
Out-Law News 4 min. read

Australia to introduce comprehensive scam prevention legislation


Public consultation on a new principles-based regulatory framework intended to safeguard Australian consumers from scams has now closed, with legislation to introduce multi-sector scam obligations supported by sector codes to be brought before parliament by the end of the year.

The Australian government’s Scams Prevention Framework (SPF), which was released by the Treasury in the form of a draft exposure Bill for public consultation in September, aims to implement new mandatory and comprehensive scam obligations across all sectors of the economy, beginning with three designated sectors - banking, telecommunication providers and digital platform services. The Bill to insert the new SPF into the Competition and Consumer Act 2010 is expected to be introduced to the federal parliament in November.

The framework follows a significant increase in scams over the past year which has cost Australians as much as AU$2.7 billion (US$1.8 billion) according to the Australian Competition and Consumer Commission, as well as causing psychological harm and undermining consumers’ trust in digital services.

It expands on the government’s current package of reforms intended to protect Australians from scams, including the launch of the Sender ID Register which aims to prevent fake SMS.

The SPF will be administered and enforced by the Australian Competition and Consumer Commission (ACCC) which will delegate its functions and powers to SPF ‘sector regulators’.

Principles based and reasonable steps

The SPF is based on five overarching principles: obligations to prevent, detect, report to sector regulators, disrupt and respond to scams. Regulated entities will be required to take ‘reasonable steps’ to comply with the prevention, detection and disruption principles, which are subject to civil penalty provisions. These steps are not defined in the Bill or the explanatory materials.

The SPF also provides for the development of sector-specific codes that would outline the minimum standards required by each regulated sector. These codes will be enforced by the relevant SPF sector regulator and may include sector-specific details of what constitutes reasonable steps. These could include the use of technical measures and solutions.

Dispute Resolution

Regulated entities will also be required to provide accessible and transparent ‘internal dispute resolution’ (IDR) and ‘external dispute resolution’ (EDR) mechanisms. The SPF code will set out the types of complaints that IDR mechanisms can apply to, timeframes for response and the process of escalating a complaint to the SPF EDR scheme.

In addition, the government intends to engage the Australian Financial Complaints Authority (AFCA) as the sole EDR scheme for the first three designated sectors. The EDR scheme will provide SPF consumers with a pathway for redress and compensation where a regulated entity has not complied with their SPF obligations.

Veronica Scott, a privacy and cyber law expert at Pinsent Masons, said the new framework, once implemented, would be a “gamechanger”, providing enhanced protections across the scam lifecycle supported by a robust penalty regime.

“The Bill will introduce a tough new unified framework of scam prevention obligations which will eventually apply across all sectors of the economy as part of the Australian government’s package of initiatives to modernise Australia’s consumer laws for the digital age,” she said.

“It will replace current scam protections which are inconsistent across sectors by establishing comprehensive protections which are responsive and adaptable to the digital age, but will allow sector regulators to develop sector specific codes which we hope will provide more tailored guidance.”

The framework provides Australia’s first legislative definition of terms including ‘scam’, ‘SPF consumer’ and ‘actionable scam intelligence’.

The Bill proposed to define a ‘scam’ as: “… a direct or indirect attempt to engage an SPF consumer of a regulated service that (a) involves deception and (b) would, if successful cause loss or harm including the obtaining of personal information of, or a benefit (such as financial benefit) from, the SPF consumer or the SPF consumer’s associates.”

According to Scott, the deliberately broad definition accounts for non-monetary benefits - such as cryptocurrency, data, loyalty and reward points - and includes attempts to scam as well.

“This captures the wide range of scam activities scammers may engage in the current digital age, including attempts to steal personal information,” she said.

Enforcement and penalties

The SPF will be enforced through substantial fines ranging from AU$10 million for minor breaches to AU$50 million for severe violations.

It establishes two sets of contraventions of the SPF and sets out the maximum penalties for each. Tier 1 contraventions include failures to uphold a civil penalty provision of SPF principles and are considered more serious breaches likely to have a significant impact on consumers.

The penalties for Tier 1 contraventions include the greater of 159,745 penalty units (which currently amounts to AU$50,000,185); three times the total value of the benefit that the body corporate and any body corporate related to that body corporate have obtained directly or indirectly and is reasonably attributable to the contravention; or 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

Tier 2 contraventions include a contravention of a civil penalty provision of an SPF code or the SPF principles including governance and report. Penalties include the greater of 31,950 penalty units (which currently amounts to AU$10,000,350); three times the total value of the benefit that the body corporate and any body corporate related to that body corporate have obtained directly or indirectly and is reasonably attributable to the contravention; or 10% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

According to Scott, entities that will be regulated under the SPF should begin preparing as soon as possible for the likely introduction of the new legislation in the final parliamentary sitting of the year.

“Regulated entities need to understand the impact of their new obligations. They need to consider what governance procedures and process may need to be implemented internally to be able to report and share information on possible scam activity with the ACCC, on the basis that this may be distributed across the ecosystem to support disruptive actions,” Scott said.
