Australia’s Scams Prevention Framework took effect on 1 July, making banks, telcos and digital platforms legally accountable for scam prevention.
From 1 July 2026, banks, telecommunications providers and certain digital platforms are legally required to take reasonable steps to prevent, detect and disrupt scams before they reach consumers. The obligations apply under the Scams Prevention Framework, which passed Parliament in February 2025 and has been moving through sector designation and code development since.
Australian scam losses totalled $2.18 billion in 2025, reversing a downward trend from a peak of $3.1 billion in 2022, with investment scams the largest source of losses followed by payment redirection and romance scams. The framework is designed to address the structural problem that has allowed those losses to persist: scams typically originate across multiple platforms and channels before a payment is made, but accountability has historically fallen on the individual who lost the money rather than the organisations whose services enabled the scam.
The three regulators overseeing the framework have divided responsibilities by sector. The ACCC is the general regulator, ASIC oversees the banking sector code, and the Australian Communications and Media Authority oversees the telecommunications sector code. Fines of up to $50 million per contravention apply for failure to meet obligations under the framework.
Why real-time payments make this harder
Trent Gunthorpe, General Manager Pacific Region at payments technology company ACI Worldwide, identified the specific challenge that Australia’s advanced payments infrastructure creates for scam prevention under the new regime.
“Australia has built one of the world’s most advanced real-time payments systems through the NPP, PayID and Osko, meaning institutions have only a small window to identify suspicious behaviour, make decisions and stop fraudulent transactions before funds move,” he said.
“The challenge from 1 July is ensuring scam detection and intervention can operate at the same speed as the payments themselves.”
Gunthorpe also noted that the framework’s focus on demonstrating preventative action changes the compliance equation for regulated entities. “Organisations will need to show not only what protections existed, but how effectively those protections were applied before a scam occurred, because in a real-time payments environment accountability ultimately comes down to evidence,” he said.
On AI’s growing role in fraud prevention, Gunthorpe cited ACI Worldwide’s own global survey data showing 51% of organisations have already deployed AI for fraud prevention, with a further 47% implementing AI capabilities expected to go live within the next 24 months. “AI is rapidly shifting from a competitive advantage to a core requirement for effective fraud and scam prevention,” he said.
The framework’s direct obligations fall on banks, telcos and digital platforms, not on small businesses themselves. But the practical implications flow in both directions.
As consumers of those services, small business owners and their customers now have stronger protections when scams occur. A proposed $3,000 automatic reimbursement threshold for verified scam losses below that amount is included in the Treasury’s draft sector codes, meaning businesses that lose money to scams through banking channels may be able to recover losses without a full investigation, provided the loss is verified and the regulated entity failed to meet its obligations.
As operators, the framework changes the landscape around payment redirection scams, one of the most common forms of fraud targeting small businesses, where scammers impersonate suppliers or clients and redirect payment to fraudulent accounts. With banks now required to implement technology to help consumers verify that payments reach the intended recipient, and with telcos required to disrupt scam communications before they reach customers, the infrastructure supporting those scams is under greater pressure than before.
Gunthorpe framed the broader shift in terms of where accountability now sits. “Consumers increasingly expect banks, telecommunications providers and digital platforms to work together to identify risks earlier and intervene before funds leave an account,” he said. “The effectiveness of the framework will depend on whether intelligence can be shared quickly enough to disrupt a scam before a payment is executed.”
What comes next
Yesterday’s activation of sector designations is the beginning of implementation, not the end. The SPF Rules commence on 1 September 2026. Regulated entities must become AFCA members by 1 September 2026, with AFCA beginning to handle scam complaints from 1 January 2027. Full sector code compliance for banks, telcos and digital platforms is targeted by the end of 2027.
The framework also includes a proposed $3,000 automatic reimbursement threshold, where scam victims with verified losses below that amount would be automatically reimbursed without a full investigation, representing a notable shift from the government’s earlier position against mandatory reimbursement.
Keep up to date with our stories on LinkedIn, Twitter, Facebook and Instagram.
