. The small business has six years to bring their claim. In circumstances where both a regulator and a victim sue, the court must prefer making an order for victim compensation if the regulated entity doesn’t have sufficient resources to pay both a pecuniary penalty and compensation.
The court remedies available to small businesses from SPF contraventions are not limited to damages claims. Under the Bill, small business victims may also pursue injunctive relief and orders to set aside, vary, or limit the terms of contracts they have with a contravening regulated entity.
Next steps for businesses
There are positives in this Bill for small businesses. The Bill, if enacted, will give them statutory compensation claims against large financial institutions, telcos and digital platform providers who do not comply with the SPF. The Bill also mandates a more unified and coherent approach for regulated entities when addressing scams.
Nonetheless, there remain challenges with the Bill. For small businesses there remains concern about whether the SPF sufficiently supports them in seeking redress. It is also unclear whether the SPF in practice will enable small businesses to quickly return to normal operations in the event they are a scam victim.
Across all business sizes there is concern over the uncertainty, complexity and compliance burden with the obligations introduced by the Bill. There is also criticism about whether the penalty regime imposes disproportionately higher penalties on smaller regulated entities.
[1] Explanatory Memorandum, Scams Prevention Framework Bill 2024 (Cth) 142.
[2] Commonwealth, Parliamentary Debates, House of Representatives, 7 November 2024, 8 (Stephen Jones, Assistant Treasurer and Minister for Financial Services).
[3] Explanatory Memorandum, Scams Prevention Framework Bill 2024 (Cth) 142 [1.258].
[4] Ibid 55 [1.277].