For two years, Australia's Scams Prevention Framework lived comfortably in the future tense. Banks knew it was coming. Everyone agreed something had to be done. The questions were always when and how much and what exactly.
Those questions now have answers.
On 29 May 2026, the Federal Government issued formal sector designations, confirming that banks, telecommunications providers, and certain digital platforms — including social media and search engines — will be the first sectors regulated under the SPF. Treasury simultaneously released for consultation a full suite of draft industry codes, explanatory statements, draft rules, and guidance on internal dispute resolution. The consultation window closes on 25 June 2026. Full effect: 31 March 2027.
That is less than nine months away.
The extension from the originally mooted mid-2026 deadline might look like breathing room. It is not. The designation is done. The codes are being finalized, not started. And the scams the framework was designed to address are not waiting for anyone's implementation timeline.
What the SPF requires
The framework is built around six overarching principles. They apply to every designated entity, not just banks.
Govern. Establish governance, policies, metrics, and senior accountability for scam prevention. This is not a line item on a risk register — the framework expects documented policies and procedures, defined metrics and targets, and a senior officer who can sign off on compliance.
Prevent. Take reasonable steps to stop scams from reaching customers. That includes protecting official communication channels and reducing the risk of brand impersonation being used to facilitate scams. The prevent principle is where brand protection moves from a security hygiene issue to a codified obligation.
Detect. Identify scam activity and high-risk transactions or interactions while they are happening — not just after the loss. For banks, that means both internal signals (unusual payment patterns, behavioral anomalies) and external ones (impersonation campaigns, fake ads, spoofed websites targeting your customers).
Disrupt. Act to stop scam campaigns. Request removal of impersonating websites, block identified scam infrastructure, and intervene in high-risk payment flows. Detection without disruption is awareness — not prevention.
Respond. Provide clear, accessible pathways for customers to report scams and resolve complaints. That includes both internal dispute resolution and membership in the external dispute resolution scheme, which is AFCA.
Report. Share actionable scam intelligence with regulators and cooperate with other designated entities to improve detection and disruption across the ecosystem.
These are not optional aspirations. Each principle carries enforceable obligations and civil penalty exposure.
The penalties have edges, too
The SPF introduces a two-tier civil penalty regime. Tier 1 contraventions — covering the prevent, detect, disrupt, and respond principles — carry a maximum of the greater of approximately A$50 million, three times the benefit gained, or 30% of adjusted turnover during the breach period. Tier 2 contraventions — covering governance, report, and sector-code breaches — top out at the greater of approximately A$10 million, three times the benefit, or 10% of turnover.
Below the headline fines sits a cascade of regulator tools: enforceable undertakings, injunctions, representative damages actions, public warning notices, remedial directions, and adverse-publicity orders.
Then the part most banks have not yet fully priced in: the private right of action. Consumers who suffer losses because a regulated entity breached the framework have a direct route to compensation. AFCA is scaling up its resources, adding specialist hires and expert panel members. Applications for AFCA membership open from 1 July 2026.
Three regulators are now aligned around the same framework. The ACCC is the general regulator. ASIC oversees banks. ACMA oversees telcos. That is not one enforcement body with a crowded docket. It is three.
What "reasonable steps" actually means
The SPF does not prescribe a technology stack or a vendor list. It asks regulated entities to take "reasonable steps" — a phrase that is doing an enormous amount of work in this legislation.
What counts as reasonable will depend on several factors: the size and complexity of the organization, the nature and scale of its scam exposure, the customer base and how those customers are targeted, the current and emerging threat environment, the available technology, and the entity's capacity for continuous improvement.
That flexibility is deliberate. A tier-one bank will be held to a different standard than a small mutual — but both need a process, not just a policy. A process that can be shown, measured, and improved over time.
The trap for many organizations is treating "reasonable" as a permission to do the minimum. It is not. Reasonable is far more likely to be judged against what a well-resourced, well-informed organization in a similar position could be expected to do. If the technology exists to detect brand impersonation at scale, monitor across multiple channels, and disrupt threats within hours rather than days, then relying on customer reports and occasional manual takedown requests may not clear the bar.
The safest interpretation of "reasonable" is this: a system you can defend when someone asks what happened and why.
What is settled vs. what is still landing
Not everything is final. The regulatory picture has clear zones, though, and knowing which is which matters for planning.
Settled. The Scams Prevention Framework Act 2025 is law, commenced 21 February 2025. Banks, telcos, and digital platforms are formally designated. The six principles are defined and each carries enforceable civil penalty provisions. AFCA is confirmed as the single external dispute resolution body for scam complaints. The two-tier penalty structure and private right of action are in the legislation. None of this is ambiguous.
In final consultation — closing 25 June 2026. Draft industry codes, including a common code that applies across sectors and sector-specific codes for banking, telcos, and digital platforms. Draft rules covering complaint handling, dispute resolution, and related areas. Guidance on internal dispute resolution. This is where the detailed, operational requirements live — the obligations that will shape what banks actually have to build and demonstrate. Banks should be reading and responding to these drafts now, not waiting for the final versions to land.
Still coming. Rules around actionable scam intelligence sharing are expected to be made by 31 March 2027, with substantive obligations commencing toward the end of 2027. Further sectors — potentially superannuation, crypto-asset exchanges, online dating platforms, and marketplaces — may be designated in the future. The ABA has specifically urged the Government to extend the framework to dating apps and crypto, arguing that these are significant scam-initiation channels currently outside the regulatory perimeter.
Why this is an operating model, not a compliance project
The instinct for many organizations will be to treat SPF readiness as a compliance workstream: update the governance documents, draft some policies, add a line item to the risk register, and call it done.
That will not work.
The SPF is structured around a lifecycle — prevent, detect, disrupt, respond — where each principle requires operational capability, not just documented intent. Governance sets the foundation, but governance without execution is a filing cabinet. And the framework's emphasis on continuous improvement makes it clear that regulators expect capabilities to evolve, not just exist at the point of designation.
What does operational readiness actually look like? Start with a few practical questions.
Where are your customers encountering scams? Not just phishing emails. Fake investment ads. Spoofed banking websites. Lookalike domains. Social media impersonation. Fraudulent mobile apps. Scam phone calls and SMS. Scam campaigns move across channels; detection that lives in one channel will miss most of the problem.
What happens after you detect something? If a spoofed domain is identified, how quickly can it be taken down? Who approves it? Is the workflow automated or does it sit in someone's inbox? Can you show evidence of the action and the outcome? A dashboard full of detected threats is not scam prevention if nothing happens to them.
Can you prove what you did? The framework's record-keeping and reporting expectations mean that evidence is part of the control, not an afterthought. What was detected, when it was detected, what action was taken, whether it was effective, and how the process has improved — all of this needs to be documentable.
Does the process scale? Scam campaigns are increasingly industrialized. A manual process that works for a handful of threats per month will not hold when a campaign spins up hundreds of impersonation domains in a week. The organizations most exposed are not the ones with the most scams — they are the ones whose response cannot keep pace with the volume.
What banks should do now
March 2027 is further away than the original mid-2026 target, and the extension is welcome. But it is an extension, not a reprieve. The consultation closes in weeks. The designation is done. The question is no longer whether these obligations will land — it is whether your organization will be ready when they do.
Read the drafts. If your team has not yet reviewed the draft codes, rules, and guidance, start there. Understand what the obligations will look like in practice — not in the abstract — for your specific size, customer base, and scam exposure profile. Respond to the consultation by 25 June if you have concerns.
Map your visibility. Ask where your customers encounter your brand outside of your own channels: websites, social media, search, ads, app stores, messaging, phone. Ask whether you can see threats across those surfaces, or whether your current process relies on customers telling you about impersonation after the harm has already happened.
Assess your detection-to-disruption workflow. Detection without action is awareness, not prevention. The disrupt principle makes that distinction explicit. Measure how quickly you move from seeing a threat to removing, blocking, or neutralizing it — and whether that speed is defensible.
Build the evidence layer now. If you wait until a regulator or a complainant asks what you did, it is too late to generate the records. Evidence should be a byproduct of the workflow, not a retrofit.
Do not mistake the runway for leisure. The scams that the SPF was designed to address are happening now. The fake investment ads, the spoofed banking sites, the impersonation on social media, the mule accounts — they are not waiting for 31 March 2027. The organizations that start now will have a defensible, tested system by the time the obligations take effect. The ones that wait will have a very expensive calendar problem.
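As an added illustration of the detection-to-disruption workflow and evidence layer described above (this is example code, not from the original post or from Netcraft), the following Python sketch models each impersonation case as an append-only evidence trail with an enforced lifecycle and derives the speed metrics a governance report would need; the states, indicators, actors and timings are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median
# Lifecycle the evidence trail must follow (constructed for this example, not from the page).
TRANSITIONS = {"detected": {"takedown_requested", "blocked"}, "takedown_requested": {"removed", "blocked"},
               "blocked": {"removed", "verified"}, "removed": {"verified"}}  # verified = effect confirmed
DISRUPTED = {"blocked", "removed"}  # states that count as the disrupt step having happened

@dataclass
class Case:
    indicator: str  # lookalike domain, ad, or social handle (sample values below are constructed)
    channel: str    # website, ads, social, app store ...
    events: list = field(default_factory=list)  # append-only: who did what, when, with what result

    def record(self, state, at, actor, note=""):
        """Append an evidence event; refuse transitions the lifecycle does not allow."""
        current = self.events[-1]["state"] if self.events else None
        if current is None and state != "detected":
            raise ValueError("first event must be 'detected'")
        if current and (state not in TRANSITIONS.get(current, set()) or at < self.events[-1]["at"]):
            raise ValueError(f"illegal or out-of-order transition {current} -> {state}")
        self.events.append({"state": state, "at": at, "actor": actor, "note": note})

    def hours_to_disruption(self):
        """Hours from detection to the first blocking/removal action, or None if still open."""
        t0 = self.events[0]["at"]
        hit = next((e for e in self.events if e["state"] in DISRUPTED), None)
        return None if hit is None else (hit["at"] - t0) / timedelta(hours=1)

def summarise(cases, target_hours=24.0):
    """The numbers a governance report needs: volume, open cases, speed and on-target share."""
    times = [h for c in cases if (h := c.hours_to_disruption()) is not None]
    pct = round(100 * sum(h <= target_hours for h in times) / len(times), 1) if times else 0.0
    return {"cases": len(cases), "undisrupted": len(cases) - len(times),
            "median_hours": median(times) if times else None, "within_target_pct": pct}

def sample_cases():
    """Three constructed cases; indicators and timings are invented for illustration."""
    t0 = datetime(2026, 6, 1, 9, 0)
    a = Case("examp1e-bank.test", "website")
    a.record("detected", t0, "monitoring")
    a.record("takedown_requested", t0 + timedelta(hours=1), "analyst", "registrar abuse desk")
    a.record("removed", t0 + timedelta(hours=6), "registrar")
    a.record("verified", t0 + timedelta(hours=7), "analyst", "domain no longer resolves")
    b = Case("bank-login-support.test", "ads")
    b.record("detected", t0, "monitoring")
    b.record("blocked", t0 + timedelta(hours=30), "ad platform")  # outside a 24h target
    c = Case("@bank_helpdesk", "social")
    c.record("detected", t0, "customer report")  # still open: counted as undisrupted
    return [a, b, c]
```

Running `summarise(sample_cases())` gives a median of 18 hours with one case disrupted inside the target and one still open, which is the kind of figure a senior officer can sign off on, or be challenged on.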
The regulator has not asked you to eliminate every scam on the internet. That would be unreasonably optimistic. It has asked you to build, monitor, review, and improve a serious process for reducing the harm. That is the difference between a policy and an operating model. And under Australia's SPF, only one of them will count.
Netcraft helps banks and financial institutions detect, disrupt, and take down brand impersonation, phishing, scam infrastructure, and fraudulent activity across the internet — with the speed, scale, and evidence that regulatory frameworks like the SPF now demand. If you are assessing your SPF readiness and want to understand how your current capabilities map to the framework's expectations, talk to our team.