Australia's Department of the Treasury launches consultation on Scams Prevention Framework codes and rules and publishes draft sector designation and AFCA authorisation instruments

Australia's Department of the Treasury released a position paper and draft legislative instruments setting out preliminary policy views on how sector codes and supporting rules would operationalise the Scams Prevention Framework (SPF) for banks, telecommunications providers and certain digital platforms, alongside proposals to designate those sectors under the regime and to use the Australian Financial Complaints Authority (AFCA) as the external dispute resolution scheme for scam complaints across the three sectors. The position paper outlines proposed minimum obligations aligned to the SPF principles of governance, prevent, detect, disrupt and respond, built around a scalable “reasonable steps” test and a mix of prescriptive and principle-based requirements. Indicative cross-sector obligations include multi-factor authentication for logins from new devices, consumer-facing scam information, brand-impersonation protections, staff training, investigation and consumer-identification processes once “actionable scam intelligence” is held, targeted scam alerts and restoration of services where activity is found not to be a scam, and 24/7 free scam reporting and complaint handling with acknowledgements within 24 hours. For internal dispute resolution, proposals include remedies within 30 calendar days, written statements of compliance within 30 calendar days (unless resolved within five days), and guidance for cooperation and default equal apportionment of compensation in multi-party disputes. Sector-specific examples include bank payee name-checking, warnings before high-risk payments and account freezing or payment recall actions, telecom traffic analysis and blocking or withholding calling line identifiers, and digital platform advertiser licence checks for high-risk products plus proactive detection and removal of scam content and accounts. The draft designation instrument would cover authorised deposit-taking institutions (excluding restricted ADIs), carriers and carriage service providers for voice call and message services not carried wholly over the internet, and digital platform services meeting size thresholds, with ASIC as banking sector regulator, the Australian Communications and Media Authority for telecommunications, and the Australian Competition and Consumer Commission for digital platforms. The SPF is intended to commence on 1 July 2026, with foundations in place by 30 June 2026 and full implementation for the three sectors by end 2027. The draft AFCA authorisation would commence on 1 September 2026 and apply to SPF-related complaints made to AFCA on or after 1 January 2027, while supplementary rules enabling intelligence-sharing and certain reporting and disruption-related obligations are proposed to be made by 31 March 2027 with obligations commencing by end 2027; consultation on intelligence-sharing rules under the SPF reporting principle is flagged for 2026, and exposure draft codes and rules are expected to be consulted on in early to mid-2026.