What you need to know
- On 28 November 2025 Treasury published for consultation its draft law package and position paper to implement the Scam Prevention Framework (SPF), with the consultation period to close 5 January 2026.
- The consultation package includes:
  - A draft instrument to designate banks, telecommunications providers and certain digital platforms under the SPF from 1 July 2026;
  - A draft instrument to authorise the Australian Financial Complaints Authority (AFCA) to be the SPF's external dispute resolution (EDR) scheme from 1 September 2026 (AFCA will be required to accept SPF complaints for EDR from 1 January 2027); and
  - A position paper that outlines early thinking on the sector codes and rules.
- Subject to any changes that result from the consultation process, the consultation package clarifies a number of key questions regarding how the SPF will take effect:
  - Designation scope – The designation instrument provides technical details of the businesses and services included and excluded for designation;
  - Timing – The SPF will take effect on 1 July 2026; we expect the sector codes and rules to be finalised ahead of that date, and the SPF will be fully implemented for the 3 initially designated sectors by the end of 2027;
  - Scope of Actionable Scam Intelligence – Actionable Scam Intelligence (ASI), defined as forming a reasonable belief that activity is or may be a scam, will be continuously generated from prevent, detect, report and respond pillar activities. Newly generated ASI triggers obligations to detect, disrupt and report based on the ASI.
  - Timeliness of SPF obligations – A number of SPF obligations are time-bound, reflecting that time is of the essence when acting on ASI. For example, if a bank is aware that a customer has been scammed, the bank must 'immediately' issue a recall request to the receiving bank, and the receiving bank must 'immediately' act upon a payment recall request made by another bank.
  - Disruptive actions and notifications – A number of SPF obligations require businesses to stop transactions, suspend accounts and ban parties from designated services. Businesses must notify customers impacted by disruption activities, which will create tension with AUSTRAC tipping-off rules.
  - Statement of compliance – Businesses must provide customers with a statement regarding their compliance with their SPF obligations within 30 days of receiving an internal dispute resolution (IDR) scam complaint, in order to reduce information asymmetry between businesses and customers.
- The consultation package also leaves certain key details unaddressed for the time being:
  - Reporting of Actionable Scam Intelligence – Rules related to some obligations under SPF Principle 4 Report and SPF Principle 5 Disrupt dealing with ASI will be made by 31 March 2027, with industry obligations to commence by the end of 2027; and
  - Compensation rules – The position paper contains little discussion on compensation rules. It leaves it to be presumed that a regulated entity may be required to compensate customers for scam losses if the entity has not met its obligations under the SPF and that failure can be seen to have contributed to the customer's scam loss. The position paper states that where multiple regulated entities are involved in a single scam, they are expected to work together cooperatively through IDR to compensate customers, but it does not outline how this may work in practice.
What you need to do
- Review the consultation package and identify any elements that (i) require additional guidance to implement and (ii) are at risk of leading to unintended consequences;
- Confirm that governance arrangements for SPF oversight are in place and that they meet relevant requirements;
- Review the scope of your operations to understand what activities provide designated services to SPF consumers;
- Confirm that you are on track to meet relevant industry code requirements by 1 July 2026, including operating at the speed that time-bound obligations require;
- Implement a robust and scalable approach for managing a continuous flow of ASI and taking the required detect, disrupt and report actions accordingly;
- Develop an approach to support providing IDR customers with a statement of compliance regarding complaints related to scams; and
- Review your compensation rules for alignment with SPF obligations.
Our take
The consultation package brings the SPF timeline into view and elaborates specific and principles-based obligations that will take effect from 1 July 2026.
A summarised version of the industry code obligations presented in the position paper is as follows (with obligations in bold where we envision implementation complexity):
| Pillar | All designated sectors | Banks | Digital platforms | Telcos |
| --- | --- | --- | --- | --- |
| Governance | Embed responsibility for scam prevention within governance frameworks including strategic risk management and oversight | | | |
| Prevent | Have systems in place to identify vulnerabilities that could be exploited by scammers; Require multi-factor authentication (MFA) for new devices; Provide accessible information to customers regarding scam risks; Protect brand from being used in scams (including social media and search); Provide scam prevention training to staff | Targeted warnings for high-risk payments; Confirmation of Payee; Systems to verify identity of customers and nature of their transactions | Verify advertisers hold licenses to provide high-risk products; Warnings to customers of high-risk circumstances; Authentication processes to ensure accounts are legitimate (and not previously banned); Business users and advertisers provide appropriate identification | Verify customer has valid use case before providing certain services (such as originating calls using another number) |
| Detect | Businesses must investigate ASI; Maintain systems capable of identifying customers potentially impacted by a scam | Monitor all transactions for suspicious activity and identify ASI; Identify customers who have made a payment to a known scam account | Proactively delete accounts, content, messages and advertisements suspected of being a scam; Identify, notify and warn owners of an account that may be compromised; Identify, notify and warn customers who have communicated with a scam account or interacted with scam advertisements | Analyse calls and messages for patterns or indicators of a scam; Identify customers who have received scam calls or messages, with a focus on those who have interacted with the communication |
| Disrupt | Alert customers where there is a risk they are involved in an ongoing scam; Issue targeted scam alerts to customers where there is a reasonable suspicion that a specific scam threat may impact them; Restore disrupted services when an investigation clears the service of being involved in a scam; Notify customers impacted by disruption activities | Close and block payments to and from accounts controlled by scammers (or freeze account and return it to the owner); Act urgently to make and receive payment recall requests; Suspend accounts under investigation; Enable customers to freeze accounts | Permanently ban users and advertisers found to have been operating scams and prevent them from creating new accounts; Permanently remove or delist scam content; Limit visibility of content of advertisers under investigation; Flag content and messages under investigation; Suspend visibility of advertising under investigation | Block calls and messages to and from calling line identifiers (CLI) confirmed to be a scam |
| Report | Consultation to occur via a subsequent process | | | |
| Respond | Publish information about how to urgently report a scam that may be in progress; Accept scam reports 24/7; Provide acknowledgement of receipt of scam report within no more than 24 hours | | | |
It is evident that the intent behind the industry codes is to harness the power of ASI to disconnect scammers from designated services, making it difficult for scammers to reach customers and perpetrate scams.
Each designated sector will face a unique set of implementation challenges. These will call for businesses to balance the objective of protecting consumers from scams with the desire to provide services to legitimate customers in a seamless and efficient manner.