Australia Passes Landmark Scam Prevention Legislation

In Short

The Development: On 13 February 2025, the Australian Federal Parliament passed the Scams Prevention Bill 2025 (Cth) ("Bill"), the first of its kind worldwide. 

The Context: The Bill comes after the Australian government estimated that AUD $2.7 billion was stolen from Australian consumers via scams in 2023. The Bill will initially require local and overseas entities operating in the Australian banking, telecommunications, and digital platform services sectors to take reasonable steps to prevent, detect, disrupt, respond to, and report scams, and to document and implement internal governance mechanisms to combat scams, or risk penalties of up to AUD $50 million per offense. 

Looking Ahead: The Bill awaits Royal Assent (that is, being formally brought into law). While the sectors initially regulated by the Bill will be the banking, telecommunications, and digital platform services sectors, the treasury minister may designate additional sectors in the future. 

Australia's scam prevention legislation, the first of its kind worldwide, will be new Part IVF of the Competition and Consumer Act 2010 (Cth), and will impose consistent overarching principles ("SPF Principles"), sector-specific codes ("SPF Codes"), and other rules and governance obligations on entities operating in designated sectors. The Bill replaces existing approaches in operation across the Australian economy. 

The framework set forth in the Bill will apply to any corporation or person who carries on or provides a business or service that is part of a regulated (i.e., designated) sector. Regulated entities include entities engaging in trade or commerce that are based not only within Australia but also overseas. The treasury minister will formally confirm the banking, telecommunications, and digital platform sectors (and any others) as designated sectors via legislative instrument in due course.

The Bill requires regulated entities to abide by sector-specific codes, and to comply with common principles, notably the requirement for an entity to take "reasonable steps" to prevent scams from reaching or impacting consumers. Additionally, the Bill requires a regulated entity to detect scams and suspicious activity, report credible scam intelligence to the coordinating regulator, and take "reasonable steps" to disrupt a scam and prevent losses to consumers. What is considered to be "reasonable" will depend on, among other things, the size of the regulated entity, the relevant services, and the consumer base of those services. 

Regulated entities will also need to provide an accessible mechanism for consumers to report scams or suspicious activity connected with the entity's business. The Bill does not prescribe a format for this mechanism; however, SPF Codes are likely to provide more detail on this issue.

In conjunction with external reporting obligations, the Bill includes internal governance requirements. A regulated entity will be required to document and implement corporate governance policies and procedures regarding the company's scam prevention, detection, disruption, response, and reporting measures, as well as develop and implement performance metrics and targets to measure the effectiveness of those governance measures. 

The Bill prescribes significant fines of up to AUD $50 million per offence if regulated entities do not take "reasonable steps" to report, disrupt, and respond to scams and attempted scams. Additionally, the Australian Competition and Consumer Commission ("ACCC") (which will oversee and enforce the SPF Principles and the SPF Code applicable to the digital platforms sector), the Australian Securities and Investments Commission (which will oversee and enforce the SPF Code for the banking sector), or the Australian Communications and Media Authority (which will oversee and enforce the SPF Code for the telecommunications sector) may take corrective and enforcement action against regulated entities in breach of the new requirements. The powers available to the regulators via the Bill include judicially enforceable undertakings, injunctions, representative actions for damages, public warning notices, remedial directions, adverse publicity orders, declarations, and civil penalty proceedings. However, a 28-day safe-harbour provision is available for regulated entities that take good-faith and "reasonably proportionate" action to disrupt scams.

The Bill also provides for internal and external dispute resolution mechanisms to allow individuals and small businesses affected by scams to seek redress from regulated entities that have not met their obligations. Affected consumers may also institute court proceedings to recover loss or damage, raising a potential risk of class actions. 

The ACCC has welcomed the passage of the Bill, with the deputy chair noting that "[i]ndividuals have been bearing the brunt of the responsibility to combat scammers for too long" and "[t]his Bill is a critical step in the fight against scams—creating overarching principles that all members of designated sectors must comply with. We know scammers will exploit weak links in the system—so these principles are key to a consistent approach".

The framework is a part of the Australian Labor Party's broader effort to modernize Australia's laws for the digital age and provide further consumer protections. Subject to the outcome of Australia's federal election later in 2025, the new framework may be the first of a number of reforms to Australia's privacy, payment systems, money laundering, cyber, product safety, unfair trading, and digital identification laws. 

Three Key Takeaways

  1. Given that banks, telecommunications companies, and digital platform service providers are expected to be designated first, domestic and international entities operating in these areas should begin reviewing their current strategies and frameworks to ensure that a governance framework is in place that satisfies the SPF Principles to prevent, detect, disrupt, respond to, and report scams and potential scams.
  2. The Australian government is modernizing its legislative regime and has demonstrated its intention to make fighting scams the responsibility of government and businesses. 
  3. Entities should expect further legislative reforms that continue to transfer the onus of consumer protection onto corporations, particularly in the digital space. We will continue to monitor these developments and publish further alerts in due course.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.