Commonwealth: Scams Prevention Framework Act 2025 (Cth)

Scams Prevention Framework Act 2025
No. 15, 2025

An Act to provide a framework for preventing and responding to scams, and for related purposes

Contents
1 Short title
2 Commencement
3 Schedules
Schedule 1—Amendments
Part 1—Main amendments
Competition and Consumer Act 2010
Part 2—Other amendments
Australian Communications and Media Authority Act 2005
Australian Securities and Investments Commission Act 2001
Competition and Consumer Act 2010
Corporations Act 2001

[Assented to 20 February 2025]

The Parliament of Australia enacts:

1 Short title
This Act is the Scams Prevention Framework Act 2025.

2 Commencement
(1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information
Column 1 (Provisions): 1. The whole of this Act
Column 2 (Commencement): The day after this Act receives the Royal Assent.
Column 3 (Date/Details): 21 February 2025

Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

(2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.

3 Schedules
Legislation that is specified in a Schedule to this Act is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this Act has effect according to its terms.
Schedule 1—Amendments Part 1—Main amendments Competition and Consumer Act 2010 1 After Part IVE Insert: Part IVF—Scams Prevention Framework Division 1—Preliminary Subdivision A—Object and simplified outline 58AA Object of this Part The object of this Part is to prevent and respond to scams impacting: (a) either: (i) natural persons while they are in Australia; or (ii) persons who carry on small businesses in Australia; if the scams relate to, are connected with, or use certain services that are or may be provided or purportedly provided to those persons; or (b) natural persons while they are outside of Australia if: (i) they are ordinarily resident in Australia; and (ii) the scams relate to, are connected with, or use certain services that are or may be provided or purportedly provided to those persons by Australian service providers or by foreign service providers through permanent establishments in Australia. 58AB Simplified outline of this Part The Scams Prevention Framework is a multifaceted approach for protecting Australian consumers from scams. The Framework requires service providers in selected sectors of the economy to take a variety of actions to combat scams relating to, connected with, or using their services. These service providers must comply with the overarching principles of the Framework. These principles are about: (a) governance arrangements relating to scams; and (b) preventing, detecting, reporting, disrupting and responding to scams. Under the Framework, the Minister may make a code (an SPF code) setting out sector‑specific requirements for the service providers in a selected sector of the economy relating to: (a) governance arrangements relating to scams; and (b) preventing, detecting, disrupting and responding to scams. Under the Framework, the Minister may authorise external dispute resolution schemes for participation by these service providers. 
The operator of such a scheme will be able to determine complaints by consumers about how these service providers respond to scams. The Commission is to regulate and enforce compliance with the overarching principles of the Framework. Other Commonwealth entities will be selected by the Minister to regulate and enforce compliance with SPF codes. Subdivision B—Designating sectors subject to the Scams Prevention Framework 58AC Regulated sectors subject to the Scams Prevention Framework (1) The Minister may, by legislative instrument, designate one or more businesses or services to be a regulated sector of the Australian economy. Note 1: An individual business or service could be designated, or businesses or services could be designated by class (see subsection 13(3) of the Legislation Act 2003). Note 2: For variation and repeal, see subsection 33(3) of the Acts Interpretation Act 1901. (2) Without limiting subsection (1), the following classes of businesses or services could be designated: (a) businesses of banking, other than State banking (within the meaning of paragraph 51(xiii) of the Constitution) not extending beyond the limits of the State concerned; (b) businesses of insurance, other than State insurance (within the meaning of paragraph 51(xiv) of the Constitution) not extending beyond the limits of the State concerned; (c) postal, telegraphic, telephonic or other like services (within the meaning of paragraph 51(v) of the Constitution), such as one or more of the following: (i) carriage services (within the meaning of the Telecommunications Act 1997); (ii) electronic services (within the meaning of the Online Safety Act 2021), such as social media services (within the meaning of that Act); (iii) broadcasting services (within the meaning of the Broadcasting Services Act 1992). Note: This is not an exhaustive list. Similarly, a subset of paragraph (a), (b) or (c) could be designated. 
58AD Regulated entities for regulated sectors and their regulated services

Entities with businesses or services within the banking, insurance or communications constitutional powers

(1) To the extent that a regulated sector includes a business or service covered by paragraph 58AC(2)(a), (b) or (c): (a) the person who carries on or provides that business or service is a regulated entity for the sector; and (b) that business or service is a regulated service of the regulated entity for the sector.

Note 1: This subsection extends to a regulated sector consisting of businesses or services that are a subset of paragraph 58AC(2)(a), (b) or (c).

Note 2: Sections 58GA to 58GC extend the meaning of person for partnerships, unincorporated associations and trusts.

Other entities who may be regulated entities

(2) Otherwise: (a) the regulated entities for a regulated sector; and (b) the regulated services of each of those regulated entities; are as set out in the following table:

Other regulated entities, and their regulated services, for the regulated sector

Item 1
This person is a regulated entity: a corporation that carries on or provides a business or service that is part of the regulated sector
for this regulated service: that business or service.

Item 2
This person is a regulated entity: a person to the extent that the person is both: (a) carrying on or providing a business or service that is part of the regulated sector; and (b) acting using a postal, telegraphic, telephonic or other like service (within the meaning of paragraph 51(v) of the Constitution)
for this regulated service: so much of that business or service as relates to the person acting in that way.

Item 3
This person is a regulated entity: a person to the extent that the person is both: (a) carrying on or providing a business or service that is part of the regulated sector; and (b) acting in the course of, or in relation to, a kind of trade or commerce mentioned in subsection (3)
for this regulated service: so much of that business or service as relates to the person acting in that way.

Note 1: For the meaning of corporation, see section 4.
Note 2: Sections 58GA to 58GC extend the meaning of person for partnerships, unincorporated associations and trusts. (3) For the purposes of item 3 of the table in subsection (2), the kinds of trade or commerce are as follows: (a) trade or commerce between Australia and places outside Australia; (b) trade or commerce among the States; (c) trade or commerce within a Territory, between a State or Territory or between 2 Territories. Exceptions—complete (4) Despite subsections (1) and (2): (a) a person is not a regulated entity for a regulated sector to the extent that an exception prescribed by the SPF rules applies to the person; and (b) a business or service is not a regulated service of a person for a regulated sector to the extent that an exception prescribed by the SPF rules applies to the business or service. Note: A person, business or service may be specified by class (see subsection 13(3) of the Legislation Act 2003). Exceptions—partial (5) Despite subsections (1) and (2), the instrument made under subsection 58AC(1) designating a business or service to be all or part of the regulated sector may declare that: (a) the person who carries on or provides the business or service is not a regulated entity for the regulated sector for the purposes of specified SPF provisions; or (b) the business or service is not a regulated service for the regulated sector for the purposes of specified SPF provisions. Note: An individual person, business or service could be declared, or persons, businesses or services could be declared by class (see subsection 13(3) of the Legislation Act 2003). 
58AE Minister must consider matters, and consult, before designating a sector (1) Before making an instrument under subsection 58AC(1) about a sector of the economy, the Minister must: (a) consider all of the following: (i) scam activity in the sector; (ii) the effectiveness of existing industry initiatives to address scams in the sector; (iii) the interests of persons who would be SPF consumers of regulated services for the sector if the instrument were made; (iv) the likely consequences (including benefits and risks) to the public if the instrument were made; (v) the likely consequences (including benefits and risks) to the businesses or services making up the sector; (vi) any other matters the Minister considers relevant; and (b) consult the businesses or services making up the sector, or such associations or other bodies representing them as the Minister thinks appropriate; and (c) consult such associations or other bodies representing the persons referred to in subparagraph (a)(iii) as the Minister thinks appropriate. Note: For the meaning of SPF consumer, see section 58AH. (2) A failure to comply with subsection (1) does not invalidate an instrument made under subsection 58AC(1). 58AF Delegation The Minister may, in writing, delegate the Minister's power to make an instrument under subsection 58AC(1) to another Minister. Note: Sections 34AA to 34A of the Acts Interpretation Act 1901 contain provisions relating to delegations. For example, section 34A of that Act means that section 58AE of this Act can be satisfied by the delegate. 
Subdivision C—Meanings of key terms 58AG Meaning of scam (1) A scam is a direct or indirect attempt (whether or not successful) to engage an SPF consumer of a regulated service where it would be reasonable to conclude that the attempt: (a) involves deception (see subsection (2)); and (b) would, if successful, cause loss or harm including obtaining SPF personal information of, or a financial or other benefit from, the SPF consumer or the SPF consumer's associates. (2) The attempt involves deception if the attempt: (a) deceptively represents something to be (or to be related to) the regulated service; or (b) impersonates a regulated entity in connection with the regulated service; or (c) is an attempt to deceive the SPF consumer into: (i) performing an action using the regulated service; or (ii) facilitating another person to perform an action using the regulated service; or (d) is an attempt to deceive the SPF consumer that is made using the regulated service. (3) The attempt may be a single act or a course of conduct. (4) However, the attempt is not a scam if the attempt is of a kind prescribed by the SPF rules. 58AH Meaning of SPF consumer (1) An SPF consumer, of a regulated service, is any of the following: (a) a natural person, or a small business operator, who is or may be provided or purportedly provided the service in Australia; (b) a natural person who: (i) is ordinarily resident in Australia; and (ii) is or may be provided or purportedly provided the service outside of Australia by a regulated entity that satisfies the residency requirements in subsection (2). (2) The regulated entity satisfies the residency requirements if it: (a) is an Australian resident (within the meaning of the Income Tax Assessment Act 1997); or (b) is so providing or purportedly providing the service through a permanent establishment (within the meaning of the Income Tax Assessment Act 1997) in Australia. 
Note 1: For paragraph (1)(a), a person who is a small business operator at the time the person is impacted by a scam continues to be an SPF consumer for that time even if the business later has 100 or more employees. Note 2: Sections 58GA to 58GC extend the meaning of person for partnerships, unincorporated associations and trusts. (3) Subsection (1) includes the provision or purported provision of a regulated service: (a) directly or indirectly to the person; or (b) whether or not under a contract, arrangement or understanding with the person; or (c) whether or not the regulated entity providing the service knows that the person is: (i) a natural person; or (ii) a small business operator; or (d) that involves the supply of goods. Note: This is not an exhaustive list. (4) However, the person is not an SPF consumer of the regulated service if a condition prescribed by the SPF rules applies to the person in relation to regulated services of that kind. (5) In this section: annual turnover has the same meaning as in the Corporations Act 2001. related body corporate has the same meaning as in the Corporations Act 2001. small business operator means a person who carries on a business if: (a) in the case of the person being a body corporate: (i) the sum of the person's employees, and the employees of any body corporate related to the person, is less than 100 employees; and (ii) the person's annual turnover during the last financial year is less than $10 million; and (b) in the case of the person not being a body corporate: (i) the person has less than 100 employees; and (ii) the person's annual turnover (worked out as if the person were a body corporate) during the last financial year is less than $10 million; and (c) in every case—the business has a principal place of business in Australia. (6) Section 4B (about consumers) does not apply to this Part. 
58AI Meaning of actionable scam intelligence A regulated entity identifies or has actionable scam intelligence if (and when) there are reasonable grounds for the entity to suspect that a communication, transaction or other activity relating to, connected with, or using a regulated service of the entity is a scam. Note 1: Whether there are reasonable grounds for such a suspicion is an objective test. Relevant information for this test may include: (a) information about the mechanism or identifier being used to scam SPF consumers, such as URLs, email addresses, phone numbers, social media profiles, digital wallets and bank account information of the scam promotors; and (b) information about the suspected scammer; and (c) information (including complaints) provided by SPF consumers. Note 2: Gathering and reporting this information will minimise the harm from scams (see SPF principles 4 and 5 in Subdivisions E and F of Division 2). Subdivision D—Extension to external Territories and outside of Australia 58AJ Extension to external Territories and outside of Australia (1) Each of the following provisions (the SPF provisions) extends to every external Territory: (a) a provision of this Part; (b) a provision of a legislative instrument made under this Part; (c) another provision of this Act to the extent that it relates to a provision covered by paragraph (a) or (b); (d) a provision of the Regulatory Powers Act to the extent that it applies in relation to a provision covered by paragraph (a) or (b). (2) The SPF provisions extend to acts, omissions, matters and things outside Australia. Subdivision E—Application to acts done by or in relation to agents etc. of regulated entities 58AK Acts done by or in relation to agents etc. of regulated entities Conduct of agents etc. 
of a regulated entity is attributable to the regulated entity (1) For the purposes of the SPF provisions, section 97 of the Regulatory Powers Act (to the extent that it applies in relation to the SPF provisions) applies to a regulated entity who is not a body corporate in a corresponding way to the way that provision applies to a regulated entity who is a body corporate. Acts done in relation to an agent of a regulated entity taken to be done in relation to the regulated entity (2) For the purposes of SPF provisions, if an act is done by a person in relation to another person (the agent) who: (a) is acting on behalf of a regulated entity; and (b) is so acting within the scope of the agent's actual or apparent authority; the act is taken to have also been done in relation to the regulated entity. Division 2—Overarching principles of the Scams Prevention Framework Subdivision A—Preliminary 58BA Simplified outline of this Division Each regulated entity must comply with the overarching principles of the Scams Prevention Framework. These principles require each regulated entity to: (a) document and implement governance arrangements to combat scams; and (b) take reasonable steps to prevent, detect, report, disrupt and respond to scams. These requirements are civil penalty provisions. The Commission (in its capacity as the SPF general regulator) will monitor, investigate and enforce compliance with these provisions. Division 6 sets out remedies for non‑compliance with these provisions. 58BB Meaning of reasonable steps (1) Matters relevant to whether a regulated entity has taken reasonable steps for the purposes of a provision of this Division include: (a) the size of the regulated entity; and (b) the kind of regulated services concerned; and (c) the consumer base of those services; and (d) the kinds of scam risks those services face; and (e) whether the regulated entity has complied with any relevant SPF code obligations relating to that provision. 
(2) In determining whether a regulated entity has taken reasonable steps for the purposes of a provision of this Division, the primary consideration must be the matter in paragraph (1)(e) (if applicable). Subdivision B—SPF principle 1: Governance 58BC Simplified outline of this Subdivision Each regulated entity must document and implement governance policies, procedures, metrics and targets for combatting scams. These must be reviewed, and certified by a senior officer of the entity, at least annually. The entity must keep records and give reports about its compliance with this principle. The SPF code for the sector may include sector‑specific provisions for this principle. 58BD Documenting and implementing governance policies and procedures—civil penalty provision (1) A regulated entity for a regulated sector contravenes this subsection if the entity fails to do one or more of the following: (a) document governance policies and procedures about: (i) preventing, detecting and disrupting scams; and (ii) responding to scams; and (iii) reports relating to scams; relating to, connected with, or using the entity's regulated services for the sector; (b) implement those governance policies and procedures; (c) develop and implement performance metrics and targets that: (i) are for measuring the effectiveness of those governance policies and procedures; and (ii) comply with any requirements for those metrics and targets that are prescribed by the SPF rules. (2) Subsection (1) is a civil penalty provision. Note: This means subsection (1) is a civil penalty provision of an SPF principle for the purposes of section 58FJ (about civil penalties). 
58BE Annual certification about SPF governance policies, procedures, metrics and targets—civil penalty provision (1) A regulated entity for a regulated sector contravenes this subsection if: (a) no senior officer of the entity certifies in writing, within 12 months of the day the entity becomes a regulated entity for the sector, whether the entity's SPF governance policies, procedures, metrics and targets for the sector comply with this Subdivision; or (b) no senior officer of the entity certifies in writing, within 7 days after each 12‑month anniversary of the day the entity becomes a regulated entity for the sector, whether the entity's SPF governance policies, procedures, metrics and targets for the sector comply with this Subdivision. (2) Subsection (1) is a civil penalty provision. Note: This means subsection (1) is a civil penalty provision of an SPF principle for the purposes of section 58FJ (about civil penalties). 58BF Record keeping of compliance with SPF provisions—civil penalty provision (1) A regulated entity for a regulated sector contravenes this subsection if the entity fails to keep records of information of a material nature relating to each of the following activities for at least 6 years after that activity happens: (a) the initial documenting, and each revision of the documenting, of the entity's SPF governance policies, procedures, metrics and targets for the sector; (b) the initial implementation, and each reimplementation, of those SPF governance policies, procedures, metrics and targets; (c) each consideration (including certification) by one of the entity's senior officers of those SPF governance policies, procedures, metrics and targets, including in relation to their documenting, implementation and review; (d) any other activities that are prescribed by the SPF rules. (2) Subsection (1) is a civil penalty provision. 
Note: This means subsection (1) is a civil penalty provision of an SPF principle for the purposes of section 58FJ (about civil penalties). 58BG Reporting about compliance with this Subdivision—civil penalty provision (1) A regulated entity for a regulated sector contravenes this subsection if: (a) the SPF general regulator, or the SPF sector regulator for the sector, gives the entity a written request for a copy of: (i) the entity's SPF governance policies, procedures, metrics and targets for the sector; or (ii) specified kinds of other records required by this Subdivision to be kept for the sector by the entity; and (b) the entity fails to comply with the request within: (i) 10 business days after the day the entity is given the request; or (ii) such longer period as is allowed by the SPF regulator. (2) Subsection (1) is a civil penalty provision. Note: This means subsection (1) is a civil penalty provision of an SPF principle for the purposes of section 58FJ (about civil penalties). 58BH Sector‑specific details can be set out in SPF codes For the purposes of (but without limiting) subsection 58CC(1), the SPF code for a regulated sector may include sector‑specific provisions describing: (a) the matters that a regulated entity for the sector must include in the entity's governance policies and procedures for the purposes of this Subdivision; or (b) the factors that a regulated entity for the sector must have regard to when developing the entity's governance policies and procedures for the purposes of this Subdivision. Subdivision C—SPF principle 2: Prevent 58BI Simplified outline of this Subdivision Each regulated entity for a regulated sector must take reasonable steps to prevent scams. The SPF code for the sector may include sector‑specific provisions for this principle. 
58BJ Taking reasonable steps to prevent scams from being committed—civil penalty provision (1) A regulated entity contravenes this subsection if the entity fails to take reasonable steps to prevent another person from committing a scam relating to, connected with, or using a regulated service of the entity. Note: Sections 58GA to 58GC extend the meaning of person for partnerships, unincorporated associations and trusts. (2) Subsection (1) is a civil penalty provision. Note: This means subsection (1) is a civil penalty provision of an SPF principle for the purposes of section 58FJ (about civil penalties). 58BK Further detail about certain concepts (1) Taking reasonable steps for the purposes of subsection 58BJ(1) requires more than merely acting on actionable scam intelligence in the form of information provided to the regulated entity by another person. Further sector‑specific details can be set out in SPF codes (2) For the purposes of (but without limiting) subsection 58CC(1), the SPF code for a regulated sector may include sector‑specific provisions: (a) describing what are reasonable steps for the purposes of this Subdivision (see also section 58BB); or (b) requiring each regulated entity for the sector to: (i) identify its SPF consumers who are at risk of being targeted by a scam; or (ii) identify its SPF consumers who have a higher risk of being targeted by a scam; or (c) requiring each regulated entity for the sector to provide information about such scams to an SPF consumer described in subparagraph (b)(i) or (ii). Subdivision D—SPF principle 3: Detect 58BL Simplified outline of this Subdivision Each regulated entity for a regulated sector must take reasonable steps to detect scams. This includes: (a) investigating, in a timely way, activities that are the subjects of its actionable scam intelligence; and (b) identifying, in a timely way, its consumers that have or may have been impacted by such activities. 
The SPF code for the sector may include sector‑specific provisions for this principle. 58BM Taking reasonable steps to detect scams—civil penalty provision (1) A regulated entity contravenes this subsection if the entity fails to take reasonable steps to detect a scam relating to, connected with, or using a regulated service of the entity. (2) Subsection (1) is a civil penalty provision. Note: This means subsection (1) is a civil penalty provision of an SPF principle for the purposes of section 58FJ (about civil penalties). (3) Without limiting subsection (1), the regulated entity fails to take reasonable steps to detect a scam relating to, connected with, or using a regulated service of the entity if the entity fails to take reasonable steps to: (a) detect such a scam as it happens; or (b) detect such a scam after it happens. Note: For further details about the meaning of reasonable steps, see sections 58BB and 58BP. 58BN Investigating actionable scam intelligence—civil penalty provision (1) A regulated entity contravenes this subsection if the entity: (a) has actionable scam intelligence about an activity relating to, connected with, or using a regulated service of the entity; and (b) fails to take reasonable steps to investigate whether or not the activity is a scam during the 28‑day period starting on the day that the intelligence becomes actionable scam intelligence for the entity. (2) Subsection (1) is a civil penalty provision. Note: This means subsection (1) is a civil penalty provision of an SPF principle for the purposes of section 58FJ (about civil penalties). 
58BO Identifying impacted SPF consumers—civil penalty provision (1) A regulated entity contravenes this subsection if the entity: (a) has actionable scam intelligence about an activity relating to, connected with, or using a regulated service of the entity; and (b) fails to take reasonable steps within a reasonable time to identify the persons who were SPF consumers of that service at the time when the persons were or may have been impacted by the activity. (2) Subsection (1) is a civil penalty provision. Note: This means subsection (1) is a civil penalty provision of an SPF principle for the purposes of section 58FJ (about civil penalties). 58BP Sector‑specific details can be set out in SPF codes For the purposes of (but without limiting) subsection 58CC(1), the SPF code for a regulated sector may include sector‑specific provisions describing: (a) what are reasonable steps (see also section 58BB); or (b) what is a reasonable time; for the purposes of this Subdivision. Subdivision E—SPF principle 4: Report 58BQ Simplified outline of this Subdivision Each regulated entity must give the SPF general regulator reports of any actionable intelligence the entity has about activities relating to, connected with, or using the entity's regulated services. A regulated entity must give an SPF regulator a report about a scam if the SPF regulator requests. The SPF general regulator may disclose information about scams to certain other entities. 58BR Reporting actionable scam intelligence to SPF regulators—civil penalty provision (1) This section applies if a regulated entity has actionable scam intelligence about an activity relating to, connected with, or using a regulated service of the entity. 
Civil penalty provision (2) The entity contravenes this subsection if the entity fails to give a report about the actionable scam intelligence: (a) to the SPF general regulator within the period, and in the manner and form, prescribed by the SPF rules; and (b) that contains the kinds of information prescribed by the SPF rules. Note: This subsection only applies to the entity when the SPF rules prescribe matters for paragraphs (a) and (b) that apply to the entity. (3) Subsection (2) is a civil penalty provision. Note: This means subsection (2) is a civil penalty provision of an SPF principle for the purposes of section 58FJ (about civil penalties). Defence (4) Subsection (2) does not apply to the entity if circumstances of a kind prescribed by the SPF rules apply to the entity. Note: A defendant bears an evidential burden in relation to the matter in this subsection (see section 96 of the Regulatory Powers Act). Matters relevant to reports (5) For the purposes of (but without limiting) subsection (2), the SPF rules may prescribe: (a) that the report may be given via access to a specified data gateway, portal or website; and (b) that the report include the sources or evidence that the entity has for that intelligence (see section 58AI); and (c) different matters for different kinds of regulated entities. Note: For more about the data gateways, portals or websites referred to in paragraph (a), see section 58BT. (6) The report may be required to include SPF personal information. 58BS Reporting scams to SPF regulators—civil penalty provisions (1) This section applies if an SPF regulator gives a written request to a regulated entity for the entity to give the SPF regulator a report about a scam relating to, connected with, or using a regulated service of the entity. 
Civil penalty provision (2) The entity contravenes this subsection if the entity fails to give a report about the scam: (a) to the SPF regulator within the period, and in the manner and form, set out in the request; and (b) that contains the kinds of information set out in the request. (3) Subsection (2) is a civil penalty provision. Note: This means subsection (2) is a civil penalty provision of an SPF principle for the purposes of section 58FJ (about civil penalties). (4) For the purposes of (but without limiting) subsection (2), the SPF regulator's request may: (a) provide that the report may be given via access to a specified data gateway, portal or website; and (b) ask that the report set out: (i) what loss or harm may have resulted from the scam, what disruptive actions the entity has taken and whether any of those actions have been reversed; and (ii) what steps the entity is taking to disrupt similar scams, and to prevent loss or harm resulting from similar scams. Note: For more about the data gateways, portals or websites referred to in paragraph (a), see section 58BT. (5) The request may ask for the report to include SPF personal information. If so, the request must require the entity to de‑identify the information unless the SPF regulator reasonably believes that doing so would not achieve the object of this Part. (6) If: (a) a regulated entity gives a scam report to an SPF regulator under this section; and (b) another SPF regulator later requests a scam report under this section from the regulated entity about the same matters; then, despite subsection (2), the later scam report need only state that an earlier scam report about those matters was given to the first‑mentioned SPF regulator on a specified date and time. Note: The SPF regulators can share the earlier scam report under Subdivision C of Division 5. 
58BT Authorised third party data gateways, portals or websites for accessing reports

(1) The SPF rules may prescribe a scheme for authorising third parties to operate data gateways, portals or websites that give access to reports under this Division.

(2) For the purposes of (but without limiting) subsection (1), the SPF rules may include the following: (a) provisions conferring functions or powers on the SPF general regulator under the scheme; (b) the criteria for a person to be authorised under the scheme; (c) provisions providing that authorisations may be granted subject to conditions, and that conditions may be imposed on an authorisation after it has been granted; (d) provisions providing that authorisations may be granted at different levels corresponding to different risks; (e) provisions specifying what a person authorised at a particular level is authorised to do (or not authorised to do); (f) provisions dealing with the period, renewal, transfer, variation, suspension, revocation or surrender of authorisations; (g) notification requirements on persons whose authorisations have been varied, suspended, revoked or surrendered; (h) transitional rules for when an authorisation is varied, is suspended or ends, including in relation to SPF personal information; (i) provisions for the making of applications for internal review, or of applications to the Administrative Review Tribunal for review, of decisions of a person under the scheme.

(3) A person authorised under the scheme may use or disclose SPF personal information to the extent that this is reasonably necessary to achieve the object of this Part.

58BU Relationship with other duties and obligations

A duty of confidence owed under an agreement or arrangement is of no effect to the extent that it is contrary to section 58BR or 58BS.

Note: Each of sections 58BR and 58BS is also a requirement by law to disclose the information contained in the report referred to in that section. So, complying with that section can be a defence to a secrecy provision such as section 276 of the Telecommunications Act 1997 (see paragraph 280(1)(b) of that Act).

58BV SPF general regulator may share information relating to scamming actions with relevant entities

(1) The SPF general regulator may disclose information relating to either of the following actions (a scamming action): (a) a scam (as defined in section 58AG); (b) a scam (within the ordinary meaning of that expression); to an entity mentioned in subsection (2).

Note 1: This includes disclosing SPF personal information, but such information may first need to be de‑identified (see subsection (4)).

Note 2: The SPF general regulator can also disclose the information to an SPF sector regulator (see section 58EG).

(2) The entities are as follows: (a) a regulated entity; (b) a Commonwealth agency or authority involved in developing Government policy relating to this Part; (c) a law enforcement agency of the Commonwealth, or of a State or Territory; (d) an agency of a foreign country, or of part of a foreign country, that: (i) is a law enforcement agency; or (ii) is a regulatory agency responsible for scam prevention; if subsection (3) applies to a disclosure of information to the agency.

(3) This subsection applies to a disclosure of information to a foreign agency if the SPF general regulator is satisfied that: (a) the agency has given an undertaking for the following: (i) controlling the storage and handling of the information; (ii) controlling the use that will be made of the information; (iii) ensuring that the information will be used only for the purpose for which it is disclosed to the agency; and (b) it is appropriate, in all the circumstances, to disclose the information to the agency.

(4) SPF personal information may be disclosed under subsection (1). However, for a disclosure to an entity mentioned in paragraph (2)(b) such information must be de‑identified unless the SPF general regulator reasonably believes that doing so would not achieve the object of this Part.

Subdivision F—SPF principle 5: Disrupt

58BW Simplified outline of this Subdivision

Each regulated entity for a regulated sector must take reasonable steps to: (a) disrupt an activity that is the subject of actionable scam intelligence; and (b) prevent losses from such an activity. The entity will also need to report to the SPF general regulator the outcomes of the entity's investigation about whether such an activity is a scam. The report may also need to describe any disruptive actions the entity has taken in relation to the activity. The entity is not liable for damages etc. in taking certain actions to disrupt such an activity. The SPF code for the sector may include sector‑specific provisions for this principle.

58BX Taking reasonable steps to disrupt activities that are the subjects of actionable scam intelligence—civil penalty provision

(1) A regulated entity contravenes this subsection if the entity: (a) has actionable scam intelligence about an activity relating to, connected with, or using a regulated service of the entity; and (b) fails to take reasonable steps within a reasonable time to: (i) disrupt the activity; or (ii) prevent loss or harm (including further loss or harm) arising from the activity.

(2) Subsection (1) is a civil penalty provision.

Note: This means subsection (1) is a civil penalty provision of an SPF principle for the purposes of section 58FJ (about civil penalties).

(3) For the purposes of subsection (1), the steps taken should be proportionate to the actionable scam intelligence that the entity has.
Note 1: For example, if a bank has received a substantial number of similar reports of suspicious activities, it may be appropriate to pause or delay authorised push payments while the bank investigates these suspicious activities.

Note 2: For further details about the meaning of reasonable steps, see sections 58BB and 58BZ.

58BY Reporting about the outcomes of investigations of activities that are the subjects of actionable scam intelligence—civil penalty provision

(1) This section applies if a regulated entity has actionable scam intelligence about an activity relating to, connected with, or using a regulated service of the entity.

Civil penalty provision

(2) The entity contravenes this subsection if the entity fails to give a report about the actionable scam intelligence: (a) to the SPF general regulator: (i) before the end of the period prescribed by the SPF rules that starts at the end of the period referred to in paragraph 58BZA(2)(d) for that intelligence; and (ii) in the manner and form prescribed by the SPF rules; and (b) that contains the kinds of information prescribed by the SPF rules.

Note: This subsection only applies to the entity when the SPF rules prescribe matters for paragraphs (a) and (b) that apply to the entity.

(3) Subsection (2) is a civil penalty provision.

Note: This means subsection (2) is a civil penalty provision of an SPF principle for the purposes of section 58FJ (about civil penalties).

(4) For the purposes of (but without limiting) subsection (2), the SPF rules may prescribe: (a) that the report may be given via access to a specified data gateway, portal or website; and (b) that the report set out whether the entity reasonably believes that the activity that is the subject of the intelligence is a scam; and (c) different matters for different kinds of regulated entities.

Note: For more about the data gateways, portals or websites referred to in paragraph (a), see section 58BT.
(5) The report may be required to include SPF personal information.

(6) A duty of confidence owed under an agreement or arrangement is of no effect to the extent that it is contrary to this section.

58BZ Sector‑specific details can be set out in SPF codes

For the purposes of (but without limiting) subsection 58CC(1), the SPF code for a regulated sector may include sector‑specific provisions: (a) describing what are reasonable steps (see also section 58BB), or what is a reasonable time, for the purposes of this Subdivision; or (b) requiring each regulated entity for the sector to provide its SPF consumers with information about activities that are the subjects of the entity's actionable scam intelligence.

58BZA Safe harbour for taking actions to disrupt an activity while investigating whether the activity is a scam

(1) This section applies if a regulated entity has actionable scam intelligence about an activity relating to, connected with, or using a regulated service of the entity.

(2) The regulated entity is not liable in a civil action or civil proceeding for taking action to disrupt the activity if the action: (a) is taken in good faith; and (b) is taken in compliance with the SPF provisions; and (c) is reasonably proportionate to the activity, and to information that would reasonably be expected to be available to the entity about the activity; and (d) is taken during the period: (i) starting on the day that the intelligence becomes actionable scam intelligence for the entity; and (ii) ending when the entity reasonably believes that the activity is or is not a scam, or after 28 days, whichever is the earlier; and (e) is promptly reversed if: (i) the entity identifies that the activity is not a scam; and (ii) it is reasonably practicable to reverse the action.

Note: Assume the regulated entity temporarily blocks an SPF consumer's website while investigating whether an activity relating to the website is a scam. This subsection protects the regulated entity from civil actions brought by the consumer when the regulated entity is acting appropriately.

(3) For the purposes of paragraph (2)(c), matters relevant to whether the action is reasonably proportionate to the activity include: (a) the potential loss or damage to SPF consumers, or to persons carrying on the activity, if the action is not taken; and (b) the potential loss or damage to SPF consumers, or to persons carrying on the activity, if the action is taken and the activity is not a scam.

Subdivision G—SPF principle 6: Respond

58BZB Simplified outline of this Subdivision

Each regulated entity must have an accessible mechanism for its consumers to report activities that are or may be scams. The entity must have an accessible and transparent internal dispute resolution mechanism for its consumers to complain about: (a) activities that are or may be scams; or (b) the entity's conduct relating to such activities. The entity must publish information about these mechanisms. When undertaking such internal dispute resolution about a complaint, the entity must give a statement, relevant to the complaint, about whether it has complied with its obligations. When undertaking such internal dispute resolution, the entity must have regard to: (a) any processes prescribed by the SPF rules; and (b) any guidelines prescribed by the SPF rules for apportioning any liability. The entity must become a member of an authorised external dispute resolution scheme for dealing with complaints about scams if the entity provides services regulated by the Scams Prevention Framework. The SPF code for the sector may include sector‑specific provisions for this principle.
58BZC Enabling SPF consumers to easily report activities that are or may be scams—civil penalty provision

(1) A regulated entity contravenes this subsection if the entity does not have an accessible mechanism for a person to report to the entity an activity that: (a) is or may be a scam; and (b) relates to, is connected with, or uses a regulated service of the entity; and (c) impacts the person at a time when the person is an SPF consumer of the service.

Note: The reporting mechanism will need to extend to scams impacting the person at a time when the regulated service is only purportedly being provided to the person (see subsection 58AH(1) (about the meaning of SPF consumer)).

(2) Subsection (1) is a civil penalty provision.

Note: This means subsection (1) is a civil penalty provision of an SPF principle for the purposes of section 58FJ (about civil penalties).

58BZD Having an accessible and transparent internal dispute resolution mechanism—civil penalty provision

(1) A regulated entity contravenes this subsection if the entity does not have an accessible and transparent internal dispute resolution mechanism to deal with a person's complaint about: (a) an activity that: (i) is or may be a scam; and (ii) relates to, is connected with, or uses a regulated service of the entity; and (iii) impacts the person at a time when the person is an SPF consumer of the service; or (b) the entity's conduct relating to an activity of a kind described in paragraph (a).

(2) Subsection (1) is a civil penalty provision.

Note: This means subsection (1) is a civil penalty provision of an SPF principle for the purposes of section 58FJ (about civil penalties).
58BZDA Giving a statement of compliance—civil penalty provision

(1) A regulated entity contravenes this subsection if the entity: (a) is undertaking internal dispute resolution in dealing with a person's complaint of a kind described in paragraph 58BZD(1)(a) or (b); and (b) does not give the person a statement of compliance in accordance with subsection (2).

Note: This subsection only applies to the entity when the SPF rules prescribe matters for paragraphs (2)(b), (d) and (e) that are relevant to the complaint.

(2) For the purposes of paragraph (1)(b), the statement of compliance must: (a) include a statement by the regulated entity about whether, based on information reasonably available to the entity at the time of making the statement, it has complied with its obligations under the SPF provisions that are relevant to the complaint; and (b) contain the kinds of information prescribed by the SPF rules that are relevant to the complaint; and (c) not contain the kinds of information (if any) prescribed by the SPF rules that are relevant to the complaint; and (d) be in writing and signed by a person who is an authorised representative of the entity of a kind prescribed by the SPF rules; and (e) be given in accordance with the timeframes, and in the manner and form, prescribed by the SPF rules.

(3) Subsection (1) is a civil penalty provision.

Note: This means subsection (1) is a civil penalty provision of an SPF principle for the purposes of section 58FJ (about civil penalties).

(4) A statement of compliance given by the entity under this section is admissible, in any proceeding that: (a) relates to the complaint; and (b) is under or relates to an SPF EDR scheme; as prima facie evidence of the entity's position, at the time of making the statement, on the matters in the statement.

(5) Nothing in this section limits or affects the admissibility in a proceeding of any other statement or evidence.
58BZE Having regard to processes and guidelines when undertaking internal dispute resolution—civil penalty provision

(1) A regulated entity contravenes this subsection if the entity: (a) is undertaking internal dispute resolution in dealing with a person's complaint of a kind described in paragraph 58BZD(1)(a) or (b); and (b) in doing so, the entity fails to have regard to: (i) any process prescribed by the SPF rules for undertaking internal dispute resolution; or (ii) any guidelines prescribed by the SPF rules for apportioning any liability arising from the complaint.

(1A) To avoid doubt, guidelines prescribed for the purposes of subparagraph (1)(b)(ii) do not have to be consistent with sections 58FZD to 58FZK (about proportionate liability for concurrent wrongdoers in actions for damages).

(2) Subsection (1) is a civil penalty provision.

Note: This means subsection (1) is a civil penalty provision of an SPF principle for the purposes of section 58FJ (about civil penalties).

58BZF Publishing information about reporting and dispute resolution mechanisms—civil penalty provision

(1) A regulated entity for a regulated sector contravenes this subsection if the entity fails to make publicly accessible information about the rights of SPF consumers of the entity's regulated services for the sector under: (a) the reporting mechanism required by subsection 58BZC(1); or (b) the internal dispute resolution mechanism required by subsection 58BZD(1); or (c) if the entity is a member of an SPF EDR scheme for the sector—the SPF EDR scheme.

(2) Subsection (1) is a civil penalty provision.

Note: This means subsection (1) is a civil penalty provision of an SPF principle for the purposes of section 58FJ (about civil penalties).
58BZG SPF external dispute resolution schemes—civil penalty provisions

Regulated entity must not provide a regulated service if the entity is not a member of an SPF EDR scheme

(1) A regulated entity for a regulated sector contravenes this subsection if the entity: (a) provides a regulated service for the sector that has one or more SPF consumers; and (b) is not a member of an SPF EDR scheme for the sector.

Regulated entity that is a member of an SPF EDR scheme must give reasonable assistance to, and cooperate with, the scheme operator

(2) A regulated entity for a regulated sector contravenes this subsection if the entity: (a) is a member of an SPF EDR scheme for the sector; and (b) fails to give reasonable assistance to, or cooperate with, the operator of the scheme.

Regulated entity that is a member of an SPF EDR scheme must comply with related obligations in an SPF code

(3) A regulated entity for a regulated sector contravenes this subsection if the entity: (a) is a member of an SPF EDR scheme for the sector; and (b) fails to comply with an obligation in the SPF code for the sector that relates to the scheme.

Civil penalty provisions

(4) Subsections (1), (2) and (3) are civil penalty provisions.

Note: This means these subsections are civil penalty provisions of an SPF principle for the purposes of section 58FJ (about civil penalties).

58BZH Sector‑specific details can be set out in SPF codes

For the purposes of (but without limiting) subsection 58CC(1), the SPF code for a regulated sector may include sector‑specific provisions setting out: (a) conditions that must be met for a reporting mechanism required by subsection 58BZC(1); or (b) conditions (such as standards and requirements) that must be met for an internal dispute resolution mechanism required by subsection 58BZD(1); or (c) obligations that must be met in relation to an SPF EDR scheme for the sector by a regulated entity for the sector that is a member of the scheme.
Division 3—Sector‑specific codes for the Scams Prevention Framework

58CA Simplified outline of this Division

The Minister may make a code for each regulated sector. Each code is to include sector‑specific provisions for the following overarching principles of the Scams Prevention Framework (see Subdivisions B, C, D, F and G of Division 2): (a) SPF principle 1—governance; (b) SPF principle 2—prevent; (c) SPF principle 3—detect; (d) SPF principle 5—disrupt; (e) SPF principle 6—respond. Requirements in a code can be civil penalty provisions. The relevant SPF sector regulator will monitor, investigate and enforce compliance with these provisions. Division 6 sets out remedies for non‑compliance with these provisions.

58CB Sector‑specific codes (SPF codes)

The Minister may, by legislative instrument, make a code (an SPF code) for a regulated sector.

58CC Content of SPF codes

Main rule about the content of SPF codes

(1) An SPF code must: (a) be consistent with the SPF principles; and (b) deal with only: (i) the themes or matters covered by Subdivisions B, C, D, F and G of Division 2; and (ii) related or incidental matters; and (c) subject to paragraphs (a) and (b), include provisions about matters of a kind (if any) prescribed by the SPF rules.
Related or incidental matters in SPF codes

(2) Without limiting subparagraph (1)(b)(ii), an SPF code for a regulated sector may include the following: (a) provisions relating to only certain kinds of regulated services for the sector; (b) provisions relating to only certain kinds of SPF consumers of regulated services for the sector; (c) provisions dealing with the circumstances in which entities are, or may be, relieved from complying with requirements in the SPF code that would otherwise apply to them; (d) a provision that: (i) confers powers on the SPF sector regulator for the sector or on another person; or (ii) depends on the SPF sector regulator for the sector, or another person, being satisfied of one or more specified matters; (e) provisions for the making of applications for internal review, or of applications to the Administrative Review Tribunal for review, of decisions of a person under the SPF code; (f) provisions about the manner or form in which persons or bodies: (i) may exercise powers under the SPF code; or (ii) must comply with requirements imposed by the SPF code; which could include requiring the use of a form approved by the SPF sector regulator for the sector or by the SPF general regulator; (g) provisions about the following matters: (i) whether a regulated entity for the sector may charge (or cause to be charged) a fee for a matter covered by the SPF code; (ii) the manner in which such a fee may be charged; (iii) the time for paying such a fee; (iv) giving notice of, or publicising, such a fee or matters about such a fee; (h) provisions requiring agents of a regulated entity for the sector to do or not to do specified things when acting on behalf of the regulated entity and within the scope of the agent's actual or apparent authority; (i) provisions authorising a regulated entity for the sector to use or disclose SPF personal information to the extent necessary to comply with the entity's obligations under the code; (j) provisions about any other matters that the provisions of this Part provide may be included, or otherwise dealt with, in the SPF code.

Civil penalty provisions of the SPF code

(3) An SPF code may provide that specified provisions of the SPF code are civil penalty provisions (within the meaning of the Regulatory Powers Act).

Note: Division 6 of this Part deals with enforcing the civil penalty provisions.

Adopting matters in instruments as in force from time to time etc.

(4) An SPF code may make provision in relation to a matter by applying, adopting or incorporating (with or without modification) any matter contained in any other instrument or writing: (a) as in force or existing at a particular time; or (b) as in force or existing from time to time.

(5) Subsection (4) has effect despite subsection 14(2) of the Legislation Act 2003.

58CD Delegation

The Minister may, in writing, delegate the Minister's power under section 58CB to make a code for a regulated sector to: (a) another Minister; or (b) the Commission; or (c) the entity that is, or is to be, the SPF sector regulator for the sector.

Note: Sections 34AA to 34A of the Acts Interpretation Act 1901 contain provisions relating to delegations.

Division 4—External dispute resolution for the Scams Prevention Framework

58DA Simplified outline of this Division

One or more external dispute resolution schemes may be authorised for dealing with consumer complaints about scams relating to, connected with, or using regulated services. An existing scheme like the AFCA scheme could be authorised for this purpose, or new schemes could be developed and authorised.
58DB Minister may authorise external dispute resolution schemes for a regulated sector

(1) The Minister may, by legislative instrument, authorise an external dispute resolution scheme (an SPF EDR scheme) for the purposes of this Part and one or more regulated sectors if: (a) the scheme is already authorised under a Commonwealth law for another purpose; or (b) the Minister is satisfied that the requirements prescribed by the SPF rules for the purposes of subsection 58DC(1) are met for the scheme.

Note 1: For paragraph (a), the Minister could, for example, authorise the AFCA scheme (within the meaning of the Corporations Act 2001) to apply for the purposes of this Part and a regulated sector. If that happens, ASIC's functions and powers relating to the AFCA scheme (for example, under section 1052A of that Act) will also apply for the purposes of this Part and the regulated sector.

Note 2: For variation and repeal, see subsection 33(3) of the Acts Interpretation Act 1901.

(2) Before authorising a scheme, the Minister must consider: (a) the accessibility of the scheme; and (b) the independence of the scheme; and (c) the fairness of the scheme; and (d) the accountability of the scheme; and (e) the efficiency of the scheme; and (f) the effectiveness of the scheme; and (g) any other matters the Minister considers relevant. A failure to comply with this subsection does not invalidate an instrument made under subsection (1) authorising the scheme.

(3) An instrument made under subsection (1) may make the authorisation of the scheme subject to specified conditions.

(4) An instrument made under subsection (1) authorising a scheme for which paragraph (1)(b) applies must set out the scheme.

(5) More than one scheme may be authorised under subsection (1).
58DC Content, including requirements, of a scheme that is not already authorised under a Commonwealth law

(1) The SPF rules may prescribe the following requirements for a scheme for which paragraph 58DB(1)(b) is to apply: (a) organisational requirements for membership of the scheme; (b) requirements for the operator (the operator) of the scheme; (c) requirements for how the scheme is to operate; (d) requirements to be complied with by members of the scheme; (e) requirements for making changes to the scheme.

(2) A scheme for which paragraph 58DB(1)(b) is to apply may also include provisions dealing with the following: (a) powers of one or more of the following under the scheme: (i) the Minister; (ii) an SPF regulator; (iii) a Commonwealth entity (within the meaning of the Public Governance, Performance and Accountability Act 2013); (b) powers of the operator under the scheme, including powers to: (i) seek information; and (ii) make determinations of complaints; and (iii) make determinations imposing financial and non‑financial remedies; and (c) appeals to the Federal Court from such determinations by the operator; (d) information sharing and reporting; (e) a provision that depends on the operator or another person being satisfied of one or more specified matters; (f) provisions about the following matters: (i) the manner in which the operator may charge (or cause to be charged) a fee under the scheme; (ii) the time for paying such a fee; (iii) giving notice of, or publicising, such a fee or matters about such a fee; (g) provisions about any other matters that the provisions of this Part provide may be specified, or otherwise dealt with, in the scheme.
58DD Scheme operator to report to SPF regulators

Referring contraventions, failures and systemic issues

(1) If the operator of an SPF EDR scheme for a regulated sector becomes aware that: (a) a serious contravention of any law may have occurred in connection with a complaint under the scheme; or (b) a party to a complaint under the scheme may have failed to give effect to a determination by the operator relating to the complaint; or (c) there is a systemic issue arising from the consideration of complaints under the scheme; the operator must give particulars of the contravention, failure or issue to the SPF general regulator and to the SPF sector regulator for the sector.

Referring settled complaints

(2) If: (a) the parties to a complaint made under an SPF EDR scheme for a regulated sector agree to a settlement of the complaint; and (b) the operator of the scheme thinks the settlement may require investigation; the operator may give particulars of the settlement to the SPF general regulator and to the SPF sector regulator for the sector.

De‑identifying any SPF personal information

(3) If any SPF personal information is to be given under subsection (1) or (2) by the operator of the scheme, the operator must de‑identify the information unless the operator reasonably believes that doing so would not achieve the object of this Part.

58DE Disclosing information to the operator of an SPF EDR scheme

(1) An SPF regulator may disclose information to the operator of an SPF EDR scheme for the purposes of enabling or assisting the operator to perform any of the operator's functions or powers.

(2) The SPF regulator may impose conditions to be complied with by the operator in relation to the information.

(3) If an SPF regulator is to disclose SPF personal information under subsection (1), the SPF regulator must de‑identify the information unless the SPF regulator reasonably believes that doing so would not achieve the object of this Part.
Division 5—Regulating the Scams Prevention Framework

Subdivision A—Preliminary

58EA Simplified outline of this Division

The Commission is the regulator (the SPF general regulator) of most aspects of the Scams Prevention Framework, in particular of the overarching principles of the Framework. Other Commonwealth entities may be selected to be regulators (SPF sector regulators) of each of the SPF codes. The SPF general regulator must enter into arrangements with the SPF sector regulators about the regulation and enforcement of the Framework. These regulators may disclose relevant information and documents to each other for this purpose.

Subdivision B—Regulators of the Scams Prevention Framework

58EB General regulator of the Scams Prevention Framework

(1) The Commission is the SPF general regulator for all SPF provisions apart from the provisions of SPF codes.

(2) The functions and powers of the SPF general regulator include: (a) reviewing, and advising the Minister about, the operation of the SPF provisions; and (b) the Commission's functions and powers under section 155 to the extent that section 155 relates to: (i) the SPF provisions, other than the provisions of SPF codes; or (ii) a designated scams prevention framework matter (within the meaning of that section), other than the performance of a function, or the exercise of a power, conferred by or under an SPF code; and (c) developing and publishing non‑binding guidance material relating to the SPF p