Norton Rose Fulbright LLP

11/10/2024 | News release | Distributed by Public on 11/10/2024 16:47

Part 2: Navigating the new frontier: Unpacking the new Scams Prevention Framework

This article was co-authored with Masooma Saberi and Alyssya Warty-Hasan.

We previously provided a short summary of the Scams Prevention Framework (the Framework) to highlight the important changes Australian entities can expect with this exposure draft legislation and the importance of implementing measures to prevent scams; Prevention (and disruption) is better than cure: The new framework for stopping scams before they start

Submissions on the exposure draft legislation closed on 4 October 2024 and the Scams Prevention Framework Bill 2024 was introduced into Parliament on 7 November 2024.

In this article we provide further practical insights on the exposure draft legislation, particularly highlighting certain obligations that will be placed on regulated entities to prevent scams.

Content

Actions to take to prepare for the launch

It is essential for Australian entities captured by the Framework to ensure that they are well prepared for these sweeping changes. Here are some actions to consider:

  • Assess your organisation's maturity against each of the 6 overarching principles through a comprehensive gap analysis of your policies and processes.
  • Conduct a holistic assessment across your business and operations to understand the key areas at risk of being exploited by scammers. This may include analysing any vulnerabilities in your systems, any prior incidents (or 'near misses'), and patterns/trends in the complaints you have received.
  • Invest in educating staff across all levels to ensure you can effectively manage your scam reporting and response.

Context

The Framework is an economy-wide reform to protect Australian consumers from scams. Scammers stole some $2.7 billion from Australian consumers in 2023 and the government has described the growth in scams as 'unacceptable', particularly given the wider financial, psychological and emotional harm caused to Australian consumers.

In essence, the Framework sets out clear responsibilities for regulated entities to take various steps to address scams with the endorsement of the Government and regulators. The Framework provides a streamlined and overarching regulatory approach that has been introduced as part of the government's efforts to modernise Australia's laws for the digital age.

The Framework seeks to build upon and consolidate various sectoral initiatives within a responsive and adaptable framework. The intent is to implement consistent overarching principles yet still enable sector-specific codes to articulate bespoke regulatory detail in each sector. The underlying sectoral codes will contain a set of minimum standards for each industry sector included within the Framework. Non-compliance will have severe consequences, including serious penalties.

The Framework: A Snapshot

The Framework will be introduced as a new Part IVF of the existing Competition and Consumer Act 2010 (Cth) (CCA). It builds upon Australia's increasing use of industry codes to implement sectoral competition and consumer protection regulation. The Australian Competition and Consumer Commission (ACCC) will be the lead regulator.

The Framework has the following key features:


The Framework implements six overarching scam prevention principles (called SPF principles) which apply to all regulated entities:


Under the Framework, a Treasury Minister (or an appropriately delegated authority) may make a sectoral code for a regulated sector, known as an "SPF Code". An SPF Code will generally contain detailed but not exhaustive, sector-specific obligations for regulated entities to comply with the SPF principles.

A Treasury Minister may also authorise an external dispute resolution scheme for the Framework. The government's current intention is to authorise the Australian Financial Complaints Authority (AFCA) in this role for all initially regulated sectors. A single scheme is intended to ensure consistency in consideration of complaints and a less burdensome approach for regulated entities and consumers.

Regulated entities are required to take reasonable steps under several of these principles, to combat scams. 'Reasonable' or 'reasonable steps' are not defined. This will require an objective assessment, to be considered against a range of factors such as entity size, the services they provide, who their consumers are and the exposure to specific kinds of scam activities.

Designated sectors subject to the SPF

The Minister, through a legislative instrument, will set out the regulated sectors. The following sectors are expressly identified as potential sectors that could be included within the Framework:



Of these, the government currently intends to initially designate 3 sectors, namely banking, telecommunication services, and digital platform services (social media, paid search engine advertising and direct messaging services), given the significance these sectors have in the lifecycle of scam activities.

There is also a mechanism to expand the designation into more sectors depending on the evolving nature of scam activities. This could include, for example, superannuation funds, digital currency exchanges, payment providers, and online marketplaces.

Overarching SPF principles

SPF principle 1: Governance

Regulated entities must develop and implement governance measures in the form of policies, procedures, metrics and targets to combat scams. Such governance measures are intended to be dynamic. Policies and procedures must be developed with reference to multiple factors such as the risk of scams faced by the entity, the consumer base it services, as well as any shift in scam activities.

Regulated entities must also:

  • Review and certify their governance measures at least annually by a senior officer of the entity.
  • Publish information about their measures to protect consumers from scams and the rights of those consumers in relation to scams (including about making complaints).
  • Keep records of their governance arrangements for a least 6 years and give reports about its compliance as requested by the regulator.

Practical considerations:

  • Do you have a good understanding of the areas in your chain of operations which may be susceptible to the risk of scams?
  • Do you have appropriate frameworks to develop and maintain a scam specific policy?
  • Do you have appropriate frameworks to support your annual certification process, such as processes covering risk identification and assessments, implementation of monitoring metrics, and review and uplift of relevant policies and procedures?

SPF principle 2: Prevent

Regulated entities must take reasonable steps to prevent scams, and proactivity is the key to demonstrating compliance with this principle. The draft legislation makes it clear that it is insufficient to merely act on relevant information relating to scams provided to the regulated entity.

Examples of reasonable steps includes identifying consumers who have a higher risk of being targeted by scams, providing warnings to at-risk consumers and making resources accessible to consumers to assist them to identify scams and to minimise the risk of harm from scams.

This principle is intended to stop scam activity from reaching or impacting consumers, as opposed to disrupting scam activity (see principles 3 and 5 below).

Practical Considerations:

  • Do you conduct regular risk assessments and seek out information proactively from relevant sources on the emerging scam activities to inform your risk assessment and potential remediation activities to address any vulnerabilities on your service?
  • Are there processes in place to identify which of your consumer base are at a higher risk of being scammed?
  • Do you regularly monitor and analyse organisation and industry data for any trends to identify which cohort is more susceptible to scams and the latest tactics which scammers are using to target consumers?
  • Do you have clear protocols to guide what resources or warnings you provide to consumers which you categorise as higher risk? For instance:
    • Do you take into account any attributes of vulnerability, channels which these consumers are more likely to access (e.g. where they are less familiar with technology), and potential language barriers when making decisions with respect to these protocols?
    • Do you provide direct scam-related alerts to those consumers in plain language, which you update from time to time to alert them of the latest developments with respect to scams on your services or platforms, and what they can do to minimise the risk of harm?
  • How often do you conduct staff training on emerging scam activity and the organisation's processes to identify and respond to scams?

SPF principle 3: Detect

Regulated entities must take reasonable steps to detect scams. This includes actions to do the following as the scam is occurring or after it has occurred:

  1. Detect scam activity through information from its internal mechanisms, or external to the organisation such as those from consumers or the regulator.
  2. Identify, in a timely manner, which of its consumers are or could be affected by scams, and the nature of that impact (including both financial and non-financial harm or losses).

Where the regulated entity has "actionable scam intelligence" about a suspected scam, it must take reasonable steps to act on that intelligence to identify each consumer who is or could be impacted by the suspected scam.

Practical Considerations:

  • Do you have effective proactive procedures to identify scams and consumer cohorts that are or have been affected by actual or suspected scams?
  • How is the organisation approaching the detection of scams? For instance, is there whole-of-business coordination where different functions regularly share relevant information such as consumer complaints or intelligence, any spikes or trends in terms of irregularities in transactions, or more broadly market trends in terms of scam tactics?
  • Are you investing sufficiently in advanced technology and resources to monitor complaints from consumers, and establish procedures to address to those complaints swiftly where scams have taken place or will take place?

SPF principle 4: Report

When a regulated entity has reasonable grounds to suspect that a communication, transaction or other activity on, or relating to, a regulated service of the entity is a scam, it must report this to the ACCC (in its capacity as the SPF general regulator) as soon as reasonably practicable (if no other time period is prescribed) containing specific information. It is contemplated that the information collected will generally only include information relating to the mechanism or identifier used for the scam activity, including bank account details that scammers instruct victims to transfer funds to, phone number used by scammers to get in touch with victims).

Similarly, the entity must provide a report about a scam to the ACCC if it so requests within a certain timeframe containing specific information (which could include de-identified demographic information about the impacted consumer, date and kind of scam, the loss or harm caused by the scam). The ACCC may disclose information about scams to other entities across the ecosystem to help disrupt the scam.

Practical Considerations:

  • Do you have a defined framework and team to comply with these reporting obligations?
  • While the draft statute provides that complying with this principle will not represent a breach to the obligations to maintain a duty of confidence, are your contractual provisions sufficiently robust to cover these information sharing requirements?
  • Where personal information (within the meaning of the Privacy Act 1988 (Cth)) is expected to be captured under these reporting obligations, or where you anticipate additional personal information being collected to meet these reporting obligations, how are you aligning your relevant policies and processes to ensure you are compliant with the applicable regimes?

SPF principle 5: Disrupt

Regulated entities must take reasonable steps to disrupt scams and prevent losses from scams. Reasonable steps include actions to stop an actual or suspected scam from continuing or further impacting consumers, such as putting payments on hold to allow the regulated entity to alert the consumer, blocking phone numbers of bank accounts, or removing scam advertisements on websites.

Moreover, where a regulated entity has reasonable grounds to suspect that a communication, transaction or other activity on, or relating to, a regulated service of the entity is a scam:

  • It must disclose sufficient information to its consumers to enable them to act in relation to the suspected scam and share the relevant intelligence with the ACCC.
  • It is entitled to rely on a 28-day 'safe harbour' during its investigations whereby regulated entities will not be liable in a civil action or civil proceeding for taking certain actions to disrupt a suspected scam in specified circumstances, for example, if the disruptive action is reasonable and proportionate to the suspected scam, done in good faith and in compliance with the Framework.

Practical Considerations:

  • Regulated entities will likely need to apply enhancements to consumer communications to swiftly disrupt a scam - do you have processes around consumer communications to determine what information needs to be shared with consumers? Do your communication protocols take into account how the impacted consumer generally uses your services and whether the communications should be sufficiently tailored to maximise engagement?
  • How are you approaching the interface between this principle and your consumer complaints processes? Regulated entities may need to speed up the process of review for consumer complaints to be able to effectively disrupt an actual or suspected scam (such as introducing friction to bank transfers in high risk settings).
  • Are your processes aligned with the specific requirements that need to be met to rely on the 'safe harbour' provisions?

SPF principle 6: Respond

Regulated entities must have an accessible mechanism for their consumers to report scams. Entities may choose to set up a mechanism for consumers to report scams in a variety of ways, such as in-person, over the phone, or through an app or via its website.

Each entity must have an accessible and transparent internal dispute resolution mechanism for its consumers to lodge complaints about scams or the entity's conduct in relation to scams and may choose to make available its complaints handling process on its website.

If the entity provides services which are regulated by the Framework, it must become a member of an authorised external dispute resolution (EDR) scheme for dealing with scam complaints. While more than one SPF EDR scheme may be authorised, the intention of the proposed legislation is to have a single EDR scheme for multiple regulated sectors to streamline the process.

Practical Considerations:

  • The Australian Financial Complaints Authority (AFCA) charges regulated entities for all cases they manage based on a Fee Structure. The fees vary based on the matters in this Schedule, for example, whether they move to case management or require a decision. If AFCA is the EDR provider, this will result in additional costs to regulated entities.
  • Where you are required to comply with additional requirements with respect to your IDR mechanisms (such as Australian Securities and Investments Commission (ASIC) RG 271), how are you approaching any overlapping or related requirements to ensure you are compliant with this principle as well as other requirements?

Enforcing the SPF

The Framework will be enforced through a multi-regulator model with the ACCC being the lead or 'general' regulator responsible for monitoring, investigating, and enforcing compliance with these provisions. The ACCC will be supported by other regulators designated for each sector incorporated into the Framework. The Australian Communications and Media Authority (ACMA) will be the regulator for telecommunications services, while the Australian Securities and Investment Commission (ASIC) will be the regulator for banking services.

The Framework contains provisions for information-sharing between the various SPF regulators, to coordinate their regulatory activities and enforcement via an arrangement such as a memorandum of understanding. As such, the Framework builds upon the existing initiatives undertaken by the ACCC to better co-ordinate the regulation of scam activity between the various Australian regulators.

The Framework will work under a two-tier system, with a Tier 1 contravention attracting a higher maximum penalty and reserved for the most egregious breaches. The relevant breaches include failing to prevent, detect, disrupt or respond to a scam. The maximum penalty for a Tier 1 contravention is the greater value of:

  1. Approximately $50 million (current value);
  2. Three times the total value of the benefit gained; or
  3. 30 per cent of the turnover of the body corporate during the breach period.
The penalty for an individual is approximately $2.5 million (current value).

A Tier 2 contravention occurs where a regulated entity has contravened a sector code or a breach of the governance or reporting principles. A Tier 2 contravention will attract a maximum penalty of the greater value of:

  1. Approximately $10 million (current value);
  2. Three times the total value of the benefit gained; or
  3. 10 per cent of the turnover of the body corporate during the breach period.

  4. The penalty for an individual is approximately $500,000 (current value).

The civil penalty regime will be supported by other administrative enforcement tools, including injunctions, enforceable undertakings, and infringement notices.

Next Steps

We expect that the introduction of the Bill into Parliament is imminent. The government's intention is to introduce the Bill into Parliament by the end of this calendar year, subject to Parliamentary sitting dates and legislative priorities.

The current draft bill does not contain any information as to when the regime would actually become operative, but we assume the regime will be implemented relatively quickly for various reasons, including political priorities and continuing media attention.

The consensus among regulators is that there needs to be stricter regulation of scam prevention, with ASIC Deputy Chair Sarah Court stating in 2023 that "combatting scams is a critical task for all of corporate Australia - financial institutions, telecommunication providers, digital platforms and other organisations."

The draft legislation implementing the Framework and its explanatory materials were released for public consultation here. The legislation is complex and there are many nuances that will need to be considered, including the resources that will need to be allocated by regulated entities to ensure compliance and the interaction of the Framework with existing procedures and approaches.

Please contact any of the lawyers identified below if you have any questions or would like to discuss the potential application of the Framework to your business. We are also happy to share any intelligence as to the current status of the Bill as it is introduced into Parliament and likely enacted in the coming months.