The Scams Prevention Framework Bill has passed through the national legislature. The expectation is that it will set out consistent and enforceable obligations for businesses in key sectors, with overarching principles for compliance by all members of designated sectors.
The ACCC has announced that the Commission will 'closely monitor regulated entities' compliance with principles to prevent, detect, disrupt, respond to and report scams'. The legislation empowers the ACCC to investigate potential breaches and take enforcement action where entities do not take reasonable steps to fulfill obligations under the principles, with fines of up to $50 million and scope for consumers to seek redress from regulated businesses. The ACCC will be involved in development of the formal designation of sectors, sector codes, and consumer and industry guidance. The initial sectors will be banks, certain digital platforms (including social media) and telecommunications providers.
Under the Framework, the ACCC will enforce the digital platforms sector scams code and take enforcement action where digital platforms breach obligations. The Australian Securities and Investments Commission will be the regulator for the banking sector code. The Australian Communications and Media Authority will be the regulator for the telecommunications sector code. There will be a single external dispute resolution body under the new Framework, involving the Australian Financial Complaints Authority (AFCA).
A Treasury Minister may, by legislative instrument, designate one or more businesses or services to be a regulated sector for the purposes of the Framework. This designation instrument is subject to Parliamentary scrutiny through the disallowance process and sunsetting. The Treasury Minister may designate an individual business or service, or designate businesses or services by class, meaning that the Minister may in effect designate specific entities to be a 'regulated sector' within a designation instrument.
Without limiting the businesses or services that may be designated, a Treasury Minister may designate the following classes of businesses or services to be a regulated sector (or a subset of those businesses or services):
• banking businesses, other than State banking (within the meaning of paragraph 51(xiii) of the Constitution) not extending beyond the limits of the State concerned;
• insurance businesses, other than State insurance (within the meaning of paragraph 51(xiv) of the Constitution) not extending beyond the limits of the State concerned;
• postal, telegraphic, telephonic or other similar services (within the meaning of paragraph 51(v) of the Constitution), which can include, but are not limited to:
  - carriage services within the meaning of the Telecommunications Act;
  - electronic services within the meaning of the Online Safety Act 2021, such as social media services within the meaning of that Act;
  - broadcasting services within the meaning of the Broadcasting Services Act 1992.
The descriptions of the businesses and services are based on the relevant constitutional heads of power and provide flexibility for the Framework to be expanded to a wide range of sectors over time. They are not intended to provide a roadmap of the exact sectors the Government is proposing to designate. The Government's intention is to initially designate telecommunications services, banking services and certain digital platform services.
Before designating a sector to be subject to the Framework, the Minister must consider all the following matters:
• Scam activity in the sector. For example, the Minister may identify that certain businesses or services experience high levels of scam activity.
• The effectiveness of existing industry initiatives to address scams in the sector. For example, there may be existing initiatives in a sector that seek to protect against scams but do not appropriately address scam activity in that sector.
• The interests of persons who would be Framework consumers of regulated services for the sector if the Minister were to make the designation. For example, designation may be appropriate if the Minister considers that consumers would be better protected against scams arising out of activity in a sector if it is subject to the Framework, rather than relying on existing frameworks.
• The likely consequences (including benefits and risks) to the public and to the businesses or services making up the sector if the Minister were to make the designation.
• Any other matters the Minister considers relevant to the decision to designate a sector to be subject to the SPF. For example, this could include the compliance and regulatory costs of designating sectors, the privacy or confidentiality of consumers' information, the regulatory impact of designation, the outcomes of consultation with impacted entities and consumers, and scam activity in the relevant sector in another jurisdiction.
Before designating a sector, the Minister must also consult relevant consumer groups and the businesses or services making up the sector, or such associations or other bodies representing them as the Minister thinks appropriate. Given the nature and scope of the requirements under the Framework, this is 'appropriate to ensure consumers and affected entities are given notice of the Government's intention to designate the relevant sector. It will also provide these stakeholders with an opportunity to give feedback on the details of the designation instrument, including on any application provisions or transition period before the SPF comes into effect for the sector'.
What is a 'Scam'?
The legislation seeks to provide certainty on the scope of harms intended to be captured by the Framework, with a scam being a direct or indirect attempt (whether or not successful) to engage a Framework consumer of a regulated service where it would be reasonable to conclude that the attempt:
• involves deception; and
• would, if successful, cause loss or harm including the obtaining of SPF personal information of, or a benefit (such as a financial benefit) from, the SPF consumer or the SPF consumer's associates.
The elements of the definition of 'scam' are objective in nature and do not require the scammer's state of mind to be established. This definition is deliberately broad to capture the wide range of activities scammers engage in and their ability to adapt and to adopt evolving behaviours over time. The Framework rules can also provide an appropriate safeguard to exclude conduct that is not intended to be captured under the Framework.
The definition of scam captures both successful scams which have caused loss or harm to a Framework consumer, and scam attempts which have not yet resulted in loss or harm to a Framework consumer. This reflects the obligations in the principles, which require regulated entities to take action against scams, regardless of whether the scam has resulted in loss or harm to a Framework consumer or an associate of the consumer. The use of 'attempt' in the definition of scam has its ordinary meaning, which is intended to cover efforts made to engage a Framework consumer. There may be an attempt to engage a Framework consumer even if the attempt is indirect, such as where it is directed at a cohort which includes the consumer or is directed at the public more generally. The attempt to engage an SPF consumer may be a single act or a course of conduct.
The legislation introduces the concept of an 'SPF consumer'. The obligations imposed on regulated entities are often in relation to a Framework consumer. This is intended to clearly set out the scope of obligations under the Framework and who they are designed to protect. A Framework consumer of a regulated service is:
• a natural person, or a small business operator, who is or may be provided or purportedly provided the service in Australia; or
• a natural person who is ordinarily resident in Australia and is or may be provided or purportedly provided the service outside of Australia by a regulated entity that is either an Australian resident or is providing or purportedly providing the service through a permanent establishment in Australia.
The meaning of 'Australian resident' and 'permanent establishment' with respect to the regulated entity in this context leverages the existing established definitions in the ITAA 1997.
A Framework consumer is intended to cover any natural person or small business operator who is in Australia when they are provided the regulated service, regardless of where that service is based (for example, the regulated service may be based overseas). This includes natural persons who are only temporarily in Australia. The definition also intends to cover any natural person who is ordinarily resident in Australia but is overseas when they are provided a regulated service that is based in Australia. A Framework consumer could be:
• an Australian resident in Australia using either an Australian-based or overseas-based messaging service that is offered in Australia;
• a person ordinarily resident in Australia who is overseas but using an Australian-based banking service; or
• a tourist visiting Australia using an Australian-based or overseas-based telecommunication service that is offered in Australia.
It is not intended that a foreign entity will be regulated with respect to consumers in foreign markets. For example, where an Australian consumer is overseas and is impacted by a scam on a social media service offered by an entity based overseas, this is not intended to be within the scope of the Framework.
Small businesses are not excluded from being Framework consumers based on their corporate structure. The small business may be in the form of a sole trader, company, unincorporated association, partnership or trust. Whether a small business is a small business operator for the purposes of the Framework will differ slightly depending on whether the small business is a body corporate or not.
If a small business is a body corporate, it is a small business operator if it meets all of the following conditions:
• the sum of the business' employees and the employees of any body corporate related to the business, is less than 100 employees;
• the annual turnover of the business during the last financial year is less than $10 million; and
• the business has a principal place of business in Australia.
If a small business is not a body corporate, it is a small business operator if it meets all of the following conditions:
• the business has less than 100 employees;
• the annual turnover of the business, worked out as if the person were a body corporate, during the last financial year is less than $10 million; and
• the business has a principal place of business in Australia.