Developing the Scams Prevention Framework: Treasury consults on draft rules and codes
03 June 2026
The Federal Government has now designated the banking, digital platforms, and telecommunications sectors under Australia’s new Scams Prevention Framework (SPF), which will come into full effect from 31 March 2027. This designation was accompanied by a Treasury consultation on a suite of draft codes and rules designed to implement substantive obligations for these sectors under the SPF.
With Treasury now defining the scope of the SPF and core requirements that entities will need to comply with, regulated entities should assess whether they can meet these new obligations and actively consider how they engage with Treasury in the consultation.
The consultation is open until 25 June 2026.
Operation of the SPF
By way of recap, the SPF requires designated sectors to implement reasonable steps to prevent, detect, disrupt and report scams and to provide an avenue for customers to raise a complaint where a scam has occurred. Complaints need to be managed via an internal dispute resolution (IDR) mechanism and, where that fails, customers can refer the complaint to the Australian Financial Complaints Authority (AFCA) for determination as part of an external dispute resolution (EDR) framework. Each entity will be required to prepare a statement of compliance in response to complaints demonstrating how it has complied with the SPF obligations.
Substantive obligations under the draft SPF Code
Under the SPF, codes will be made to prescribe general and sector-specific obligations for regulated entities. The May 2026 consultation materials include a draft code (and telecommunications specific code) applicable to regulated sectors that establishes the first definitive examples of what entities will be expected to do in order to meet their SPF obligations. It is proposed that each obligation triggers a civil penalty where there is a breach. The following obligations will be of key importance to regulated entities:
SPF Principle | Obligation | Detail |
|---|---|---|
All regulated entities | ||
Principle 1 (Governance) | Policies and training | Develop risk-based governance policies and train staff at least annually. |
Principle 2 (Prevent) | Third party service providers | Develop reasonable systems and processes to ensure that agents and third-party service providers have reasonable systems, processes and resources and act consistently with SPF obligations. This includes taking due skill and care when selecting providers, monitoring their ongoing performance, and appropriately dealing with any non-compliance. |
Principle 2 (Prevent) | Brand impersonation | Develop reasonable systems and processes to prevent your business’ brand and likeness from being used to facilitate scams. This obligation includes notifying customers of approved communication channels, and monitoring for brand impersonation and taking action when required to remove impersonating content. |
Principle 3 (Detect) | Identifying scams and affected customers | Identify activities as scams where it has actionable scam intelligence and reasonable grounds to believe an activity is a scam; and identify and notify affected consumers. We expect further details on how regulated entities will be expected to report and respond to actionable scam intelligence in further rounds of consultation with Treasury. |
Principle 5 (Disrupt) | Risk assessment | Entities with actionable scam intelligence must undertake a risk assessment to inform proportionate disruptive action. The assessment must consider whether the entity suspects or believes the activity is a scam, the likelihood and severity of potential harm, high-risk indicators, known systemic issues, and (for suspected but unidentified scams) the strength of intelligence, potential harm from disruption if not a scam, and reversibility. This does not prevent immediate disruptive action where reasonable grounds exist. |
Principle 6 (Respond) | Multi-party cooperation | Cooperate with other regulated entities under the SPF in relation to reported scams. This includes setting up systems and processes to apportion liability between entities, and share information to assess liability for loss or harm suffered by the complainant. |
| Banks | ||
Principle 2 (Prevent) | Payee confirmation | Banks must allow customers to see payee names prior to making transfers, if the payee identifier has been registered for use for electronic funds transfers; and notify customers if the payee name they have provided does not match the information held by the bank. They must also verify the identity of each direct SPF customer (something we expect is likely already done by most banks). |
Principle 2 (Prevent) | Systems and processes to identify scams activity | Have in place systems and processes to identify activities with a high risk of scams, take steps to limit the use of those high-risk activities, and warn customers if they try to undertake a high-risk activity. |
Principle 3 (Detect) | Transaction and account monitoring | Monitor transactions and accounts to identify actionable scam intelligence, and identify and notify customers who have been affected by scams. |
Principle 5 (Disrupt) | Payment recall and account blocking | Take reasonable steps to reverse transactions that are suspected to be facilitating a scam, and block accounts associated with scams. |
| Digital platforms | ||
Principle 2 (Prevent) | Terms of service | Platforms must include an explicit prohibition of scam activity in their terms of service, state their SPF responsibilities, and reserve the right to suspend or ban users and disable accounts. |
Principle 2 (Prevent) | User verification | For each new user, platforms must verify identity, check against banned account records, and (for business accounts) confirm the user is an authorised representative. Re-verification is required where information may no longer be accurate, i.e. where an account has potentially been taken over. This is not intended to require collection of additional personal information (e.g. ID documents or biometrics) beyond existing standard operating procedures. |
Principle 2 (Prevent) | Advertiser and advertisement verification | Before publishing an advertisement, platforms must: verify the advertiser has not been previously banned; confirm authorised representatives against ASIC registers/business registers/trademarks; check that any required Australian licence is held in order to sell the product (including for ads where the product or service does not actually exist); and confirm charity registration where relevant. |
Principle 2 (Prevent) | Targeted warnings | Platforms must warn consumers assessed as being at higher risk of a particular scam type, based on user behaviour and content attributes. Warnings must be clear, concise, timely and include educational resources and reporting information. |
Principle 3 (Detect) | Advertisement monitoring | Platforms must also have systems to review ads for potential scam content before publication. |
Principle 3 (Detect) | Cross-service monitoring | Platforms must have reasonable systems to monitor for scam activity across their services, assessed by reference to factors including scale, scam history, emerging threats, potential consumer harm and must be commensurate with their business. Entities that allow users to operate on multiple regulated services under one account must have collective detection processes across all their services. |
Principle 5 (Disrupt) | Disrupt and remove | Where the platform has actionable scam intelligence, it must suppress or limit the content while investigating and attach a warning. Once a scam is confirmed, the platform must remove the content, block same or substantially similar content, and disable associated accounts. For advertising specifically, suspected scam ads must be suspended pending investigation and confirmed scam ads must be removed with associated persons banned. |
| Telecommunications | ||
Principle 2 (Prevent) | Verifying user identity | Before entering into a contract with a customer, regulated entities must verify the customer’s identity, and if a high-risk telco service, verify the person has the rights of use in respect of the number with the service and establish a legitimate use case. The carrier must prevent the carriage of a call or message if the customer does not have the rights of use. |
Principle 2 (Prevent) | Not carrying certain calls/messages | Regulated entities must not carry certain calls or messages, including: those without an attached call line identification (CLI), those carrying ‘spoofed’ Australian numbers, those with incorrect trust markings, and those using numbers from ‘Do Not Originate’ lists held by other regulated entities. They must also conduct a number of checks on inbound international voice calls and carry international CLI exactly as received. |
Principle 2 (Prevent) | Blocking inbound foreign calls | A terminating carriage service provider must give customers the ability to block all inbound voice calls and messages from numbers other than Australian numbers. |
Principle 2 (Prevent) | Network trust information | Originating carriage service providers and interconnected carriers and carriage service providers are required to attach network trust information to all calls and messages where they are satisfied that they are legitimate |
Principle 2 (Prevent) | Limits on volume of messages for prepaid mobile carriage services | The regulated entity must, before activating the prepaid mobile carriage service, impose a maximum limit on the volume of messages the customer may send, within a set period, to multiple numbers using the service. |
Principle 2 (Prevent) | Providing assistance to customers | Regulated entities are expected to provide assistance to SPF consumers who request help or indicate they may be falling victim to a scam or are at a higher risk of doing so, and take reasonable steps to implement secure systems and processes to prevent the network or facility from being used to commit scams |
Principle 2 (Prevent) | Do Not Originate List | Regulated entities must establish and maintain a list of numbers, which are not used to make outbound voice calls or messages, to be known as the Do Not Originate List, and share those with other regulated entities. |
Principles 3 and 5 (Detect and Disrupt) | Monitoring for scams | Regulated entities are required to monitor for suspicious activity on their telecommunications networks. Any actionable scam intelligence must be passed to regulated entities that originated or passed on the relevant traffic, so they might also investigate the identified traffic, within five business days. They must also interrupt voice calls or messages if they have investigated scam intelligence, and give SIP response codes or notices of interrupted voice calls or messages. |
Principle 3 (Detect) | Filtering messages | Regulated entities must use fully automated filtering technology for the detection of any scam material in messages carried by the entity using a covered telecommunications service. |
The draft SPF rules
Under the SPF, rules provide cross-sector procedural and administrative requirements including intelligence sharing arrangements, dispute resolution processes, the contents of statements of compliance and threshold definitions. These Draft Rules clarify the following issues:
Excluded entities
Digital platforms/services that do not satisfy either test below will be exempt from the SPF. We expect most digital platforms in Australia to meet both tests:
- Revenue test - gross revenue of $1 billion or more (calculated taking into account the gross revenue of the entity that controls the Australian entity); and
- Active user test - average monthly active Australian users of the service is 200,000 or more.
For banks:
- An entity is not a regulated entity for covered banking services if it is a provider of purchased payment facilities. This recognises that provision of purchased payment facilities is generally not considered ‘banking business’ within the meaning of the Banking Act 1959 (Cth).
- The SPF excludes business-to-business banking services not directly servicing retail customers.
Statement of compliance
- Information to be included. A statement of compliance must include a description of each matter raised, findings on material questions of fact and the information relied on to support those findings, the process followed, the outcome (including apportionment of compensation), information about any other entity's conduct that affected the outcome, and a summary of EDR rights. The regulated entity must also identify whether it has complied with its obligations under the SPF.
- Exclusions. Statements must not include commercially sensitive information or personal information, and businesses must also consider information restrictions under other legislative regimes (e.g. AML/CTF laws).
- Timing. A statement of compliance must be given within 21 calendar days after the complaint is received. Where an entity cannot comply with the 21-day requirement, it must give written notice, set out the reasons for delay, a summary of EDR rights, and the reasonable time by which the statement will be provided. The materials indicate that businesses should only exceed the 21 calendar days sparingly (e.g. where the entity needs to reconstruct account information).
- Short statement of compliance. Where a complaint is resolved to the complainant's satisfaction within 5 business days, a simpler statement may be provided, with the complainant retaining the right to request a full statement.
- Authorised representative. A statement of compliance must be signed by a senior officer with governance oversight of matters relevant to the complaint.
Where a ‘short statement’ is issued, it must be given within 5 business days of the entity being satisfied that the complaint is resolved.
Record keeping requirements
Records must be in English (or readily convertible), kept in or electronically accessible from Australia, and retained for six years.
Proposed IDR regime under the IDR Position Paper
Treasury has also published a Position Paper on IDR which puts forward suggestions for how IDR should operate under the SPF. In summary:
- Cooperation will be mandatory. Entities will be required to cooperate with each other (including across sectors) on scam complaints, regardless of whether they join the centralised IDR model currently being developed by industry participants. The paper does not propose a multi-party IDR solution but notes that several industry participants are cooperating to develop a centralised IDR model.
- Auto-reimbursement for claims under $3,000. The paper suggests entities should automatically reimburse scam victims for verified scam losses below $3,000. This expectation will be set out as Ministerial Guidance in the SPF rules.
- Liability for claims over $3,000. Entities that breach their SPF obligations will be liable for scam complaints above $3,000. These claims will undergo more detailed IDR investigation and determination.
- Equal apportionment by default. Where the scam involved multiple regulated entities that breached their SPF obligations, reimbursement will be shared equally. Entities can agree to adjust this default apportionment in exceptional circumstances (e.g. where one entity clearly played a larger role). Additional rules will be published on apportionment. However, the liability apportionment guidelines will not support consideration of the role of non-regulated entities in IDR.
Key takeaways for each sector
Banks
For banks, scams prevention has long been part of their controls repertoire, with most banks having dedicated scams prevention measures in place already. The proposed new SPF requirements will add an additional layer of protection for customers, with most banks needing to verify whether their current controls sufficiently address all SPF requirements and whether any gaps exist.
Digital platforms
For digital platforms broadly, the focus on advertising material, and advertiser and user verification will create an additional layer of controls.
Telecommunications
The proposed SPF reforms sit alongside new requirements under the SMS Sender ID Register that commence on 1 July 2026. Under the SMS Sender ID Register, the Australian Communications and Media Authority will now need to approve (via the register) any Sender IDs used in messages sent to recipients in Australia. Those reforms will provide an early indication of the uplift required to enable the verification methods envisaged under the SPF.
All sectors
For all sectors, the most significant challenge will be how liability will be apportioned between the three sectors at IDR and EDR, and what level of detail will need to be included in each entity’s statement of compliance to show they complied with the SPF and are not liable for the customer’s loss.
Lindsey Cullen and Hannah Shaw also contributed to this article.
Authors
Partner
Head of Intellectual Property
Partner
Lawyer
Tags
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.
Key Contact
Other Contacts
