Business Insight

Scams Prevention Framework Draft Rules and Codes released. Is your business ready?


    What you need to know

    • Treasury released its exposure draft package for the Scams Prevention Framework (SPF) on 28 May 2026, including draft SPF Codes, SPF Rules, and sector-specific codes for the banking, telecommunications and digital platforms sectors.
    • The SPF Codes translate five of the six SPF Principles (governance, prevent, detect, disrupt and respond) into mandatory obligations backed by civil penalties, commencing by at least 31 March 2027.
    • Treasury also released a Position Paper on Internal Dispute Resolution (IDR) under the SPF.  Key IDR proposals include automatic reimbursement of verified scam losses under $3,000 and equal liability apportionment between breaching entities.

    What you need to do

    • Consultation: Those wishing to make submissions in response to the exposure draft package have until 25 June 2026 to file them. 
    • Get ready for the SPF: Regulated entities have until 31 March 2027 to prepare for the significant changes under the SPF.  We recommend taking the following steps to prepare:
      • First, determine if you're in scope.  Check whether your organisation qualifies as a regulated entity under the SPF.
      • Next, conduct a gap analysis.  Map your organisation's current systems and processes against the draft SPF Rules and Codes to identify gaps in your compliance posture.
      • Finally, establish an "uplift roadmap".  If you've identified gaps, create a clear plan to uplift your systems and processes by the end of March 2027.
    • Stay up to date: Watch for further developments from Treasury as the process continues through to final implementation and operation, in particular on the reporting obligations, which Treasury has flagged will be the subject of a separate consultation in 2026.

    The exposure draft package

    In the first three months of 2026 (1 January to 31 March 2026), Scamwatch (the National Anti-Scam Centre) and ReportCyber (reports to law enforcement) received a combined total of 60,657 scam reports, with reported losses totalling $248.3 million. Treasury's long-awaited exposure draft package for the Scams Prevention Framework (SPF) aims to address this problem.

    The exposure draft package released on 28 May 2026 contains the following key documents:

    • a draft Common Code setting out obligations that apply to regulated entities;
    • separate draft sector-specific codes for telcos (Telco Code), banks (Banking Code) and digital platforms (Digital Platforms Code);
    • draft SPF Rules, with detailed operational requirements;
    • an Internal Dispute Resolution (IDR) Position Paper outlining Treasury’s proposed approach to IDR; and
    • explanatory statements and a guide to the SPF Codes and SPF Rules.

    The SPF Codes are set to take effect by at least 31 March 2027, introducing mandatory obligations, with many backed by civil penalties. This reform will reshape how regulated entities prevent, detect and respond to scams. While the consultation package outlines much of how the SPF will look on paper, significant questions remain about how the regime will operate in practice, especially in relation to IDR.

    In this note, we outline who is covered by the new obligations, the consultation and implementation timelines, what has changed since Treasury's November 2025 position paper, the obligations that regulated entities should be thinking about, and the road ahead.

    Who is designated as a regulated entity?

    The banking, telecommunications and digital platforms sectors have been designated as regulated sectors under the SPF. However, not all entities in these sectors will be captured, with the draft SPF Rules including exceptions and thresholds:

    Sector: Banking

    Covered services: Services by an authorised deposit-taking institution (ADI) in carrying on its banking business in Australia, and the provision of purchased payment facilities (PPFs) by ADIs.

    Exceptions: The SPF Rules exclude:

    • standalone PPF providers; and
    • business-to-business banking services not provided to retail customers.

    Sector: Digital platforms

    Covered services: Any of the following:

    • Designated instant messaging services: an electronic service that is an instant messaging service (including real-time non-text communication), is not ancillary to another service, does not have a significant purpose of facilitating internal business communication, and is not a designated social media service or covered telecommunications service.
    • Designated internet search services: the provision of advertising material to users of an internet search engine that enables searches of the internet broadly (not limited databases or price comparisons), where that advertising is provided for consideration.
    • Designated social media services: an electronic service with a sole or significant purpose of enabling online social interaction between 2 or more end-users, where users can link to or interact with other users and post material, and the service is not ancillary to another electronic service.

    Exceptions: The SPF Rules crucially provide that an entity is only captured if it meets both:

    • the Active Australian User Test (200,000 or more average monthly active Australian users); and
    • the Revenue Test ($1 billion AUD or more global gross revenue).

    Both tests are assessed as at 1 January each year.

    Sector: Telecommunications

    Covered services: Voice call services and message services where the service is provided:

    • by a carrier and a public carriage service provider; and
    • using a listed carriage service.

    Exceptions: This structure means that entities operating only private lines (i.e. closed, controlled networks not using listed carriage services) are not captured. It also excludes those services delivered wholly over the internet.

    Consultation and implementation timeline

    Notable shifts since November 2025

    The exposure draft package contains several notable amendments and additions since the November 2025 draft package and position paper which we have outlined in the table below.

    Issue: Automatic reimbursement for low-value losses up to $3,000

    November 2025: Not foreshadowed.

    May 2026: While an IDR mechanism has been a long-anticipated feature of the SPF, the IDR Position Paper released as part of the exposure draft states that "Ministerial Guidance will make it clear that entities should reimburse consumers for scam losses under $3,000". See below for further analysis on this proposed reimbursement scheme.

    Issue: Commencement date

    November 2025: SPF was intended to commence on 1 July 2026, with the foundations of the SPF in place by no later than 30 June 2026.

    May 2026:

    • SPF Rules: commence 1 September 2026. Parts 2 and 7 (which deal with statements of compliance and record keeping) are not operational until at least 31 March 2027.
    • SPF Codes: at least 31 March 2027 (approximately 9 months later than the 1 July 2026 commencement date that was set out in the November 2025 position paper).

    Issue: Timeframe to lodge an IDR Statement of compliance (SOC)

    November 2025: 30 calendar days.

    May 2026: 21 calendar days.

    Issue: Fast-tracked statement for complaints

    November 2025: Treasury indicated that no SOC would be required if the complaint was resolved to a consumer's satisfaction within 5 calendar days.

    May 2026: The new exposure draft package includes a 'fast-track' SOC mechanism: if an entity is satisfied on reasonable grounds that a complaint is resolved to a consumer's satisfaction within 5 business days, it may issue a brief explanation of how the complaint was resolved, instead of the full SOC. However, the consumer retains the right to request the full SOC, and must be told that they remain entitled to do so.

    Issue: Consumer contribution ('excess')

    November 2025: Not foreshadowed.

    May 2026: In the Guide to the SPF Rules and Codes, Treasury has specifically requested feedback on whether the IDR guidance in the SPF Rules should allow regulated entities to apply a consumer contribution or excess to scam reimbursements. This echoes the UK's APP fraud scheme, which allows (but doesn't enforce) the application of an 'excess' of up to £100 to encourage consumer caution while minimising harm.

    The standards set by the SPF Codes

    The SPF Codes translate five of the six SPF Principles set out in the SPF Act into concrete, enforceable obligations with many backed by civil penalties.

    It appears that SPF Principle 4 (Report) has not been included in the SPF Codes at this stage; in its November 2025 position paper, Treasury indicated that this principle would be addressed through a separate consultation in 2026.

    With the 31 March 2027 commencement date approaching, regulated entities should be assessing now whether their existing systems, processes and governance frameworks can meet these requirements.

    SPF Principles with common SPF Code obligations only

    Principle 1: Governance

    • Policies and procedures: Regulated entities must develop governance policies and procedures that account for scam risks, consumer vulnerability, service delivery methods, emerging threats, and recent major scam events, and must document how those risks were assessed.  
    • Staff training: Staff must be trained upon commencement and annually thereafter to identify scams, support affected consumers, and handle reports and complaints.

    Principle 6: Respond

    • Systems: Entities must offer a free, accessible, multi-channel scam reporting mechanism which is available at all times.
    • Acknowledge and assist: Entities must acknowledge reports within 24 hours, and provide timely assistance.
    • IDR and complaints: Entities must maintain a parallel IDR mechanism, acknowledge complaints as soon as practicable, and notify complainants of External Dispute Resolution rights if a complaint is unresolved after 30 days.  Entities must cooperate across sectors on complaints, may decline frivolous or vexatious complaints (with written notice within five business days), and must keep analysable complaints records.

    SPF Principles with common and sector-specific SPF Code obligations

    Principle 2: Prevent

    Common Code:

    • Systems: Entities must have and maintain reasonable and secure systems to protect consumer information and accounts, including regular vulnerability assessments and software patching.
    • Supervise: Entities must supervise agents and third-party service providers for compliance with scam-prevention obligations.
    • Monitor: Entities must prevent their brands from being used in brand impersonation scams by monitoring the internet and seeking removal of infringing material.
    • Inform: Entities must publish accessible, up-to-date scam awareness information.

    Banking Code:

    • Confirm payee details: Banks must enable payee confirmation before electronic funds transfers, warn consumers if the payee details do not match and offer the option not to proceed.
    • Verify identity: Banks must also verify consumers' identity.
    • Systems: Banks must maintain systems to identify high-risk transactions.
    • Warnings and action: Banks must issue targeted warnings, and take proportionate action to identify and limit suspect transactions.

    Digital Platforms Code:

    • Verify identity: Digital platforms must verify new users' identity, confirm users have not been previously banned, and verify authorised representative status for business accounts. In addition, platforms must conduct licence and charity registration checks for advertisers.
    • Review: Platforms must review advertisements for scam activity before publication.
    • Warnings: Platforms must issue targeted warnings to high-risk consumers about specific scam types.

    Telco Code:

    • Verify identity and rights of use: Telcos must verify customer identity before supplying services, and for high-risk services must also confirm rights of use and establish a legitimate use case.
    • Disallow and block: Telcos must not carry calls without a caller ID (CLI), and must block calls or messages using Do Not Originate List numbers or bearing incorrect trust markings.
    • Verify inbound calls: Inbound international calls with an Australian CLI must be verified or flagged, and unverified calls must have their CLI blocked or over-stamped.
    • Provide trust info: Originating providers must attach network trust information to legitimate traffic.
    • Secure: Telcos must secure their infrastructure against scam use.
    • Limit bulk messaging: Prepaid mobile services must impose message volume limits calibrated to scam traffic indicators.
    • Assist: Telcos must assist at-risk consumers by activating available tools and providing accessible scam information.

    The above proposed obligations complement the introduction of the SMS Sender ID Register from 1 July 2026, which aims to prevent scammers from using branded text messages to impersonate well-known brands.

    Principle 3: Detect

    Common Code:

    • Systems and processes: Entities must have reasonable systems, processes, and resources for scam detection.
    • Identify and record: Upon receiving actionable scam intelligence (ASI), entities must assess whether the activity is a scam, record investigation details, and maintain systems to identify affected consumers as soon as practicable.

    Banking Code:

    • Monitor: Banks must monitor transactions for unusual activity, and monitor accounts for suspicious changes to credentials or contact details.
    • Identify: On receiving ASI, banks must identify relevant transactions, accounts, and affected consumers.

    Digital Platforms Code:

    • Monitor: Platforms must monitor for suspicious user behaviour, content, and messages, though they need not decrypt encrypted messages on designated instant messaging services. Digital platforms must also monitor and assess advertisements, including re-verifying advertisers if details change, and monitor for suspicious content.

    Telco Code:

    • Monitor: Telcos must monitor networks in real time to validate traffic and identify scam indicators (e.g., high-volume calls, CLI spoofing, routing irregularities).
    • Filter: Originating carriers and message aggregators must use automated filtering to detect scam material in messages.
    • Notify: Telcos that identify ASI must notify the originating or interconnected provider within five business days, with acknowledgment from that entity due within two business days.

    Principle 5: Disrupt

    Common Code:

    • Notify: Regulated entities must notify affected consumers promptly and proportionately.
    • Assess, act, and reverse where necessary: Entities other than telecommunications providers must also conduct a risk assessment before taking disruptive action, and must reverse that action if the activity turns out not to be a scam.

    Banking Code:

    • Request recalls: Banks must issue payment recall requests when they reasonably believe a transaction is facilitating a scam, and receiving banks must assist.
    • Block, and reverse where necessary: Banks must also freeze, block or otherwise restrict accounts associated with scams. The restriction used must be proportionate to the risk, and access must be restored if the account holder is demonstrated not to be carrying on scams.

    Digital Platforms Code:

    • Warn and suppress: During investigations, digital platforms must warn consumers about, and suppress, suspect content.
    • Remove and block: Once a scam is confirmed, digital platforms must remove the content, block similar material, and disable associated accounts.
    • Limit scam ads: Platforms must also prevent scam advertisements by suspending suspect ads pending investigation, and permanently removing confirmed scam ads.

    Telco Code:

    • Block or warn: During investigations, telcos must block the CLI or attach a warning before delivering suspect calls or messages.
    • Interrupt and warn: Once a scam is confirmed, telcos must interrupt traffic from the associated number, and originating providers must warn consumers before carrying calls to that number.
    • Seek assistance: Providers must use contractual arrangements to seek international service providers' help blocking material volumes of offshore scam traffic.
    • Reverse if necessary: If an activity is not a scam, disruptive action must be reversed within five business days.

    IDR – the make-or-break component of the SPF

    The IDR Position Paper outlines how Treasury anticipates that scam complaints should be handled at the IDR stage to provide clarity to industry stakeholders and consumers.

    Our take is that this is the most complex component of the proposed SPF framework and will have a significant impact on whether the framework is viewed as a success or failure when rolled out to industry. We set out our observations on two interesting proposals from the Position Paper below.

    Efficient and proportionate handling - $3,000 automatic reimbursements

    An unexpected aspect of the proposal is that verified scam losses below $3,000 are to be automatically reimbursed and split equally where multiple regulated entities are involved. The rationale is expressed to be one of improving efficiency, with an expectation that it will lead to quick resolution of the majority of cases while reducing the burden on investigators.

    The $3,000 threshold is far lower than the cap under the UK's APP fraud scheme, which provides for reimbursement by banks of up to £85,000. Assistant Treasurer Dr Mulino MP indicated that scams with losses of less than $3,000 constitute "a very high proportion of the total number of claims, but they're not a particularly high proportion of losses", and that the proposed amount is not intended to make Australia a soft target for scammers.

    The Position Paper states the reimbursement obligation will be set out in Ministerial Guidance, which was not released as part of the consultation package. Section 58BZE provides that a regulated entity contravenes the SPF Act if, when engaged in IDR, it fails to have regard to the IDR process set out in the SPF Rules, or to any guidelines prescribed by the SPF Rules for apportioning liability arising from the complaint. Given that the scope of the foreshadowed Ministerial Guidance is not yet known, it is unclear if the proposal will even be enforceable. Furthermore, even if regulated entities have regard to the Ministerial Guidance, they may ultimately decide not to proceed with automatic reimbursement of up to $3,000 – section 58BZE does not on the face of the provision require the regulated entity to actually comply with the guidance, just to have regard to it.

    Treasury is seeking feedback on whether the automatic reimbursement is a sensible approach. Regulated entities may wish to make submissions given the cost implications and the question of whether automatic reimbursement appropriately balances consumer protection with the need to assess complaints on their merits.

    Equal split by default – the proposed liability apportionment

    Where multiple entities have breached SPF obligations, liability is to be shared equally between the breaching entities by default, with each entity reimbursing the consumer directly. The Position Paper suggests deviation from the equal share is only permitted in exceptional circumstances with unanimous agreement.

    Industry has already pushed back on this approach. Submissions made by banks and digital platforms in response to the November 2025 draft consultation package that originally floated the proposal included advocacy for "clear and deterministic" liability rules that are linked to objective criteria rather than blanket equal apportionment.

    The enforceability and operation of this proposal is uncertain. IDR is, by its nature, internal to each entity, and the interests of regulated entities may diverge. Treasury itself acknowledged this in the November 2025 position paper, stating that “any settlement reached and offered through IDR requires mutual agreement”, meaning the SPF can encourage cooperation but cannot mandate outcomes. How the civil penalty for non-cooperation under section 2-26 of the draft Common Code will interact with this reality is an open question.

    Interaction with the ePayments Code

    Industry submissions in response to the November 2025 consultation package included feedback that it was unclear how the SPF will interact with the ePayments Code for financial institutions. The IDR Position Paper makes clear that the SPF will take priority over other applicable frameworks, including the ePayments Code.

    Treasury has indicated that, once the SPF is operational, AFCA’s determinations will be guided by an assessment of SPF Code obligations, which operate as the primary benchmark for assessing compliance under the SPF Act. The Position Paper confirms that this same framework priority order will apply at the IDR stage, which should provide banks with clarity on which regime takes precedence when assessing scam complaints. For now, Treasury has not released draft legislative instruments prescribing how the priority will be enforced.

    This is a significant change. Over time, Treasury considers that published AFCA decisions should build a body of precedent against these new SPF benchmarks, further improving transparency and predictability in the dispute resolution system.

    Banks should take steps now to ensure their IDR processes are aligned with the SPF assessment model, focusing on entity compliance rather than consumer conduct or the ‘authorised’ vs ‘unauthorised’ distinction under the ePayments Code, ahead of the SPF Codes coming into effect.

    Where to from here

    The SPF marks a fundamental shift in how Australia regulates scam prevention. The framework's cross-sector approach acknowledges that scams don't respect industry boundaries, but it also introduces additional complexity. Entities will need to coordinate across sectors that have historically operated in silos, facing regulators with different enforcement cultures. Whether this delivers better outcomes for consumers or simply adds layers of compliance cost remains to be seen.

    Critically, this exposure draft package is not the final word. Treasury has flagged that several key elements are still being developed, including the IDR and reimbursement settings, further refinements to the definition of a scam to exclude misleading or deceptive conduct, intelligence sharing rules, and identity verification for banks.

    Regulated entities should treat this consultation window as an opportunity to shape the framework’s final design, in particular the contentious IDR proposals, which may have a material financial impact on their bottom lines.

    Other authors: Anna Gemmell-Smith, Lawyer


    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.


    This material is current as at 19 June 2026 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.