Australia’s world-leading scams prevention framework is nearing implementation

August 2026  |  SPOTLIGHT | BANKING & FINANCE

Financier Worldwide Magazine

August 2026 Issue


In 2025, Australia passed into law a world-leading approach to scam prevention – world-leading in that it focuses on prevention, while other regimes focus on compensation or do not focus on all scam types or have a ‘whole of ecosystem’ approach.

Although the regime is not due to substantively come into force until 31 March 2027, Australia’s securities and conduct regulator – the Australian Securities & Investments Commission (ASIC) – has already secured an AU$35m penalty from an Australian retail bank for failings in scam prevention.

As Sarah Court, chair of the ASIC, noted in June 2026: “This is one of the first cases of its kind globally and sends a clear message that protecting customers from scams is a core responsibility of banks.”

This article explores Australia’s new regime and compares it to key regimes globally.

Australia’s scams prevention framework

Australia’s scams prevention framework works by having relevant sectors designated by the government as being in scope of the framework. The government has initially designated banks, telcos and digital platforms (such as social media platforms), with effect from 31 March 2027.

Once the designation takes effect, in-scope entities then become subject to complying with a principles-based framework in Australia’s Competition and Consumer Act 2010. This framework contains six principles around the themes of governance, prevention, detection, disruption, response and reporting of scams.

Three of these principles require that an in-scope entity takes ‘reasonable steps’ to comply with relevant obligations, and all principles attract significant civil penalties if breached.

Separate industry Codes for each relevant sector contain more specific steps that an in-scope entity must take to meet the ‘reasonable steps’ requirement in the principles, tailored to that sector.

Again, most of these requirements in the Codes attract significant civil penalties if breached. The Codes are currently under consultation but are proposed to take effect for banks, telcos and digital platforms on 31 March 2027 or later.

Complying with the Code represents the ‘minimum standards’ that an in-scope entity must meet. Separately, an in-scope entity must assess the scale of its operations and its risk profile for scams and determine if it must take additional steps in order to comply with the ‘reasonable steps’ requirement.

Being designated also means that in-scope entities need to have internal dispute resolution arrangements in place to allow a scam victim to raise a complaint. In addition, in-scope entities need to become a member of Australia’s financial services external dispute resolution (EDR) body, the Australian Financial Complaints Authority (AFCA), so that scam victims can escalate their complaint to this body for a binding determination.

While the AFCA has been recently designated as the framework’s EDR body, the rules under which the AFCA will operate when considering scam complaints have yet to be written and will need to be in place by 31 March 2027.

The framework therefore applies to key entities involved in the lifecycle of a scam – telcos for when scammers call or message victims, digital platforms that might allow a scammer to advertise an investment scam and banks that are involved in facilitating the scam payment.

The aim of the framework is that by focusing on the whole of ecosystem, the government can make Australia the hardest place for scammers to target. Further sectors are being earmarked for consideration for future designation including crypto exchanges and the superannuation sector.

In-scope scams. As well as applying to the scam lifecycle and having a whole of ecosystem approach, the framework also applies to all scam types. A scam is defined as a direct or indirect attempt (whether or not successful) to engage a scam victim of an in-scope service from an in-scope entity where it would be reasonable to conclude that the attempt involves deception and would, if successful, cause loss or harm (including obtaining personal information of the scam victim or their associates). The framework is currently consulting on excluding certain scam types from being a relevant scam.

In-scope scam victims. The framework allows a scam victim to not only include natural persons but also small businesses and it has extraterritorial effect provided certain requirements are met. A small business scam victim is defined based on where it has its principal base of business, how many employees it has at the time the scam is perpetrated on it and whether its annual turnover in the previous year is over the required threshold. This definition is not welcome by the Australian market as it results in yet another definition of ‘small business’ that exists under Australian law (which already contains more than 10 definitions of small business for financial services laws).

World’s first penalty

Notwithstanding that the regime is not yet in force, last week the ASIC secured its first penalty against an Australian retail bank for admitted serious failings in protecting customers from scams. The proceedings were brought under existing general obligations that apply to those holding financial service licences such as the obligation to have adequate systems and controls and to provide financial services efficiently, honestly and fairly.

This action is consistent with the ASIC’s enforcement playbook in relation to areas of concern. The ASIC typically conducts one or more thematic reviews providing feedback to the market on its expectations on good and poor practice – the ASIC has conducted two thematic reviews into scam prevention and made its findings public.

The ASIC then typically sends a more targeted warning to a sector or sectors of concern – sending a ‘Dear CEO’ letter to the super industry. The ASIC then seeks to take an example case – this case represents that action.

These more general obligations are how the ASIC is able to focus on new areas of concern even without a specific legislative regime – for example, this is how the ASIC was able to bring its various actions in relation to greenwashing and cyber security failings, and its focus has recently turned to artificial intelligence.

How does Australia’s regime compare to other regimes?

Prevention not compensation. The aim of the framework is that entities need to focus on prevention, not compensation. The policy driver is that prevention is the way to ensure that Australia is a hard place for scammers to target.

When a victim raises a complaint with whichever entity they wish to do so (for example their bank, the bank that received the payment or a telco provider or digital platform if relevant), that entity needs to liaise with the other entities involved and each of them needs to confirm whether it complied with all of its requirements (such as whether it took reasonable steps to comply with the principles) by issuing a ‘compliance statement’.

If all entities have complied with their requirements, then the scam victim may not get any compensation – that will be a discretionary decision for the entities involved. There is currently, however, a consultation underway for small amount scams to be automatically compensated to ensure that scam victims receive prompt and consistent outcomes. As the average scam loss is approximately AU$400, the current proposal is for any verified scam loss under AU$3000 to be automatically compensated with each entity involved in the scam sharing the cost equally (unless of course they have not complied with their requirements). This aspect is the subject of fierce market debate and may not represent the final position.

If one or more entities in the scam lifecycle did not comply with everything that it was required to, then it may be required to compensate the victim with the percentage share of compensation changing depending on how many entities did not comply and their level of non-compliance. If the scam victim is not happy with their outcome, they can escalate their complaint to the AFCA.

If we compare this to the UK regime, under the mandatory reimbursement model, the regime focuses on mandatory compensation and contribution as between most paying and receiving banks (unless a scam victim has acted fraudulently or with gross negligence).

This approach to scams is unique to the UK and is intended to ensure consumers do not lose out while firms are properly incentivised to improve their systems and controls to prevent authorised payment scams. The Australian government did not favour the UK’s regime, considering that it did not focus on the whole scam ecosystem, that scam victims might become less vigilant if they were always reimbursed, and that by only requiring banks to contribute they become the ‘honeypot’ despite typically being at the end of the scam lifecycle.

There are, of course, other measures being implemented at a European Union level relating to digital platforms and diligence over those who advertise on their platforms. The picture in the UK is of an industry seeking, with only some success, to battle scams that increase in value and volume year on year with scam losses rising by 19 percent in 2025. The Australian government will hope that the different approach that is being taken in Australia will tackle the issue further and faster than in the UK.

Whole of ecosystem and all scam type focus. Australia also considered the approach that Singapore has taken to scam prevention. Singapore has implemented a shared responsibility model which, while focusing on all entities involved in a scam, only applies to one scam type – a specific type of online phishing scam.

The responsibility model then has a waterfall approach to compensation with a defined order to determine liability – first by the bank, then the telco, then the victim. This means that as long as a bank had not fulfilled any of its obligations, it would be expected to undertake the compensation burden (regardless of whether the telco or the victim had met their respective obligations). Australia did not favour this approach given that online phishing scams are only one scam type.

Australia’s ‘whole of ecosystem’ approach has been admired by other jurisdictions and is now being adopted by other regimes. The American Bankers Association (ABA) has adopted the whole of ecosystem approach with Paul Benda, its executive vice president of risk, fraud & cybersecurity, calling the Australian approach “superior” when speaking at the Australian Banking Association’s annual conference on 17 June 2026.

Indeed, Canada has recently consulted on a proposed framework which closely mirrors Australia’s approach. It is a whole of ecosystem and all scam type approach. Called the National Anti-Fraud Strategy, like Australia’s approach, it seeks to initially require banks, telcos and digital platforms to be subject to the regime. It also implements a principles-based regime centred around four principles which, in substance, cover all of Australia’s six principles. It also proposes that there will be a central regulator together with industry-specific regulators, and that there will be a single EDR for the scheme.

Typically, Australia likes to follow developments in the world, rather than lead them. It observes and takes the time necessary to carefully contemplate other regimes so that it can cherry-pick the best ideas and approaches.

However, every now and then, Australia takes a bold step to do something different. This approach to scam prevention follows another world first for Australia, namely the social media ban for under 16s which is also being considered for adoption in other countries.

 

Charlotte Henry and Chris Ninan are partners and Chee Hian Kwah is a director at Herbert Smith Freehills Kramer. Ms Henry can be contacted on +61 (2) 9225 5733 or by email: charlotte.henry@hsfkramer.com. Mr Kwah can be contacted on +65 6812 1352 or by email: cheehian.kwah@hsfkramer.com. Mr Ninan can be contacted on +44 (0)20 7466 2490 or by email: chris.ninan@hsfkramer.com.

© Financier Worldwide


BY

Charlotte Henry, Chris Ninan and Chee Hian Kwah

Herbert Smith Freehills Kramer


©2001-2026 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.