Senate

Scams Prevention Framework Bill 2024

Revised Explanatory Memorandum

(Circulated by authority of the Assistant Treasurer and Minister for Financial Services, the Hon Stephen Jones MP and Minister for Communications the Hon Michelle Rowland MP)
THIS MEMORANDUM TAKES ACCOUNT OF AMENDMENTS MADE BY THE HOUSE OF REPRESENTATIVES TO THE BILL AS INTRODUCED

Chapter 1: Scams Prevention Framework

Outline of chapter

1.1 The Bill implements a legislative framework to prevent and respond to scams impacting the Australian community, called the SPF. The amendments introduce a framework for regulated entities to implement measures to prevent, combat and respond to scams. The SPF includes the following features:

overarching principles (SPF principles) that apply to regulated entities;
sector-specific codes (SPF codes) that apply to regulated entities in certain regulated sectors;
rules (SPF rules) to support the effective operation of the framework;
a multi-regulator framework;
regulatory and enforcement mechanisms, including a two-tier civil penalty framework; and
dispute resolution mechanisms.

1.2 The legislative framework allows a Treasury Minister to designate sectors of the economy to be subject to the SPF principles, make an SPF code for that sector, and designate a regulator to enforce that code.

1.3 Legislative references in this Chapter are to the CCA unless otherwise specified.

Context of amendments

1.4 The digital economy has revolutionised the way Australians communicate, conduct business, access services and make payments, bringing significant efficiencies to individuals and businesses. These gains in speed and convenience have been accompanied by an evolution of the risks when conducting business, communicating and making payments. This includes a rise in sophisticated scams over recent years, which manipulate consumers and undermine trust in digital services.

1.5 Scammers stole $2.7 billion from Australian consumers in 2023. Scams not only have a financial toll on victims but can also cause psychological and emotional harm. Regardless of the value stolen, the impact on victims can be irreversible.

1.6 The SPF is an economy-wide reform to prevent and respond to scams impacting the Australian community by requiring the private sector to adhere to consistent principles-based obligations and enforceable mandatory codes. The consistent and enforceable approach of the SPF will ensure that incentives and obligations are in place across key sectors where scammers act to cause harm in the community.

1.7 Current scam protections are piecemeal and inconsistent across the economy. As a result, Australian consumers face inconsistent protections with differing service providers. While some sectors have industry codes to address scam activity, other sectors have no formal scam protection requirements, providing scammers with an avenue to target consumers. As it is common for scammers to use multiple platforms and services to steal from consumers, the SPF will ensure that all participants in the ecosystem are held accountable.

The telecommunications sector has taken action to combat scams by implementing the Reducing Scam Calls and Scam SMs Code in 2022. It requires telecommunication providers to take steps to identify, trace and block scam calls and messages. The Government also passed legislation in August 2024 for the SMS Sender ID Register, which will require the telecommunications sector to check whether messages being sent under a brand name match the legitimate registered sender.
The banking sector plays a pivotal role in the scams ecosystem, with banks usually being the terminating point of a scam when a consumer transfers money to the scammer. In 2023, ASIC found the overall approach to scams strategies and governance in Australia's major banks was variable and less mature than expected, with gaps in scam detection, response and victim support.
In late 2023, members of the Australian Banking Association and Customer Owned Banking Association committed to implement a range of measures to improve scam protections and consumer outcomes through the industry-led Scam Safe Accord. Since its introduction, banks have reported a disruption of scams through a range of approaches. As part of the Scam Safe Accord, banks, credit unions and building societies are deploying confirmation of payee technology in 2024 or 2025.
Digital platforms remain a point of vulnerability in the scams ecosystem and have taken limited action to protect Australian consumers from scams. While economy-wide scam losses decreased in 2023, scam losses originating from social media were up by 17 per cent and scam reports were up by 31 per cent. As part of the 5th Interim Report of the Digital Platform Services Inquiry, the ACCC recommended that digital platforms should be required to implement processes to prevent and remove scams, including a notice and action mechanism and verification of certain business users, including advertisers of financial services and products.
Some digital platforms have begun moving towards improving scam protections, as outlined in the voluntary Australian Online Scams Code, published by the Digital Industry Group Inc. in July 2024. An uplift in protections is welcome, however there needs to be consistency and a common standard adopted by all with binding obligations.

1.8 The Government has committed to initially designating telecommunications services, banking services and digital platform services relating to social media, paid search engine advertising and direct messaging, as each of these sectors represent a significant vector of scam activity. The SPF is responsive and adaptable, and enables other sectors to be brought under the framework where scam harms arise.

1.9 The dispute resolution obligations imposed on regulated sectors will be critical for the effectiveness of the SPF. The SPF will require regulated entities to have an IDR process in place and to become a member of a designated EDR scheme. In September 2024, the Government announced it will authorise the AFCA as the designated EDR scheme for the three initial sectors designated under the SPF.

1.10 It is intended that there will be a 'no wrong door' approach for IDR and a 'single door' approach for the EDR scheme for the three initial sectors to be designated under the SPF. This means consumers will have access to fair and transparent dispute resolution processes if they are the victim of a scam where a regulated entity has not met its obligations.

1.11 The consumer protections introduced through the SPF will help safeguard the benefits of the digital economy and provide the community with confidence to embrace the efficiency and convenience of the digital economy without fear of exploitation.

1.12 The SPF is being introduced as part of a broader effort to modernise Australia's laws for the digital age and consumer protection agenda. This includes reforms to Australia's privacy laws, payment systems, and money laundering and cyber settings, as well as the introduction of online safety measures, safe and responsible use of artificial intelligence measures, product safety standards, unfair trading practices and Digital ID.

1.13 The transnational nature of scam activity reiterates the importance for global collaboration. The SPF will facilitate further engagement on how economies can disrupt and share intelligence to increase the effectiveness of the fight against scammers.

1.14 The SPF is a robust whole-of-ecosystem approach that will make Australia the toughest target for scammers.

Summary of new law

1.15 The amendments introduce a framework for preventing and responding to scams impacting the Australian community with the following features:

overarching principles (SPF principles) that apply to regulated entities;
sector-specific codes (SPF codes) that apply to regulated entities in certain regulated sectors;
rules (SPF rules) to support the effective operation of the framework;
a multi-regulator framework;
regulatory and enforcement mechanisms, including a two-tier civil penalty framework; and
dispute resolution mechanisms.

1.16 The SPF principles apply to all regulated entities. These principles are enforced by the ACCC as the SPF general regulator (or an appropriately delegated person or authority) under the CCA. The SPF principles are about governance arrangements relating to anti-scam actions, and preventing, detecting, reporting, disrupting and responding to scams.

1.17 SPF codes will provide sector-specific, prescriptive obligations for each regulated sector that are consistent with the SPF principles. In assessing whether a regulated entity has complied with the SPF principles, a relevant consideration is the extent to which the entity has complied with any relevant SPF code obligations. However, SPF codes will not set out an exhaustive list of obligations to satisfy compliance with SPF principles. Rather, the SPF codes will provide a set of minimum standards that may be directed at addressing sector-specific harms related to scams.

1.18 This means that in some cases, taking reasonable steps to meet one or more of the SPF principles may require a regulated entity to take steps beyond the sector-specific obligations set out in an SPF code.

1.19 An SPF code applies in relation to a regulated sector. An SPF code will be enforced by a designated regulator, known as the SPF sector regulator for the sector.

1.20 The tiered regulatory design of the SPF will be administered and enforced via a multi-regulator model. This will deliver a whole-of-ecosystem approach to enforcement, and leverage existing regulatory relationships, supervision and surveillance frameworks already established by regulators.

1.21 This approach is supported by the ability of the SPF general regulator to delegate its functions and powers to an SPF sector regulator to ensure the effective regulation of regulated sectors.

1.22 Regulated entities that provide a service that is regulated by the SPF must have an accessible and transparent IDR mechanism and become a member of the EDR scheme that is authorised by a Treasury Minister for the regulated sector.

1.23 The Minister's intention is to authorise the AFCA scheme as the single SPF EDR scheme for the initially designated sectors. This will offer SPF consumers a holistic experience where multiple regulated entities are involved in a complaint. It will also bring consistency in consideration of complaints and be less burdensome for SPF consumers and regulated entities when compared with multi-scheme alternatives.

1.24 The SPF enables arrangements for the sharing of information about scams by regulated entities to SPF regulators (including through authorised third-party data gateways, portals or websites), by the SPF general regulator to regulated entities, between SPF regulators in the multi-regulator model, and between SPF regulators and the operator of the SPF EDR scheme. The SPF also enables arrangements for the sharing of information about scams by the SPF general regulator with foreign agencies responsible for scam prevention, provided the SPF regulator is satisfied the foreign agency has given an undertaking to control the storage, handling and use of any information received and that it will be used only for the purpose for which it was disclosed to the agency.

1.25 The commencement of the SPF does not in itself impose any obligations on entities until a designation is made with respect to a regulated sector, and that designation instrument is in force (and any transitional arrangements in the instrument are taken into account). Upon designation of a regulated sector:

regulated entities operating in the sector are then subject to the obligations in the SPF principles, enforced by the ACCC as the SPF general regulator; and
if an SPF code is made for the sector, regulated entities operating in that sector are then also subject to the obligations in the SPF code, enforced by the relevant SPF sector regulator.

Detailed explanation of new law

Division 1 - Preliminary

1.26 The amendments introduce Part IVF to the CCA, which establishes an overarching SPF. The object of the SPF is to prevent and respond to scams that impact the Australian community that relate to, are connected with, or use certain services.

[Schedule 1, item 1, section 58AA]

1.27 Simplified outlines throughout Part IVF provide a succinct overview of the relevant provisions to assist readers. However, readers should rely on substantive provisions as the outlines are not intended to be comprehensive. The simplified outline in Division 1 provides that:

The SPF is a multifaceted approach for preventing and responding to scams impacting the Australian community by requiring regulated entities in selected sectors of the economy to take a variety of steps to combat scams relating to, connected with, or using their services.
Regulated entities must comply with the overarching principles of SPF, which are about governance arrangements relating to scams, and preventing, detecting, reporting, disrupting and responding to scams.
Under the SPF, a Treasury Minister (or an appropriately delegated authority) may make an SPF code for a regulated sector. An SPF code will generally contain detailed (but not exhaustive) sector-specific obligations for regulated entities to comply with the SPF principles.
The SPF also provides that a Treasury Minister may authorise an SPF EDR scheme for a regulated sector. An SPF EDR scheme will provide pathways for redress (including compensation) where regulated entities have not met their SPF obligations.
The ACCC is the SPF general regulator that regulates and enforces compliance with the SPF principles. A Treasury Minister may also select other Commonwealth entities to be SPF sector regulators to regulate and enforce compliance with SPF codes.

[Schedule 1, item 1, section 58AB]

Regulated sectors, entities and services

1.28 The SPF applies to regulated entities in regulated sectors with respect to the regulated services of those entities. A Treasury Minister may designate a sector of the economy to be a regulated sector. A regulated sector covers the businesses or services referred to in the designation instrument. The persons that carry on or provide these businesses or services are the regulated entities subject to the SPF.

[Schedule 1, item 1, sections 58AC and 58AD]

Regulated sectors

1.29 A Treasury Minister may, by legislative instrument, designate one or more businesses or services to be a regulated sector for the purposes of the SPF.

[Schedule 1, item 1, subsection 58AC(1)]

1.30 This designation instrument is subject to Parliamentary scrutiny through the disallowance process and sunsetting.

1.31 The Treasury Minister may designate an individual business or service, or designate businesses or services by class (see subsection 13(3) of the Legislation Act 2003). This means that the Minister may in effect designate specific entities to be a 'regulated sector' within a designation instrument.

[Schedule 1, item 1, note 1 to subsection 58AC(1)]

1.32 This legislation-making power is appropriate as the designation instrument may contain complex and specific details to ensure the relevant businesses and services are appropriately described for the purposes of sector designation. This may involve designating an individual person, business or service and is therefore more suited to being set out in delegated legislation.

1.33 The legislation-making power also ensures there is sufficient flexibility for the Government to respond quickly to changing scam methods and trends which may target particular sectors of the economy. A legislative instrument can be made quickly to bring additional sectors into the SPF to require regulated entities in those sectors to uplift their anti-scam practices.

1.34 Alongside the power to designate a sector, a Treasury Minister may also designate a Commonwealth entity to be an SPF sector regulator for a regulated sector (see Division 5 - Regulating the SPF). For example, if the banking sector is a regulated sector, the Minister may designate ASIC to be the SPF sector regulator for that sector in the same or separate instruments.

1.35 The Treasury Minister may vary or repeal the designation instrument once made (see subsection 33(3) of the Acts Interpretation Act 1901).

[Schedule 1, item 1, note 2 to subsection 58AC(1)]

1.36 Without limiting the businesses or services that may be designated, a Treasury Minister may designate the following classes of businesses or services to be a regulated sector (or a subset of those businesses or services):

banking businesses, other than State banking (within the meaning of paragraph 51(xiii) of the Constitution) not extending beyond the limits of the State concerned;
insurance businesses, other than State insurance (within the meaning of paragraph 51(xiv) of the Constitution) not extending beyond the limits of the State concerned;
postal, telegraphic, telephonic or other similar services (within the meaning of paragraph 51(v) of the Constitution), which can include, but is not limited to:

- carriage services within the meaning of the Telecommunications Act;
- electronic services within the meaning of the Online Safety Act 2021, such as social media services within the meaning of that Act;
- broadcasting services within the meaning of the Broadcasting Services Act 1992.

[Schedule 1, item 1, subsection 58AC(2)]

1.37 The description of the businesses and services in the preceding paragraph are based on the relevant constitutional heads of power and provide flexibility for the SPF to be expanded to a wide range of sectors over time. It is not intended to provide a roadmap of the exact sectors the Government is proposing to designate. The Government's intention is to initially designate telecommunications services, banking services and certain digital platform services.

Designation of a regulated sector

1.38 Before designating a sector to be subject to the SPF, the Treasury Minister must consider all the following matters:

Scam activity in the sector. For example, the Minister may identify that certain businesses or services experience high levels of scam activity.
[Schedule 1, item 1, subparagraph 58AE(1)(a)(i)]
The effectiveness of existing industry initiatives to address scams in the sector. For example, there may be existing initiatives in a sector seeking to protect against scams which do not appropriately address scam activity in that sector.
[Schedule 1, item 1, subparagraph 58AE(1)(a)(ii)]
The interests of persons who would be SPF consumers of regulated services for the sector if the Minister were to make the designation. For example, designation may be appropriate if the Minister considers that consumers would be better protected against scams arising out of activity in a sector if it is subject to the SPF, rather than relying on existing frameworks.
[Schedule 1, item 1, subparagraph 58AE(1)(a)(iii)]
The likely consequences (including benefits and risks) to the public and to the businesses or services making up the sector if the Minister were to make the designation.
[Schedule 1, item 1, subparagraphs 58AE(1)(a)(iv) and (v)]
Any other matters the Minister considers relevant to the decision to designate a sector to be subject to the SPF. For example, this could include the compliance and regulatory costs of designating sectors, the privacy or confidentiality of consumers' information, the regulatory impact of designation, the outcomes of consultation with impacted entities and consumers, and scam activity in the relevant sector in another jurisdiction.
[Schedule 1, item 1, subparagraph 58AE(1)(a)(vi)]

1.39 Before designating a sector, the Treasury Minister must also consult relevant consumer groups and the businesses or services making up the sector, or such associations or other bodies representing them as the Minister thinks appropriate. Given the nature and scope of the requirements under the SPF, this is appropriate to ensure consumers and affected entities are given notice of the Government's intention to designate the relevant sector. It will also provide these stakeholders with an opportunity to give feedback on the details of the designation instrument, including on any application provisions or transition period before the SPF comes into effect for the sector.

[Schedule 1, item 1, paragraphs 58AE(1)(b) and (c)]

1.40 This consultation requirement is intended to operate alongside the general consultation requirement in section 17 of the Legislation Act 2003. This means the Treasury Minister may undertake additional consultation, including public consultation, on the designation instrument as appropriate.

1.41 Failure by the Treasury Minister to consult consumer groups or the relevant businesses or services, or to consider the above matters in making a designation, does not invalidate the designation instrument. This provides certainty on the regulated sectors within the scope of the SPF. The provision reflects the general position in section 19 of the Legislation Act 2003 that the validity or enforceability of a legislative instrument is not affected by a failure to consult. This approach also ensures certainty for regulated entities who may have undertaken investment and preparatory work to comply with the SPF.

[Schedule 1, item 1, subsection 58AE(2)]

Delegation of Treasury Minister's designation power

1.42 A Treasury Minister may, in writing, delegate the power to make an instrument designating businesses or services to be a regulated sector to another Minister. This may be appropriate when the sector sits outside of the Treasury Minister's portfolio and another Minister is responsible for policy matters in that sector.

[Schedule 1, item 1, section 58AF]

1.43 The provisions relating to delegation in sections 34AA to 34A of the Acts Interpretation Act 1901 apply to a delegation of the Treasury Minister's power to make a designation instrument. For example, under section 34A of that Act, if the Treasury Minister delegates this power to the Communications Minister, then the matters the Treasury Minister must consider before designating a sector and relevant consultation requirements must be satisfied by the Communications Minister before the Communications Minister makes a designation instrument as a delegate.

[Schedule 1, item 1, note to section 58AF]

Regulated entities and their regulated services

1.44 The amendments set out which entities are regulated entities, and the regulated services for those entities, for a regulated sector. A regulated entity for a regulated sector must comply with the obligations of the SPF and any SPF code for the sector, subject to any carve outs. Generally, the obligations are framed by reference to the regulated services of the regulated entity for that sector.

Entities with businesses or services within the banking, insurance or communications constitutional powers

1.45 To the extent that a regulated sector includes a business or service covering banking businesses, insurance businesses, or communication services (within the meaning of paragraph 51(xiii), (xiv) or (v) of the Constitution respectively - see above), or a subset of such a business or service:

the person who carries on or provides that business or service is a regulated entity for the sector; and
that business or service is a regulated service of the regulated entity for the sector.

[Schedule 1, item 1, subsection 58AD(1)]

1.46 For example, if banking services were to be designated as a regulated sector, a banking entity that offers both insurance and banking services would only be regulated as part of the banking sector under the SPF for the purposes of its banking services, not its insurance services.

1.47 The designation instrument and explanatory materials will also confirm these matters to ensure affected entities and consumers have a clear understanding of who is a regulated entity and what the regulated services are.

1.48 References to 'person' in the SPF have the same meaning as in section 2C of the Acts Interpretation Act 1901, which defines 'person' as encompassing individuals, bodies politic and bodies corporate. Division 7 of the SPF (see below) extends this definition to also cover partnerships, unincorporated associations and trusts.

[Schedule 1, item 1, note 2 to subsections 58AD(1) and (2)]

Other regulated entities and regulated services

1.49 Beyond those entities already discussed, the following entities and services will be regulated entities and regulated services for a regulated sector:

A corporation (as defined in section 4 of the CCA) that carries on or provides a business or service that is part of the regulated sector. That business or service is a regulated service of the regulated entity for the sector.
A person to the extent that the person is carrying on or providing a business or service that is part of the regulated sector, and is either:

- acting using a postal, telegraphic, telephonic or other like service (within the meaning of paragraph 51(v) of the Constitution); or
- acting in the course of, or in relation to, trade or commerce between Australia and places outside Australia, trade or commerce between the States, or trade or commerce within a Territory, between a State or Territory, or between two Territories (noting this reflects various heads of power under the Constitution).

The business or service that is part of the regulated sector, to the extent that it relates to the person acting in that way, is a regulated service of the regulated entity for the sector.

[Schedule 1, item 1, subsections 58AD(2) and (3)]

1.50 These provisions are mainly relevant for future sectors that may be designated under the SPF, beyond the Government's intention to initially designate telecommunications services, banking services, and certain digital platform services.

Exceptions

1.51 The SPF rules may specify that a person is not a regulated entity to the extent the specified exception applies to the person.

[Schedule 1, item 1, paragraph 58AD(4)(a)]

1.52 The SPF rules will set out additional detail in relation to information sharing obligations (see SPF Principle 4: Report). It may be appropriate to exclude certain regulated entities or classes of entities in a regulated sector from these obligations, for example, due to their size or role in the scams ecosystem. The SPF rules may exclude certain entities from these obligations where appropriate, to avoid undue regulatory burden. It is appropriate for this exclusion to sit in the SPF rules, so that the scope of information sharing obligations and their application is specified in the same instrument.

1.53 Similarly, the SPF rules may specify that a business or service is not a regulated service of a person for a regulated sector, to the extent that the specified exception applies to the business or service.

[Schedule 1, item 1, paragraph 58AD(4)(b)]

1.54 This may occur, for example, where an entity within a regulated sector is unlikely to be susceptible to a risk of scam harm due to the limited number of SPF consumers that interact with its services.

1.55 In addition, a Treasury Minister may designate a regulated sector, but exclude the application of specified SPF provisions for particular regulated entities or regulated services within the sector. This is appropriate given the SPF is an economy-wide reform and there may be instances where some of the obligations under the SPF are unsuitable for a particular sector or entity. Without this mechanism, these entities and services could not be designated or would be subjected to undue and disproportionate requirements if they were designated, which would limit the effectiveness and benefits of the SPF.

[Schedule 1, item 1, subsection 58AD(5)]

1.56 For example, the Treasury Minister may designate a particular sector or entity only for the purposes of the information sharing provisions under the SPF. This would allow entities within that sector to report information about suspected scams to the SPF general regulator and obtain information from the SPF general regulator (which could enable the entity to disrupt the scam), without contravening the privacy law.

1.57 The SPF rules or designation instrument may specify or declare an individual person, business or service, or do so by class (see subsection 13(3) of the Legislation Act 2003).

[Schedule 1, item 1, notes to subsections 58AD(4) and (5)]

Meaning of key terms

1.58 The amendments introduce the following key terms to support the operation of the SPF:

'scam';
'SPF consumer'; and
'actionable scam intelligence'.

Meaning of scam

1.59 'Scam' is defined to provide certainty on the scope of harms intended to be captured by the SPF.

1.60 A scam is a direct or indirect attempt (whether or not successful) to engage an SPF consumer of a regulated service where it would be reasonable to conclude that the attempt:

involves deception; and
would, if successful, cause loss or harm including the obtaining of SPF personal information of, or a benefit (such as a financial benefit) from, the SPF consumer or the SPF consumer's associates.

[Schedule 1, item 1, subsection 58AG(1)]

1.61 The elements of the definition of 'scam' are objective in nature and do not require the scammer's state of mind to be established. This definition is deliberately broad to capture the wide range of activities scammers engage in and their ability to adapt and to adopt evolving behaviours over time. The SPF rules can also provide an appropriate safeguard to exclude conduct that is not intended to be captured under the SPF.

1.62 The definition of scam captures both successful scams which have caused loss or harm to an SPF consumer, and scam attempts which have not yet resulted in loss or harm to an SPF consumer. This reflects the obligations in the SPF principles (see Division 2), which require regulated entities to take action against scams, regardless of whether the scam has resulted in loss or harm to an SPF consumer or an associate of the SPF consumer.

1.63 The use of 'attempt' in the definition of scam has its ordinary meaning, which is intended to cover efforts made to engage an SPF consumer. There may be an attempt to engage an SPF consumer even if the attempt is indirect, such as where it is directed at a cohort which includes the SPF consumer or is directed at the public more generally.

1.64 The attempt to engage an SPF consumer may be a single act or a course of conduct.

[Schedule 1, item 1, subsection 58AG(3)]

1.65 Where the attempt to engage an SPF consumer involves ongoing engagement with that consumer, the regulated entity may be required to take several and ongoing steps to, for example, detect and disrupt the scam activity to satisfy its obligations under the SPF principles (see Division 2). For example, if a scam involves a series of phone calls or text messages between the scammer and the SPF consumer over a protracted period of time, the obligation to take reasonable steps to disrupt a scam is intended to apply to the series of conduct, rather than an individual phone call or text message.

1.66 'SPF personal information' means personal information as defined in the Privacy Act and information relating to a person that may be used to access a service or an account, or funds, credit or other financial benefits. This definition therefore includes one-time passwords and verification codes that may be used to access a bank account or social media account.

[Schedule 1, item 5, subsection 4(1)]

1.67 The concept of 'benefit' is broad and includes non-monetary benefits and assets, such as cryptocurrency or loyalty and rewards points.

[Schedule 1, item 1, subparagraph 58AG(1)(b)]

1.68 An 'associate' of an SPF consumer is an associate (within the meaning of section 318 of the ITAA 1936) of the SPF consumer who is a natural person who is in Australia or is ordinarily resident in Australia. This generally includes the entity's relative, spouse, child, a partner of a partnership or a trustee of a trust.

[Schedule 1, item 5, subsection 4(1)]

1.69 The conduct covered within the meaning of scam may interact with other regulatory frameworks, such as the ePayments Code. This is to ensure that key scam typologies including remote access scams and phishing scams are covered by the SPF. The intention is that where there are interactions with other regulatory frameworks, a regulated entity should not be required to compensate for the same loss or damage twice, under two different regimes. However, regulated entities must comply with all relevant requirements under each regime. This ensures that overall, the SPF strengthens protections for consumers affected by scams.

1.70 An attempt will involve deception if the attempt:

deceptively represents something to be, or to be related to, the regulated service;
impersonates a regulated entity in connection with the regulated service;
is an attempt to deceive the SPF consumer into either performing an action using the regulated service or facilitating another person to perform such an action; or
is an attempt to deceive the SPF consumer that is made using the regulated service.

[Schedule 1, item 1, subsection 58AG(2)]

1.71 In practice, these types of conduct may not be mutually exclusive, and often end-to-end scam activity involves a number of these types of conduct. If the attempt in question is consistent with one or more of the four types of conduct, and would, if successful, cause loss or harm to an SPF consumer or their associates, the conduct is a scam. Each of these types of conduct is explained in further detail in the following sections.

Deceptively representing something to be, or to be related to, a regulated service

1.72 The reference to deceptively representing something to be, or to be related to, the regulated service, refers to conduct where a scammer deceives (or attempts to deceive) an SPF consumer by making a representation in relation to a regulated service.

1.73 For example, where the banking sector is a regulated sector, this may include an imposter bond scam, where a scammer impersonates a financial advisor and makes a false representation in relation to a non-existent investment product or bond purportedly offered by a banking entity, in order to obtain a benefit from the consumer. The scammer may demonstrate specialised financial knowledge and provide convincing documents, fake websites and fake information. This type of scam involves deceptively representing something to be related to a regulated service (banking services) by making false representations about the product offered. This is distinct from poor financial advice (which is not considered to be a scam), as in this case the scammer is making false representations about a product, offered through a regulated service, that does not exist. Conversely, poor financial advice may be where a financial advisor recommends a risky or inappropriate strategy by failing to appropriately assess a consumer's circumstances.

[Schedule 1, item 1, paragraph 58AG(2)(a)]

Impersonating a regulated entity in connection with its regulated service

1.74 The reference to impersonating a regulated entity in connection with its regulated service refers to, for example, impersonation scams where a scammer mirrors the brand of the regulated entity to mislead an SPF consumer into providing personal information, transferring money or otherwise providing a benefit to the scammer.

1.75 For example, where the banking sector is a regulated sector, this may include an impersonation scam where a consumer receives a text message that uses the alphanumeric tag of a well-known banking entity. The text message appears in the existing chain of text messages from that entity and notifies the consumer that an irregular payment has been detected. It also provides a phone number to contact. The consumer is told their account has been compromised and their funds need to be transferred to a specific new 'safe' account that has been opened. The consumer then transfers their funds to the scammer. This type of scam involves deceiving a consumer by impersonating the brand of a banking entity in connection with its regulated service (a banking service).

[Schedule 1, item 1, paragraph 58AG(2)(b)]

Deceiving an SPF consumer into performing an action using a regulated service, or facilitating another person to perform such an action

1.76 The reference to deceiving an SPF consumer into performing an action using a regulated service, or facilitating another person to perform such an action includes circumstances where the SPF consumer is deceived into undertaking an action using the regulated service under false pretences.

1.77 This limb includes circumstances where, if the banking sector is a regulated sector, an SPF consumer is deceived into performing an action themselves, for example where an SPF consumer sends money from their bank account to the scammer. It also includes circumstances where an SPF consumer facilitates an action performed by the scammer, for example where an SPF consumer provides a scammer with access to their personal device, or provides personal information or a one-time passcode over the phone that is then used by the scammer to make a transfer of money. As the SPF consumer has facilitated the action performed by the scammer, this comes within the meaning of involving deception and is therefore a scam.

[Schedule 1, item 1, paragraph 58AG(2)(c)]

Deceiving an SPF consumer using a regulated service

1.78 An attempt will involve deception where a scammer uses a regulated service to make a false representation or to otherwise deceive an SPF consumer.

1.79 For example, where paid search advertising services are a regulated sector, this would include false advertisements that trick consumers into providing their personal information or transferring money. Where telecommunications services are a regulated service, this would include circumstances where text messages or phone calls are used to initiate contact between a scammer and an SPF consumer to deceive the consumer.

[Schedule 1, item 1, paragraph 58AG(2)(d)]

SPF rules may prescribe attempts that are not scams

1.80 The SPF rules may prescribe specific kinds of attempts to engage an SPF consumer of a regulated sector that are not scams for the purposes of the SPF. This empowers a Treasury Minister, by legislative instrument, to exclude specific activities or conduct that are not intended to fall within the broad scope of the definition of a 'scam'. This power is not able to expand on what a scam is for the purpose of the SPF - it may only limit the definition.

[Schedule 1, item 1, subsections 58AG(4) and 58GE(1)]

1.81 Examples of exclusions from the meaning of scam may include:

certain subsets of fraud that involve dishonestly obtaining a benefit without any action from the consumer (such as credit card fraud);
cybercrime (including information obtained as part of a data breach or hack);
certain conduct regulated under anti-money laundering and counter-terrorism financing legislation;
misleading and deceptive conduct in trade or commerce, as defined in Schedule 2 to the CCA; or
performing a transaction under the threat of imminent violence (such as burglary or mugging).

Examples of attempts that may be considered a scam

1.82 Without limiting what may be considered a scam for the purposes of the SPF, some examples of attempts that may be considered a scam and an example that may not be considered a scam for the purposes of the SPF are outlined below. It is assumed that the businesses and services being described in the examples are regulated by the SPF.

Example 1.1 Scam attempt that is not successful

An SPF consumer is exposed to an online advertisement prompting them to invest in financial products, with the promise of high returns. The advertised product does not exist and is an attempt to deceive potential consumers into transferring funds to the advertiser's account. The SPF consumer considers this to be 'too good to be true' so they do not transfer money from their bank account for the product.

Scam: This is a scam because it is an attempt to deceive the SPF consumer using a regulated service (display advertising). This is because a scammer uses a fake advertisement to attempt to engage an SPF consumer into believing that they are obtaining investment products that do not exist. This is also an attempt to deceive the SPF consumer into performing an action using a regulated service (by transferring money from their bank account to the scammer). While the attempt in the example was not successful, it still meets the definition of a scam because it would cause loss or harm if successful, in the form of financial loss in seeking to obtain non-existent investment products.
In this example, SPF obligations are triggered in relation to the display advertising service used to attempt to deceive the consumer. SPF obligations may also be triggered in relation to the banking entity to take preventative steps, if it is reasonable to do so in the circumstances.

Example 1.2 Successful scam that involves ongoing conduct across multiple sectors
An SPF consumer gets contacted on a social media platform seeking a relationship. The profile, operated by a scammer, fosters a fake relationship with the consumer and takes the communication 'offline' to SMS.
Over weeks or months, the SPF consumer is deceived into believing they have built a relationship and trust with the scammer. The scammer then discloses that they have been in an accident and urgently need money, which is paid by the SPF consumer to the scammer via bank transfer. The SPF consumer begins expressing suspicion about the money, after which they never hear from the scammer again.

Scam: This is a scam because it is an attempt to deceive the SPF consumer using a regulated service, including both the social media service as the original communication channel and subsequently via SMS. The scammer creates a fake profile posing as a fictitious person to convince a consumer to send money through a financial transaction. This creates several touchpoints to regulated entities across the life of the scam. These are attempts to deceive the SPF consumer using a regulated service (initially social media messaging and then shifting to a telecommunications service), with the consumer also deceived into performing an action using a regulated service by transferring money via their bank account to the scammer.
This ongoing engagement in its entirety is a scam, which triggers the relevant obligations under the SPF for each regulated entity involved (social media messaging, telecommunications, and banking).

Example 1.3 Conduct that involves consumer-facilitated action
An SPF consumer is contacted by a third party using a telecommunications service offering to check their broadband. The consumer downloads a remote access tool and then makes a small payment from their banking app on the same device to pay for the 'service'. The scammer then uses the remote access tool to make further large transactions using the banking service through the consumer's device.

Scam: This course of conduct is a scam because an SPF consumer has been deceived into facilitating an action performed by the scammer, by downloading a remote access tool which is then used by the scammer to make transactions through the consumer's device. There is also an attempt to deceive the SPF consumer using the regulated service (telecommunications) and an attempt to deceive the SPF consumer into facilitating an action performed by the scammer using a regulated service (banking service).
In this example, SPF obligations are triggered in relation to the telecommunications service provider because the telecommunications service was used to deceive the consumer into facilitating an action (downloading the remote access tool). SPF obligations are also triggered in relation to the banking entity as its banking service was used by the scammer to perform the action of making large transactions out of the SPF consumer's account. Although the consumer's action of downloading the remote access tool was not made using a regulated service, the action subsequently performed by the scammer is using a regulated service (banking) and therefore the SPF obligations apply in relation to that activity.

Example 1.4 Conduct that involves consumer-facilitated action
An SPF consumer receives a text message using a telecommunications service purporting to be from a trusted postal service, asking them to confirm their credit card details. The consumer clicks a link and provides their credit card details. The scammer then uses the credit card details to make online purchases.

Scam: This course of conduct is a scam because there is an attempt to deceive the consumer that is made using a regulated service (telecommunications service) and an attempt to deceive the consumer into facilitating an action performed by the scammer using a regulated service (banking service). The SPF consumer has facilitated online purchases made by the scammer using a banking service, by providing their credit card credentials.
In this example, SPF obligations are triggered in relation to the activity on the telecommunications service used to deceive the consumer. SPF obligations are also triggered in relation to the banking service as this was the service used by the scammer, as facilitated by the consumer, to perform the action of making online purchases.

Example 1.5 Not a scam for the purposes of the SPF - Conduct already regulated by consumer law
An SPF consumer is looking to buy a trailer and comes across an advertisement on the internet for a trailer. The advertisement is from a legitimate business. The SPF consumer visits the legitimate business website and calls the dealer to place a deposit and settle the details of the payment. They agree that the SPF consumer will pay using a direct transfer. The SPF consumer makes the payment but does not receive the trailer within the agreed time.

Scam: This does not fall within the definition of a scam as there was no deceptive impersonation of a regulated entity or attempt to deceive the consumer into facilitating an action using the regulated service. The consumer made a payment via bank transfer for the intended purpose and did not engage in the payment on false pretences. The issues in relation to the delay in receiving the trailer may be dealt with in other consumer law provisions.

Meaning of SPF consumer

1.83 The amendments introduce the concept of an 'SPF consumer'. The obligations imposed on regulated entities are often in relation to an SPF consumer. This is intended to clearly set out the scope of obligations under the SPF and who they are designed to protect.

1.84 An SPF consumer of a regulated service is:

a natural person, or a small business operator, who is or may be provided or purportedly provided the service in Australia; or
a natural person who is ordinarily resident in Australia and is or may be provided or purportedly provided the service outside of Australia by a regulated entity that is either an Australian resident or is providing or purportedly providing the service through a permanent establishment in Australia.

[Schedule 1, item 1, subsections 58AH(1) and (2)]

1.85 The meaning of 'Australian resident' and 'permanent establishment' with respect to the regulated entity in this context leverages the existing established definitions in the ITAA 1997.

1.86 An SPF consumer is intended to cover any natural person or small business operator who is in Australia when they are provided the regulated service, regardless of where that service is based (for example, the regulated service may be based overseas). This includes natural persons who are only temporarily in Australia. The definition is also intended to cover any natural person who is ordinarily resident in Australia but is overseas when they are provided a regulated service that is based in Australia.

1.87 For example, an SPF consumer could be (assuming the following services are regulated services):

an Australian resident in Australia using either an Australian-based or overseas-based messaging service that is offered in Australia;
a person ordinarily resident in Australia who is overseas but using an Australian-based banking service; or
a tourist visiting Australia using an Australian-based or overseas-based telecommunication service that is offered in Australia.

1.88 It is not intended that a foreign entity will be regulated with respect to consumers in foreign markets. For example, where an Australian consumer is overseas and is impacted by a scam on a social media service offered by an entity based overseas, this is not intended to be within the scope of the SPF.

1.89 Small businesses are not excluded from being SPF consumers based on their corporate structure. The small business may be in the form of a sole trader, company, unincorporated association, partnership or trust.

[Schedule 1, item 1, note 2 to subsection 58AH(2)]

1.90 However, whether a small business is a small business operator for the purposes of the SPF will differ slightly depending on whether the small business is a body corporate or not.

1.91 If a small business is a body corporate, it is a small business operator if it meets all of the following conditions:

the sum of the business' employees and the employees of any body corporate related to the business, is less than 100 employees;
the annual turnover of the business during the last financial year is less than $10 million; and
the business has a principal place of business in Australia.

[Schedule 1, item 1, subsection 58AH(5)]

1.92 If a small business is not a body corporate, it is a small business operator if it meets all of the following conditions:

the business has less than 100 employees;
the annual turnover of the business, worked out as if the person were a body corporate, during the last financial year is less than $10 million; and
the business has a principal place of business in Australia.

[Schedule 1, item 1, subsection 58AH(5)]

1.93 The meaning of annual turnover and related body corporate in this context leverages the existing and established definitions in the Corporations Act.

[Schedule 1, item 1, subsection 58AH(5)]

1.94 A small business operator that is an SPF consumer at the time it is impacted by a scam continues to be an SPF consumer for that time, even if, for example, that business later has 100 or more employees.

[Schedule 1, item 1, note 1 to subsection 58AH(2)]

1.95 As stated above, an SPF consumer of a regulated service is a particular kind of person to whom the regulated service is or may be provided or purportedly provided. This includes, but is not limited to, the provision or purported provision of a regulated service:

directly or indirectly to the SPF consumer;
whether or not under a contract, arrangement or understanding with the SPF consumer;
whether or not the provider of the service knows that the person is an SPF consumer; or
that involves the supply of goods.

[Schedule 1, item 1, subsection 58AH(3)]

1.96 A person can be an SPF consumer of a regulated service even if they do not have a direct customer relationship with the regulated entity providing or carrying on that regulated service for the regulated sector. This reflects that an individual's experience with a scam is often not limited to entities the individual has a direct customer relationship with. For example:

where an individual makes a payment to the scammer which is received by a banking service that the individual does not have a direct customer relationship with; or
where an individual is deceived through an impersonation scam involving an entity that the individual does not have a direct customer relationship with; or
where an individual receives a phone call or text message from a scammer, from a carriage service provider or intermediary that the individual does not have a direct customer relationship with.

1.97 SPF codes may set out more specific obligations on regulated entities, which could include obligations that relate to certain classes of SPF consumers. An example of such a class is SPF consumers that have a direct customer relationship with the regulated entity. This reflects that it may not be appropriate or practical to extend certain obligations beyond SPF consumers with a direct customer relationship with the regulated entity.

1.98 Without limiting who may be considered an SPF consumer of a regulated service, some examples are outlined below. It is assumed that the businesses and services being described in the examples are regulated under the SPF.

Example 1.6 SPF consumer - No direct relationship or contract

An individual observes a fraudulent advertisement impersonating a known banking entity selling a banking service on a social media service. The individual is not a direct customer of the banking entity and does not hold an account to use the banking service. The individual holds an account with the social media service provider.

SPF consumer: The individual is an SPF consumer of the banking service being impersonated by the fraudulent advertisement, and the social media service. This is because while the individual does not have a direct contract with the banking service, its banking service may be provided to the individual. The individual is also an SPF consumer of the social media service, as they directly hold an account and receive the service from the provider.
In this example, SPF obligations are triggered in relation to the banking entity and the social media service provider. However, as the banking entity does not have a direct relationship with the SPF consumer, it is likely that the reasonable steps it may take in relation to preventing, detecting, disrupting and responding to the scam may be more limited than the social media service provider who has a direct relationship with the SPF consumer. For example, if the banking entity has actionable scam intelligence regarding the impersonation scam, it may be expected to engage with the social media service provider to request the content be removed, and issue public warnings to notify the community that there is a scam advertisement impersonating its brand. In contrast, the social media service provider may be expected to take more direct steps to identify impacted SPF consumers and remove the advertisement.

Example 1.7 Indirect relationship involving the supply of goods and services
An individual receives a scam text message impersonating the Australian Taxation Office in relation to outstanding taxes.

SPF consumer: A text message from a scammer to an individual involves one or more carriage services, as it may need to be carried by one or more transit (or intermediary) carriage services. A transit carrier or carriage service provider may or may not know whether the services it provides are to an SPF consumer through another entity. However, it is assumed that the transit carrier service is being provided indirectly to an SPF consumer (unless otherwise known) and therefore the individual is an SPF consumer of the sending carriage service provider (used by the scammer to send the text message), the receiving carriage service provider (the SPF consumer's telecommunications service provider) and any intermediaries (used to facilitate the message being received by the SPF consumer).
As a result, transit carriers or carriage service providers that connect other transit carriers or carriage service providers and International Operators to pass call traffic or SMS traffic between them will need to treat the service they are providing as having one or more SPF consumers. This is unless the transit carrier or carriage service provider knows the transited call or SMS is not being directly provided to or for an SPF consumer.
In this example, SPF obligations are triggered in relation to the transit carrier and carriage service provider. However, as the transit carrier does not have any direct engagement with the SPF consumer, it may have more limited means to detect or validate the legitimacy of the traffic, although it may be better equipped to take preventative action. This will be a relevant consideration in determining reasonable steps in the context of satisfying the SPF principles.

Example 1.8 Australian resident accessing a service overseas
A person ordinarily resident in Australia who is overseas is using a social media service to check for updates. The individual comes across a scam advertisement impersonating a well-known figure, clicks on the link and makes a payment through their Australian banking service.

SPF consumer: The individual is an SPF consumer for the purposes of the banking service. This is because although they are accessing the service overseas, the banking entity is an Australian resident and providing the service through a permanent establishment in Australia. The individual is not an SPF consumer for the purposes of the social media service, as the social media service provider does not meet Australian residency requirements and the content is being accessed overseas.
In this example, SPF obligations are triggered in relation to the banking service only, and protection to the SPF consumer under the SPF will only apply in relation to the course of conduct involving the Australian banking service.

1.99 A person is not an SPF consumer of the regulated service if a condition prescribed by the SPF rules applies to the person in relation to regulated services of that kind.

[Schedule 1, item 1, subsection 58AH(4)]

1.100 To avoid doubt, an 'SPF consumer' under the SPF is distinct from a 'consumer' as defined in section 4B of the CCA.

[Schedule 1, item 1, subsection 58AH(6)]

Meaning of actionable scam intelligence

1.101 Several obligations in the SPF relate to a regulated entity having actionable scam intelligence.

1.102 A regulated entity identifies or has actionable scam intelligence if and when there are reasonable grounds for the entity to suspect that a communication, transaction or other activity relating to, connected with, or using a regulated service of the entity is a scam.

[Schedule 1, item 1, section 58AI]

1.103 As this definition relies on the meaning of scam, it is inherently tied to information about an SPF consumer.

1.104 A regulated entity may receive or identify actionable scam intelligence from a range of sources, including (but not limited to):

a report about a scam made to a regulated entity;
information provided by SPF regulators; or
a regulated entity's own investigation into suspected scam activity.

1.105 Whether there are reasonable grounds for an entity to suspect that an activity is a scam is an objective test. Rather than a requirement to have formed a suspicion, the test is whether it is reasonable in the circumstances for the regulated entity to form a suspicion.

[Schedule 1, item 1, note 1 to section 58AI]

1.106 Relevant information that may lead a regulated entity to have reasonable grounds to suspect that an activity is a scam includes:

information about the mechanism or identifier being used to scam SPF consumers, such as URLs, email addresses, phone numbers, social media profiles, digital wallets and bank account information of the scam promoters;
information about the suspected scammer; and
information (including complaints) provided by SPF consumers.

[Schedule 1, item 1, note 1 to section 58AI]

1.107 For example, a regulated entity (such as a banking entity offering a banking service) receives several consumer reports about a phishing scam tricking consumers into making a payment that is not owed. The consumer reports indicate that the phishing scam originates via text message, with a link that sends consumers to a fraudulent website impersonating the brand of the regulated entity. The regulated entity does not communicate with consumers via text message and observes that the website link is fraudulent. In this case, the regulated entity has actionable scam intelligence because there are reasonable grounds to suspect that an activity related to its regulated service is a scam. The actionable scam intelligence may include the phone numbers used to send messages to the SPF consumers, the website where payments were facilitated and the bank account the SPF consumers were asked to make payments to.

1.108 Actionable scam intelligence may include information about how other entities and services are being used to facilitate scam activity, as long as there is a connection between the scam and the regulated service of the regulated entity holding the information. This includes information about sectors that are not regulated under the SPF. In the example above, the regulated entity holds information about the digital platform hosting the website, telecommunications providers and other banking services. This information all forms part of the actionable scam intelligence that the regulated entity has, because the information relates to a scam that uses a regulated service of the regulated entity.

1.109 A regulated entity has several obligations under the SPF in relation to actionable scam intelligence. For example, SPF Principle 4: Report includes requirements for regulated entities to provide the SPF general regulator with reports of and about actionable scam intelligence if required by the SPF rules. SPF Principle 5: Disrupt includes requirements for regulated entities to take reasonable steps to disrupt scams on receipt of actionable scam intelligence. Gathering and reporting this information is intended to minimise the harm to SPF consumers from scams.

[Schedule 1, item 1, note 2 to section 58AI]

Extension to external territories

1.110 Each SPF provision extends to every external Territory. SPF provisions are:

provisions of Part IVF (about the SPF);
provisions of legislative instruments made under Part IVF (including the SPF rules and SPF codes);
provisions of the CCA to the extent that they relate to a provision of Part IVF or a provision of a legislative instrument made under Part IVF; and
provisions of the Regulatory Powers Act to the extent they apply in relation to a provision of Part IVF or a provision of a legislative instrument made under Part IVF.

[Schedule 1, item 1, subsection 58AJ(1)]

1.111 The SPF provisions also extend to acts, omissions, matters and things outside of Australia.

[Schedule 1, item 1, subsection 58AJ(2)]

Application to acts done by agents of regulated entities

1.112 If an element of the SPF provisions is done by or in relation to agents of regulated entities and section 97 of the Regulatory Powers Act is applicable, the conduct is also attributed to the regulated entities.

[Schedule 1, item 1, subsection 58AK(1)]

1.113 If an element of the SPF provisions is done by a person in relation to an agent who is acting on behalf of a regulated entity, and the agent is acting within the scope of their actual or apparent authority, the conduct is also taken as having been done in relation to the regulated entity.

[Schedule 1, item 1, subsection 58AK(2)]

Division 2 - Overarching principles of the SPF

1.114 The simplified outline in Division 2 provides that:

All regulated entities must comply with the overarching principles of the SPF.
These principles require each regulated entity to document and implement governance arrangements to combat scams and take reasonable steps to prevent, detect, report, disrupt and respond to scams relating to, connected with, or using the entity's regulated service.
Obligations contained in the SPF principles are civil penalty provisions. Compliance with the SPF principles will be monitored, investigated and enforced by the ACCC as the SPF general regulator. Division 6 of the SPF sets out further remedies for non-compliance with these provisions.

[Schedule 1, item 1, section 58BA]

1.115 The SPF principles will generally be supported by an SPF code for each regulated sector. An SPF code is a legislative instrument which will set out detailed and sector-specific obligations relating to the SPF principles (excluding SPF Principle 4: Report).

1.116 SPF codes are intended to ensure that there are robust and targeted obligations for each regulated sector, recognising their different roles in the scams ecosystem and the differing action that is needed by each sector to combat scams. The SPF codes are expected to include more tailored obligations that a regulated entity must comply with to support their compliance with the SPF principles.

Meaning of reasonable steps

1.117 The SPF principles are principle-based obligations that require a regulated entity to take a comprehensive approach to compliance. Accordingly, a number of the provisions in the SPF principles require a regulated entity to take 'reasonable steps'. This includes the requirement to take reasonable steps to prevent scams from being committed in section 58BJ and the requirement to take reasonable steps to detect a scam relating to, connected with, or using a regulated service of the entity in section 58BM.

1.118 Whether a regulated entity has taken reasonable steps is an objective assessment that depends on the particular facts and circumstances. Relevant matters to be considered in determining whether a regulated entity has taken reasonable steps include:

the size of the entity;
the regulated services of the entity;
the consumer base of those services;
the kinds of scam risks those services face; and
whether the entity has complied with any relevant SPF code obligations relating to the provision concerned.

[Schedule 1, item 1, section 58BB]

1.119 The factors in determining reasonable steps are to be considered collectively, rather than in isolation.

1.120 All regulated entities must comply with the 'reasonable steps' obligations under the SPF, subject to any applicable exceptions or carve outs in the SPF rules or designation instrument. However, how they give effect to the obligations may differ depending on the matters set out above.

1.121 For example, the size of the entity may reflect its capability to implement measures to address scams. While some larger entities may be able to make direct changes to systems and processes to fulfil their obligations under the SPF, other entities may have to manage arrangements with third party service providers that manage processes and systems. The reasonable steps test recognises that different sized entities may appropriately meet their obligations in different ways.

1.122 An assessment of reasonable steps also involves consideration of what is practical in the circumstances, having regard, for example, to the regulated service provided by the entity. If a transit carrier, or another regulated entity without any direct engagement with an SPF consumer, has limited or no means to detect or validate the legitimacy of an interaction, and could not take steps to do so, this would be a relevant factor in determining what the reasonable steps are in the circumstances for the purposes of the relevant SPF principles.

1.123 The principles-based nature of these obligations goes beyond requiring only strict administrative steps, which may not otherwise be effective to prevent and respond to scams impacting SPF consumers. By requiring a regulated entity to take reasonable steps (which depend on the particular facts and circumstances), the SPF principles ensure the integrity of a regulated entity's response to scams, regardless of the kind of entity it is or the nature of the scams impacting that entity. This also reflects that the SPF is designed to be an economy-wide framework that is flexible enough to apply across entities in differing sectors that face unique scams-related challenges.

1.124 The meaning of reasonable steps makes clear that compliance with any relevant SPF code obligations is a relevant factor in determining whether a regulated entity has taken reasonable steps for the purposes of meeting a relevant SPF principle. This reflects that a regulated entity is required to comply with the SPF code for its sector and the matters that an SPF code can deal with must be consistent with the SPF principles.

1.125 However, given the SPF will apply to a diverse range of entities, both across and within regulated sectors, it is not intended that the SPF codes will set out an exhaustive list of requirements that would be reasonable for every entity in every set of circumstances. Consequently, compliance with SPF code obligations will not automatically equate to compliance with the corresponding SPF principles.

1.126 While compliance with the SPF code provisions may be sufficient to satisfy compliance with the SPF principles in certain circumstances, there may be cases where it is reasonable for a regulated entity to take additional steps beyond SPF code obligations. This may occur, for example, where an entity is facing a specific, targeted and heightened risk that requires action above and beyond the sector-wide measures set out in the SPF code.

SPF Principle 1: Governance

1.127 The simplified outline in Subdivision B of Division 2 provides that:

Regulated entities must document and implement governance policies, procedures, metrics and targets for combatting scams relating to, connected with, or using a regulated service of the entity.
These policies, procedures, metrics and targets must be certified annually by a senior officer of the entity.
Regulated entities must keep records in relation to their SPF governance policies and procedures and share these with the SPF general regulator or applicable SPF sector regulator upon request.
An SPF code for a regulated sector may include sector-specific obligations for this SPF principle, which a regulated entity in that sector must also comply with.

[Schedule 1, item 1, section 58BC]

Developing and implementing policies, procedures, metrics and targets

1.128 A regulated entity must:

document and implement governance policies and procedures that set out the entity's approach to scam prevention, detection, disruption, response and reporting, in relation to scams relating to, connected with, or using the entity's regulated services for the sector; and
develop and implement performance metrics and targets to measure the effectiveness of its governance policies and procedures, and comply with any requirements prescribed by the SPF rules.

[Schedule 1, item 1, subsection 58BD(1)]

1.129 Policies and procedures may include the steps an entity is taking to:

comply with SPF provisions;
identify actionable scam intelligence;
assess and address the risk of scams relating to, connected with, or using the entity's regulated services for the sector; and
meet performance metrics and targets developed for those policies and procedures.

1.130 Failure to comply with this obligation may attract a civil penalty. Subdivision C of Division 6 deals with civil penalty provisions. Further information is set out under the heading 'Division 6 - Enforcing the SPF'.

[Schedule 1, item 1, subsection 58BD(2)]

Annual certification requirements

1.131 A regulated entity's SPF governance policies, procedures, metrics and targets must be approved by a senior officer of the entity in writing on an annual basis. This approval must state whether those governance policies, procedures, metrics and targets comply with this SPF principle for the regulated sector.

[Schedule 1, item 1, subsection 58BE(1)]

1.132 This requirement ensures that regulated entities consider and approve their governance arrangements at least on a yearly basis, so they remain fit for purpose over time.

1.133 The approval by the senior officer must occur within 12 months of the day the entity becomes a regulated entity for the sector and within seven days after each 12-month anniversary of that day.

[Schedule 1, item 1, paragraphs 58BE(1)(a) and (b)]

1.134 As the SPF could apply to a range of businesses with varying structures, 'senior officer' is intended to apply broadly and is defined as an 'officer' or 'senior manager' within the meaning of the Corporations Act. For example, this includes a director or secretary of a company, a partner in a partnership or an office holder of an unincorporated association.

[Schedule 1, item 5, subsection 4(1)]

1.135 Failure to comply with this obligation may attract a civil penalty. Subdivision C of Division 6 deals with civil penalty provisions. Further information is set out under the heading 'Division 6 - Enforcing the SPF'.

[Schedule 1, item 1, subsection 58BE(2)]

Record-keeping requirements

1.136 A regulated entity must keep records of information of a material nature relating to activities taken to comply with certain obligations under the SPF for at least six years. These records include information on:

the initial documenting, and each revision of the documenting, of the entity's SPF governance policies, procedures, metrics and targets;
the initial implementation, and each reimplementation, of those SPF governance policies, procedures, metrics and targets by the entity;
each consideration (including certification) by the entity's senior officer of those SPF governance policies, procedures, metrics and targets, including in relation to their documenting, implementation and review; and
any other activities that are prescribed by the SPF rules.

[Schedule 1, item 1, subsection 58BF(1)]

1.137 The requirement to keep records of information of a 'material nature' ensures entities are not required to keep records of documents that are inconsequential to these activities. For example, an entity may not be required to retain every meeting invitation, email, or text message relating to the above matters. Rather, it is intended to ensure that only relevant and meaningful information about those matters is kept.

1.138 Failure to comply with this obligation may attract a civil penalty. Subdivision C of Division 6 deals with civil penalty provisions. Further information is set out under the heading 'Division 6 - Enforcing the SPF'.

[Schedule 1, item 1, subsection 58BF(2)]

Providing information about governance arrangements to an SPF regulator

1.139 Copies of a regulated entity's SPF governance policies, procedures, metrics and targets, and any other records the entity is required to keep under this SPF principle, must be given to the SPF general regulator and the relevant SPF sector regulator upon written request. The regulated entity must comply with the request within 10 business days after receiving the request, or a longer period as allowed by the SPF regulator.

[Schedule 1, item 1, subsection 58BG(1)]

1.140 This requirement allows for effective regulation and enforcement of this SPF principle and any SPF code relating to this principle for the regulated sector.

1.141 Failure to comply with this obligation may attract a civil penalty. Subdivision C of Division 6 deals with civil penalty provisions. Further information is set out under the heading 'Division 6 - Enforcing the SPF'.

[Schedule 1, item 1, subsection 58BG(2)]

Sector-specific obligations relating to SPF Principle 1: Governance

1.142 An SPF code may be made for a regulated sector setting out detailed, sector-specific obligations consistent with this SPF principle.

[Schedule 1, item 1, section 58BH]

1.143 An SPF code may include, for example, sector-specific provisions about governance arrangements, including:

the policies and procedures to be documented;
the implementation of policies and procedures;
the development of performance metrics and targets;
the certification of these policies, procedures, metrics and targets;
the publication of information about these policies, procedures, metrics and targets;
record keeping of compliance with the SPF provisions; and
reporting about compliance with this SPF principle.

SPF Principle 2: Prevent

1.144 The simplified outline in Subdivision C of Division 2 provides that:

Regulated entities must take reasonable steps to prevent scams relating to, connected with, or using a regulated service of the entity.
An SPF code for the sector may include sector-specific provisions in relation to this SPF principle.

[Schedule 1, item 1, section 58BI]

1.145 This SPF principle is aimed at stopping scams from reaching or impacting SPF consumers, rather than stopping or identifying scams that are already underway (covered in SPF Principle 3: Detect and SPF Principle 5: Disrupt).

1.146 This means that the reasonable steps a regulated entity may take to meet its obligations under this SPF principle may include steps to educate its consumers, educate its staff, and implement robust measures or processes to prevent scammers from accessing or using its regulated service in any way to perpetrate scams.

Overarching obligation to take reasonable steps to prevent scams

1.147 Under this SPF principle, a regulated entity must take reasonable steps to prevent another person from committing a scam relating to, connected with, or using a regulated service of the entity.

[Schedule 1, item 1, subsection 58BJ(1)]

1.148 The provisions in Division 7 of the amendments extend the meaning of 'person' for partnerships, unincorporated associations and trusts.

[Schedule 1, item 1, note to subsection 58BJ(1)]

1.149 A contravention of this obligation does not occur merely because an individual scam has not been prevented. Whether a regulated entity meets the obligation in taking reasonable steps to prevent scams is an objective test which will depend on the circumstances, including the relevant matters set out in section 58BB (about the meaning of reasonable steps). The SPF code for a regulated sector may also include sector-specific provisions describing what are reasonable steps for the purposes of this obligation.

1.150 In addition to those matters, taking reasonable steps in this context requires more than merely acting on actionable scam intelligence that is provided to the regulated entity. This makes clear that in complying with this obligation, a regulated entity must be proactive and take a comprehensive approach to prevent scams as they relate to, connect with, or use the entity's regulated service or services.

[Schedule 1, item 1, subsection 58BK(1)]

1.151 Reasonable steps in this context may include (but are not limited to):

introducing additional identity verification requirements for new accounts to use the regulated service;
providing warnings to SPF consumers about scams related to, connected with or using the regulated service and steps that SPF consumers can take to minimise the risk of harm;
proactively seeking out information and data from other sources on emerging scams, to understand scam trends and identify whether there are any particular vulnerabilities associated with the regulated service; and
training staff on emerging scams to assist them in identifying and responding to scams.

1.152 Failure to comply with this obligation may attract a civil penalty. Subdivision C of Division 6 deals with civil penalty provisions. Further information is set out under the heading 'Division 6 - Enforcing the SPF'.

[Schedule 1, item 1, subsection 58BJ(2)]

Sector-specific obligations relating to SPF Principle 2: Prevent

1.153 An SPF code may be made for a regulated sector setting out detailed, sector-specific obligations consistent with this SPF principle.

[Schedule 1, item 1, subsection 58BK(2)]

1.154 An SPF code may, for example, include sector-specific provisions:

describing what reasonable steps are to prevent scams;
requiring each regulated entity for that sector to identify its SPF consumers that are at risk, or who have a higher risk, of being targeted by a scam; or
requiring each regulated entity for the sector to provide information about such scams to an SPF consumer at risk, or who have a higher risk, of being targeted.

[Schedule 1, item 1, subsection 58BK(2)]

1.155 An SPF code may therefore require an entity to identify classes of its SPF consumers that are at a heightened risk of scams, so that additional preventative steps can be taken with respect to these consumers where appropriate. This may include consideration of how an SPF consumer is using the regulated service or specific vulnerabilities the consumer may have that could be targeted by a scammer.

1.156 The obligations included in any SPF code made for a regulated sector are not intended to be exhaustive in relation to the reasonable steps the regulated entity for the sector must take. A regulated entity may still be in breach of their obligations under the SPF principles even if they comply with the obligations in an SPF code, although compliance with the SPF code obligations is a relevant factor in considering whether a regulated entity has taken reasonable steps.

SPF Principle 3: Detect

1.157 The simplified outline in Subdivision D of Division 2 provides that:

Regulated entities must take reasonable steps to detect scams, which includes timely investigations of activities that are the subject of its actionable scam intelligence and identifying SPF consumers that are or may have been impacted by such activities in a timely way.
An SPF code for the sector may include sector-specific obligations in relation to this SPF principle.

[Schedule 1, item 1, section 58BL]

1.158 A regulated entity's obligations under this SPF principle are linked to and flow through other obligations in the SPF principles. For example, identifying suspected scams through detection activities triggers the:

obligation to report actionable scam intelligence to the SPF general regulator under SPF Principle 4: Report; and
obligation to take reasonable steps to disrupt scam activity under SPF Principle 5: Disrupt.

Overarching obligation to take reasonable steps to detect scams

1.159 A regulated entity must take reasonable steps to detect a scam related to, connected with, or using an entity's regulated service. This includes (but is not limited to) taking reasonable steps to detect such scams as they are happening or after they have happened, regardless of whether an SPF consumer or their associate has already incurred a loss or no loss has yet occurred.

[Schedule 1, item 1, subsections 58BM(1) and (3)]

1.160 The obligation to take reasonable steps to detect a scam as it is happening reflects that a scam may extend over a long period of time. For example, a scam advertisement may be available on a digital platform service for an extended period of time, so the obligation to take reasonable steps to detect scams as they are happening will apply in this context over the period of time that the advertisement is available.

1.161 The obligation to take reasonable steps to detect a scam after it has happened supports broader disruptive and preventative activity. For example, where an SPF consumer has made a payment to a scammer using a regulated service, it is important that the regulated entity takes reasonable steps to detect that activity to ensure that steps can be taken to protect that consumer from further harm, and to protect other consumers.

1.162 Some regulated entities may have more limited means to detect scams than others, particularly those without direct relationships with SPF consumers. For example, in the telecommunications sector where there are multiple parties involved in the delivery of a telecommunications call or SMS, typically, only the originating carriage service provider will have visibility over a customer's rights to use a number, and therefore will have the greatest ability to detect scams.

1.163 A contravention of this obligation does not occur merely because an entity fails to detect a single scam. Whether an entity has taken reasonable steps is an objective test that will depend on the particular circumstances, including the relevant matters in section 58BB (about the meaning of reasonable steps). The SPF code for a regulated sector may also include sector-specific provisions describing what are reasonable steps for the purposes of this obligation.

1.164 Depending on the circumstances, taking reasonable steps to detect scams may involve (but is not limited to) detecting scams using:

information received in consumer reports;
actionable scam intelligence received from the SPF general regulator;
the entity's internal systems which flag higher risk transactions or suspicious activity.

1.165 Failure to comply with this obligation may attract a civil penalty. Subdivision C of Division 6 deals with civil penalty provisions. Further information is set out under the heading 'Division 6 - Enforcing the SPF'.

[Schedule 1, item 1, subsection 58BM(2)]

Investigating actionable scam intelligence

1.166 Where a regulated entity has actionable scam intelligence about an activity relating to, connected with, or using the entity's regulated service, the entity must take reasonable steps to investigate whether the activity is a scam within 28 days. This 28-day period starts on the day the intelligence became actionable scam intelligence for the entity, which is the day the entity has reasonable grounds to suspect the activity to be a scam.

[Schedule 1, item 1, subsection 58BN(1)]

1.167 This 28-day period is consistent with the safe harbour in section 58BZA for actions taken to disrupt an activity while investigating whether the activity is a scam (see SPF Principle 5: Disrupt). This ensures that a regulated entity is required to take reasonable steps to investigate actionable scam intelligence during the same period in which the safe harbour protection applies.

1.168 This obligation is designed to ensure regulated entities act on actionable scam intelligence within a reasonable period.

1.169 A contravention of this obligation does not occur merely because the regulated entity fails to conclude whether or not the actionable scam intelligence is associated with scam activity in 28 days. Whether a regulated entity meets this obligation is an objective test that will depend on the circumstances, including consideration of the matters set out in section 58BB (about the meaning of reasonable steps). The SPF code for a regulated sector may also include sector-specific provisions describing what reasonable steps are for the purposes of this obligation.

1.170 If, after taking reasonable steps to investigate whether actionable scam intelligence about an activity is a scam, the regulated entity has not been able to come to a conclusion within 28 days, the safe harbour protection for disruptive action in section 58BZA will no longer apply. However, the regulated entity will still be required to comply with the overarching obligation to take reasonable steps to detect scam activity and is therefore expected to continue to take steps to act on the actionable scam intelligence.

1.171 Failure to comply with this obligation may attract a civil penalty. Subdivision C of Division 6 deals with civil penalty provisions. Further information is set out under the heading 'Division 6 - Enforcing the SPF'.

[Schedule 1, item 1, subsection 58BN(2)]

Identifying impacted SPF consumers

1.172 If a regulated entity has actionable scam intelligence about an activity relating to, connected with, or using a regulated service of the entity, the entity must take reasonable steps in a reasonable time to identify the persons who were SPF consumers of that service at the time when the persons were or may have been impacted by the activity.

[Schedule 1, item 1, subsection 58BO(1)]

1.173 It will generally be reasonable for a regulated entity to identify SPF consumers with whom they have a direct customer relationship under this obligation. However, given the broad definition of SPF consumers and depending on the circumstances, it may not be reasonable for a regulated entity to identify every impacted SPF consumer, particularly those that do not have a direct customer relationship with the regulated entity.

1.174 A contravention of this obligation does not occur merely because the regulated entity has failed to identify each SPF consumer who was or may have been impacted. Whether a regulated entity meets this obligation is an objective test which will depend on the circumstances, including the relevant matters set out in section 58BB (about the meaning of reasonable steps). The SPF code for a regulated sector may also include sector-specific provisions describing what are reasonable steps and what is a reasonable time for the purposes of this obligation.

1.175 Failure to comply with this obligation may attract a civil penalty. Subdivision C of Division 6 deals with civil penalty provisions. Further information is set out under the heading 'Division 6 - Enforcing the SPF'.

[Schedule 1, item 1, subsection 58BO(2)]

Sector-specific obligations relating to SPF Principle 3: Detect

1.176 An SPF code may be made for a regulated sector setting out detailed, sector-specific obligations consistent with this SPF principle. An SPF code may include, for example, sector-specific provisions describing:

what reasonable steps are to detect scams, investigate actionable scam intelligence and identify impacted SPF consumers; or
what a reasonable time is for the purpose of identifying impacted SPF consumers.

[Schedule 1, item 1, section 58BP]

1.178 An SPF code may also include obligations requiring regulated entities to identify the nature of the impact of that activity on SPF consumers. This may include both financial and non-financial harm, including the loss of any SPF personal information. This is important in informing the proportionate disruptive action that is then taken by the regulated entity.

SPF Principle 4: Report

1.179 The simplified outline in Subdivision E of Division 2 provides that:

Regulated entities must give the SPF general regulator reports of any actionable scam intelligence the entity has about activities relating to, connected with, or using the entity's regulated services.
Regulated entities must give an SPF regulator (either the SPF general regulator or relevant SPF sector regulator) a report about a scam on request.
The SPF general regulator may disclose information about scams to specified entities.

[Schedule 1, item 1, section 58BQ]

1.180 Efficient and timely sharing of scam-related information by regulated entities and the SPF general regulator is critical to meet the object of the SPF, as it will ensure SPF regulators, law enforcement agencies and other regulated entities are equipped to take action to prevent and respond to scams that impact the Australian community.

1.181 The reporting obligations in the SPF, including in SPF Principle 5: Disrupt, are designed to operate alongside other Commonwealth frameworks. Accordingly, where a regulated entity provides information required under the SPF, this is not intended to result in a breach of any requirements under other Commonwealth legislation. This includes under the privacy law, relevant secrecy provisions, and the anti-money laundering and counter terrorism financing legislation.

Actionable scam intelligence reports

1.182 Where a regulated entity has actionable scam intelligence about an activity relating to, connected with, or using a regulated service of the entity, the entity must give the ACCC, as the SPF general regulator, a report about the actionable scam intelligence within the period prescribed by the SPF rules. The report must contain the kinds of information, and be in the manner and form, prescribed by the SPF rules. This requirement only applies to a regulated entity when the SPF rules, as made by a Treasury Minister, prescribe these matters.

[Schedule 1, item 1, subsections 58BR(1) and (2)]

1.183 The SPF rules may, for example, prescribe that the report is to include the sources or evidence that the entity has for that intelligence, or provide that the report may be given via access to a specified data gateway, portal or website. Different matters may be prescribed for different kinds of regulated entities. Further information about how a report may be given via access to a specified data gateway, portal or website is set out under the heading 'Authorised third party schemes for giving reports'.

[Schedule 1, item 1, subsection 58BR(5)]

1.184 This approach to using the SPF rules is appropriate and necessary to ensure the reporting requirements can be quickly adapted as new scam trends emerge. It will also provide flexibility to adjust reporting requirements as data sharing capabilities mature across different sectors.

1.185 The actionable scam intelligence that must be reported under the SPF rules is expected to be information that is necessary to disrupt scam activity. As a result, this will likely focus on information about the mechanism or identifier used to perpetrate the scam. This means the regulated entity may need to include SPF personal information in the report, such as:

the bank account an SPF consumer has transferred a payment to (as instructed by the scammer);
a phone number used by the scammer to contact SPF consumers, or a phone number advertised on a scam advertisement; or
details in relation to a scam advertisement or social media account used to perpetrate a scam.

[Schedule 1, item 1, subsection 58BR(6)]

1.186 An entity is not required to report actionable scam intelligence in certain circumstances prescribed by the SPF rules. For example, the SPF rules may specify that entities are not required to report actionable scam intelligence they received from the SPF general regulator, to avoid duplication. The SPF rules may also specify that an entity is not required to share information where doing so would be inconsistent with an overseas privacy law that also applies to the actionable scam intelligence. The defendant bears an evidential burden in relation to establishing that the circumstance in the SPF rules applies to the entity (see section 96 of the Regulatory Powers Act), because this operates as an exception to a general obligation of the SPF.

[Schedule 1, item 1, subsection 58BR(4)]

1.187 This refers to the burden of adducing or pointing to evidence that suggests a reasonable possibility that the exception in the SPF rules applies. This is appropriate as the relevant matters are peculiarly within the knowledge of the regulated entity, and it avoids costly and difficult investigations by the regulator to enforce the reporting requirement.

1.188 Failure to comply with this reporting requirement may attract a civil penalty. Subdivision C of Division 6 deals with civil penalty provisions. Further information is set out under the heading 'Division 6 - Enforcing the SPF'.

[Schedule 1, item 1, subsection 58BR(3)]

1.189 For the avoidance of doubt, regulated entities and other entities may voluntarily share actionable scam intelligence that is not required under the SPF rules with the SPF general regulator, provided they comply with any relevant laws (such as the privacy law and any applicable secrecy provisions).

Reporting scams to SPF regulators on request

1.190 A regulated entity must give an SPF regulator (whether the SPF general regulator or SPF sector regulator) a report about a scam relating to, connected with, or using the entity's regulated service on written request from that regulator, within the period set out in the request. The report must be in the manner and form, and contain the kinds of information, set out in the request.

[Schedule 1, item 1, subsections 58BS(1) and (2)]

1.191 Examples of the kinds of information the SPF regulator may request in the report relate to the:

loss or harm that may have resulted from the scam;
disruptive actions the entity has taken in relation to the scam and whether any of those actions have been reversed;
steps the entity is taking to disrupt similar scams; and
steps the entity is taking to prevent loss or harm resulting from similar scams.

[Schedule 1, item 1, paragraph 58BS(4)(b)]

1.192 For example, the ACCC, as the SPF general regulator, may request scam reports to obtain qualitative information about a widespread scam that may not be available through the actionable scam intelligence routinely shared with the ACCC, or for individual instances where there are significant losses, to better understand those circumstances. It is expected that the ACCC will provide more detailed guidance on reporting requirements for regulated entities once the legislation has passed and subordinate instruments are further developed.

1.193 The request may also ask for the report to include SPF personal information. Where this occurs, the request must require the entity to de-identify the information unless the SPF regulator reasonably believes that doing so would not achieve the object of the SPF. Information is 'de-identified' if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.

[Schedule 1, items 1 and 5, subsections 4(1) and 58BS(5)]

1.194 The SPF regulator's request may also provide the report be given via access to a specified data gateway, portal or website. Further information about this process is set out in the next section.

[Schedule 1, item 1, paragraph 58BS(4)(a)]

1.195 If a regulated entity has already provided a scam report to an SPF regulator, and another SPF regulator later requests a scam report about the same matter, then the entity only needs to provide to the second SPF regulator a report setting out that an earlier scam report about these matters was given to the first SPF regulator on a specified date and time. This avoids duplication of reporting requirements for regulated entities.

[Schedule 1, item 1, subsection 58BS(6)]

1.196 Failure to comply with this reporting requirement may attract a civil penalty. Subdivision C of Division 6 deals with civil penalty provisions. Further information is set out under the heading 'Division 6 - Enforcing the SPF'.

[Schedule 1, item 1, subsection 58BS(3)]

1.197 If the SPF regulator makes a request to a regulated entity for specific information and the entity cannot reasonably locate that information (for example, because they do not have access to the information and cannot otherwise obtain the information), it is not intended that they would be in breach of this obligation.

1.198 SPF regulators may share scam reports with another SPF regulator upon request or on their own initiative under Subdivision C of Division 5. Further information about this is set out under the heading 'Division 5 - Regulating the SPF'.

[Schedule 1, item 1, note to subsection 58BS(6)]

Authorised third party schemes for giving reports

1.199 A regulated entity is required to give the following reports:

reports of actionable scam intelligence to the SPF general regulator under SPF Principle 4: Report;
reports about scams to an SPF regulator under SPF Principle 4: Report; and
reports on the outcomes of investigations of activities relating to actionable scam intelligence to the SPF general regulator under SPF Principle 5: Disrupt.

1.200 These reports may be given via a data gateway, portal or website prescribed by the SPF rules.

[Schedule 1, item 1, paragraphs 58BR(5)(a), 58BS(4)(a) and 58BY(4)(a)]

1.201 The SPF rules may prescribe a scheme for authorising third parties to operate data gateways, portals or websites that give access to reports under the SPF principles, including reports given by regulated entities and the SPF regulators.

[Schedule 1, item 1, subsection 58BT(1)]

1.202 The use of a third-party scheme is intended to streamline and standardise the process of giving reports by regulated entities, and reports by SPF regulators to regulated entities, including by leveraging existing schemes that may already receive scam-related information.

1.203 As part of prescribing the scheme, the SPF rules may include (but are not limited to):

provisions conferring functions or powers on the SPF general regulator under the scheme;
the criteria for a person to be authorised under the scheme;
provisions providing that authorisations may be granted subject to conditions, and that conditions may be imposed on an authorisation after it has been granted;
provisions providing that authorisations may be granted at different levels corresponding to different risks;
provisions specifying what a person authorised at a particular level is authorised to do (or not authorised to do);
provisions dealing with the period, renewal, transfer, variation, suspension, revocation or surrender of authorisations;
notification requirements on persons whose authorisations have been varied, suspended, revoked or surrendered;
transitional rules for when an authorisation is varied, is suspended or ends, including in relation to SPF personal information; and
provisions for the making of applications for internal review, or of applications to the Administrative Review Tribunal for review, of decisions of a person under the scheme.

[Schedule 1, item 1, subsection 58BT(2)]

1.204 These rules are intended to provide clarity on the role and scope of any authorised third-party scheme, to ensure regulated entities understand their reporting obligations. The ability for the SPF rules to confer functions or powers on the SPF general regulator under the scheme is intended to ensure any new third-party scheme which might be made for the purpose of the SPF, is governed and administered by an appropriate body.

1.205 A person authorised under the scheme may use or disclose SPF personal information to the extent that is reasonably necessary to achieve the object of the SPF.

[Schedule 1, item 1, subsection 58BT(3)]

Duty of confidence and authorised disclosures

1.206 A duty of confidence, which is a legally enforceable obligation to maintain confidence, owed under an agreement or arrangement has no effect to the extent that it would otherwise prevent information from being reported as required under this SPF principle.

[Schedule 1, item 1, section 58BU]

1.207 Duties of confidence are overridden to ensure all required and relevant information is reported to the relevant SPF regulator. The significant financial and emotional harm caused by scams warrants prioritising information sharing to combat scams over a duty of confidence. It is expected that in most cases the party owed the duty of confidence will directly benefit from the sharing of information to disrupt scams.

1.208 The requirements for a regulated entity to give reports of actionable scam intelligence and scam reports are also a requirement by law to disclose the information that is required to be contained in those reports. Therefore, a regulated entity's compliance can be a defence to a secrecy provision, such as section 276 of the Telecommunications Act (see paragraph 280(1)(b) of that Act) and is authorised under Australian Privacy Principle 6 in the Privacy Act (see paragraph 6.2(b) of that Principle).

[Schedule 1, item 1, note to section 58BU]

SPF general regulator may share information with specified persons

1.209 The ACCC, as the SPF general regulator, may disclose information relating to an action which is a 'scam' (as defined in the Bill or within the ordinary meaning of that expression) to a specified entity. In this context, actions which constitute a scam are referred to as a 'scamming action'.

[Schedule 1, item 1, subsection 58BV(1)]

1.210 The intention for including both scams as defined in the Bill and within the ordinary meaning of the expression is to ensure the ACCC is not unnecessarily restricted by the definition of scam in the SPF in its ability to share information, when doing so would support a coordinated response to scams and support the objectives of the SPF. For example, this will allow the ACCC to share information to a specified person about a scam within the ordinary meaning of scam, but which is not a scam associated with a regulated entity in the SPF and therefore not a scam within the definition of scam in the Bill.

1.211 Under this provision, the ACCC may disclose information relating to scamming action to the following entities:

a regulated entity;
a Commonwealth agency or authority involved in developing Government policy relating to the SPF;
a law enforcement agency of the Commonwealth, or of a State or Territory;
an agency of a foreign country, or of part of a foreign country, that is a law enforcement agency, or is a regulatory agency responsible for scam prevention, if the ACCC is satisfied that:

- the agency has given an undertaking for controlling the storage, handling and use that will be made of the information and ensuring that the information will be used only for the purpose for which it is disclosed to the agency; and
- it is appropriate, in all the circumstances, to disclose the information to the agency.

[Schedule 1, item 1, subsections 58BV(2) and (3)]

1.212 SPF regulators may also disclose information and documents to each other under Division 5. Further information about this is set out under the heading 'Division 5 - Regulating the SPF'.

1.213 The information that may be disclosed includes SPF personal information, which may include information about:

a person reasonably suspected of committing a scam, or being involved in the commission of a scam;
an SPF consumer who was engaged (or was attempted to be engaged) as part of a scam;
a person who reports a scam on behalf of an SPF consumer; or
a person who is impersonated in connection with a scam.

[Schedule 1, item 1, subsection 58BV(4)]

1.214 The sharing of SPF personal information to the specified entities is necessary to support the SPF's object to prevent and respond to scams impacting SPF consumers as it will ensure these entities have the intelligence necessary to take appropriate action to prevent, detect, disrupt and respond to scams as quickly as possible and reduce the possibility of harm to consumers. In particular, the sharing of this information will ensure:

regulated entities across the scams ecosystem have the information they need to take preventative and disruptive action in relation to scams;
a Commonwealth agency or authority involved in developing Government policy relating to the scams can provide up-to-date policy advice to the Government on the regulatory environment to combat scams, noting the fast-evolving nature of scams;
SPF sector regulators have relevant information about scams occurring in their regulated sectors so inadequate action taken by regulated entities or potential breaches can be quickly identified and enforcement action taken, where appropriate;
law enforcement agencies have information to support criminal proceedings and action being taken in response to scams, against scammers; and
international law enforcement and regulatory agencies responsible for scams prevention have relevant scams information, recognising that the transnational nature of scams requires a coordinated international approach to minimise scam harms.

1.215 For example, if a banking entity provides a report to the SPF general regulator about a scam that originated through a fraudulent advertisement on a social media platform, this will allow the SPF general regulator to share this information with the social media service provider. The social media service provider can then quickly remove an advertisement or suspend an account suspected to be associated with scam activity and prevent further consumers from being impacted.

1.216 However, if the disclosure is to another Commonwealth agency or authority involved in developing the Government policy relating to the SPF, then any SPF personal information must first be de-identified. This reflects that de-identified information will be sufficient in any policy development or consideration regarding the SPF.

[Schedule 1, item 1, subsection 58BV(4)]

1.217 Enabling the SPF general regulator to share scam information with international law enforcement and regulatory agencies responsible for scam prevention is consistent with Australia's commitment made as a signatory of the Global Fraud Summit Communiqué on 11 March 2024 to 'share learning, information, and resources across government, law enforcement, industry and regulators'. The Communiqué was agreed between the Assistant Treasurer on behalf of the Australian Government and ministers and representatives of Canada, France, Germany, Italy, Japan, New Zealand, the Republic of Korea, Singapore, the United Kingdom and the United States of America.

1.218 This will enable the SPF general regulator to enter into agreements with partner jurisdictions to share valuable scam information, and therefore better support domestic efforts to curb the harms caused by scams.

1.219 For example, if the SPF general regulator has information that an overseas bank account has been used by suspected scammers, the SPF general regulator could share that information with the relevant regulator or law enforcement agency to enable it to take prompt action, helping to prevent and respond to scams impacting SPF consumers.

1.220 This would also support the SPF general regulator to enter into bilateral information sharing arrangements with partner jurisdictions. For example, if the SPF general regulator has an information sharing arrangement with an overseas regulator, the overseas regulator may share information relating to a suspected scam account in its jurisdiction that is being used to facilitate scams in Australia. The SPF general regulator would be able to share this information with banking entities once they are designated, who could take reasonable steps to disrupt the scam domestically by blocking payments to the international account that is suspected of being part of a scam, in order to prevent and respond to scams impacting SPF consumers.

1.221 The SPF general regulator can only share scam information with an international agency under the SPF if the agency has given an undertaking for controlling the storage, handling and use of the information and ensuring that the information will be used only for the purpose for which it is disclosed to the agency. For the avoidance of doubt, this does not require an undertaking to be provided for every isolated instance of data sharing; rather, a general undertaking can be provided up front to enable ongoing data sharing, provided that sharing is consistent with the general undertaking.

Example 1.9 The SPF general regulator disclosing a scam in the banking, telecommunications and digital platforms sectors

In this example, the banking sector, telecommunications sector and digital platforms sector (including social media services) are regulated sectors. The ACCC, as the SPF general regulator, receives actionable scam intelligence from a banking entity about an investment scam. The report included the suspected scammer's bank account and an advertisement on social media that included the suspected scammer's phone number.

Disclosure: The SPF general regulator may disclose the suspected scam advertisement to the social media company that is hosting the advertisement. The disclosure would enable the social media company to take reasonable steps to disrupt the scam, for example, by taking down the advertisement or social media account and blocking the relevant users.
Disclosure: The SPF general regulator may disclose the suspected scammer's banking details to banking entities. This would enable banking entities to take reasonable steps to disrupt the scam, for example, by adding friction or blocking payments made to the suspect account.
Disclosure: The SPF general regulator may disclose the suspected scammer's phone number to telecommunications providers. This would enable telecommunications providers to take reasonable steps to disrupt the scam, for example, by screening calls to and from the suspect number.

SPF Principle 5: Disrupt

1.222 The simplified outline in Subdivision F of Division 2 provides that:

Regulated entities must take reasonable steps to disrupt an activity suspected of being a scam and prevent losses arising from such an activity.
Regulated entities must give a report to the SPF general regulator about whether the entity reasonably believes that an activity is a scam following their investigation.
The entity will not be liable for damages when taking certain actions to disrupt such an activity during the investigation period.
An SPF code for the sector may include sector-specific obligations in relation to this SPF principle.

[Schedule 1, item 1, section 58BW]

Overarching obligation to take reasonable steps to disrupt scams

1.223 Where a regulated entity has actionable scam intelligence about an activity relating to, connected with or using a regulated service of the entity, the entity must take reasonable steps within a reasonable time to disrupt the activity and prevent loss or harm (including further loss or harm) arising from the activity.

[Schedule 1, item 1, subsection 58BX(1)]

1.224 To avoid doubt, this includes taking reasonable steps to stop activity that is already underway from continuing or further impacting SPF consumers.

1.225 A contravention of this obligation does not occur merely because an entity fails to disrupt a scam. Whether an entity has taken reasonable steps is an objective test that will depend on the particular circumstances, including the relevant matters in section 58BB (about the meaning of reasonable steps). The SPF code for a regulated sector may also include sector-specific provisions describing what are reasonable steps and what is a reasonable time for the purposes of this obligation.

1.226 The steps taken by a regulated entity to disrupt the activity should also be proportionate to the actionable scam intelligence that the entity has.

[Schedule 1, item 1, subsection 58BX(3)]

1.227 Depending on the regulated service of a regulated entity, reasonable steps may include:

removing content associated with scam activity (including scam advertisements or fraudulent accounts);
blocking phone numbers, accounts, or content associated with scam activity;
rejecting payments so that the regulated entity can contact the consumer and inform them that the account they are paying has been identified as associated with scam activity; or
confirming payee details.

1.228 Failure to comply with this obligation may attract a civil penalty. Subdivision C of Division 6 deals with civil penalty provisions. Further information is set out under the heading 'Division 6 - Enforcing the SPF'.

[Schedule 1, item 1, subsection 58BX(2)]

Safe harbour for proportionate disruptive action

1.229 A safe harbour applies for any proportionate disruptive action taken by a regulated entity while it is investigating actionable scam intelligence it has about an activity relating to, connected with, or using a regulated service of the entity.

1.230 Where a regulated entity has actionable scam intelligence about an activity relating to, connected with, or using a regulated service of the entity, the entity will not be liable in relation to a civil action or proceeding for taking action to disrupt that activity.

[Schedule 1, item 1, subsections 58BZA(1) and (2)]

1.231 However, this protection will only apply if:

the regulated entity is acting in good faith and in compliance with the SPF provisions;
the disruptive action is reasonably proportionate to the activity that is the subject of the actionable scam intelligence, and to the information that would be reasonably expected to be available to the entity about the activity;
the action is taken during the period starting on the day that the information becomes actionable scam intelligence for the entity, and ending when the entity reasonably believes that the activity is or is not a scam, or after 28 days (whichever is the earlier); and
the action is promptly reversed if the entity identifies the activity is not a scam and it is reasonably practicable to reverse the action.

[Schedule 1, item 1, subsections 58BZA(1) and (2)]

1.232 To determine whether the action is reasonably proportionate, the relevant matters include the potential loss or damage to SPF consumers or to persons carrying on the activity if the action is not taken, and such loss or damage if the action is taken and the activity is not a scam.

[Schedule 1, item 1, subsection 58BZA(3)]

1.233 In assessing the likely loss or damage to SPF consumers if no action is taken and the activity is a scam, a regulated entity may consider the number of consumers that have interacted with the suspected scam conduct, the information available providing the reasonable suspicion about the conduct, and the suspected losses associated with the activity (if known). This information provides the regulated entity with an understanding of the potential risk to SPF consumers if no action is taken.

1.234 In assessing the likely loss or damage if the action is taken and the activity is not a scam, the regulated entity may consider the potential economic, commercial, and social impacts of the disruption based on the nature of the activity. The safe harbour does not provide a protection for blunt and disproportionate action, such as stopping all real-time payments, blocking calls and text messages en masse based on a word or phrase (for example, blocking all texts that say 'mum' following the 'hi mum' scam), or taking down a small business's social media page after receiving a single report that suggests it may be associated with a scam without any other corroborating evidence. Action that constitutes a proportionate step will depend on the level of certainty the regulated entity has that the identified activity is a scam.

1.235 Whether an action is reasonably proportionate should also involve some consideration of competitive interests. Anti-competitive action is not proportionate action, and it is expected that regulated entities will have regard to the circumstances and information available in determining what action is appropriate. The safe harbour protection will not apply where the action taken is not considered to be proportionate and in good faith.

1.236 For example, a regulated entity has received a number of reports in relation to an advertisement on its regulated service. However, some of these complaints appear to use the term 'scam' in an incorrect context and raise issues with other areas of consumer law, such as poor product quality. It is unclear whether the advertisement is associated with scam activity based on the information available to the entity. In determining proportionate action in this case, the regulated entity must assess the potential loss or damage to SPF consumers if action is not taken. This may involve assessing the information available about the activity, the level of consumer interaction with this account, and the losses reported to date. The regulated entity must also consider the loss or damage if the action is taken and the activity is not a scam. This may include consideration of the potential commercial interests of the advertiser if the content is legitimate and taken down. On balance, given the information available and the risks to commercial interests, it may be appropriate for the entity to determine that taking no action is the proportionate response in the circumstances.

1.237 The intention of the safe harbour provision is to enable timely and responsive disruptive action where a regulated entity reasonably suspects scam activity, while also setting clear guardrails and parameters to ensure third parties are protected from ongoing disruptive action where they are not involved in scam activity. For example, a regulated entity may take down a legitimate business's website based on actionable scam intelligence while the regulated entity investigates whether the conduct or activity is associated with a scam. Once the regulated entity concludes that the website has not been used for scam activities, the regulated entity must reverse its actions promptly to minimise disruption to the business.

1.238 The safe harbour protection applies to allow proportionate action for a maximum of 28 days. After the conclusion of an investigation, or after 28 days, whichever is sooner, the regulated entity must:

if the activity is a scam, implement ongoing disruptive steps, such as permanently removing a scam advertisement or social media account associated with scam activity; or
if the activity is not a scam, promptly reverse the proportionate action taken during the safe harbour period where practicable; or
if the entity has not concluded its investigation, continue to take reasonable steps to investigate the activity under the overarching obligation to detect. The safe harbour protection will no longer apply to any proportionate disruptive action taken after the 28-day period.

1.239 In some cases, it will not be possible to reverse specific disruptive action that has been taken during the safe harbour period. For example, it will not be possible for a telecommunications provider to restore a blocked text message or for a banking entity to restore a blocked payment. The intent in these instances is to require the regulated entity to cease the action that is leading to the disruption and enable the use of that service to resume. For example, where text messages from a certain phone number were blocked during the 28-day safe harbour period and it is later identified that the number is not associated with scam activity, the reversal of this action refers to the regulated entity allowing the use of that phone number to resume.

1.240 A regulated entity who wishes to rely on this protection from liability bears an evidential burden in relation to all elements of the safe harbour protection. This refers to the burden of adducing or pointing to evidence that suggests a reasonable possibility that the elements of the safe harbour protection apply. This is appropriate as the relevant matters are peculiarly within the knowledge of the regulated entity, and are not readily available to other parties in a civil action or civil proceeding.

Reporting outcomes of investigations

1.241 Where a regulated entity has actionable scam intelligence about an activity relating to, connected with, or using the entity's regulated service, the entity must give a report about that intelligence to the ACCC as the SPF general regulator before the end of the period prescribed by the SPF rules. The report must contain the kinds of information and be in the manner and form prescribed by the SPF rules.

[Schedule 1, item 1, subsections 58BY(1) and (2)]

1.242 This reporting requirement only applies to a regulated entity when the SPF rules prescribe these matters.

[Schedule 1, item 1, note to subsection 58BY(2)]

1.243 The intention of this requirement is to ensure the ACCC as the SPF general regulator has oversight of the investigations undertaken by regulated entities and the outcomes of those investigations. This is critical for monitoring and enforcement of the requirement to investigate actionable scam intelligence and will ensure the ACCC can then share any relevant information with other entities to support the SPF's object to prevent and respond to scams impacting SPF consumers.

1.244 Failure to comply with this obligation may attract a civil penalty. Subdivision C of Division 6 deals with civil penalty provisions. Further information is set out under the heading 'Division 6 - Enforcing the SPF'.

[Schedule 1, item 1, subsection 58BY(3)]

1.245 The SPF rules may prescribe:

that the report may be given via access to a specified data gateway, portal or website (discussed above under the heading 'Authorised third party schemes for giving reports');
that the report sets out whether the entity reasonably believes that the activity that is the subject of the intelligence is a scam; and
different matters for different kinds of activities.

[Schedule 1, item 1, subsection 58BY(4)]

1.246 Consistent with the obligation to report actionable scam intelligence, the report may be required to include SPF personal information, and a duty of confidence owed under any agreement or arrangement is of no effect to the extent that it is contrary to the entity's obligation to report.

[Schedule 1, item 1, subsections 58BY(5) and (6)]

Sector-specific obligations relating to SPF Principle 5: Disrupt

1.247 An SPF code may be made for a regulated sector setting out detailed, sector-specific obligations consistent with this SPF principle. An SPF code may include, for example, sector-specific provisions that:

describe what are reasonable steps or what is a reasonable time for the purposes of the overarching obligation to disrupt scam activity; and
require each regulated entity for the sector to provide its SPF consumers with information about activities that are the subject of the entity's actionable scam intelligence.

[Schedule 1, item 1, section 58BZ]

1.248 For example, SPF codes may include provisions requiring a regulated entity to:

quickly respond to information that identifies scams, such as through requirements to block or suspend an account or a transaction;
disclose information to impacted SPF consumers in a specified timeframe which may include steps for those consumers about how to prevent further harm or losses; and
introduce new systems or functionality to enable SPF consumers to take action to stop scams (for example, technology that allows an SPF consumer to stop a transaction or freeze their own accounts).

SPF Principle 6: Respond

1.249 The simplified outline in Subdivision G of Division 2 provides that:

Regulated entities must have an accessible mechanism for their SPF consumers to report activities that are or may be scams.
Regulated entities must also have an accessible and transparent IDR mechanism for SPF consumers to make complaints about scam activities and the entity's conduct relating to such activities.
When undertaking IDR, the entity must give a statement, relevant to the complaint, about whether it has complied with its obligations.
When undertaking IDR, the regulated entity must have regard to any processes prescribed by the SPF rules and any guidelines prescribed by the SPF rules for apportioning liability.
A regulated entity must be a member of an authorised EDR scheme for dealing with complaints about scams if it provides a regulated service.
Regulated entities must publish information about these reporting and dispute resolution mechanisms.
An SPF code for a regulated sector may set out additional conditions relating to consumer reporting, IDR and EDR requirements.

[Schedule 1, item 1, section 58BZB]

Reporting mechanism

1.250 Regulated entities must have an accessible mechanism for a person to report to the entity a scam or possible scam that relates to, is connected with, or uses a regulated service of the entity. This mechanism needs to allow a person who was an SPF consumer of the service at the time they were impacted by the scam or possible scam to make such a report, even if they are no longer an SPF consumer of the service at the time they are making the report.

[Schedule 1, item 1, subsection 58BZC(1)]

1.251 Given the broad definition of SPF consumer, this reporting mechanism will also need to extend to scams and possible scams impacting a person at a time when the regulated service is only purportedly being provided to the person.

[Schedule 1, item 1, note to subsection 58BZC(1)]

1.252 For a reporting mechanism to be accessible to SPF consumers, all classes of SPF consumers must be able to easily locate, access and use the mechanism to make a scam report. This will require a regulated entity to consider the classes of consumers using its service and how they use those services. For example, if a regulated entity has a diverse consumer base, it may be appropriate to go beyond a purely digital mechanism for reporting scams and offer a telephone line.

1.253 Therefore, the relevant form of the reporting mechanism may be different for each regulated entity, depending on its regulated services and SPF consumer base. This may involve an entity allowing SPF consumers to report scams in person, via phone, or online on a website or a digital application. A combination of methods may be available.

1.254 A regulated entity may also enable an authorised person or organisation to assist with or make a report on behalf of an SPF consumer.

1.255 The reporting mechanism is a critical element of the SPF. It will provide regulated entities with necessary information to fulfil their other obligations under the SPF regarding the prevention, detection, disruption and reporting of scams.

1.256 Failure to comply with the obligation to have an accessible reporting mechanism may attract a civil penalty. Subdivision C of Division 6 deals with civil penalty provisions. Further information is set out under the heading 'Division 6 - Enforcing the SPF'.

[Schedule 1, item 1, subsection 58BZC(2)]

Internal dispute resolution

1.257 Regulated entities must have an accessible and transparent IDR mechanism to deal with an SPF consumer's complaint. Under the IDR mechanism, a person can bring a complaint about:

an activity that is or may be a scam and that relates to, is connected with, or uses a regulated service of the entity, provided the activity impacted the person at the time when they were an SPF consumer of the service; or
the entity's conduct relating to such an activity.

[Schedule 1, item 1, subsection 58BZD(1)]

1.258 An effective IDR mechanism will benefit both SPF consumers and regulated entities. IDR will provide regulated entities with an opportunity to assess their conduct and resolve the SPF consumer's complaints in a timely and efficient manner. The IDR obligation is intended to encourage the early resolution of complaints, including for compensation or other remedies to be provided to SPF consumers where there has, or may have, been a breach of an SPF provision.

1.259 The relevant IDR mechanism must be accessible to SPF consumers and should provide flexibility in how complaints can be lodged. For example, a complaint may be made in-person, via phone, letter, online or a combination of these methods. The regulated entity may enable an authorised person or organisation to assist or progress a complaint on behalf of an SPF consumer.

1.260 To ensure the IDR mechanism is accessible for SPF consumers, the regulated entity should set out its complaints handling process in writing and make it available on the entity's website. This would also support the obligation on regulated entities to publish information about the rights of SPF consumers, discussed in further detail below.

1.261 Failure to comply with these obligations may attract a civil penalty. Subdivision C of Division 6 deals with civil penalty provisions. Further information is set out under the heading 'Division 6 - Enforcing the SPF'.

[Schedule 1, item 1, subsection 58BZD(2)]

Processes and guidelines for undertaking IDR

1.262 When undertaking IDR in dealing with a person's complaint, regulated entities must have regard to any processes prescribed by the SPF rules and any guidelines prescribed by the SPF rules for apportioning any liability arising from the complaint.

[Schedule 1, item 1, subsection 58BZE(1)]

1.263 Prior to making the SPF rules, the Treasury Minister must be satisfied that appropriate and reasonably practicable consultation is undertaken. This is required under section 17 of the Legislation Act 2003.

1.264 Any processes or guidelines prescribed by the SPF rules are intended to assist regulated entities to effectively deal with complaints, including those involving multiple regulated entities that have not met their SPF obligations. For example, a complaint might involve a regulated entity in the telecommunications sector and a regulated entity in the banking sector where a scammer engages an SPF consumer via a text message, which results in the consumer making an electronic bank payment to the scammer.

1.265 In these instances, without guidance, consumers may undergo IDR with multiple entities and be unsuccessful due to each regulated entity shifting responsibility to another entity or entities. This may prevent quick and fair resolutions at the IDR stage and result in a higher number of complaints escalating to EDR.

1.266 The processes and guidelines prescribed by the SPF rules will assist in streamlining IDR for complaints involving multiple regulated entities. For example, the Minister may prescribe a process outlining how regulated entities should interact with each other at the IDR stage to allow for early resolution of disputes where more than one entity may not have met its obligations under the SPF. The Minister may also prescribe guidance on how to apportion liability between multiple regulated entities that have breached their SPF obligations in a particular type of scam.

1.267 Using the SPF rules to prescribe processes and guidelines that regulated entities must have regard to is appropriate as it provides the flexibility to include details about specific types of scams. This would not be appropriate for inclusion in the primary law given the evolving and often complex nature of scams. It is also appropriate for these processes to be prescribed in the SPF rules rather than SPF codes that only apply to a particular regulated sector because scams are likely to involve multiple regulated entities across various sectors. Using the SPF rules is also appropriate to ensure the IDR obligations about the process regulated entities must have regard to will apply in the absence of an SPF code.

1.268 Failure to comply with the obligation to have regard to the processes and guidelines prescribed by the SPF rules may attract a civil penalty. Subdivision C of Division 6 deals with civil penalty provisions. Further information is set out under the heading 'Division 6 - Enforcing the SPF'.

[Schedule 1, item 1, subsection 58BZE(2)]

Giving a statement of compliance

1.269 A regulated entity undertaking IDR to deal with a person's complaint must also provide the person with a statement of compliance.

[Schedule 1, item 1, subsection 58BZDA(1)]

1.270 The statement of compliance must:

include a statement by the regulated entity about whether, based on information reasonably available to the entity at the time of making the statement, it has complied with its obligations under the SPF provisions that are relevant to the complaint;
contain the kinds of information prescribed by the SPF rules that are relevant to the complaint and need to be included in the statement;
exclude any kinds of information prescribed by the SPF rules that are relevant to the complaint, but need to be excluded from the statement;
be in writing and signed by an authorised representative of the entity, noting the SPF rules will prescribe kinds of authorised representatives; and
be given in accordance with the timeframes, and in the manner and form, prescribed by the SPF rules.

[Schedule 1, item 1, subsection 58BZDA(2)]

1.271 The requirement to provide a statement of compliance only applies to a regulated entity when the SPF rules prescribe the kinds of information to be included in the statement, the kind of authorised representative who can sign a statement, and the timeframes, manner and form in which the statement is to be provided.

[Schedule 1, item 1, note to subsection 58BZDA(1)]

1.272 In relation to the information that must be included or excluded from the statement of compliance, the SPF rules may be used to:

require information to be included about how the regulated entity has complied with the relevant obligations under the SPF, including specific steps it has taken to comply with a reasonable steps requirement under the SPF (where relevant); and
exclude information from being included that is commercially sensitive or may contravene other legislative obligations, including under the privacy law and anti-money laundering and counter-terrorism financing legislation.

1.273 The SPF rules may also prescribe the kinds of authorised representatives who can sign a statement of compliance on behalf of the regulated entity. For example, this may be used to ensure the authorised representative is the person responsible for the entity's IDR mechanism under the SPF, or the person set out in the entity's governance policies and procedures as being the authorised representative for the purpose of signing a statement of compliance. As required under SPF Principle 1: Governance, a regulated entity's governance policies and procedures need to be certified annually by a senior officer of the entity. If SPF rules are made to this effect, these authorised representatives will be responsible for signing any statements of compliance issued by the entity.

1.274 Using the SPF rules to prescribe these matters, as well as the timeframes, manner and form in which the statement of compliance needs to be given, is appropriate as it will likely contain significant administrative and technical detail. This approach will ensure the relevant matters can be prescribed with respect to specific types of scams, and with reference to the complexity of the complaint.

1.275 The requirement to provide a statement of compliance at IDR is intended to ensure a consumer understands a regulated entity's position in response to their complaint and is equipped with the necessary information to determine whether to escalate the complaint to EDR or to take court action for loss or damages (see Subdivision G of Division 6 of the Bill for further information about actions for damages). In particular, it is intended to address the information asymmetry between regulated entities and consumers at the IDR stage, where the consumer is unlikely to have sufficient information about whether and how a regulated entity has complied with its SPF obligations. In effect, the responsibility is shifted to the regulated entity to demonstrate these matters in response to the complaint brought by the consumer.

1.276 If a regulated entity provides a statement of compliance to the effect that it has not complied with the relevant obligations under the SPF, the entity is expected to consider whether this has caused loss or damage to the consumer (noting the SPF rules may require information about such a consideration to be included in the statement of compliance). If so, the regulated entity is expected to provide compensation and/or another appropriate remedy to the consumer, taking into account matters such as:

the amount of compensation and/or other remedies that could be awarded at EDR or by a court if the matter is not resolved at IDR, given the SPF introduces new avenues and rights for an SPF consumer to seek redress, including compensation for loss or damage, from regulated entities for failures relating to their SPF obligations; and
the role of any other regulated entity in the scam, including any relevant processes for undertaking IDR or guidelines for apportioning liability in the SPF rules.

1.277 Remedies other than compensation may be appropriate depending on the particular complaint. These remedies may include the forgiveness or variation of a debt, a refund or waiver of a fee or charge, or changes to the terms of a contract between the entity and the consumer.

1.278 The expectation for regulated entities to provide compensation and/or another appropriate remedy to the consumer at IDR in certain circumstances reflects that the SPF strengthens protections for SPF consumers, including by providing them with new avenues and rights to seek redress from regulated entities for failures relating to their SPF obligations.

1.279 If a regulated entity determines that its failure to comply with the relevant obligations under the SPF has caused loss or damage to the consumer, but does not provide compensation and/or another appropriate remedy to the consumer at IDR, the regulated entity should be prepared to justify this position if the matter proceeds to EDR or court action for damages.

1.280 To support this, the provisions make clear that a statement of compliance given by a regulated entity is admissible in any proceeding relating to the complaint in the EDR stage as prima facie evidence of the entity's position on the matters in the statement, at the time the entity made the statement.

[Schedule 1, item 1, subsection 58BZDA(4)]

1.281 Further, nothing in this section limits or affects the admissibility of any other statement or evidence in a proceeding. This means the existing rules around admissibility of evidence will apply in any court proceedings, including actions for damages initiated by the consumer or civil penalty proceedings initiated by an SPF regulator.

[Schedule 1, item 1, subsection 58BZDA(5)]

1.282 If the matter progresses to EDR, the operator of the SPF EDR scheme may request information from the regulated entity to verify and substantiate the matters in the statement of compliance. The SPF enables the operator of an SPF EDR scheme to refer any false or misleading information within the statement to an SPF regulator for investigation where appropriate.

[Schedule 1, item 1, subsection 58DD(1)]

1.283 Knowingly providing false or misleading information in the statement of compliance is a criminal offence under the Criminal Code Act 1995.

1.284 An SPF regulator may also obtain a statement of compliance given to a consumer by a regulated entity through its monitoring and investigation powers set out in the Bill or in response to the SPF regulators' request for a scam report. If the SPF regulator considers that there is false or misleading information in the statement, or has concerns about how the regulated entity is complying with its obligations under the SPF, the SPF regulator may take regulatory action, including enforcement action where appropriate.

1.285 Failure to comply with the requirement to give a statement of compliance, including in accordance with the relevant SPF rules, may attract a civil penalty. Subdivision C of Division 6 deals with civil penalty provisions. Further information is set out under the heading 'Division 6 - Enforcing the SPF'.

[Schedule 1, item 1, subsection 58BZDA(3)]

Example 1.10 Statement of compliance requirements, set out in SPF rules, applied to a bank

ABC Bank is a regulated entity in the banking sector. Sector codes have been made for the banking sector, which require banks to confirm payee details before making payments; warn consumers of scam risks when paying new accounts; and issue recall notices as soon as practicable when a consumer reports a scam.
A consumer makes a complaint to ABC Bank relating to a scam. When undertaking IDR, ABC Bank must provide the consumer with a statement of compliance.
SPF rules set out information that must be included in a statement of compliance, which includes requiring a regulated entity to provide information about how it has complied with its SPF obligations that are relevant to the consumer's complaint. For ABC Bank, this may include:

information about when and how ABC Bank provided a warning to a consumer before making a relevant payment to a new payee;
confirming ABC Bank's confirmation of payee technology was operational and performing as expected at the time of making a relevant payment;
information about when ABC Bank issued a recall notice to the receiving bank following a scam report; and
other steps ABC Bank took to prevent, detect and disrupt a scam.

The SPF rules do not require the regulated entity to include information that is commercial in confidence, or that the regulated entity reasonably believes could enable scammers to circumvent its prevention measures.

Publishing information about the rights of SPF consumers

1.286 A regulated entity must make information about the rights of its SPF consumers publicly available. Specifically, the entity must publish information about SPF consumers' rights with respect to the entity's reporting mechanism, IDR mechanism and SPF EDR scheme for which the entity is a member.

[Schedule 1, item 1, subsection 58BZF(1)]

1.287 This will ensure SPF consumers can easily access relevant information to understand their options for dealing with an activity that is or may be a scam and how to make a complaint about the regulated entity's conduct with respect to the SPF.

1.288 Failure to comply with this obligation may attract a civil penalty. Subdivision C of Division 6 deals with civil penalty provisions. Further information is set out under the heading 'Division 6 - Enforcing the SPF'.

[Schedule 1, item 1, subsection 58BZF(2)]

External dispute resolution

1.289 A Treasury Minister may authorise an SPF EDR scheme for the purposes of the SPF and one or more regulated sectors. This may include an existing scheme (such as the AFCA scheme that is authorised under Part 7.10A of the Corporations Act) or a new scheme. More than one SPF EDR scheme may be authorised for the purposes of the SPF - for example, a different SPF EDR scheme for each regulated sector.

[Schedule 1, item 1, section 58DB]

1.290 A regulated entity must not provide a regulated service if it is not a member of an SPF EDR scheme.

[Schedule 1, item 1, subsection 58BZG(1)]

1.291 An EDR mechanism is intended to provide a pathway for redress, including compensation, for an SPF consumer of a regulated service where a regulated entity has not complied with its obligations under the SPF.

1.292 The authorised SPF EDR scheme is intended to offer an independent, impartial and fair mechanism for SPF consumers to escalate their complaints where they are not resolved at the IDR stage or if the IDR outcome is unsatisfactory. It is not intended for SPF consumers to be charged any fee for escalating their complaints to an SPF EDR scheme.

1.293 Although more than one SPF EDR scheme may be authorised, the intention is that a single authorised SPF EDR scheme will cover multiple regulated sectors. In particular, the Minister has announced his intention to authorise AFCA as the single EDR scheme for the initially designated sectors.

1.294 This will provide SPF consumers with a straightforward path to EDR where multiple regulated entities are involved in a single complaint, and therefore lower the administrative burden for both SPF consumers and regulated entities compared to if multiple SPF EDR schemes were available for a particular complaint. This is also intended to ensure consistency in the experience of SPF consumers and in the consideration of complaints.

1.295 A regulated entity that is a member of an SPF EDR scheme must give reasonable assistance to, and cooperate with, the operator of the scheme. The entity must do so regardless of whether the entity is subject to a complaint under the scheme.

[Schedule 1, item 1, subsection 58BZG(2)]

1.296 This requirement to cooperate with the operator of the SPF EDR scheme includes:

giving effect to any determination made by the operator in relation to the complaint; and
identifying, locating and providing to the operator any documents and information that it reasonably requires for the purposes of resolving the complaint within a reasonable time.

1.297 Failure to comply with the EDR obligations, including any relevant obligations in the SPF code for the regulated sector, may attract a civil penalty. Subdivision C of Division 6 deals with civil penalty provisions. Further information is set out under the heading 'Division 6 - Enforcing the SPF'.

[Schedule 1, item 1, subsections 58BZG(3) and (4)]

Sector-specific obligations relating to SPF Principle 6: Respond

1.298 An SPF code may be made for a regulated sector setting out detailed, sector-specific obligations consistent with this SPF principle. An SPF code may include, for example, sector-specific provisions setting out:

conditions that must be met for the reporting mechanism;
conditions (such as standards and requirements) that must be met for the IDR mechanism;
obligations that must be met in relation to an SPF EDR scheme.

[Schedule 1, item 1, section 58BZH]

1.299 For example, the SPF codes may contain requirements about the type of information that the regulated entity must include in its reporting form, such as contact details used by the scammer, the type of scam or outcome of the scam.

1.300 These requirements are better suited to SPF codes because they may vary between regulated sectors, and because a code can be updated quickly in response to changes in scam trends in a particular sector.

1.301 In relation to the conditions that must be met for the IDR mechanism, the SPF code may set out the timeframes for responding to a complaint, requirements for regulated entities to engage and cooperate with other relevant parties (including other regulated entities) during the IDR process, record-keeping obligations and obligations relating to the process to escalate a complaint beyond IDR.

1.302 For example, the SPF codes may set out mandatory maximum periods for regulated entities to provide an IDR response to complaints. This could include different timeframes depending on the complexity of a complaint or the particular sector.

1.303 As the Treasury Minister may authorise more than one EDR scheme for the purposes of the SPF, it is necessary that the SPF codes are able to set out requirements on regulated entities relating to the relevant EDR scheme.

Application of the SPF principles

Example 1.11 A scam in the banking sector

ABC Bank is a regulated entity in the banking sector. It has been targeted by a large-scale spoofing scam in which scammers' messages appear in the same SMS thread as the bank's legitimate messages. The scammer impersonates the bank to deceive the consumer into authorising a transfer of money from the consumer's account to another account, by asking the consumer to provide the one-time passcode that authorises the transfer. For the purposes of the example, there is not yet an SPF code made for the sector.
While obligations will also apply to the telecommunications provider in relation to this activity, this example focuses on how ABC Bank may meet its obligations under the SPF. ABC Bank will not have contravened its obligations merely because the scam activity is occurring using its service; rather, it will be found to have breached its obligations if it failed to take reasonable steps in the circumstances. Without setting out an exhaustive list of reasonable steps under each obligation, examples of steps the entity may be expected to take are set out below:

Prevent: ABC Bank publishes a warning on its website in relation to this scam and the steps it is taking to protect consumers. This warning clearly communicates that ABC Bank will never ask a consumer for their one-time passcode so consumers can easily identify scam activity. ABC Bank works with its telecommunications provider to better protect its SMS Alphanumeric Tag so that scammers are unable to impersonate it.
Detect: ABC Bank takes steps to investigate consumer reports and trace actionable scam intelligence received within 28 days.
Report: ABC Bank shares actionable scam intelligence as prescribed by the SPF rules in relation to the SMS and bank accounts used by the scammer, identified through reports by consumers, with the SPF general regulator.
Disrupt: ABC Bank declines to process high-value transfers immediately and contacts the consumer to understand the nature of the transaction before authorising the payment. It also displays a visible warning in its apps and online banking services before consumers finalise a payment, to disrupt the scam attempt.

Example 1.12 A scam in the telecommunications sector
XYZ Mobile is a regulated entity in the telecommunications sector providing services as a carriage service provider. It receives information from the SPF general regulator that consumer reports indicate that a significant number of impersonation scams are being received by its customers.
XYZ Mobile will not have contravened its obligations merely because the scam activity is occurring and affecting its customers; rather, it will be found to have breached its obligations if it failed to take reasonable steps in the circumstances. Without setting out an exhaustive list of reasonable steps under each obligation, examples of steps the entity may be expected to take are set out below:

Prevent: XYZ Mobile makes information available on its website about an increase in scam activity observed and provides updated information on what steps it is taking to manage scam activity.
Detect: XYZ Mobile strengthens mechanisms to detect recent abnormally high volumes of traffic from a service provider and traces the originating point of spoofed phone calls.
Report: XYZ Mobile shares information about any consumer reports received in relation to scam activity to the SPF general regulator.
Disrupt: Where XYZ Mobile has formed a reasonable view that it has detected a number being used for scam calls, it blocks those numbers.

Example 1.13 A scam in the digital platforms sector
FriendZone is a regulated social media service provided by FriendZone Ltd as the regulated entity under the SPF. FriendZone receives an increase in consumer reports relating to fraudulent advertisements on its service for cryptocurrency investment schemes. Upon examination, the cryptocurrency is non-existent, and the advertisement involves deceiving victims to enter their personal details on a fake exchange platform.
FriendZone will not have contravened its obligations merely because the scam activity is occurring using its service; rather, it will be found to have breached its obligations if it failed to take reasonable steps in the circumstances. Without setting out an exhaustive list of reasonable steps under each obligation, examples of steps the entity may be expected to take are set out below:

Prevent: FriendZone has additional identity verification for accounts looking to post advertisements on its service. FriendZone makes information available to consumers about an increase in fraudulent investment advertisements in their feed and steps they can take to stay vigilant.
Detect: FriendZone scans its systems using algorithms to identify suspicious businesses and account holders involved in cryptocurrency advertisements. It takes steps to investigate the actionable scam intelligence received through consumer reports within 28 days.
Report: FriendZone shares actionable scam intelligence about the fraudulent accounts reported by consumers with the SPF general regulator.
Disrupt: FriendZone suspends reported fraudulent advertisements and associated accounts for a period of 28 days while undertaking investigative action to verify the nature of those advertisements. Any verified scam advertisements are removed, and disruptive action is unwound for any legitimate advertisements and accounts identified within the 28-day period.

Division 3 - Sector-specific SPF codes

1.304 The simplified outline in Division 3 provides that:

A Treasury Minister may make an SPF code for each regulated sector.
Each SPF code is to include sector-specific provisions relating to the SPF principles, other than SPF Principle 4: Report.
Requirements in a code can be civil penalty provisions. The relevant SPF sector regulator will monitor, investigate and enforce compliance with these provisions. Division 6 sets out remedies for non-compliance.

[Schedule 1, item 1, section 58CA]

1.305 A Treasury Minister may by legislative instrument make an SPF code for a regulated sector.

[Schedule 1, item 1, section 58CB]

1.306 These SPF codes are intended to support the SPF principles that underpin the framework to prevent and respond to scams impacting SPF consumers. However, the SPF is designed to operate even if an SPF code is not made for a regulated sector, as the overarching SPF principles will generally apply when an entity becomes a regulated entity.

1.307 SPF codes will be subject to sunsetting and Parliamentary scrutiny through the disallowance process.

1.308 An SPF code must:

be consistent with the SPF principles;
only deal with the themes or matters covered by the following SPF principles: governance, prevent, detect, disrupt, and respond; and
if applicable, include provisions about matters prescribed by the SPF rules.

[Schedule 1, item 1, subsection 58CC(1)]

1.309 An SPF code is expected to set out detailed obligations that are specific to a regulated sector. This recognises the differing roles each regulated sector has in the broader scams ecosystem and the unique scams-related challenges faced by regulated entities in different sectors.

1.310 Subordinate legislation is necessary to impose sector specific obligations to effectively prevent scam activity. These obligations may be technical and detailed in nature to address the different kinds of behaviours exhibited by scam perpetrators in the specific sector, and are therefore more suited to subordinate legislation. For example, SPF code obligations may include prescriptive obligations on banks to undertake certain authorisation and authentication steps when a higher-risk transaction is undertaken by an SPF consumer.

1.311 The Bill places an important constraint on what may be included in an SPF code, namely that obligations contained in an SPF code must be consistent with, and only deal with the themes and matters in the SPF principles (other than SPF Principle 4: Report). In addition, SPF codes and any amendments to those codes will be informed by consultation with relevant stakeholders, as required by the Bill, and will also be subject to sunsetting and Parliamentary scrutiny through the disallowance process.

1.312 It is also important that obligations that are imposed on regulated entities continue to address the behaviours of scammers as they evolve. The flexibility of amending an SPF code, balanced with the restrictions on what may be in an SPF code, will support the ability of the SPF to address the fluid nature of scam activity.

1.313 There may also be circumstances where the provisions of an SPF code only apply to certain regulated entities within the sector. For example, different obligations may apply to regulated entities that sit at different stages of the supply chain: an SPF code for the telecommunications sector may set out different obligations for carriage service providers and transit carriers, given their different roles in the supply chain.

1.314 The SPF code obligations will generally only create minimum standards for that sector, which an entity may be required to go beyond to comply with the SPF principles. Accordingly, compliance with relevant provisions of an SPF code is relevant to, but not determinative of, whether a regulated entity has taken reasonable steps for the purposes of an SPF principle (see section 58BB for the meaning of reasonable steps).

1.315 Under the Attorney-General's Department's Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers, serious pecuniary penalties are most appropriately placed in primary Acts of Parliament rather than subordinate legislation. While the SPF codes may include obligations that are civil penalty provisions, the maximum penalty that can be ordered for a contravention of such a provision has been placed in the primary law. As such, the amendments broadly meet the principles set out in the Guide.

1.316 An SPF code may also deal with related or incidental matters, including (but not limited to):

provisions relating to only certain types of regulated services for the sector;
provisions relating to only certain kinds of SPF consumers of regulated services for the sector;
circumstances where persons are relieved from compliance with SPF requirements that would otherwise apply to them;
provisions that confer powers on the SPF sector regulator or on another person (subject to the constraint that SPF code provisions must be consistent with the SPF principles);
provisions that depend on the SPF sector regulator being satisfied of one or more specified matters;
the internal review processes that persons acting under the SPF code must establish and have in place or for making applications to the Administrative Review Tribunal;
the manner in which persons or bodies may exercise powers or must meet the requirements under the SPF code. For example, requiring the use of a form approved by the SPF sector regulator or SPF general regulator;
whether a regulated entity for the sector may charge a fee, the manner in which the fee may be charged, the time in which a fee can be paid and how the fee needs to be communicated (including how notice may be given to the person that is required to pay the fee);
provisions that require an agent of a regulated entity to do or not do specific things when acting on behalf of the regulated entity and within the scope of the agent's actual or apparent authority;
provisions that authorise a regulated entity for the sector to use or disclose SPF personal information to the extent necessary to comply with the entity's obligations under the code; and
any other matters that the provisions in Part IVF provide may be included or dealt with in the SPF code.

[Schedule 1, item 1, subparagraph 58CC(1)(b)(ii) and subsection 58CC(2)]

1.317 Provisions of the SPF code may be civil penalty provisions (within the meaning of the Regulatory Powers Act).

[Schedule 1, item 1, subsection 58CC(3)]

1.318 An SPF code may make provisions that apply, adopt, or incorporate other instruments or writing in force at a particular time or from time to time. This is necessary to ensure that where there are existing scam prevention frameworks already in place for a particular sector, they can be brought into the SPF to ensure that the new obligations under the SPF apply alongside and in respect of those existing frameworks. This ability to incorporate other documents in writing is explicitly provided for in the primary law, to ensure subsection 14(2) of the Legislation Act 2003 does not prevent this effect.

[Schedule 1, item 1, subsections 58CC(4) and (5)]

1.319 The Treasury Minister's power to make an SPF code may be delegated in writing to another Minister, the ACCC, or the entity that is, or will be, the SPF sector regulator.

[Schedule 1, item 1, section 58CD]

1.320 This delegation may be exercised where the Treasury Minister considers that another Minister or another regulator has the necessary industry knowledge, understanding and information to best address scams in that sector and to make an appropriate SPF code. Some sectors will have regulators that have experience monitoring and enforcing comparable regulatory regimes to the SPF who will also have the capability to develop an SPF code for that sector. They may also have strong stakeholder relationships and industry expertise that could be leveraged during the instrument development process. For example, the telecommunications industry is already regulated by ACMA, and it may be appropriate for the delegation to be made to ACMA with respect to the telecommunications sector.

Division 4 - External dispute resolution

1.321 The simplified outline in Division 4 provides that:

One or more EDR schemes may be authorised for dealing with complaints about scams in designated sectors.
An existing EDR scheme such as AFCA could be authorised, or new schemes could be developed and authorised.

[Schedule 1, item 1, section 58DA]

1.322 A key component of the SPF is the availability of EDR to resolve disputes relating to scams that could not be satisfactorily resolved through IDR, and to provide pathways for redress where regulated entities have not met their SPF obligations.

1.323 The amendments provide that a Treasury Minister may, by legislative instrument, authorise an EDR scheme, called an SPF EDR scheme, for the purposes of the SPF and for one or more regulated sectors. This may include an existing scheme or a new scheme.

[Schedule 1, item 1, section 58DB]

1.324 A regulated entity must not provide a regulated service if they are not a member of an SPF EDR scheme authorised by the Treasury Minister for their regulated sector.

[Schedule 1, item 1, subsection 58BZG(1)]

1.325 More than one EDR scheme may be authorised under the SPF. However, the intention is that the AFCA scheme (within the meaning of the Corporations Act) will be authorised as the single SPF EDR scheme for the three initially designated sectors.

1.326 Having the AFCA scheme as the single SPF EDR scheme ensures SPF consumers in these sectors have access to a straightforward, 'single door', free and fair complaints resolution mechanism for their scams-related complaints. This will lower the administrative burden for consumers and regulated entities, as multiple SPF EDR schemes will not need to be involved in a single complaint involving multiple regulated entities across different sectors. A single scheme is also intended to ensure consistency in consumers' experiences accessing EDR under the SPF and in the consideration of complaints.

Authorisation of an EDR scheme

1.327 A Treasury Minister may, by legislative instrument, authorise an SPF EDR scheme for the purposes of the SPF and one or more regulated sectors if:

the scheme is already authorised under a Commonwealth law for another purpose; or
the Minister is satisfied that the requirements prescribed by the SPF rules are met by the scheme.

[Schedule 1, item 1, subsection 58DB(1)]

1.328 This instrument will be subject to sunsetting and Parliamentary scrutiny through the disallowance process.

1.329 Before authorising a scheme, the Minister must consider the accessibility, independence, fairness, accountability, efficiency and effectiveness of the scheme, and any other matters the Minister considers relevant. However, failure to consider these matters does not invalidate the instrument authorising the scheme. This provides certainty for regulated entities that undertake investment and preparatory work in anticipation of a particular EDR scheme being authorised and limits the risk of unnecessary expenditure by those entities.

[Schedule 1, item 1, subsection 58DB(2)]

1.330 In accordance with subsection 33(3) of the Acts Interpretation Act 1901, the Minister may also vary and repeal the authorising instrument.

[Schedule 1, item 1, note 2 to subsection 58DB(1)]

1.331 The Minister may specify conditions relating to the authorisation of the SPF EDR scheme in the instrument authorising the scheme. For example, a condition may be that the operator of the SPF EDR scheme is required to consider specified guidelines for apportioning liability arising from the complaint at EDR, where there is more than one regulated entity that has breached its obligations under the SPF. If such a condition is prescribed, the intention is these guidelines will mirror the guidelines that may be prescribed by the SPF rules for apportioning liability at the IDR stage, where appropriate.

[Schedule 1, item 1, subsection 58DB(3)]

1.332 If the Minister chooses to authorise a new SPF EDR scheme, the Minister must set out the details of the scheme in the legislative instrument which authorises that scheme.

[Schedule 1, item 1, subsection 58DB(4)]

1.333 More than one SPF EDR scheme may be authorised under the SPF. The Minister may also authorise an SPF EDR scheme that applies to one or more regulated sectors.

[Schedule 1, item 1, subsection 58DB(5)]

1.334 However, the Minister is expected to authorise the AFCA scheme (within the meaning of the Corporations Act) as the single SPF EDR scheme for the three initial sectors that will be designated to be regulated sectors under the SPF. The AFCA scheme is authorised under Part 7.10A of the Corporations Act and is overseen by ASIC. If the Minister chooses to authorise the AFCA scheme as the SPF EDR scheme for one or more regulated sectors, all of ASIC's existing functions and powers to oversee the AFCA scheme under Part 7.10A of the Corporations Act (for example, section 1052A of that Act) will apply to regulate the scheme for the purposes of the SPF and those sectors.

[Schedule 1, item 1, note 1 to subsection 58DB(1)]

1.335 The Minister may authorise a new SPF EDR scheme for the purposes of the SPF and one or more regulated sectors if the Minister is satisfied that the requirements prescribed by the SPF rules are met by the scheme.

[Schedule 1, item 1, paragraph 58DB(1)(b)]

1.336 The SPF rules may prescribe the following requirements for a new SPF EDR scheme:

organisational requirements for membership of the scheme;
requirements for the operator of the scheme;
requirements for how the scheme is to operate;
requirements to be complied with by members of the scheme; and
requirements for making changes to the scheme.

[Schedule 1, item 1, subsection 58DC(1)]

1.337 For example, the SPF rules may require that the complaints mechanism under the scheme is appropriately accessible, that appropriate expertise is available to deal with complaints, or that determinations made by the operator of the new SPF EDR scheme be binding on members of the scheme but not binding on complainants under the scheme.

1.338 The instrument authorising a new SPF EDR scheme may also deal with the following matters:

powers of one or more of the Minister, an SPF regulator, or a Commonwealth entity within the meaning of the PGPA Act under the scheme;
powers of the scheme's operator under the scheme, including powers to seek information, make determinations of complaints and make determinations imposing financial and non-financial remedies;
appeals to the Federal Court of Australia from determinations by the scheme's operator;
information sharing and reporting;
a provision that depends on the scheme's operator or another person being satisfied of one or more specified matters; and
provisions about any other matters that provisions of the SPF provide may be specified, or otherwise dealt with, in the scheme.

[Schedule 1, item 1, paragraphs 58DC(2)(a) to (e) and (g)]

1.339 In relation to dealing with appeals to the Federal Court, it is not intended that determinations made by the SPF EDR scheme operator would be subject to appeals to the Federal Court of Australia. This provision allows the Minister to set this out in the legislative instrument authorising a new SPF EDR scheme. Importantly, this does not limit an SPF consumer's right to take action in court for loss or damage they have suffered from an entity's breach of the SPF.

1.340 Such an instrument may also include provisions about the manner in which the scheme's operator may charge a fee under the scheme, the time for paying a fee and giving notice of, or publicising, a fee or matters about a fee. For example, the scheme may require that the operations of an SPF EDR scheme be financed through fees charged to members of the scheme. It is not intended that such a scheme would ever require SPF consumers to be charged a fee to submit a complaint to the scheme.

[Schedule 1, item 1, paragraph 58DC(2)(f)]

1.341 Prescribing certain kinds of provisions in the SPF rules does not automatically include those provisions in any new SPF EDR scheme. The SPF rules can only prescribe provisions that can be validly included in the instrument authorising a new SPF EDR scheme. Allowing the SPF rules to prescribe matters that a new SPF EDR scheme may deal with is necessary as the relevant SPF EDR scheme may vary depending on the regulated sector.

Reporting obligations

1.342 Under the SPF, the operator of an SPF EDR scheme has certain obligations to report to SPF regulators.

1.343 The operator of an SPF EDR scheme must give particulars of a matter to the SPF general regulator and the SPF sector regulator for the sector, if the operator becomes aware that:

a serious contravention of any law may have occurred in connection with a complaint under the scheme; or
a party to a complaint under the scheme may have failed to give effect to a determination by the operator relating to the complaint (including a refusal to give effect to that determination); or
there is a systemic issue arising from the consideration of complaints under the scheme.

[Schedule 1, item 1, subsection 58DD(1)]

1.344 If the matter relates to multiple entities in different sectors, the operator of an SPF EDR scheme must provide particulars of the matter to each of the relevant SPF sector regulators, as well as the SPF general regulator.

1.345 In relation to serious contraventions of law, this reporting requirement is intended to relate to laws that are relevant to the complaint made to the SPF EDR scheme, rather than necessarily a contravention of any law. At a minimum, the operator of the SPF EDR scheme must report serious contraventions of SPF provisions. However, other laws, such as the privacy law or corporations law, may also be relevant to the subject matter and circumstances of the complaint. The operator of the SPF EDR scheme should consult with the SPF general regulator and the SPF sector regulator for the sector (as appropriate) if it is unsure about whether or not to refer a particular matter.

1.346 If the parties to a complaint made to an SPF EDR scheme for a regulated sector agree to settle a complaint, and the operator of the scheme thinks the settlement may require investigation, the operator may give particulars of the settlement to the SPF general regulator and to the SPF sector regulator for the sector. This may include providing particulars to multiple SPF sector regulators if the settlement relates to multiple entities in more than one sector.

[Schedule 1, item 1, subsection 58DD(2)]

1.347 The matters that may be relevant for the operator of the SPF EDR scheme to consider in deciding whether a settlement requires regulatory investigation include where:

the settlement precludes an SPF consumer from referring a complaint to an SPF regulator, lodging further action or taking other action in relation to matters that are not subject to the complaint; or
the settlement was offered on onerous or unjust terms, or entered into as a result of duress or misrepresentation.

1.348 If these reporting obligations require the operator of the SPF EDR scheme to give any SPF personal information, the operator must de-identify that information unless the operator reasonably believes that doing so would not achieve the object of the SPF.

[Schedule 1, item 1, subsection 58DD(3)]

Information sharing

1.349 The amendments also provide for information sharing from SPF regulators to the operator of an SPF EDR scheme, to ensure the scheme can operate efficiently and effectively.

1.350 An SPF regulator may disclose information to the operator of an SPF EDR scheme for the purposes of enabling or assisting the operator to perform any of the operator's functions or powers. Any SPF personal information disclosed must be de-identified unless the SPF regulator reasonably believes that doing so would not achieve the object of the SPF, which is to prevent and respond to scams impacting SPF consumers.

[Schedule 1, item 1, subsections 58DE(1) and (3)]

1.351 An SPF regulator may impose conditions to be complied with by the operator in relation to the information. For example, the SPF regulator may require the operator to observe any confidentiality requirements that apply to the information or require the operator to disclose information to an SPF consumer and regulated entity who are participating in EDR.

[Schedule 1, item 1, subsection 58DE(2)]

Division 5 - Regulating the SPF

1.352 The simplified outline in Division 5 provides that:

The ACCC, as the SPF general regulator, is the regulator of most aspects of the SPF, including the overarching principles.
Commonwealth entities may be selected to be regulators of each of the SPF codes (SPF sector regulators).
The SPF general regulator must enter into arrangements with the SPF sector regulators about the regulation and enforcement of the SPF.
The regulators may share information and documents about the regulation and enforcement of the SPF.

[Schedule 1, item 1, section 58EA]

1.353 The SPF will be administered and enforced through a multi-regulator framework comprising an SPF general regulator and SPF sector regulators.

1.354 The multi-regulator model is intended to deliver a whole-of-ecosystem approach to the administration and enforcement of the SPF. This approach will support and harness each regulator's mandate and leverage existing supervision, surveillance and enforcement frameworks already established by regulators.

1.355 The multi-regulator model also recognises existing regulatory relationships and the existing roles and expertise various regulators have across the scams ecosystem.

1.356 The ACCC is the SPF general regulator, responsible for monitoring compliance and administering the SPF, in particular, the SPF principles.

1.357 Commonwealth entities with regulatory functions may be selected to be an SPF sector regulator for an SPF code. The ACCC may also be selected to be the SPF sector regulator. If no other entity is selected, the ACCC will be the SPF sector regulator for an SPF code. SPF sector regulators are responsible for administering and taking enforcement action for breaches of an SPF code.

1.358 To support the multi-regulator framework, the amendments provide for:

delegation of the SPF general regulator's functions and powers to SPF sector regulators;
arrangements between SPF regulators concerning the regulation and enforcement of the SPF;
information sharing between SPF regulators, where relevant to the operation (including enforcement) of the SPF;
a suite of investigation, monitoring and enforcement powers available to SPF regulators; and
the power for a Treasury Minister to declare alternative powers (monitoring and investigation powers) apply for an SPF sector regulator.

Regulators of the SPF

SPF general regulator

1.359 The ACCC is the SPF general regulator.

[Schedule 1, item 1, subsection 58EB(1)]

1.360 The SPF general regulator's role in overseeing the SPF provisions across all regulated sectors will support an ecosystem wide approach to the administration and enforcement of the SPF. This is particularly important given the cross-sectoral nature of scam activity. This approach also enables a sector to be brought within the SPF before there is an SPF code or SPF sector regulator designated for the sector.

1.361 The ACCC, in its capacity as the SPF general regulator, has the following functions and powers:

reviewing and advising the Treasury Minister about the operation of the SPF provisions;
the ACCC's functions and powers under section 155 of the CCA (which concerns the power to obtain information, documents and evidence) to the extent that section 155 relates to:
- SPF provisions (other than provisions of SPF codes); or
- a 'designated scams prevention framework matter' (within the meaning of that section), other than the performance or exercise of a function or power conferred by or under an SPF code;

developing and publishing non-binding guidance and material relating to the SPF provisions (other than provisions of SPF codes); and
the functions and powers of the SPF general regulator conferred by any other SPF provisions (for example, powers under the Regulatory Powers Act conferred by an SPF provision).

[Schedule 1, item 1, subsection 58EB(2)]

1.362 The SPF general regulator may also monitor and supervise compliance with the SPF provisions through undertaking activities such as thematic reviews, and undertaking investigation and enforcement of breaches of the SPF in the following circumstances:

where there has not been a breach of an SPF code, but a regulated entity has breached an obligation in the overarching SPF provisions (such as the SPF principles);
where an SPF sector regulator refers a matter to the SPF general regulator to take action;
where the SPF general regulator considers enforcement action under the CCA is appropriate (such as in cases of suspected systemic or cross-sectoral breaches).

1.363 A 'designated scams prevention framework matter' in section 155 of the CCA is a reference to the performance of a function, or the exercise of power, conferred on the ACCC as the SPF general regulator by or under Part IVF of the CCA (introduced by the Bill), legislative instruments (such as an SPF code) made under the CCA for the purposes of Part IVF, or the Regulatory Powers Act to the extent that it applies in relation to provisions of Part IVF.

[Schedule 1, item 11, subsection 155(9AC)]

Delegation by the ACCC (the SPF general regulator)

1.364 To ensure the effective regulation of regulated sectors, the amendments permit the ACCC, or a member of the ACCC, to delegate their respective functions and powers to certain persons.

1.365 Specifically, the ACCC may, by resolution, delegate its functions and powers (as the SPF general regulator) under SPF provisions and under section 155 of the CCA (as described in paragraph 58EB(2)(b)). A member of the ACCC may also delegate, by writing, any of the member's functions and powers under section 155 to the extent that section relates to SPF provisions (other than provisions of SPF codes) or a 'designated scams prevention framework matter' (within the meaning of section 155), other than the performance or exercise of a function or power conferred by or under an SPF code.

[Schedule 1, item 1, subsections 58EC(1) and (2)]

1.366 However, the delegation may only be to any of the following persons:

a person who is an employee of the ACCC who is an SES employee (or acting SES employee), or holds or performs the duties of an Executive Level 1 or 2 position, if the ACCC is satisfied that person has the appropriate qualifications, training, skills or experience;
an SPF sector regulator;
a member of an SPF sector regulator;
an employee of an SPF sector regulator who holds or performs the duties of a position that is equivalent to an SES employee (or acting SES employee) or Executive Level 1 or 2 position.

[Schedule 1, item 1, paragraphs 58EC(3)(b) to (e)]

1.367 The ACCC may also delegate the above mentioned powers and functions to a member of the ACCC.

[Schedule 1, item 1, paragraph 58EC(3)(a)]

1.368 The ability to delegate the SPF general regulator's powers and functions to an SPF sector regulator supports an efficient and comprehensive approach to the operation of the multi-regulator model. It also recognises that in certain circumstances, it may be more appropriate for an SPF sector regulator to take forward enforcement action for a breach of the overarching SPF principles. This may occur, for example, where an SPF sector regulator is taking forward enforcement action for related misconduct and breaches across other areas of law, and it is more efficient to pursue all breaches for related misconduct collectively. It may also occur where it is determined that there are separate breaches of both the SPF principles and SPF code provisions. This will enable one regulator to take forward enforcement action against a regulated entity, where appropriate, rather than multiple regulators.

1.369 However, a delegation by the ACCC or a member of the ACCC must not be made to an SPF sector regulator or a member or employee of an SPF sector regulator unless the relevant SPF sector regulator has agreed to the delegation in writing.

[Schedule 1, item 1, paragraph 58EC(4)(a)]

1.370 If the delegation is to an employee of an SPF sector regulator, that SPF sector regulator must also be satisfied that the person has appropriate qualifications, training, skills or experience to perform or exercise the functions or powers.

[Schedule 1, item 1, paragraph 58EC(4)(b)]

1.371 In performing or exercising any functions or powers under a delegation, the delegate must comply with any directions of the delegator (being either the ACCC or a member of the ACCC).

[Schedule 1, item 1, subsection 58EC(5)]

SPF sector regulators

1.372 The amendments provide for the designation of a Commonwealth entity with existing regulatory functions to be an SPF sector regulator for an SPF code for a regulated sector. This recognises existing regulatory relationships, and the roles and expertise regulators have across the ecosystem.

1.373 SPF sector regulators will be responsible for monitoring compliance with SPF codes and pursuing enforcement actions for suspected breaches. SPF regulators may share information on their regulatory activities in relation to the administration of SPF codes with the SPF general regulator, and in some cases, other SPF sector regulators.

1.374 A Treasury Minister may, by legislative instrument, designate a Commonwealth entity (within the meaning of the PGPA Act) that is already conferred functions by or under a law, to be the SPF sector regulator for a regulated sector. Designation of an SPF sector regulator for a regulated sector may be included in the same instrument as the instrument designating the regulated sector, or the SPF code for the regulated sector.

[Schedule 1, item 1, subsection 58ED(1)]

1.375 This instrument will be subject to sunsetting and Parliamentary scrutiny through the disallowance process.

1.376 For example, the Minister may designate telecommunications services to be a regulated sector under the SPF, and designate ACMA to be the SPF sector regulator for that sector, in either the same or separate instruments. Consequently, any SPF code made for the telecommunications sector will be regulated and enforced by ACMA. The ACCC will continue to regulate the telecommunications sector in relation to the SPF principles, and any other SPF provisions not in SPF codes, that apply to the sector. Similarly, the Minister may designate banking services to be a regulated sector under the SPF and designate ASIC to be the sector regulator for that sector.

1.377 The ACCC is the SPF sector regulator for a regulated sector if, and while, there is no Commonwealth entity designated as the SPF sector regulator for the sector. The ACCC may also be designated to be the SPF sector regulator for a regulated sector.

[Schedule 1, item 1, subsection 58ED(2)]

1.378 The functions and powers of the SPF sector regulator for a regulated sector include those conferred by the SPF code for the sector or any other SPF provisions (for example, powers under the Regulatory Powers Act as conferred by an SPF provision).

[Schedule 1, item 1, paragraph 58ED(3)(a) and (b)]

1.379 If the SPF sector regulator is the ACCC, the SPF sector regulator also has the ACCC's functions and powers under section 155 (which concerns the power to obtain information, documents and evidence). However, only to the extent that section relates to the provisions of the SPF code for the sector or a 'designated scams prevention framework matter' (within the meaning of that section) involving the performance or exercise of a function or power conferred by or under the SPF code for the sector.

[Schedule 1, item 1, paragraph 58ED(3)(c)]

1.380 If the SPF sector regulator is not the ACCC, the functions and powers of the SPF sector regulator include the monitoring and investigation functions and powers set out in Division 6.

[Schedule 1, item 1, note to subsection 58ED(3)]

1.381 A Treasury Minister may, in writing, delegate the power to designate a Commonwealth entity to be an SPF sector regulator for a regulated sector to another Minister. Sections 34AA to 34A of the Acts Interpretation Act 1901 contain relevant provisions relating to delegations.

[Schedule 1, item 1, subsection 58ED(4)]

Delegation by an SPF sector regulator

1.382 An SPF sector regulator may by writing delegate any of the SPF sector regulator's functions and powers under an SPF provision (other than a provision of the Regulatory Powers Act). Where the SPF sector regulator is the ACCC, the ACCC's functions and powers under section 155 as described in paragraph 58ED(3)(c) may also be delegated.

[Schedule 1, item 1, subsection 58EE(1)]

1.383 If the ACCC is the SPF sector regulator, a member of the ACCC may also by writing delegate any of the member's functions and powers under section 155 as described in paragraph 58ED(3)(c).

[Schedule 1, item 1, subsection 58EE(2)]

1.384 The delegation may be to a member of the SPF sector regulator, or to a person who is an employee of the SPF sector regulator who is an SES employee (or acting SES employee), holds or performs the duties of an Executive Level 1 or 2 position, or otherwise holds or performs the duties of an equivalent position. Before making the delegation, the SPF sector regulator must be satisfied the person has appropriate qualifications, training, skills or experience to perform or exercise the functions or powers.

[Schedule 1, item 1, subsection 58EE(3)]

1.385 However, where the SPF sector regulator is the ACCC, a member of the ACCC cannot delegate their functions and powers to another member of the ACCC.

[Schedule 1, item 1, subsection 58EE(2)]

1.386 The delegate must comply with any directions of the delegator when performing or exercising any of the functions or powers under a delegation.

[Schedule 1, item 1, subsection 58EE(4)]

1.387 An SPF sector regulator's functions or powers under the Regulatory Powers Act may be delegated in specified circumstances where provided in a provision of Division 6. This includes, for example, subsection 58FF(4), which relates to investigating compliance with an SPF code.

[Schedule 1, item 1, note to subsection 58EE(1)]

Arrangements between SPF regulators

1.388 The ACCC, as the SPF general regulator, and each SPF sector regulator must enter into an arrangement relating to the regulation and enforcement of the SPF provisions.

[Schedule 1, item 1, subsection 58EF(1)]

1.389 Arrangements between the SPF general regulator and SPF sector regulators are intended to support the efficient operation of the multi-regulator model.

1.390 These arrangements are required to manage the risks associated with a multi-regulator model, including unclear roles and responsibilities, an inconsistent regulatory and enforcement approach and duplication in regulatory or enforcement action. These arrangements are intended to establish clear roles and responsibilities and mechanisms to facilitate effective cooperation between regulators. They may also set out agreed priorities for the administration and enforcement of the SPF to support coordinated and targeted action.

1.391 The ACCC may enter into a single arrangement with all, or one or more, SPF sector regulators, or a separate arrangement with each SPF sector regulator. This requirement does not apply to the extent the ACCC is also the SPF sector regulator for a regulated sector.

[Schedule 1, item 1, subsection 58EF(2)]

1.392 The arrangement must include provisions relating to the matters prescribed by the SPF rules, if any. This is intended to ensure that the arrangement deals with all matters relevant to the regulation of the SPF, to ensure effective and efficient regulation by the SPF regulators.

[Schedule 1, item 1, subsection 58EF(3)]

1.393 For example, the SPF rules could require an SPF regulator to notify other SPF regulators of any requests for scam reports made to a regulated entity and require the requesting regulator to share a copy of the scam report with other regulators on request. The details of how the SPF regulators will carry out this requirement may be agreed between the regulators.

[Schedule 1, item 1, note to subsection 58EF(3)]

1.394 To provide flexibility to the SPF regulators as to the specific arrangements that may suit them best, it is not intended that the SPF rules will prescribe how the SPF regulators are to agree on those matters or what kind of arrangement the SPF general regulator must enter into with each SPF sector regulator.

1.395 Each SPF sector regulator that is a party to such an arrangement must publish the arrangement on its website to promote transparency and enable regulated entities to understand the respective SPF regulator's roles and responsibilities.

[Schedule 1, item 1, subsection 58EF(4)]

1.396 These arrangements should be entered into and published as soon as practicable after an SPF sector regulator is designated for a regulated sector.

1.397 A failure to comply with these arrangement requirements does not invalidate the performance of a function or exercise of a power by an SPF regulator. This is to ensure any administrative failings or other instances of non-compliance do not invalidate the general operation and enforcement of the SPF. It also provides certainty to regulated entities regarding the performance of functions or exercise of powers by an SPF regulator, to ensure that enforcement of the SPF is not compromised.

[Schedule 1, item 1, subsection 58EF(5)]

Information sharing between SPF regulators

1.398 The amendments provide for disclosure between the SPF regulators of information or documents relevant to the operation of the SPF. This is intended to support the effective administration and enforcement of the SPF and the practical operation of the multi-regulator model.

1.399 Where information is shared, it is intended to be either for the purpose of notifying another SPF regulator that action is being taken to avoid dual action, or where the information will be acted upon or used in some way to support the relevant SPF regulator's role in administering and enforcing the SPF.

Authorised disclosure

1.400 An SPF regulator may disclose to another SPF regulator particular information or documents, or information or documents of a particular kind, held by the first mentioned SPF regulator that are relevant to the operation (including enforcement) of the SPF provisions. An SPF regulator may make such a disclosure on request or on its own initiative.

[Schedule 1, item 1, subsections 58EG(1) and (2)]

1.401 SPF personal information may be disclosed between SPF regulators. This is appropriate because this information may be necessary for the SPF regulator to carry out its functions and powers under the SPF. Having sufficient information to undertake effective monitoring, investigation and enforcement action with respect to SPF provisions is therefore critical to achieve the object of the SPF, to prevent and respond to scams impacting the Australian community.

[Schedule 1, item 1, subsection 58EG(3)]

1.402 This provision has the effect of authorising disclosure between the SPF regulators for the purposes of the privacy legislation, as well as secrecy provisions in the CCA or other Commonwealth laws that otherwise restrict information sharing. For example, disclosures made under this provision would be authorised by law for the purposes of:

paragraph 155AAA(1)(b) of the CCA in relation to protected information;
section 59DB of the ACMA Act;
subsection 127(2) of the ASIC Act; and
Australian Privacy Principle 6 (see the exception in paragraph 6.2(b) of Schedule 1 to the Privacy Act).

[Schedule 1, item 1, note to subsection 58EG(2)]

1.403 An SPF regulator must have regard to the object of the SPF when deciding whether to make a disclosure under these powers. Arrangements between SPF regulators may also deal with when disclosures should be made.

[Schedule 1, item 1, section 58EH]

1.404 For completeness, an SPF regulator is not required to disclose information or documents that:

concern the internal administrative functioning of the regulator;
disclose a matter in respect of which the regulator or any other person has claimed legal professional privilege; or
are of a kind prescribed in the SPF rules.

[Schedule 1, item 1, section 58EJ]

Notice of use or disclosure not required

1.405 An SPF regulator does not have to notify any person that the regulator plans to make a disclosure or has made a disclosure of information or documents under the SPF, or plans to use or has used information or documents disclosed under the SPF. Further, the SPF regulator does not need to notify any person that the regulator has collected SPF personal information under the SPF.

[Schedule 1, item 1, section 58EI]

1.406 This has the effect of removing procedural fairness from the use or disclosure of information by SPF regulators. This approach is necessary to enable the quick flow of information between SPF regulators and drive efficient and expedient enforcement action. This ensures that any inadequate action by regulated entities in complying with the SPF is promptly addressed. Given the fast-moving nature of scams, timely enforcement action in response to potential breaches of the SPF is critical to prevent and respond to scams impacting SPF consumers.

1.407 Removing notification requirements will also ensure that a suspected scammer, who may be the subject of the SPF personal information, is not given notice that an SPF regulator has become aware of their suspected activities, which could otherwise reasonably prejudice a law enforcement investigation.

Division 6 - Enforcing the SPF

1.408 The simplified outline in Division 6 provides that:

The ACCC, in its role as the SPF general regulator or an SPF sector regulator, may use its powers under the CCA (including section 155) to monitor and investigate compliance with the relevant aspects of the SPF.
If ACMA or ASIC is an SPF sector regulator, it must use powers in its own legislation to monitor and investigate compliance with an SPF code for the sector.
Other SPF sector regulators may monitor and investigate compliance with an SPF code using the powers set out in this Division, or a Treasury Minister may declare that it can use the powers in its own legislation.
The amendments set out the maximum penalties for contraventions of the civil penalty provisions of the SPF by a regulated entity. The amendments create two tiers of contraventions, with a tier 1 contravention attracting a higher maximum penalty than a tier 2 contravention.
The civil penalty regime will be supported by other enforcement tools as an alternative to court proceedings. These include:

- infringement notices;
- enforceable undertakings;
- injunctions;
- actions for damages;
- public warning notices;
- remedial directions;
- adverse publicity orders; and
- other punitive and non-punitive orders.

Some of these remedies may also be available against a person involved in a contravention of the SPF by a regulated entity, such as a senior officer of the regulated entity.

[Schedule 1, item 1, section 58FA]

1.409 The amendments provide SPF regulators with powers to monitor, investigate and enforce compliance with the SPF. Broadly, the powers of the SPF regulators under Division 6 align with existing powers of the SPF regulators or otherwise incorporate by reference Parts of the Regulatory Powers Act.

1.410 Civil penalties are specified within relevant provisions of the new Part. Each penalty reflects the potential seriousness of a contravention of the relevant provision, with the ultimate aim to deter contravention.

1.411 The tiered approach to civil penalties is intended to reflect that higher penalties would be imposed on obligations where breaches would be the most egregious and have the most significant impact on consumers. Higher penalties for those breaches will incentivise compliance and provide a meaningful deterrent to poor behaviour that is not just seen as a cost of doing business. This is particularly important where regulated entities may profit from scammers using their services.

1.412 The enforcement framework of the SPF is consistent with the Attorney-General's Department's Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers. Consistent with this Guide, the enforcement framework is based on existing powers in law, including in the Regulatory Powers Act, the CCA and the Telecommunications Act. In particular, the standard provisions of the Regulatory Powers Act are an accepted baseline of powers required for an effective monitoring, investigation and enforcement regulatory regime, while providing adequate safeguards and protecting important common law privileges.

1.413 The enforcement framework is also set out in the primary law, rather than being left to subordinate legislation. SPF sector regulators will be designated through subordinate legislation, but their enforcement powers are set out in the primary law. Where the ACCC, ACMA or ASIC is the relevant SPF regulator, their monitoring and investigation powers under the SPF are also contained in the primary law.

Appointing an inspector

1.414 An SPF regulator may appoint a person to be an inspector. An inspector has specified powers with respect to monitoring and investigating compliance with the SPF, as well as the power to issue infringement notices for alleged contraventions of the civil penalty provisions of the SPF.

1.415 The term inspector is included in the definitions section of the CCA.

[Schedule 1, item 5, subsection 4(1)]

1.416 An SPF regulator may, in writing, appoint a person who is one of the following to be an inspector of that regulator for the purposes of this Division:

an employee of the regulator who is an SES employee or acting SES employee (or equivalent), or who holds or performs the duties of an Executive Level 1 or 2 position (or equivalent);
a member or special member of the Australian Federal Police.

[Schedule 1, item 1, subsection 58FB(1)]

1.417 However, an SPF regulator must not appoint a person as an inspector unless it is satisfied that the person has the appropriate qualifications, training or skills to exercise the powers of an inspector. Given the key role of inspectors in overseeing compliance with the SPF, this requirement is intended to ensure only suitably experienced and qualified people are appointed as inspectors.

[Schedule 1, item 1, subsection 58FB(2)]

1.418 A person must, in exercising their powers as an inspector, comply with any directions of the SPF regulator that appointed the inspector. These directions must be of an administrative character.

[Schedule 1, item 1, subsection 58FB(3)]

1.419 If an SPF regulator has not appointed an inspector, the SPF regulator itself is the inspector of the SPF regulator for the purposes of Subdivision A of this Division.

[Schedule 1, item 1, subsection 58FB(4)]

Monitoring and investigating compliance with an SPF Code

1.420 The SPF is designed to respond and adapt to evolving areas of scam activity. The legislation therefore allows for the designation of any number of SPF sector regulators, each with differing powers available under their own legislation which have been developed to reflect the various sectors overseen by the regulator.

1.421 The amendments provide a baseline set of powers to any future SPF sector regulator in relation to monitoring, investigating, and enforcing the SPF. This will ensure that any SPF sector regulator has access to adequate investigative and enforcement powers for the purpose of administering the relevant SPF code. This approach supports a flexible and future-proof SPF, and the expansion of the multi-regulator model, if needed, as scam activity shifts.

1.422 The ACCC, ACMA, and ASIC are all expected to be SPF sector regulators. For these regulators, it is intended that they would have access to their existing monitoring and investigation powers under their respective legislation, as those tools are most effective in monitoring and investigating compliance within their respective sectors.

1.423 Where appropriate, a Treasury Minister may declare that alternative monitoring and investigation powers apply to an SPF sector regulator in relation to a specified provision or provisions of the SPF code. The default powers apply unless such a declaration is in force, or the ACCC, ASIC or ACMA is the SPF sector regulator for the sector. The ACCC, ASIC and ACMA will automatically have alternative monitoring and investigation powers under their own respective legislation if they are designated as an SPF sector regulator for a regulated sector.

[Schedule 1, item 1, sections 58FE, 58FF, 58FG and 58FH]

1.424 This type of declaration is expected to be made to enable an SPF sector regulator, where appropriate, to exercise powers under their own legislation for monitoring and investigative purposes. This will allow SPF sector regulators to continue to use established procedures and processes, and will support the efficient monitoring and investigation of compliance of the relevant SPF code. Similarly, regulated entities would also likely be familiar with the sector regulator's existing powers and have established procedures to respond to those powers. Accordingly, the availability of alternative existing powers will enable regulated entities to respond efficiently to an SPF sector regulator's monitoring and investigation activities.

1.425 It is necessary and appropriate for the Minister to have this power as it is most relevant to the designation of an SPF sector regulator for a particular sector. As the SPF is designed to prevent and respond to scams impacting SPF consumers, it is important that these designations and declarations can be made quickly and effectively to respond to the emergence of scams and shifting of scam activity in different sectors.

1.426 Scam activity is fluid and could become more active in a previously untouched sector of the Australian economy. The Ministerial power is appropriate so that compliance with an SPF code can be effectively monitored and investigated by a regulator who may have sector-specific tools available to them that are appropriate to be used in the SPF context. Leveraging existing monitoring and investigation tools of a sector regulator may also reduce compliance costs on industry participants, who will be more familiar with existing regulatory arrangements.

Default monitoring powers

1.427 Default monitoring powers apply for the SPF code for a regulated sector unless the ACCC, ASIC or ACMA is the SPF sector regulator for the sector or a declaration that alternative monitoring powers apply to another SPF sector regulator is in force.

[Schedule 1, item 1, subsection 58FE(1)]

1.428 Each provision of the SPF code is subject to monitoring under Part 2 of the Regulatory Powers Act, including any provision that is not a civil penalty provision. Part 2 of that Act creates a framework for monitoring whether these provisions have been complied with and includes powers of entry and inspection.

[Schedule 1, item 1, subsection 58FE(2)]

1.429 Information given in compliance or purported compliance with the SPF code is subject to monitoring under Part 2 of the Regulatory Powers Act, which creates a framework for monitoring whether the information given is correct. This framework includes powers of entry and inspection.

[Schedule 1, item 1, subsection 58FE(3)]

1.430 The amendments include a range of modifications to the application of Part 2 of the Regulatory Powers Act to ensure they operate effectively in the SPF context. For the purposes of Part 2 of the Regulatory Powers Act, as that Part applies in relation to provisions of an SPF code and the information given in compliance or purported compliance with the SPF code:

there are no related provisions;
the inspector of the SPF sector regulator is an authorised applicant and is an authorised person;
a magistrate is an issuing officer;
the SPF sector regulator is the relevant chief executive; and
the Federal Court, the Federal Circuit and Family Court of Australia (Division 2) and a court of a State or Territory that has jurisdiction in relation to the matter are each a relevant court.

[Schedule 1, item 1, subsection 58FE(4)]

1.431 The relevant chief executive (being the SPF sector regulator) may, in writing, delegate the following powers and functions to an SES employee or acting SES employee of the SPF sector regulator (or to an employee of the SPF sector regulator who holds or performs the duties of an equivalent position):

powers and functions under Part 2 of the Regulatory Powers Act in relation to provisions in the SPF code for the relevant regulated sector and the information given in compliance or purported compliance with that SPF code; and
powers and functions under the Regulatory Powers Act that are incidental to those powers or functions.

[Schedule 1, item 1, subsections 58FE(5) and (6)]

1.432 The relevant chief executive may only make the delegation if they are satisfied that the employee has appropriate qualifications, training, skills or experience to perform or exercise the functions or powers.

[Schedule 1, item 1, subsection 58FE(5)]

1.433 A person exercising powers or performing functions under such a delegation must comply with any directions of the relevant chief executive (being the SPF sector regulator).

[Schedule 1, item 1, subsection 58FE(7)]

1.434 An authorised person (being the inspector appointed by the SPF sector regulator) may be assisted by other persons in exercising those powers or performing those functions or duties as set out above.

[Schedule 1, item 1, subsection 58FE(8)]

Default investigation powers

1.435 Default investigation powers apply for the SPF code for a regulated sector unless the ACCC, ASIC or ACMA is the SPF sector regulator for the sector or a declaration that alternative investigation powers apply to another SPF sector regulator is in force.

[Schedule 1, item 1, subsection 58FF(1)]

1.436 Each civil penalty provision of the SPF code is subject to investigation under Part 3 of the Regulatory Powers Act. Part 3 of that Act creates a framework for investigating whether a provision has been contravened, and includes powers of entry, search and seizure.

[Schedule 1, item 1, subsection 58FF(2)]

1.437 The amendments include a range of modifications to the application of Part 3 of the Regulatory Powers Act to ensure they operate effectively in the SPF context. For the purposes of Part 3 of the Regulatory Powers Act, as that Part applies in relation to evidential material that relates to a civil penalty provision of an SPF code:

there are no related provisions;
the inspector of the SPF sector regulator is an authorised applicant and is an authorised person;
a magistrate is an issuing officer;
the SPF sector regulator is the relevant chief executive; and
the Federal Court, the Federal Circuit and Family Court of Australia (Division 2) and a court of a State or Territory that has jurisdiction in relation to the matter are each a relevant court.

[Schedule 1, item 1, subsection 58FF(3)]

1.438 The relevant chief executive (being the SPF sector regulator) may, in writing, delegate the following powers and functions to an SES employee, or acting SES employee, of the SPF sector regulator (or to an employee of the SPF sector regulator who holds or performs the duties of an equivalent position):

powers and functions under Part 3 of the Regulatory Powers Act in relation to evidential material that relates to a civil penalty provision of an SPF code; and
powers and functions under the Regulatory Powers Act that are incidental to those powers or functions.

[Schedule 1, item 1, subsections 58FF(4) and (5)]

1.439 The relevant chief executive may only make the delegation if they are satisfied that the employee has appropriate qualifications, training, skills or experience to perform or exercise the functions or powers.

[Schedule 1, item 1, subsection 58FF(5)]

1.440 A person exercising powers or performing functions under such a delegation must comply with any directions of the relevant chief executive (being the SPF sector regulator).

[Schedule 1, item 1, subsection 58FF(6)]

1.441 An authorised person (being the inspector appointed by the SPF sector regulator) may be assisted by other persons in exercising those powers or performing those functions or duties as set out above.

[Schedule 1, item 1, subsection 58FF(7)]

Monitoring and investigation powers of the ACCC

1.442 If the ACCC is an SPF sector regulator, the ACCC may use its powers under the CCA, including section 155, to monitor and investigate compliance with an SPF code for the sector. As a consequential amendment to the inclusion of the SPF in the CCA, section 155 is also amended accordingly.

[Schedule 1, items 6 and 7, subparagraph 155(2)(b)(i) and paragraph 155(2)(a)]

1.443 Obtaining complete and accurate information is central to the ACCC's ability to determine whether certain conduct contravenes the CCA or the Australian Consumer Law, and whether enforcement action is required to address any harm to competition and/or consumers.

1.444 For the purposes of the SPF, the ACCC's powers in section 155 would generally be used to investigate matters that constitute or may constitute a contravention of the SPF obligations. This is consistent with its existing robust and considered processes for investigation into the CCA and Australian Consumer Law. In the majority of cases, the ACCC will request that information be provided voluntarily before relying on its section 155 powers.

1.445 Under section 155, the ACCC can require a person to provide information, documents and/or give evidence under oath or affirmation. The ACCC must consider factors including the value of the information to the ACCC's investigation and the burden of the notice on the recipient.

1.446 The ACCC does not use its powers under section 155 to conduct a 'fishing expedition' for information, documents or evidence. It does not, and cannot, issue a section 155 notice unless the ACCC, its Chair or Deputy Chair has a reason to believe that a person is capable of furnishing relevant information, producing relevant documents or giving relevant evidence that relates to the subject matter of the notice. This is distinct from a belief that a person is capable of providing information, documents or evidence that will establish or is likely to establish a contravention.

Monitoring and investigation powers of ACMA

1.447 If ACMA is the SPF sector regulator for a regulated sector, ACMA has access to its existing monitoring and investigating powers for the purposes of the SPF. It is expected that ACMA would be the SPF sector regulator for the telecommunications sector under the SPF.

[Schedule 1, item 1, section 58FG]

1.448 For clarity, ACMA would have access to monitoring and investigation powers in Parts 26 and 27 of the Telecommunications Act.

1.449 Generally, these powers align ACMA's compliance and investigation tools across telecommunications laws.

1.450 The Minister may, by legislative instrument, specify modifications to one or more of ACMA's referenced powers to remove doubt as to how those powers would apply in the context of the SPF code. Where there is possible uncertainty, this modification is necessary and appropriate to ensure that ACMA can effectively enforce the SPF code, which is aimed at preventing and responding to scams impacting the Australian community. The intended effect is that the modification is limited only to ensuring that ACMA's existing powers apply to the SPF effectively, and in a corresponding way. It is not intended to modify the referenced powers as they ordinarily apply.

1.451 This instrument is subject to sunsetting and Parliamentary scrutiny through the disallowance process.

Monitoring and investigation powers of ASIC

1.452 If ASIC is the SPF sector regulator for a regulated sector, ASIC has access to its monitoring and investigating powers for the purposes of the SPF. It is expected that ASIC would be the SPF sector regulator for the banking sector for the purposes of the SPF.

[Schedule 1, item 1, section 58FH]

1.453 The provisions in Divisions 1, 2, 3, 7, 9 and 10 of Part 3 of the ASIC Act (with some exceptions) would be available to ASIC, and apply to the regulated sector for which ASIC is the SPF sector regulator in the corresponding way to how they currently apply to the corporations legislation. These ASIC Act provisions include monitoring and investigation powers.

1.454 These powers include powers to require persons to provide ASIC with documents or information, which ASIC might use when conducting proactive or reactive monitoring and surveillance activities concerning the relevant SPF code, and in formal investigations into suspected contraventions of the relevant SPF code. Additional powers, such as the power to require a person to attend an examination to answer questions, and to provide reasonable assistance to ASIC, would be available for formal investigations only.

1.455 Some examples of how ASIC may use these powers are outlined below. It is assumed that the banking sector is a designated sector and ASIC is the designated SPF regulator for that sector.

Example 1.14 Formal investigation

ASIC has reason to suspect there may have been a contravention by Bank X of an obligation in the SPF banking sector code, regarding Bank X's systems to prevent scams.
ASIC commences a formal investigation in relation to the suspected contravention, under section 13 of the ASIC Act.
In relation to the suspected contravention of the code, ASIC issues Bank X notices to produce certain books relating to the affairs of Bank X, using powers under Division 3 of Part 3 of the ASIC Act such as sections 30 or 33 of the ASIC Act.
ASIC also conducts examinations of key staff of Bank X under section 19 of the ASIC Act, whom ASIC suspects on reasonable grounds can give ASIC information relevant to the matter it is investigating.

Example 1.15 Surveillance

ASIC is conducting a surveillance of Bank Y's compliance with certain obligations in the SPF banking sector code.
For the purposes of ensuring Bank Y's compliance with the relevant Code obligations, ASIC issues Bank Y a notice to produce certain books relating to the affairs of Bank Y, using powers under Division 3 of Part 3 of the ASIC Act such as sections 30 or 33 of the ASIC Act.

1.456 The Minister may, by legislative instrument, specify modifications to one or more of ASIC's referenced powers to remove doubt as to how those powers would apply in the context of the SPF code. This modification is necessary and appropriate to ensure that ASIC can effectively enforce the SPF code, which is aimed at preventing and responding to scams impacting the Australian community. The intended effect is that the modification is limited only to ensuring that ASIC's existing powers apply to the SPF effectively, and in a corresponding way. It is not intended to modify the referenced powers as they ordinarily apply.

1.457 This instrument is subject to sunsetting and Parliamentary scrutiny through the disallowance process.

When alternative powers apply

1.458 Alternative power provisions are provisions of another law that:

provide an entity with powers to monitor compliance or purported compliance with provisions of a law;
provide an entity with powers to investigate the provisions of a law; or
enable the effective operation and enforcement of these powers (which covers, for example, a provision making it an offence to fail to appear to answer questions in relation to an investigation).

[Schedule 1, item 1, subsection 58FI(1)]

1.459 A Treasury Minister may, by legislative instrument, declare that specified alternative power provisions apply:

to the entity in the entity's capacity as the SPF sector regulator for a regulated sector; and
in relation to specified provisions of the SPF code for the sector, in a way that corresponds to the way the alternative power provisions ordinarily apply.

[Schedule 1, item 1, subsections 58FI(2) and (4)]

1.460 The instrument may specify modifications to one or more of the alternative power provisions to remove doubt as to how those powers would apply in the context of the SPF code. Where there is any uncertainty, this modification is necessary and appropriate to ensure that the SPF sector regulator can effectively enforce the SPF code, which is aimed at preventing and responding to scams impacting the Australian community. The intended effect is that the modification is limited only to ensuring that the SPF sector regulator's existing powers apply to the SPF effectively, and in a corresponding way. It is not intended to modify the existing powers as they ordinarily apply.

[Schedule 1, item 1, subsection 58FI(3)]

1.461 This instrument is subject to sunsetting and Parliamentary scrutiny through the disallowance process.

1.462 The ability to specify modifications is necessary to avoid the risk of an SPF sector regulator's monitoring and investigations powers not operating as intended, which would jeopardise fulfilling the object of the SPF to prevent and respond to scams impacting the Australian community.

Civil penalty provisions

1.463 Various provisions of the SPF principles are civil penalty provisions. Where made, SPF codes may also include civil penalty provisions. These penalties are necessary to deter non-compliance with the SPF provisions by regulated entities, to achieve the object of the SPF to prevent and respond to scams impacting the Australian community. Rather than including a general penalty provision for the Part, civil penalty provisions are specified throughout the Bill. This is consistent with the Attorney-General's Department's Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers.

1.464 A civil penalty provision of an SPF principle means:

a provision of the SPF principles (see Division 2) that is a civil penalty provision (within the meaning of the Regulatory Powers Act); or
subsection 58FZM(3) in relation to compliance with a remedial direction given by the SPF general regulator.

[Schedule 1, item 5, subsection 4(1)]

1.465 A civil penalty provision of an SPF code means:

a provision of an SPF code that is a civil penalty provision (within the meaning of the Regulatory Powers Act); or
subsection 58FZM(3) in relation to compliance with a remedial direction by an SPF sector regulator.

[Schedule 1, item 5, subsection 4(1)]

1.466 A civil penalty provision of an SPF principle or an SPF code is enforceable under Part 4 of the Regulatory Powers Act. Part 4 of that Act allows a civil penalty provision to be enforced by obtaining an order for a person to pay a pecuniary penalty for contravention of the provision. This is known as an SPF civil penalty order.

[Schedule 1, items 1 and 5, subsections 4(1) and 58FJ(1)]

1.467 For the purposes of Part 4 of the Regulatory Powers Act:

the SPF general regulator is an authorised applicant in relation to each civil penalty provision of an SPF principle; and
the SPF sector regulator for a regulated sector is an authorised applicant in relation to each civil penalty provision of the SPF code for the sector.

[Schedule 1, item 1, subsection 58FJ(2)]

1.468 In relation to a civil penalty provision of an SPF principle or SPF code, the Federal Court, the Federal Circuit and Family Court of Australia (Division 2) and a court of a State or Territory that has jurisdiction in relation to the matter are each a relevant court for the purposes of Part 4 of the Regulatory Powers Act.

[Schedule 1, item 1, subsection 58FJ(3)]

1.469 The amendments establish two tiers of contraventions of the SPF civil penalty provisions. A tier 1 contravention attracts a higher maximum penalty than a tier 2 contravention.

Maximum penalty for tier 1 contraventions

1.470 A tier 1 contravention is a contravention of a civil penalty provision of an SPF principle in Subdivisions C, D, F, or G of Division 2 of Part IVF, being:

SPF Principle 2: Prevent;
SPF Principle 3: Detect;
SPF Principle 5: Disrupt; and
SPF Principle 6: Respond.

[Schedule 1, item 1, paragraph 58FK(1)(b)]

1.471 The maximum penalty amount for a tier 1 contravention by a body corporate is the greater of the following:

159,745 penalty units (which is currently $50,000,185);
if the relevant court can determine the total value of the benefit that the body corporate and any body corporate related to that body corporate have obtained directly or indirectly and is reasonably attributable to the contravention - three times that total value;
if the court cannot determine that total value - 30 per cent of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

[Schedule 1, item 1, subsection 58FK(2)]

1.472 The maximum penalty amount for a tier 1 contravention by a person other than a body corporate is 7,990 penalty units (which is currently $2,500,870).

[Schedule 1, item 1, subsection 58FK(3)]

1.473 Despite subsection 82(5) of the Regulatory Powers Act, the pecuniary penalty payable under an SPF civil penalty order for a tier 1 contravention must not be more than the maximum penalty worked out as outlined above for such a contravention by the person. Subsection 82(5) of that Act would otherwise limit the pecuniary penalty for civil penalty orders.

[Schedule 1, item 1, subsection 58FK(1)]

1.474 The maximum penalty amount of a tier 1 contravention is intended to deter contravention of the provisions and is commensurate to the consequences of contravention of the provision. The penalty also aligns with penalty amounts in other legislative frameworks designed to protect consumers, such as the Australian Consumer Law. Consistent with the Attorney-General's Department's Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers, this penalty is a maximum penalty, and reflects an appropriate deterrence for the worst breach of the SPF provisions, which could contribute to substantial consumer loss.

1.475 High penalties reflect the importance of regulated entities complying with the obligations under the SPF, which is expected to substantially minimise scam losses for SPF consumers. Significant penalties recognise the ongoing damage and loss in the Australian economy, and the role that regulated entities play in preventing and combatting scam activity.

1.476 Further, it is expected that regulated entities will often be large entities that may have little incentive to take steps to combat scams but benefit from the advances in the digital economy that support those scams. Some sectors that are the most significant vectors for scam activity also profit from allowing scammers to use their services. A high maximum penalty is therefore necessary to achieve an effective and meaningful level of deterrence from breaching the relevant SPF principles.

Maximum penalty for tier 2 contraventions

1.477 A tier 2 contravention is a contravention of a civil penalty provision of:

an SPF code; or
an SPF principle in Subdivision B (SPF Principle 1: Governance) or Subdivision E (SPF Principle 4: Report).

[Schedule 1, item 1, subparagraph 58FL(1)(b)(i)]

1.478 The maximum penalty amount for a tier 2 contravention by a body corporate is the greater of the following:

31,950 penalty units (which is currently $10,000,350);
if the relevant court can determine the total value of the benefit that the body corporate and any body corporate related to that body corporate have obtained directly or indirectly and is reasonably attributable to the contravention - three times that total value;
if the court cannot determine that total value - 10 per cent of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

[Schedule 1, item 1, subsection 58FL(2)]

1.479 The maximum penalty amount for a tier 2 contravention by a person other than a body corporate is 1,600 penalty units (which is currently $500,800).

[Schedule 1, item 1, subsection 58FL(3)]

1.480 Despite subsection 82(5) of the Regulatory Powers Act, the pecuniary penalty payable under an SPF civil penalty order and for a tier 2 contravention must not be more than the maximum penalty as outlined above for such a contravention by the person. Subsection 82(5) of that Act would otherwise limit the pecuniary penalty for civil penalty orders.

[Schedule 1, item 1, subsection 58FL(1)]

1.481 The maximum penalty amount of a tier 2 contravention is intended to deter contravention of the relevant provisions and is commensurate to the consequences of contravention of the provision.

1.482 Contraventions of the civil penalty provisions in SPF codes and the SPF principles related to governance and reporting have a lower maximum penalty because these obligations are more systems and process-focused, and have less direct consequences for consumers.

Multiple remedies can be sought for a single contravention; however, civil penalty double jeopardy applies to the same conduct

1.483 A provision of Division 6 does not limit a court's power under any other provision of the CCA or any other Act (for example, under the Federal Court of Australia Act 1976). This means that an SPF regulator may seek multiple remedies for a single contravention where appropriate.

[Schedule 1, item 1, section 58FC]

1.484 However, if a person is required under an SPF civil penalty order to pay a pecuniary civil penalty in respect of particular conduct, the person is not liable to a pecuniary penalty for contravening another civil penalty provision of an SPF principle or of an SPF code, or under some other provision of a law of the Commonwealth, in respect of that conduct. In this context, conduct means an act or omission, and is not necessarily tied to a particular scam. This operates to prevent civil penalty double jeopardy.

[Schedule 1, item 1, sections 58FC and 58FM]

1.485 This is intended to avoid the multi-regulator model and tiered structure of the framework leading to an outcome where a regulated entity is penalised twice for the same conduct. However, a court may make other kinds of orders under Division 6 - for example, an order relating to an action for damages - in relation to particular conduct even if the court has made an SPF civil penalty order in relation to that conduct.

[Schedule 1, item 1, note to section 58FM]

Infringement notices

1.486 The infringement notice regime in the SPF is broadly consistent with existing frameworks in the CCA, as well as the Regulatory Powers Act.

1.487 Under this framework, the inspector of the SPF regulator may issue an infringement notice to a person for an alleged contravention of a civil penalty provision of an SPF principle or a civil penalty provision of an SPF code. This power can be used as an alternative to proceedings for an SPF civil penalty order.

[Schedule 1, item 1, subsection 58FN(1)]

1.488 The amendments do not require an SPF regulator to issue an SPF infringement notice for an alleged contravention of a civil penalty provision. Nor does the Subdivision affect a person's liability to proceedings for an SPF civil penalty order in relation to an alleged contravention of a civil penalty provision if an SPF infringement notice is not issued to the person for the contravention or if an SPF infringement notice issued to the person for the contravention is withdrawn or not paid. Further, the amendments do not prevent a court from imposing a higher penalty than specified in the SPF infringement notice if the person does not comply with the notice.

[Schedule 1, item 1, subsection 58FN(2)]

1.489 The inspector may issue an SPF infringement notice to a person that the inspector reasonably believes has contravened a civil penalty provision of an SPF principle or a civil penalty provision of the SPF code for a sector.

[Schedule 1, item 1, subsections 58FO(1) and (2)]

1.490 Inspectors of an SPF regulator must not issue more than one SPF infringement notice to the person for the same alleged contravention of a civil penalty provision.

[Schedule 1, item 1, subsection 58FO(3)]

1.491 An infringement notice will not have effect if the notice is issued more than 12 months after the day the relevant contravention is alleged to have occurred or relates to more than one alleged contravention of a civil penalty provision by a person. This supports appropriate regulation of the SPF as it provides the person receiving the infringement notice with clear reasons for the notice.

[Schedule 1, item 1, subsection 58FO(4)]

1.492 An SPF infringement notice must include certain information to ensure traceability and accuracy. This information includes the following:

a unique number;
the date on which it was issued;
the name of the person to which it was issued;
the name of the inspector issuing the notice, with confirmation that the inspector is an inspector of the applicable SPF regulator and how that SPF regulator may be contacted;
details of the alleged contravention, including the day it occurred and the civil penalty provision that was contravened;
the maximum pecuniary penalty a court could order the person to pay if the court were to make an SPF civil penalty order for the alleged contravention;
the penalty that is payable in relation to the alleged contravention;
that the penalty is payable within the compliance period;
that the penalty is payable to the SPF regulator on behalf of the Commonwealth;
how the payment of the penalty is to be made;
an explanation of the effects of compliance with the SPF infringement notice, the effects of failure to comply, the compliance period for the infringement notice and withdrawal of the infringement notice.

[Schedule 1, item 1, section 58FP]

1.493 The penalty specified in an SPF infringement notice issued to a person must be a penalty equal to 60 penalty units for a body corporate or 12 penalty units otherwise.

[Schedule 1, item 1, section 58FQ]

1.494 A person will not be regarded as having contravened the civil penalty provision just because they have paid a penalty specified in the notice. This applies if an SPF infringement notice for an alleged contravention of a civil penalty provision is issued to a person, the person pays the penalty specified in the notice within the infringement notice compliance period and in accordance with the notice, and the notice is not withdrawn.

[Schedule 1, item 1, subsections 58FR(1) and (2)]

1.495 No proceedings can be started or continued against the person, by or on behalf of the Commonwealth in relation to the alleged contravention of the civil penalty provision where there has been compliance with the infringement notice.

[Schedule 1, item 1, subsection 58FR(3)]

1.496 However, a person is liable to proceedings for an SPF civil penalty order in relation to the alleged contravention of the civil penalty provision if the SPF infringement notice for an alleged contravention of a civil penalty provision is issued to a person, the person fails to pay the penalty specified in the notice within the infringement notice compliance period, and the notice has not been withdrawn.

[Schedule 1, item 1, section 58FS]

1.497 The infringement notice compliance period for an SPF infringement notice issued to a person is the period of 28 days, beginning on the day after the day that an inspector of an SPF regulator issues the notice.

[Schedule 1, item 1, subsection 58FT(1)]

1.498 The SPF regulator may, by giving written notice to the person, extend the infringement notice compliance period if the SPF regulator is satisfied that it is appropriate to do so. Only one extension may be given, which must not be for longer than 28 days.

[Schedule 1, item 1, subsections 58FT(2) and (3)]

1.499 Failure to give the person notice of an extension to the infringement notice compliance period does not affect the validity of that extension.

[Schedule 1, item 1, subsection 58FT(4)]

1.500 If an infringement notice compliance period for an SPF infringement notice is extended under this section, a reference in this Subdivision to the infringement notice compliance period is taken to be a reference to that period as so extended.

[Schedule 1, item 1, subsection 58FT(5)]

1.501 A person to whom an SPF infringement notice has been issued for an alleged contravention of a civil penalty provision by an inspector of an SPF regulator may make representations to the SPF regulator seeking withdrawal of the notice.

[Schedule 1, item 1, subsection 58FU(1)]

1.502 Evidence or information that the person or a representative of the person gives to the SPF regulator in the course of making representations is not admissible in evidence against the person or representative in any proceedings (other than proceedings for an offence based on the evidence or information given being false or misleading).

[Schedule 1, item 1, subsection 58FU(2)]

1.503 An SPF regulator may, by giving written notice to the person, withdraw the infringement notice issued by the inspector if the SPF regulator is satisfied it is appropriate to do so. This withdrawal can be made even if no representations are made by the person seeking withdrawal.

[Schedule 1, item 1, subsections 58FU(3) and (4)]

1.504 The withdrawal notice must state:

the name and address of the person; and
the day on which the SPF infringement notice was issued to the person; and
that the SPF infringement notice is withdrawn; and
that proceedings for an SPF civil penalty order may be started or continued against the person in relation to the alleged contravention of the civil penalty provision.

[Schedule 1, item 1, subsection 58FU(5)]

1.505 The withdrawal must also be given to the person within the infringement notice compliance period for the SPF infringement notice.

[Schedule 1, item 1, subsection 58FU(6)]

1.506 If an SPF regulator withdraws an SPF infringement notice given to a person after the person has paid the penalty specified in the SPF infringement notice, the SPF regulator must refund to the person an amount equal to the amount paid.

[Schedule 1, item 1, subsection 58FU(7)]

Enforceable undertakings

1.507 Enforceable undertakings are a common feature in regulatory regimes across Australia as they are an effective and efficient way to address non-compliance without court proceedings.

1.508 The ACCC, as the SPF general regulator, may accept a written enforceable undertaking from a person in connection with compliance with an obligation under the SPF principles.

[Schedule 1, item 1, subsection 58FV(1)]

1.509 Similarly, an SPF sector regulator may accept a written enforceable undertaking from a person in connection with compliance with an obligation under an SPF code for the sector.

[Schedule 1, item 1, subsection 58FV(2)]

1.510 An undertaking by a person may be withdrawn or varied at any time with the consent of the SPF regulator who accepted it.

[Schedule 1, item 1, subsection 58FV(3)]

1.511 If an SPF regulator considers that a person who gave them an undertaking has breached any of its terms, the SPF regulator may apply to a court with jurisdiction for an order:

directing the person to comply with the terms of the undertaking;
directing the person to pay to the Commonwealth an amount up to the amount of any financial benefit that the person has obtained directly or indirectly and that is reasonably attributable to the breach;
that the court considers appropriate directing the person to compensate any other person who has suffered loss or damage as a result of the breach, such as a scam victim; or
of any other kind that the court considers appropriate.

[Schedule 1, item 1, subsections 58FV(4) and (5)]

1.512 Where appropriate, an SPF regulator may accept an enforceable undertaking at the same time as taking other regulatory actions.

1.513 For example, an SPF regulator may accept an undertaking from a regulated entity to take steps to comply with its obligation to take reasonable steps to detect scams, and also to remediate SPF consumers with whom it has direct customer relationships and who were impacted by an alleged breach of the relevant SPF obligations. In addition, if the regulated entity breached any term contained in an enforceable undertaking accepted by an SPF regulator, a court may order that the regulated entity compensate any person who has suffered loss or damage as a result of the breach.

Injunctions

1.514 An application for an injunction may be made by an SPF regulator or any other person.

[Schedule 1, item 1, subsection 58FZA(1)]

1.515 The intention is that an SPF regulator will apply to a court with jurisdiction for an injunction for a breach of an obligation under the overarching principle. Similarly, it is intended that an SPF sector regulator may apply to a court with jurisdiction for an injunction for a breach of an obligation under a sector-specific code.

1.516 A court may grant that injunction in such terms as it considers appropriate if it is satisfied that the person has engaged, or is proposing to engage, in conduct that constitutes or would constitute:

a contravention of a civil penalty provision of the SPF principles or a civil penalty provision of an SPF code; or
attempting to contravene such a provision; or
aiding, abetting, counselling or procuring a person to contravene such a provision; or
inducing, or attempting to induce, whether by threats, promises or otherwise, a person to contravene such a provision; or
being in any way, directly or indirectly, knowingly concerned in, or party to, the contravention by a person of such a provision; or
conspiring with others to contravene such a provision.

[Schedule 1, item 1, section 58FW]

1.517 A court may grant an injunction restraining a person from engaging in conduct:

whether or not it appears to the court that the person intends to engage again, or to continue to engage, in conduct of that kind;
whether or not the person has previously engaged in conduct of that kind; and
whether or not there is an imminent danger of substantial damage to any person if the first mentioned person engages in conduct of that kind.

[Schedule 1, item 1, subsection 58FX(1)]

1.518 A court may grant an injunction requiring a person to do an act or thing:

whether or not it appears to the court that the person intends to refuse or fail again, or to continue to refuse or fail, to do that act or thing;
whether or not the person has previously refused or failed to do that act or thing; and
whether or not there is an imminent danger of substantial damage to any person if the first mentioned person refuses or fails to do that act or thing.

[Schedule 1, item 1, subsection 58FX(2)]

1.519 A court may grant an injunction by consent of all the parties to the proceedings, whether or not the court is satisfied that a person has engaged or is proposing to engage in conduct described at section 58FW (see above).

[Schedule 1, item 1, subsection 58FX(3)]

1.520 A court may grant an interim injunction pending determination of an application for an injunction.

[Schedule 1, item 1, section 58FY]

1.521 A court may rescind or vary an injunction granted in relation to the SPF.

[Schedule 1, item 1, section 58FZ]

1.522 If an SPF regulator applies for an injunction, the court must not require the applicant or any other person, as a condition of granting an interim injunction, to give an undertaking as to damages.

[Schedule 1, item 1, subsection 58FZA(2)]

1.523 If a person other than an SPF regulator applies for an injunction and would normally be required to give an undertaking as to damages or costs, and an SPF regulator gives the undertaking, the court must accept the undertaking by the SPF regulator and must not require a further undertaking from any other person.

[Schedule 1, item 1, subsection 58FZA(3)]

1.524 The powers given to a court to grant an injunction by Subdivision F of Division 6 do not affect any powers of the court, whether conferred by the CCA or otherwise.

[Schedule 1, item 1, section 58FZB]

Accessing compensation through an action for damages

General rule

1.525 A person who suffers loss or damage by conduct of another person that was done in contravention of a civil penalty provision of an SPF principle or SPF code may recover the amount of the loss or damage by taking action against that other person. Additional rules apply where there are concurrent wrongdoers.

[Schedule 1, item 1, subsections 58FZC(1) and (4)]

1.526 An SPF regulator may also make a claim on behalf of the victim where there is written consent by the victim. This may occur alongside proceedings initiated by the SPF regulator against a regulated entity for an alleged contravention of a provision of an SPF principle or SPF code, to streamline the process for compensating victims.

[Schedule 1, item 1, subsection 58FZC(2)]

1.527 A claim for loss or damages may be made at any time within six years after the day the cause of action that relates to the conduct accrued. This is consistent with the general principles relating to the statute of limitations.

[Schedule 1, item 1, subsection 58FZC(3)]

1.528 For example, if an SPF consumer is not satisfied with the outcomes of an IDR and/or EDR process, they may pursue action and initiate proceedings in court to recover an amount of loss or damage suffered as a result of an alleged breach by one or more regulated entities subject to the SPF provisions. A court may find that a regulated entity breached its obligation to take reasonable steps to prevent a scam which led to the SPF consumer suffering financial loss and may make an order in favour of the consumer for an appropriate amount of compensation.

1.529 To avoid doubt, a claim for loss and damages under the SPF cannot be made against an unregulated entity, as these entities do not have obligations under the SPF.

Proportionate liability for concurrent wrongdoers

1.530 Where there are multiple regulated entities involved in a claim brought by a victim for loss or damages, the SPF enables the court to consider the proportionate liability of these entities. These provisions are modelled on the existing proportionate liability provisions that apply to claims for damages relating to misleading and deceptive conduct in the CCA, ASIC Act and Corporations Act.

Meaning of concurrent wrongdoer

1.531 In any claim for loss or damages under the SPF, a concurrent wrongdoer is a person who is one of two or more persons:

who each contravened a civil penalty provision of an SPF principle or an SPF code (whether or not the same civil penalty provision); and
whose contraventions caused the loss or damage that is the subject of the claim.

[Schedule 1, item 1, subsection 58FZD(1)]

1.532 As only regulated entities may contravene a civil penalty provision of an SPF principle or an SPF code, only regulated entities may be a concurrent wrongdoer. A concurrent wrongdoer could therefore be a regulated entity who contravened the obligation to take reasonable steps to prevent a scam, and a second regulated entity who contravened the obligation to take reasonable steps within a reasonable time to disrupt the scam, where the contraventions together caused the loss or damage that is the subject of the claim.

1.533 A person may be a concurrent wrongdoer even if the person is insolvent, being wound up or has ceased to exist or died.

[Schedule 1, item 1, subsection 58FZD(2)]

Notifying plaintiff of concurrent wrongdoers

1.534 A defendant in proceedings involving a claim under the general rule that has reasonable grounds to believe that a particular person may be a concurrent wrongdoer in relation to the claim must give the plaintiff, as soon as practicable, written notice of the information the defendant has about the identity of that person and the circumstances that may make that person a concurrent wrongdoer.

[Schedule 1, item 1, paragraphs 58FZG(1)(a) and (b)]

1.535 The court may order that the defendant pay all or any of the costs unnecessarily incurred by the plaintiff in the proceedings because the plaintiff was not aware that the other person may be a concurrent wrongdoer. The costs may be assessed on an indemnity basis or otherwise.

[Schedule 1, item 1, paragraph 58FZD(1)(c) and subsection 58FZG(2)]

1.536 A reference to a 'defendant' includes any person joined as a defendant or other party in the proceedings (except as a plaintiff), no matter how joined.

[Schedule 1, item 1, subsection 58FZF(5)]

Claims involving concurrent wrongdoers

1.537 In any claim to recover an amount of loss or damage under the general rule, the liability of a defendant who is a concurrent wrongdoer in relation to the claim is limited to an amount reflecting that proportion of the loss or damage that the court considers just having regard to the extent of the defendant's responsibility for the loss or damage. The court may give judgment against the defendant for not more than that amount.

[Schedule 1, item 1, subsection 58FZF(1)]

1.538 If the proceedings involve another claim that is not a claim under the general rule, liability for the other claim is to be determined in accordance with any relevant legal rules.

[Schedule 1, item 1, subsection 58FZF(2)]

1.539 This may occur where there are other causes of action available to the claimant in relation to the same loss or damage, such as breach of contract or negligence.

1.540 In apportioning responsibility between defendants in the proceedings, the court must exclude that proportion of the loss or damage to which the plaintiff is contributorily negligent under any relevant law. The court may also have regard to the comparative responsibility of any concurrent wrongdoer who is not a party to the proceedings. This applies whether or not all concurrent wrongdoers are parties to the proceedings.

[Schedule 1, item 1, subsections 58FZF(3) and (4)]

1.541 The court may give leave for any one or more concurrent wrongdoers to be joined as defendants in proceedings involving a claim under the general rule, except for any person who was party to any previously concluded proceedings in respect of the claim.

[Schedule 1, item 1, subsections 58FZJ(1) and (2)]

1.542 The plaintiff referred to in subsections 58FZC(1) and (2) is the victim or an SPF regulator.

[Schedule 1, item 1, note to subsection 58FZG]

1.543 A defendant against whom judgment is given as a concurrent wrongdoer cannot be required to contribute to any damages or contribution recovered from another concurrent wrongdoer in respect of the claim (whether or not recovered in the same proceedings in which judgment is given against the defendant), nor to indemnify any such wrongdoer.

[Schedule 1, item 1, section 58FZH]

Certain concurrent wrongdoers not to have benefit of apportionment

1.544 The liability of a concurrent wrongdoer in proceedings involving a claim under the general rule to recover an amount of loss or damage is not excluded if the concurrent wrongdoer intended to cause the loss or damage, or the concurrent wrongdoer fraudulently caused the loss or damage. The liability of such a concurrent wrongdoer is to be determined in accordance with any relevant legal rules (apart from the proportionate liability framework in this Subdivision). Consequently, these concurrent wrongdoers do not have the benefit of apportionment under the proportionate liability framework in this Division.

[Schedule 1, item 1, subsections 58FZE(1) and (2)]

1.545 The liability of any other concurrent wrongdoer is to be determined in accordance with the proportionate liability framework in this Division.

[Schedule 1, item 1, subsection 58FZE(3)]

Subsequent actions by plaintiff

1.546 A plaintiff (or a victim) who has previously recovered judgment against a concurrent wrongdoer for an apportionable part of any loss or damage is not precluded from bringing another action against any other concurrent wrongdoer for that loss or damage.

[Schedule 1, item 1, subsection 58FZI(1)]

1.547 However, an amount of damages cannot be recovered by or for the victim that, having regard to damages previously recovered for the loss or damage, would result in the victim receiving compensation for the loss or damage that is greater than the loss or damage actually sustained by the victim.

[Schedule 1, item 1, subsection 58FZI(2)]

Application of proportionate liability framework

1.548 The proportionate liability framework in this Division does not prevent a person being held vicariously liable for a proportion of a claim under the general rule for which another person is liable. Nor does it prevent a person being held severally liable with another person for the proportion of a claim for which the other person is liable. Further, it does not affect the operation of any other provision of the CCA or any other Act to the extent that the provision imposes several liability on any person in respect of what would otherwise be a claim under the general rule.

[Schedule 1, item 1, section 58FZK]

Preference to be given to victim compensation

1.549 There may be some circumstances where a court considers it is appropriate to order a person to pay both a pecuniary penalty under an SPF civil penalty order in relation to a contravention or conduct and compensation to a person who has suffered loss or damage as a result of that contravention or conduct.

1.550 Where this occurs, the court must give preference to making an order for compensation if the defendant does not have sufficient financial resources to pay both.

[Schedule 1, item 1, section 58FD]

1.551 This approach is consistent with the object of the SPF to prevent and respond to scams impacting SPF consumers.

Public warning notices

1.552 The SPF general regulator may issue to the public a written notice containing a warning about the conduct of a person if the SPF general regulator:

reasonably suspects that the person's conduct may constitute a contravention of a specified provision of the SPF principles; and
is satisfied that one or more persons has suffered, or is likely to suffer, detriment as a result of the conduct; and
is satisfied that it is in the public interest to issue the notice.

[Schedule 1, item 1, subsection 58FZL(1)]

1.553 An SPF sector regulator may issue an equivalent notice, under the same conditions stated above, in relation to conduct related to a sector code for which they are an SPF sector regulator.

[Schedule 1, item 1, subsection 58FZL(2)]

1.554 An SPF regulator that issues a public warning notice as outlined above must publish the notice on the SPF regulator's website. The notice is not a legislative instrument. This notice is merely declaratory, and is covered by item 19 of the table in section 6 of the Legislation (Exemptions and Other Matters) Regulations 2015.

[Schedule 1, item 1, subsection 58FZA(3), subsection 58FZL(4)]

1.555 Public warning notices allow SPF regulators to inform the public about a person engaged in business practices that may amount to a contravention of the SPF. Such notices are intended to stop or reduce the detriment caused by regulated entities engaging in conduct that may be in breach of the SPF. They provide SPF regulators with an enforcement tool that can be used in a preventative manner to avoid consumers being adversely affected by conduct that may breach the SPF.

Remedial directions

1.556 If the SPF general regulator reasonably suspects that a regulated entity is failing, or will fail, to comply with an SPF principle, it may, by written notice given to the entity, direct the entity to take specified action to comply with that SPF principle.

[Schedule 1, item 1, subsection 58FZM(1)]

1.557 If an SPF sector regulator reasonably suspects that a regulated entity for the regulated sector is failing, or will fail, to comply with a provision of the SPF code it is the SPF sector regulator for, the regulator may, by written notice given to the entity, direct the entity to take specified action to comply with that provision of the SPF code. The direction may relate to one or more failures.

[Schedule 1, item 1, subsection 58FZM(2)]

1.558 For example, an SPF regulator may direct a regulated entity that is a digital platform, and that the regulator considers has breached its obligation to take reasonable steps to detect and disrupt scams under the SPF principles, to take down a scam advertisement on its platform or service in order to comply with its obligations in the SPF provisions.

1.559 An SPF regulator may also issue a remedial direction to a regulated entity to comply with its obligation to give reasonable assistance or cooperate with the operator of the SPF EDR scheme if it believes that it is failing to comply with this obligation.

1.560 A regulated entity must take action to comply with the direction in the time specified in the direction. This time must be reasonable. If the direction does not specify a reasonable time, the entity must take action to comply with the direction within a reasonable time. The SPF regulator may also extend the time for complying with the direction by written notice given to the entity.

[Schedule 1, item 1, subsections 58FZM(3) and (5)]

1.561 Failure to comply with these directions is subject to civil penalties. (See the definitions of 'civil penalty provision of an SPF principle', and 'civil penalty provision of an SPF code' in subsection 4(1) of the CCA).

[Schedule 1, item 1, subsection 58FZM(4)]

1.562 In specifying the time within which the regulated entity must take action, it is appropriate for an SPF regulator to have regard to the potential severity of the negative impact on SPF consumers if the entity does not act quickly on conduct that may breach the SPF.

1.563 Prior to giving a regulated entity a direction, an SPF regulator must give the entity an opportunity to make submissions to the SPF regulator on the matter.

[Schedule 1, item 1, subsection 58FZM(6)]

1.564 An SPF regulator may vary or revoke a direction in like manner and subject to like conditions (see subsection 33(3) of the Acts Interpretation Act 1901).

[Schedule 1, item 1, subsection 58FZM(7)]

1.565 An SPF regulator must, as soon as practicable after a direction is given, varied or revoked, publish a notice of its action on its website.

[Schedule 1, item 1, subsection 58FZM(8)]

Adverse publicity orders

1.566 A court with jurisdiction may, on application by an SPF regulator, make an adverse publicity order against a person who has been ordered to pay a pecuniary penalty under an SPF civil penalty order.

[Schedule 1, item 1, subsection 58FZN(1)]

1.567 Such an order may require the person to:

disclose, in the way and to the persons specified in the order, specified information that the person has possession of or access to; and
publish, at the person's expense and in a specified way, an advertisement in the terms specified in, or determined in accordance with, the order.

[Schedule 1, item 1, subsection 58FZN(2)]

1.568 An application for such an order may only be made by the SPF general regulator if the SPF civil penalty order was for a contravention of a civil penalty provision of an SPF principle.

[Schedule 1, item 1, paragraph 58FZN(3)(a)]

1.569 An application for such an order may only be made by an SPF sector regulator if the SPF civil penalty order was for a contravention of a civil penalty provision of an SPF code for the relevant regulated sector.

[Schedule 1, item 1, paragraph 58FZN(3)(b)]

Non-punitive orders

1.570 A court with jurisdiction may, on application, make one or more of the following orders in relation to a person who has engaged in conduct contravening an SPF principle or a provision of an SPF code:

a community service order;
a probation order for a period of no longer than 3 years;
an order requiring the person to disclose, in the way and to the persons specified in the order, specified information that the person has possession of or access to;
an order requiring the person to publish, at the person's expense and in a specified way, an advertisement in the terms specified in, or determined in accordance with, the order.

[Schedule 1, item 1, subsection 58FZO(1)]

1.571 An application for such an order may only be made by the SPF general regulator in relation to conduct contravening an SPF principle.

[Schedule 1, item 1, paragraph 58FZO(2)(a)]

1.572 An application for such an order may only be made by an SPF sector regulator in relation to conduct contravening an SPF code.

[Schedule 1, item 1, paragraph 58FZO(2)(b)]

1.573 The following definitions are applied for the purpose of non-punitive orders of the SPF.

1.574 A 'probation order' is an order made to ensure that a person does not, during the period of the order, engage in the conduct that resulted in the order, or similar or related conduct. It includes an order directing a person to establish a compliance program, or an education and training program for employees or other persons involved in the person's business, that is designed to ensure awareness of the responsibilities and obligations relating to the conduct covered by the probation order. It also includes an order directing a person to revise the internal operations of the person's business that led to the conduct covered by paragraph 58FZO(3)(a) or (b).

[Schedule 1, item 1, subsections 58FZO(3) and (4)]

1.575 A 'community service order' is an order directing a person to perform a service that is specified in the order, or that relates to the conduct that resulted in the order, for the benefit of the community or a section of the community.

[Schedule 1, item 1, subsection 58FZO(5)]

1.576 Conduct 'contravening' an SPF principle or a provision of an SPF code includes conduct that constitutes being involved in such a contravention. For the meaning of 'involved', see subsection 4(1) of the CCA.

[Schedule 1, item 1, subsection 58FZO(5)]

Orders (other than damages) to redress loss or damage

1.577 A court with jurisdiction may, on application, make such orders as the court thinks appropriate against a person who engaged in conduct contravening a civil penalty provision of an SPF principle or a civil penalty provision of an SPF code, or who was involved in that contravening conduct, if the conduct caused, or is likely to cause, a class of persons (the victims) to suffer loss or damage. This power does not extend to an award of damages. The amendments set out the kinds of orders that the court may make.

[Schedule 1, item 1, subsection 58FZP(1)]

1.578 This power applies even if the victims have not been a party to an enforcement proceeding relating to the contravening conduct.

[Schedule 1, item 1, subsection 58FZP(2)]

1.579 The court must not make such an order unless it considers that the order will:

redress, in whole or in part, the loss or damage suffered by the victims in relation to the contravening conduct; or
prevent or reduce the loss or damage suffered, or likely to be suffered, by the victims in relation to the contravening conduct.

[Schedule 1, item 1, subsection 58FZP(3)]

1.580 An application for such an order may only be made by the SPF general regulator in relation to conduct contravening an SPF principle, or by an SPF sector regulator in relation to conduct contravening an SPF code. The application may be made even if an enforcement proceeding in relation to the contravening conduct has not been instituted, but must be made within 6 years after the day on which the cause of action that relates to the contravening conduct accrues.

[Schedule 1, item 1, subsection 58FZP(4)]

1.581 In determining whether to make such orders against the person, the court may have regard to the conduct of the person and of the victims in relation to the contravening conduct since the contravention occurred. This may include, for example, any efforts made by the person to remediate the victims. However, the court does not need to make a finding about which persons are victims in relation to the contravening conduct, or about the nature of the loss or damage suffered, or likely to be suffered, by those persons.

[Schedule 1, item 1, subsections 58FZP(5) and (6)]

1.582 If the court makes such an order against a person, and the loss or damage suffered, or likely to be suffered, by a victim that is not a party to the proceeding (a non-party victim) in relation to the contravening conduct has been redressed, prevented or reduced in accordance with the order, and the non-party victim has accepted that redress, prevention or reduction, then:

the non-party victim is bound by the order; and
any other order made by the court as it considered appropriate, in relation to that loss or damage, has no effect in relation to the non-party victim; and
despite any other provision of the CCA or any other law of the Commonwealth, or a State or Territory, no claim, action or demand may be made or taken against the person by the non-party victim in relation to that loss or damage.

[Schedule 1, item 1, subsection 58FZP(7)]

1.583 The kinds of orders that a court may make against a person include all or any of the following (but are not limited to the following):

an order declaring the whole or any part of a contract made between the person and a victim (including a non-party victim), or a collateral arrangement relating to such a contract to be void, including to have been void ab initio or void at all times on and after such date as is specified in the order. This may be a date before the date on which the order is made;
an order varying a contract or arrangement in such manner as is specified in the order and, if the court thinks fit, declaring the contract or arrangement to have had effect as varied on and after a date specified in the order. This may be a date before the date on which the order is made;
an order refusing to enforce any or all of the provisions of a contract or arrangement;
an order directing the respondent to refund money or return property to a victim (including a non-party victim);
an order directing a respondent, at the respondent's own expense, to repair, or provide parts for, goods that have been supplied under the contract or arrangement to a victim (including a non-party victim);
an order directing the respondent, at the respondent's own expense, to supply specified services to a victim (including a non-party victim);
an order, in relation to an instrument creating or transferring an interest in land, directing a person to execute an instrument that varies or terminates or otherwise affects the relevant instrument, or that has the effect of varying, terminating or otherwise affecting, the operation or effect of the relevant instrument.

[Schedule 1, item 1, subsection 58FZQ(1)]

1.584 An interest in land means:

a legal or equitable estate or interest in the land; or
a right of occupancy of the land, or of a building or part of a building erected on the land, arising by virtue of the holding of shares, or by virtue of a contract to purchase shares, in an incorporated company that owns the land or building; or
a right, power or privilege over, or in connection with, the land.

[Schedule 1, item 1, subsection 58FZQ(2)]

1.585 These powers are modelled, in part, on existing provisions in the CCA (for example, in Part IVB). They are intended to give a court with jurisdiction scope to make an order compensating a victim (including a non-party victim who was not, for example, an SPF consumer in relation to some other proceeding under Part IVF) for loss or harm suffered as a result of contravening conduct. This ensures there is some form of remedial power in relation to persons who may not have recourse available to them through, for example, the EDR mechanisms in the SPF.

1.586 There may be circumstances in which an SPF regulator initiates proceedings against a regulated entity, and the court considers it appropriate, in making certain orders against the regulated entity, to also make orders in favour of a non-party victim (who may or may not be an SPF consumer). This streamlines the remediation of loss or damage and saves victims the time and cost of pursuing a matter in court or through a dispute resolution process. For example, if a court finds, in a proceeding between an SPF regulator and a regulated entity, that the entity's contravening conduct resulted in a non-party victim suffering financial loss, the court may consider it appropriate to order the regulated entity to provide a remedy.

[Schedule 1, item 1, subsection 58FZC(2)]

Division 7 - Other provisions

1.587 The amendments include a number of mechanical provisions that ensure a consistent treatment for the purposes of the SPF obligations across different types of entities. These specific provisions provide for the application of the SPF obligations to an entity that is a partnership, unincorporated association, or a trust. This ensures the scope of the SPF is not unnecessarily limited by the structure of a relevant entity.

[Schedule 1, item 1, sections 58GA, 58GB and 58GC]

1.588 The SPF provisions apply to a partnership as if it were a person but with the following changes:

An obligation that would otherwise be imposed on the partnership by an SPF provision is imposed on each partner and may be discharged by any of the partners.
Permitted activities may be done by one or more of the partners on behalf of the partnership.
Although each partner is accountable for the obligations and is permitted to act on behalf of the partnership, a change in the composition of a partnership does not affect the continuity of the partnership. This ensures minimal disruption in applying the SPF to a partnership.

[Schedule 1, item 1, section 58GA]

1.589 The SPF provisions apply to an unincorporated association as if it were a person, but in a way that reflects its status as an unincorporated association.

An obligation otherwise imposed on the association by an SPF provision is imposed on each member of the association's committee of management instead but may be discharged by any of the members.
If an SPF provision would otherwise permit something to be done by the unincorporated association, the thing may be done by one or more of the members of the association's committee of management on behalf of the association.

[Schedule 1, item 1, section 58GB]

1.590 The SPF provisions apply to a trust as if it were a person, with the following changes.

If the trust has a single trustee, an obligation otherwise imposed on the trust by an SPF provision is imposed on the trustee, and if an SPF provision would otherwise permit something to be done by the trust, the thing may be done by the trustee.
If the trust has more than one trustee, an obligation otherwise imposed on the trust by an SPF provision is imposed on each trustee instead, but may be discharged by any of the trustees, and if an SPF provision would otherwise permit something to be done by the trust, the thing may be done by any of the trustees.

[Schedule 1, item 1, subsection 58GC(1) to (3)]

1.591 Where the operation of the SPF results in an acquisition of property (within the meaning of paragraph 51(xxxi) of the Constitution) from a person otherwise than on just terms, the person who acquires the property is liable to pay the first person a reasonable amount of compensation. If there is a dispute as to the compensation, the person to whom compensation is payable may institute proceedings in the Federal Court or the Supreme Court of a State or Territory for the recovery of such reasonable amount of compensation as the court determines.

[Schedule 1, item 1, section 58GD]

The SPF rules

1.592 A Treasury Minister may make SPF rules by legislative instrument. To avoid doubt, the SPF rules may not create an offence or civil penalty, provide powers of arrest or detention or entry, search or seizure, impose a tax, set an amount to be appropriated from the Consolidated Revenue Fund under an appropriation in the CCA or directly amend the text of the CCA.

[Schedule 1, item 1, subsections 58GE(1) and (3)]

1.593 The SPF rules are subject to sunsetting and Parliamentary scrutiny through the disallowance process.

1.594 Consistent with section 17 of the Legislation Act 2003, prior to making the SPF rules, the Minister must be satisfied that there has been appropriate and reasonably practicable consultation. This will include appropriate consultation on aspects of the obligation on regulated entities to share information under SPF Principle 4: Report, including in relation to the kinds of information, and the timing, manner and form of the reports, that regulated entities are required to give to SPF regulators.

1.595 The Minister may, in writing, delegate the Minister's power to make SPF rules to another Minister or to an SPF regulator. This would be appropriate where the Minister considers that another Minister or a regulator has the necessary industry knowledge, understanding and information to best address scams in that sector and to make appropriate SPF rules.

[Schedule 1, item 1, subsection 58GE(2)]

1.596 For example, the Minister may consider it appropriate for the SPF general regulator to make rules relating to reporting arrangements, noting that the SPF general regulator will be required to manage any information it receives under the SPF.

Statutory review of the SPF

1.597 To evaluate the effectiveness of the SPF, a Treasury Minister must cause a review of the SPF provisions to be conducted as soon as practicable after the end of the three-year period starting on the day the first SPF code is made under section 58CB.

[Schedule 1, item 1, subsections 58GF(1) and (2)]

1.598 This review will examine the operation of the SPF provisions, which include:

provisions in Part IVF;
provisions of a legislative instrument made under Part IVF, including the SPF codes and SPF rules;
another provision of the CCA that relates to a provision in Part IVF or in a legislative instrument made under Part IVF; and
provisions of the Regulatory Powers Act to the extent it applies in relation to a provision in Part IVF.

1.599 For example, the review may focus on:

the effectiveness of the dispute resolution framework under the SPF (including IDR and EDR), including the experiences of consumers in accessing compensation and AFCA's role as the authorised SPF EDR scheme for the three initially designated sectors;
the effectiveness of the penalty provisions in deterring contraventions of the SPF;
the broader impact of the SPF on Australian consumers and businesses; and
other related legislation and regulatory initiatives, including emerging trends and developments internationally as they relate to the SPF.

1.600 The person who conducts the review must give a written report to the Minister, which must be tabled in each House of Parliament within 15 sitting days after the Minister receives the report.

[Schedule 1, item 1, subsection 58GF(3) and (4)]

Consequential amendments

1.601 Part 2 of Schedule 1 makes consequential amendments to various Acts to accommodate the SPF and related changes.

1.602 The intention is that if the telecommunications sector is designated to be a regulated sector, then ACMA would be the SPF sector regulator for that sector. Accordingly, the ACMA Act is amended to ensure the functions and powers that are conferred on ACMA under the SPF provisions are part of ACMA's telecommunications functions.

[Schedule 1, item 2, subparagraph 8(1)(j)(vii) of the ACMA Act]

1.603 To facilitate the multi-regulator model and allow for effective information sharing between regulators, a new section is inserted into the ACMA Act to allow an authorised ACMA official to make authorised disclosures to an SPF regulator or an operator of an SPF EDR scheme for the purpose of the operation of the SPF provisions. The primary law amendments provide for a framework of regulated sectors and their sector regulator. It is the intention that ACMA would be designated as the sector regulator for the telecommunications sector when that sector is designated as a regulated sector.

[Schedule 1, item 3, section 59DB of the ACMA Act]

1.604 The intention is that if the banking sector is designated to be a regulated sector, then ASIC would be the SPF sector regulator for that sector. Accordingly, the ASIC Act is amended to reflect that ASIC will have the functions and powers that are conferred on it under the SPF provisions.

[Schedule 1, item 4, subsection 12A(1) of the ASIC Act]

1.605 The amendments also introduce a number of definitions into subsection 4(1) of the CCA:

'ACMA' means the Australian Communications and Media Authority.
'actionable scam intelligence' has the meaning given by section 58AI.
'associate' of an SPF consumer means an associate (within the meaning of section 318 of the ITAA 1936) of the SPF consumer that is either a person who carries on a business having a principal place of business in Australia, or a natural person who:

- is in Australia; or
- is ordinarily resident in Australia.

'civil penalty provision of an SPF code' refers to the provisions that create civil penalties in the SPF under an SPF code.
'civil penalty provision of an SPF principle' refers to the provisions that create civil penalties in the SPF under an SPF principle.
'de-identified' information is information which is no longer about an identifiable individual or an individual who is reasonably identifiable.
'infringement notice compliance period' has the meaning given by section 58FT.
'inspector' of an SPF regulator, has the meaning given by section 58FB.
'involved' in a contravention of a civil penalty provision (whether of an SPF code or an SPF principle) means:

- aiding, abetting, counselling or procuring a contravention of the provision;
- inducing, whether by threats or promises or otherwise, such a contravention;
- being in any way, directly or indirectly, knowingly concerned in, or party to, such a contravention; or
- conspiring with others to effect such a contravention.

'reasonable steps' for the purposes of the SPF principles has a meaning which is affected by section 58BB.
'regulated entity' refers to an entity to which the SPF applies. These entities (unless excluded) carry out a business or provide a service under a regulated sector. See section 58AD.
'regulated sector' refers to a sector that has been designated for the SPF to apply. This designation is made by legislative instrument. See subsection 58AC(1).
'regulated service' has the meaning given by section 58AD.
'scam' has the meaning given by section 58AG.
'SPF civil penalty order' means a civil penalty order under Part 4 of the Regulatory Powers Act (as that Part applies because of section 58FJ).
'SPF code' refers to sector-specific codes that apply to regulated entities of a regulated sector. SPF codes are legislative instruments. See section 58CB.
'SPF consumer' has the meaning given by section 58AH. They are generally those who may be provided the regulated services of a regulated entity, and thus, be exposed to scams in that sector. An SPF consumer must also be a natural person, or small business in Australia.
'SPF EDR scheme' for a regulated sector means an EDR scheme authorised under subsection 58DB(1) for that sector.
'SPF general regulator' has the meaning given by section 58EB. By default, the ACCC is the SPF general regulator with oversight of the SPF.
'SPF governance policies, procedures, metrics and targets' refer to a regulated entity's policies and procedures required under paragraph 58BD(1)(a) for the regulated sector and the performance metrics and targets required under paragraph 58BD(1)(c) for those policies and procedures.
'SPF infringement notice' means an infringement notice issued under subsection 58FO(1) or (2).
'SPF personal information' means personal information, or information relating to a person, that may be used alone or in conjunction with other information to access a service or an account, or funds, credit, or other financial benefits.
'SPF principles' means the provisions in Subdivisions B to G of Division 2 of Part IVF. These refer to the overarching principles under the SPF of governance, prevent, detect, report, disrupt, and respond.
'SPF provisions' means a provision of Part IVF, a provision of a legislative instrument made under that Part (such as any SPF codes), another provision of the CCA that relates to a provision of Part IVF or a legislative instrument made under that Part and a provision of the Regulatory Powers Act to the extent that it applies in relation to a provision of Part IVF or a legislative instrument made under that Part. See section 58AJ.
'SPF regulator' means either the SPF general regulator (by default, the ACCC) or the SPF sector regulator for a regulated sector.
'SPF rules' means the rules made under section 58GE. The SPF rules are a legislative instrument.
'SPF sector regulator' refers to the sector regulator that has been designated for a regulated sector. See section 58ED. It is intended that for the banking and telecommunications sectors (once designated as regulated sectors):

- ASIC would be the SPF sector regulator for the banking sector; and
- ACMA would be the SPF sector regulator for the telecommunications sector.

'senior officer' of a regulated entity means an officer or a senior manager of the entity, within the meaning of the Corporations Act.

[Schedule 1, item 5, subsection 4(1)]

1.606 Consequential amendments repeal the existing definitions of 'ACMA' elsewhere in the CCA, because ACMA is now defined in subsection 4(1) of the CCA (the interpretation provision). Accordingly, the reference to 'Australian Communications and Media Authority' in section 155AAA of the CCA has also been updated to 'ACMA'.

[Schedule 1, items 6, 7, 8 and 12, sections 52A, 151AB and 152AC and paragraph 155AAA(12)(b)]

1.607 Consequential amendments are made to section 155 of the CCA, which relates to the ACCC's information gathering powers, to ensure these powers can be used for the purposes and operation of the SPF.

[Schedule 1, items 9, 10 and 11, subsection 155(9AC)]

1.608 The amendments provide for the ACCC, as an SPF regulator, to exercise its existing powers under section 155 of the CCA to obtain information, documents and evidence for the purposes of the SPF.

1.609 Specifically, the ACCC as an SPF regulator may exercise its powers under section 155 to the extent that a matter constitutes, or may constitute, a contravention of an SPF code, or is relevant to a 'designated scams prevention framework matter' as defined in subsection 155(9AC).

[Schedule 1, items 9 and 10, subparagraph 155(2)(b)(i) and paragraph 155(2)(a)]

1.610 A 'designated scams prevention framework matter' in section 155 is a reference to the performance of a function, or the exercise of power, conferred on the ACCC, as the SPF general regulator, by or under Part IVF (being the SPF), a legislative instrument made under that Part or the Regulatory Powers Act to the extent that it applies in relation to a provision of that Part.

[Schedule 1, item 11, subsection 155(9AC)]

1.611 Consequential amendments are made to subsection 1051(2) of the Corporations Act to insert a legislative note which clarifies that a law, instrument or condition requiring entities to be members of the scheme need not be a law, instrument or condition regulating providers of financial products or services. The constitutional basis for that law, instrument or condition would need to support the contention that those entities are required to be members of the scheme.

[Schedule 1, item 13, section 1051 of the Corporations Act]

1.612 Consequential amendments are made to section 1052A of the Corporations Act to insert a legislative note which clarifies that ASIC's power to issue regulatory requirements extends to any application of the AFCA scheme in relation to members of the scheme who are not providers of financial products or services.

[Schedule 1, item 14, section 1052A of the Corporations Act]

1.613 Consequential amendments are made to subsection 1052B(1) to omit "Note" and substitute "Note 1".

[Schedule 1, item 15, section 1052B of the Corporations Act]

1.614 Consequential amendments are made to subsection 1052B(1) to insert a legislative note which clarifies that ASIC's power to give directions extends to any application of the AFCA scheme relating to members of the scheme that are not providers of financial products or services.

[Schedule 1, item 16, section 1052B of the Corporations Act]

1.615 Consequential amendments are made to subsections 1052BA(1) and 1052C(1) to insert a legislative note which clarifies that ASIC's power to give directions extends to any application of the AFCA scheme relating to members of the scheme that are not providers of financial products or services.

[Schedule 1, item 17, section 1052BA and section 1052C of the Corporations Act]

1.616 Consequential amendments are made to subsection 1052D(1) to omit "Note" and substitute "Note 1".

[Schedule 1, item 18, section 1052D of the Corporations Act]

1.617 Consequential amendments are made to subsection 1052D(1) to insert a legislative note which clarifies that AFCA's right to make a request extends to any application of the AFCA scheme relating to members of the scheme that are not providers of financial products or services. ASIC's power under subsection 1052D(2) to approve a material change requested by AFCA is consequentially extended to reflect the expanded scope of the requests that AFCA is able to make.

[Schedule 1, item 19, section 1052D of the Corporations Act]

1.618 Consequential amendments are made to subsection 1052E(1) to insert a legislative note which clarifies that the referral obligation extends to any application of the AFCA scheme in relation to members that are not providers of financial products or services.

[Schedule 1, item 20, section 1052E of the Corporations Act]

Commencement, application, and transitional provisions

1.619 The Bill commences the day after Royal Assent.

1.620 The amendments apply from commencement.
