Scams Prevention Framework: What Australian Banks, Telcos, and Platforms Must Do by July 2026

The Scams Prevention Framework Act 2025 is Australia's most significant consumer protection legislation in a generation. Receiving Royal Assent on 21 February 2025, the SPF amends the Competition and Consumer Act 2010 to create legally enforceable obligations for banks, telecommunications providers, and digital platforms — with penalties that dwarf anything the ACCC has wielded before.

If your organisation falls within one of these three sectors, this guide covers everything you need to know before the 1 July 2026 commencement date.

What Is the Scams Prevention Framework?

The SPF establishes a "whole-of-ecosystem" approach to scam prevention. Rather than placing the burden solely on consumers to detect scams, the framework requires the institutions that facilitate scam communications and scam payments to take active responsibility for preventing, detecting, and disrupting scam activity.

The framework is built on the recognition that scams are a systemic problem. A single scam typically traverses multiple sectors: a scam message originates on a digital platform, is delivered via a telecommunications network, and results in a payment through a bank. The SPF creates obligations at every link in this chain.

The Six Principles

The SPF is structured around six overarching principles that apply to all regulated entities across all three sectors. These principles form the backbone of every compliance obligation.

1. Govern

Regulated entities must establish and maintain governance arrangements for scam prevention. This includes:

• Designating a senior officer responsible for scam prevention compliance
• Developing and maintaining a scam prevention strategy
• Conducting regular risk assessments
• Providing annual certification of compliance to the relevant regulator

The Govern principle ensures scam prevention is treated as a board-level responsibility, not an afterthought delegated to a fraud team.

2. Prevent

Entities must take reasonable steps to prevent scams from reaching consumers in the first place. The specific obligations vary by sector:

• Banks: Consumer warnings at point of transaction, Confirmation of Payee systems, real-time transaction alerts
• Telcos: Sender ID verification through the Australian Sender ID Registry, blocking known scam numbers
• Digital platforms: Advertiser credential verification, new account verification, removal of scam content

3. Detect

Entities must implement internal detection mechanisms and consume external Actionable Scam Intelligence (ASI) to identify scam activity. This includes:

• Real-time transaction monitoring algorithms (banks)
• Scam content detection in calls and messages (telcos)
• Automated scanning of advertisements and listings (digital platforms)
• Consuming and acting on ASI from external sources, including third-party threat intelligence feeds

The Detect principle creates direct demand for external scam intelligence providers — entities cannot rely solely on internal detection.

4. Report

Regulated entities must report Actionable Scam Intelligence to the ACCC within 24 hours. They must also share intelligence cross-sector to enable coordinated disruption. Key requirements:

• Report confirmed scam indicators (URLs, phone numbers, email addresses, bank accounts) to the ACCC
• Share intelligence with other regulated entities where doing so could prevent consumer harm
• Maintain records of all reports made and received
• Participate in intelligence-sharing arrangements as required by sector codes

5. Disrupt

Once a scam is detected, entities must take active steps to disrupt it:

• Banks: Delay or block suspicious transactions, freeze mule accounts, recall payments where possible
• Telcos: Block confirmed scam numbers, suspend fraudulent sender IDs
• Digital platforms: Suspend scam accounts, remove scam content, disable fraudulent advertisements

6. Respond

When a consumer is affected by a scam, entities must:

• Provide an internal dispute resolution process
• Furnish a statement of compliance within 30 days of receiving a scam complaint
• Cooperate with AFCA (Australian Financial Complaints Authority) external dispute resolution
• Participate in cross-sector liability apportionment where a scam traversed multiple entities

Obligations by Sector

Banks and Financial Institutions (ASIC-regulated ADIs)

The banking sector faces the most detailed obligations because banks are typically the final link in the scam chain — where money actually leaves the victim's account.

Key obligations:

Obligation	Detail
Confirmation of Payee	Verify payee name matches the account before processing first-time payments
Real-time transaction alerts	Notify consumers of unusual or high-risk transactions before completion
Suspicious transaction algorithms	Deploy and maintain ML/AI-based transaction monitoring
Payment recall	Attempt to recall scam payments within prescribed timeframes
Mule account detection	Identify and freeze accounts receiving proceeds of scams
ASI consumption	Consume external scam intelligence feeds and integrate into detection systems
24-hour reporting	Report confirmed scam indicators to the ACCC within 24 hours

Regulator: ASIC (Australian Securities and Investments Commission)

Telecommunications Providers (ACMA-regulated)

Telcos are the delivery mechanism for the majority of scam communications — phone calls, SMS messages, and increasingly, RCS messages.

Key obligations:

Obligation	Detail
Scam content monitoring	Monitor calls and messages for scam indicators using automated systems
Sender ID verification	Verify sender IDs through the Australian Sender ID Registry
Scam number blocking	Block confirmed scam phone numbers and suspend fraudulent sender IDs
Call authentication	Implement STIR/SHAKEN or equivalent caller ID authentication
ASI sharing	Share confirmed scam phone numbers and sender IDs with other telcos and regulators

Regulator: ACMA (Australian Communications and Media Authority)

Digital Platforms (ACCC-regulated)

Digital platforms — including social media, online marketplaces, and messaging services — are where many scams originate or are advertised.

Key obligations:

Obligation	Detail
Advertiser verification	Verify the identity and credentials of advertisers before publishing ads
Account verification	Verify new accounts to prevent creation of scam profiles
Scam content removal	Detect and remove scam content, including fraudulent listings and ads
Consumer reporting mechanisms	Provide accessible, responsive scam reporting tools for users
ASI consumption	Consume external scam intelligence to proactively identify scam content

Regulator: ACCC (Australian Competition and Consumer Commission)

The Penalty Framework

The SPF introduces a penalty regime that makes non-compliance existentially dangerous for most regulated entities.

Private Right of Action

The SPF creates a private right of action allowing consumers to sue regulated entities directly for damages arising from non-compliance. This creates significant class-action risk, particularly for banks and digital platforms where large numbers of consumers may be affected by a single compliance failure.

AFCA External Dispute Resolution

The SPF authorises AFCA to hear scam-related complaints from 1 September 2026, with formal complaint acceptance beginning 1 January 2027.

Key features of the AFCA scheme:

• Current compensation cap: $631,500 per claim (indexed annually)
• AFCA can name non-compliant businesses publicly
• AFCA can apportion liability across multiple entities where a scam traversed multiple sectors
• Systemic issues identified by AFCA may be referred to regulators for enforcement action

Actionable Scam Intelligence (ASI)

Section 58AI of the amended Competition and Consumer Act defines Actionable Scam Intelligence through an objective "reasonable grounds to suspect" test. ASI explicitly includes:

• URLs and domain names
• Email addresses
• Phone numbers
• Social media profiles and account identifiers
• Digital wallet addresses
• Bank account information (BSB and account numbers)

Third-Party Data Gateways

Critically, the SPF Rules — still being drafted as of early 2026 — will formally authorise third-party data gateways, portals, or websites that provide access to ASI. This provision creates a regulatory framework for external threat intelligence providers to serve as authorised ASI sources for regulated entities.

Safe Harbour Provision

Section 58BZA provides safe harbour protection for entities that take disruption actions based on ASI. Key features:

• Protection from civil liability for disruption actions taken in good faith
• Protection lasts for up to 28 days from the disruption action
• Applies to actions such as blocking transactions, freezing accounts, suspending numbers, and removing content
• Requires that the action was taken based on ASI that met the "reasonable grounds to suspect" threshold

The safe harbour provision creates a strong incentive for regulated entities to maintain robust, diverse ASI sources — including third-party threat intelligence feeds — and to act decisively when scam indicators are received.

Compliance Checklist

For Banks and ADIs

• Appoint a senior officer responsible for SPF compliance
• Develop and document a scam prevention strategy
• Implement Confirmation of Payee verification
• Deploy real-time transaction monitoring with scam detection algorithms
• Establish payment recall and mule account detection processes
• Source external ASI feeds (third-party threat intelligence)
• Build 24-hour ASI reporting pipeline to the ACCC
• Establish internal dispute resolution for scam complaints
• Prepare compliance statement templates (30-day deadline)
• Train staff on scam identification and escalation procedures
• Conduct tabletop exercises simulating scam scenarios
• Register for AFCA scam complaint handling (from 1 September 2026)

For Telecommunications Providers

• Appoint a senior officer responsible for SPF compliance
• Implement automated scam content detection in calls and SMS
• Register and verify sender IDs through the Australian Sender ID Registry
• Deploy scam number blocking infrastructure
• Implement STIR/SHAKEN or equivalent caller authentication
• Source external ASI feeds for known scam phone numbers
• Build cross-sector intelligence sharing pipeline
• Establish internal dispute resolution processes
• Prepare compliance documentation and reporting templates

For Digital Platforms

• Appoint a senior officer responsible for SPF compliance
• Implement advertiser credential verification
• Deploy automated scam content detection in listings and ads
• Build accessible consumer scam reporting tools
• Establish account verification for new users
• Source external ASI feeds for known scam URLs, emails, and profiles
• Build ASI reporting pipeline to the ACCC
• Establish content removal workflows with audit trails
• Prepare compliance documentation and dispute resolution processes

How Ask Arthur Enables SPF Compliance

Ask Arthur's Threat Intelligence API is purpose-built for SPF compliance across all three sectors. Here is how our capabilities map to the framework's requirements:

Detect

Our Threat API provides real-time access to Actionable Scam Intelligence derived from 16 threat feeds, 5 external enrichment sources (AbuseIPDB, HIBP, crt.sh, Twilio Lookup, URLScan.io), and community-sourced scam reports. ASI entities include URLs, phone numbers, email addresses, IP addresses, and cryptocurrency wallet addresses — all enriched with WHOIS, SSL, and reputation data.

Six API endpoints enable integration into any detection pipeline:

Endpoint	Use Case
Batch Entity Lookup	Bulk-check URLs, phones, emails, and IPs against the threat database
URL Lookup	Full enrichment for a specific URL (WHOIS, SSL, reputation, risk score)
Domain Aggregation	Domain-level threat intelligence with WHOIS data
Threat Trending	Trending scam types by period and region
Trending URLs	Most-reported domains with aggregation
Aggregate Statistics	Platform-wide threat statistics for risk calibration

Report

Ask Arthur maintains government-ready data export views aligned with Scamwatch categories. Structured data exports include entity type, risk score, first and last seen timestamps, source feeds, and enrichment data — ready for 24-hour ACCC reporting requirements.

Disrupt

Entity intelligence with risk scores enables automated blocking decisions. When a URL, phone number, or email address exceeds a configurable risk threshold, your systems can automatically block, flag, or quarantine the associated communication or transaction — protected by the safe harbour provision.

Key Dates Timeline

Date	Event
21 February 2025	SPF Act 2025 receives Royal Assent
28 Nov 2025 – 5 Jan 2026	Sector designation instrument consultation
1 July 2026	SPF commences — overarching principles take effect
1 September 2026	AFCA authorised to hear SPF complaints
1 January 2027	AFCA begins formally accepting SPF complaints
Mid-2027 (expected)	Sector-specific codes finalised and enforceable

Conclusion

The Scams Prevention Framework represents a fundamental shift in how Australia approaches scam prevention. For the first time, the institutions that facilitate scam communications and payments bear legally enforceable obligations to protect consumers — backed by penalties severe enough to command board-level attention.

Compliance is not optional, and the deadline is approaching fast. Entities that invest now in governance frameworks, detection capabilities, and external intelligence sources will be best positioned to meet their obligations, defend against penalties and private actions, and — most importantly — protect their customers from the $2.18 billion annual scam crisis.

---

Ask Arthur's Threat Intelligence API provides SPF-ready Actionable Scam Intelligence for banks, telcos, and digital platforms. Start a free evaluation at askarthur.au or contact hello@askarthur.au for enterprise enquiries.