
Five penalties, one rejected code, sixty-four days: why every Australian telco except Telstra is a buyer of scam intelligence
Why every Australian telco except Telstra is a buyer, not a builder, of scam intelligence by 1 July 2026.
Key takeaways
- Six ACMA telco penalties in 12 months, totalling A$6.36M, all variations on the same audit finding (missing identity-verification step at customer-account-modification trigger).
- ACMA rejected the industry's draft consumer code twice (24 Oct 2025, 27 Mar 2026). Self-regulation has been formally exhausted; ACMA is now drafting a mandatory standard.
- The SPF Act commences 1 July 2026. Maximum Tier 1 penalty is the greater of A$52.7M, 3× benefit derived, or 30% of adjusted turnover.
- Telstra is the only Australian telco that builds scam intelligence in-house. Every other telco is structurally a buyer.
- The vendor-selection conversation needs to happen by July, not December.
On 7 April 2026, the Australian Communications and Media Authority and the National Anti-Scam Centre did something they almost never do: they put their names to a single press release. The subject was mobile number fraud, and the message was that criminals are now routinely taking control of Australian phone numbers to drain bank accounts, hijack myGov, and impersonate their victims to friends and family. The advice to consumers was to call IDCARE on 1800 595 160 — the same advice ACMA had already given when fining Lycamobile, Optus, Southern Phone, Telstra, Exetel, and Circles.Life over the previous twelve months.
A joint alert is a small thing. A joint alert from two regulators about an enforcement pattern that has produced six telco penalties is a much larger thing. And it lands at exactly the moment when the Scams Prevention Framework Act 2025 is about to commence, on 1 July 2026, with civil penalties of up to A$52.7 million per contravention.
This post is for Australian telco compliance, legal, risk, and trust-and-safety leaders who already know the SPF Act exists and want a concrete read on what changes on 1 July, what it actually costs, and — the part nobody is saying out loud — why every Australian telco except Telstra is going to be a buyer, not a builder, of scam intelligence between now and then.
The fines, in chronological order
The case for urgency is not theoretical. It is on the public record, in instalments, signed by ACMA Chair Nerida O'Loughlin and Authority Member Samantha Yorke. The shape of the dataset matters more than any individual entry, so here is the dataset.
Telstra — A$1,551,000 (July 2024). Two-year court-enforceable undertaking. 168,000 high-risk customer interactions over an eight-month window where Telstra failed to use the required ID authentication. Yorke: "It is unacceptable that Telstra did not have proper systems in place when the rules came into force."
Telstra — A$626,000 (March 2025). Spam Act, not the anti-scam rules — but same regulator, same failure mode. 10.4 million SMS sent in breach of unsubscribe arrangements over twenty-one months.
Circles.Life — A$413,160 (May 2025). Court-enforceable undertaking, three years. Twenty-six contraventions, A$45,000 in consumer losses. Second offence in three years (the first was A$199,800 in 2022). Yorke: "Telcos should be aware they cannot outsource their legal obligations to protect Australian consumers." Circles.Life subsequently exited Australia and migrated customers to Amaysim.
Exetel — A$694,860 (June 2025). Seventy-three contraventions over two months, A$412,000 in consumer losses.
Southern Phone — A$2,500,560 (September 2025). 168 occasions of failed identity checks during number-porting. A$393,000 in consumer losses. The largest individual penalty in the series.
Optus Mobile (Coles Mobile) — A$826,320 (November 2025). Forty-four contraventions in a two-month window. Four customers had their bank accounts accessed. Yorke described this as the "maximum financial penalty the ACMA was able to give in this matter."
Lycamobile — A$376,200 (February 2026). 131 contraventions over three months, at least A$175,000 in consumer losses. Eighteen-month court-enforceable undertaking. O'Loughlin: "This is the fifth time this year the ACMA has found breaches of these rules and all telcos are on notice that their ID verification systems must not have vulnerabilities that scammers can target."
"All telcos are on notice." That phrase, from O'Loughlin in February 2026, is the language a regulator uses immediately before it stops asking and starts requiring. Read in sequence, the four ACMA notices trace a clean escalation — correcting an outlier → correcting an industry — and the supervisory grace period has formally ended three months before SPF commencement.
The pattern is so consistent it reads like a single audit finding repeated across the industry: a telco's identity-verification system has a documented gap, scammers find it, customers lose money, ACMA arrives. The remedies are also consistent — money, an undertaking, an independent consultant. The independent consultant is, in a way, the most interesting part of this. ACMA is not just penalising failure. It is mandating that an outside set of eyes look at the systems that produced the failure, and that ACMA receive periodic reports on what those eyes find. Compliance is becoming continuous and externally observed.
If you read these notices in sequence, the regulator's voice changes around the middle of the series. Yorke's "unacceptable" of July 2024 is procedural disappointment. O'Loughlin's "all telcos are on notice" of February 2026 is something else. It is the language a regulator uses immediately before it stops asking and starts requiring.
What the regulator did next
On 27 March 2026 — a calendar month before this article was written — ACMA formally rejected the draft Telecommunications Consumer Protections Code that the Australian Telecommunications Alliance had submitted on behalf of the industry. This was the second such rejection (the first was 24 October 2025). ACMA's response was to commence the process of determining an industry standard under section 125 of the Telecommunications Act 1997, which is regulator-speak for "you had your chance, we'll write the rules now."
O'Loughlin's statement is worth reading in full because it is the closest thing the Australian telco sector has had to a formal admission of regulatory failure: "the ACMA still does not have before it a code capable of registration. We have also considered the contemporary expectations of consumers and decided that moving to an industry standard is now necessary."
Read together, the chronology is unambiguous. Industry self-regulation has been formally exhausted. The regulator is now drafting binding rules. This is happening in the same calendar quarter that the SPF Act commences. And it is happening in a sector where, over twelve months, six different providers have been penalised for variations on the same compliance gap.
What 1 July 2026 actually changes

The SPF Act commences on 1 July 2026. From that date, three designated sectors — banks, telcos, and certain digital platforms — have legally enforceable obligations across six principles: Govern, Prevent, Detect, Report, Disrupt, Respond. AFCA is authorised as the SPF external dispute resolution scheme on 1 September 2026 and begins accepting complaints on 1 January 2027. The reporting and disrupt rules are due to be finalised by 31 March 2027. Full implementation across the three designated sectors is targeted for end of 2027.
The penalty regime is what gets the attention. A Tier 1 contravention — failure to comply with a core obligation under Prevent, Detect, Disrupt, or Respond — exposes a regulated entity to the greater of:
- 159,745 penalty units (currently A$52,715,850, with the penalty unit indexed on 1 July 2026 — the same day SPF commences)
- three times any benefit derived from the contravention
- 30% of adjusted turnover during the contravention period
The 30% of turnover option is the one that should focus telco minds. For an entity the size of TPG (FY24 revenue A$5.5 billion) or Optus (A$8.4 billion), the upper bound of a single Tier 1 contravention is theoretically capable of producing a penalty in the hundreds of millions. A flat-dollar maximum is a calculable risk; a turnover-percentage maximum is a balance-sheet event. "The maximum penalty is A$52.7M" is the wrong way to frame SPF risk to an executive committee.
The third option is the one that should focus telco minds. Thirty per cent of adjusted turnover is not a fine, it is a balance-sheet event. For an entity the size of TPG or Optus, the upper bound of a single Tier 1 contravention is, depending on how the period is calculated, theoretically capable of producing a penalty in the hundreds of millions. Even allowing for the very wide gap between theoretical maxima and what courts actually impose, the regulatory ceiling has been raised by an order of magnitude compared to ACMA's existing infringement-notice toolkit.
There is also a new dispute architecture. AFCA has appointed Dr David Lacey as inaugural Chief Scams Officer, effective 31 March 2026. Lacey is the founder of IDCARE — the same hotline the joint ACMA/NASC alert directs consumers to call. AFCA has explicitly described its new function as "the world's first multi-party dispute resolution scheme for scams," meaning that from January 2027 a single consumer complaint can simultaneously implicate a bank, a telco, and a digital platform, with the EDR body led by someone who has spent a decade as Australia's most-cited scam-victim advocate. That is not a regulator a telco wants to discover unprepared.
If you are a sector code drafter, the Treasury position paper from November 2025 outlines what the binding obligations look like in operational terms. Telcos must continuously generate and act on Actionable Scam Intelligence — defined as a reasonable belief that activity is or may be a scam. Detection obligations are time-bound; the Prevent and Disrupt obligations have an "immediately" requirement attached to certain trigger events. Compliance certificates are an annual mandatory artefact. Internal Dispute Resolution must produce a Statement of Compliance each financial year. Compensation rules now extend across the chain — receiving banks are now in scope, and although the detail is deferred, the direction of travel is clear.
The single most important phrase in all of this, if you are reading it as a telco engineering or trust-and-safety leader, is Actionable Scam Intelligence. It is the term the regulator has chosen to describe the data substrate that everything else runs on. Without ASI, you cannot demonstrate a reasonable belief. Without a reasonable belief, you cannot meet the time-bound Prevent and Detect obligations. Without those, you have a Tier 1 exposure on every customer interaction.
And on the same day, the SMS Sender ID Register
Under the Telecommunications Amendment (SMS Sender ID Register) Act 2024, telcos that participate in alphanumeric sender ID messaging to Australian numbers have been onboarding to the Sender ID Register since late 2025. From 1 July 2026 — the same day SPF commences — all alphanumeric sender IDs sent to Australian numbers must be registered or they will be displayed to consumers as Unverified. Non-participating telcos cannot send, transit, or terminate sender ID messages.
The simultaneity is not an accident. The SPF Act is the principles-and-penalty layer. The Sender ID Register is the technical enforcement substrate underneath it. ACMA's mandatory industry standard, when it lands later in 2026, will be the rules layer. By the end of this calendar year, every Australian telco will be operating inside a three-tier regulatory cage that did not exist when most of them last reviewed their scam-prevention architecture.
Telstra, the only Australian telco that builds

Here is where I am going to say something that nobody who works in Australian telco strategy will say in writing, even though everyone who works on the buying side of trust-and-safety knows it.
Telstra is the only Australian telco that has built scam-intelligence intellectual property. Cleaner Pipes blocks an average of ten million scam or unwanted calls a month. Quantium Telstra — the joint venture with Quantium — has productised two genuinely original products: Scam Indicator (phone-call detection, joint with CommBank, switched on nationally October 2023, expanded to landlines November 2024) and Fraud Indicator (identity-theft detection via mobile-usage pattern analysis, launched February 2025, lifts CommBank's fraud-detection rate by over 25% for joint customers). Telstra's reasoning for building, rather than buying, is the obvious one: at Telstra's scale, a fraction of a basis point of fraud loss avoided pays for an in-house joint venture. Telstra also has the further advantage that it can sell its in-house IP back to the ecosystem, which is exactly what Quantium Telstra now does to all four major banks.
Every other Australian telco is, structurally, a buyer.
TPG Telecom buys CallShield and SpamShield from Mavenir (announced October 2024, 280% increase in fraudulent calls blocked, 19 million calls and 213 million SMS intercepted in the first half of 2024 alone). TPG is also a deployment customer for Apate.ai — the Macquarie University spin-out that raised A$2.5 million in seed funding from OIF Ventures and Investible in August 2025, has diverted 280,000+ scam calls from TPG's network, identified 20,000+ impersonated organisations, and prevented an estimated A$7.6 million in customer losses. TPG was a contributing participant in the NASC Investment Scam Fusion Cell. TPG's careers page, on the day this article is being written, advertises a Senior Engineer — Scam and Fraud Management role, a Principal Architect focused on the management of scam and fraud, a Scam Monitoring Officer, and a Fraud Monitoring Analyst. The buying signals are not subtle.
Vocus operates Tollring's Scam Protect at the network layer (Vocus has been Tollring's foundation customer since 2021). Vocus's October 2025 Dodo / iPrimus breach — 1,600 email accounts compromised, 34 unauthorised SIM swaps reversed — sent affected customers to IDCARE for restoration. Vocus's CCO Matt Walsh, CPO Michele Mauger, and CEO Andrés Irlando (started July 2025, ex-Zayo) are all in their first strategic-vendor cycle.
Optus is mid-leadership-rebuild after multiple senior C-suite changes through late 2025 and early 2026, has paid A$826,320 in maximum penalties for the Coles Mobile incident, and its identity-verification gap was a third-party vendor failure — the vendor relationship itself is the buying decision.
Aussie Broadband, Pivotel, Felix, iiNet (under TPG), and the long tail of MVNOs do not have the budget or the customer base to build. They will buy or they will be penalised.
The implication is structural rather than rhetorical. If you are anywhere in Australian telco except Telstra HQ, the question between today and 1 July 2026 is not whether you buy scam intelligence. It is which vendor, for which SPF principle, and with what evidence trail for ACMA, AFCA, and the inevitable AFR follow-up after the first SPF prosecution.
Where AskArthur sits
Full disclosure: I run AskArthur. The remainder of this article is a description of how AskArthur fits the buyer-not-builder gap, written in language that a telco compliance lead can take to a vendor-selection committee without re-explaining anything. If you want a pure regulatory analysis, the Ashurst, KWM, and Norton Rose Fulbright explainers are excellent and free.
AskArthur is an Australian-built, Australian-hosted scam-intelligence platform. Seven consumer surfaces — Next.js web app, Chrome and Firefox extensions, iOS and Android mobile apps, Telegram, WhatsApp, Slack, and Messenger bots — all return a three-tier verdict (SAFE, SUSPICIOUS, HIGH_RISK) on submitted text, URLs, images, and QR codes. Six B2B API endpoints expose the same intelligence at scale, with OpenAPI 3.0 documentation, sub-200ms p95 latency, sub-A$0.001 marginal cost per check, and a pricing structure that puts a Pro tier at A$2,000/month and an Enterprise tier between A$5,000 and A$15,000/month. Sixteen threat feeds are ingested continuously. Five external intelligence integrations (AbuseIPDB, Have I Been Pwned, Certificate Transparency, Twilio Lookup, URLScan) enrich every entity. Hosting is Australian (Supabase ap-southeast, Vercel Sydney edge). The architecture is zero-knowledge — there are no user accounts on the consumer side, PII is scrubbed before storage, and every check is re-derivable from the threat database without identifying the submitter.
For a telco that is buying, not building, the architecture maps directly to the SPF principles. Govern: per-endpoint usage tracking and audit trails for annual compliance certification. Prevent: consumer scam checker complementing the Sender ID Register, plus phone intelligence with carrier, line type, and VoIP detection. Detect: trending scam types by period and region; entity risk scoring across phone, URL, email, and IP; cluster detection that identifies coordinated campaigns sharing infrastructure. Report: government export views structured to NASC reporting requirements, Scamwatch-aligned categories, provider reporting RPCs. Disrupt: phone and URL entity intelligence with risk levels and cluster membership, exposing multi-entity scam campaigns. Respond: timestamped entity history and verdict distribution providing the evidence trail AFCA will require for SPF dispute resolution from January 2027.
The consumer surface is not a separate product. It is the data-acquisition layer for the B2B API. Every consumer check enriches a PII-scrubbed threat database. Every reported phone, URL, email, and crypto-wallet address is automatically clustered and risk-scored. The B2B intelligence a telco consumes is generated, in part, by the same Australians the telco serves — a community-data-network advantage that a global vendor starting today would need 24+ months to replicate locally.
What to do this quarter, if you are a telco
Three things, in order. None of them require AskArthur specifically, and all of them require something.
Decide on the vendor by July, not December. SPF compliance work that lands in Q4 2026 is going to be running into AFCA EDR commencement (1 January 2027) and the first wave of public ASI reporting obligations. The smaller Australian telcos that sign vendor contracts in May–July 2026 will have a six-month head start over the ones that wait until they read about the first SPF prosecution in the AFR. Vendor selection is a Q2 risk-reduction exercise this year — not a Q4 budget exercise.
Get a verdict layer before the Sender ID Register goes live. From 1 July 2026, alphanumeric sender IDs without registration will display as Unverified. That is a UX change visible to every customer holding an Android or iPhone. Customer-service call volume will move on day one. Whoever handles the inbound — your IVR, your SMS-aware support flow, your in-app chat — needs a real-time verdict on suspect content. Not a quarterly report. Not a dashboard. A verdict, returned in milliseconds, that a frontline agent or an automated workflow can act on.
Document your Actionable Scam Intelligence pipeline. ACMA's mandatory industry standard, when it lands, will require evidence of how a regulated entity forms a reasonable belief that activity is or may be a scam. That evidence trail is going to be auditable. Continuous threat-feed ingestion, multi-source enrichment, three-tier verdict, timestamped entity history — these are not features, they are the audit artefact. The earlier you specify the pipeline, the lower the marginal cost of compliance. Telcos that arrive at 1 July 2026 with a folder full of vendor PDFs are going to have a different conversation with their first AFCA case than telcos that arrive with a queryable evidence database.
If AskArthur is the right shape for that conversation, you can book twenty minutes at askarthur.au, or email me directly at brendan@askarthur.au. If a different vendor is the right shape, that is also a productive outcome — every Australian telco that buys something before 1 July is one that ACMA will not have to write a press release about.
The most expensive vendor decision in 2026 is the one that does not get made.
FAQ
When does the SPF Act actually commence? 1 July 2026. AFCA EDR begins 1 September 2026; AFCA accepts SPF complaints from 1 January 2027. The reporting and disrupt rules are due to be finalised by 31 March 2027. Full implementation across the three designated sectors is targeted for end of 2027.
What's the actual maximum penalty? The greater of three numbers per Tier 1 contravention: 159,745 penalty units (A$52,715,850, indexing on 1 July 2026), three times the benefit derived from the contravention, or 30% of adjusted turnover during the contravention period. The 30% turnover option is the one that should focus telco minds — for an entity the size of TPG or Optus, it can run into the hundreds of millions.
Is my telco actually designated under SPF? The initial designation covers banks, telecommunications providers, and certain digital platforms. If you operate a telecommunications service in Australia — including MVNOs and wholesale providers — you are likely designated. Final designation instruments were consulted between 28 November 2025 and 5 January 2026; check the ACCC's published list.
Can we rely on our existing Mavenir / Tollring / network-layer vendor for SPF compliance? Network-layer vendors handle the call layer. SPF Detect requires Actionable Scam Intelligence at the content layer (the inbound text, link, image, QR code) too. Most telcos will need both layers; the question is which vendor for which layer.
What happens if we miss the 1 July 2026 deadline? SPF obligations apply from day one of commencement. Tier 1 contraventions expose the entity to civil proceedings by the ACCC as SPF General Regulator, with the penalty maxima above. AFCA's EDR scheme accepts complaints from 1 January 2027, with David Lacey as inaugural Chief Scams Officer (started 31 March 2026) — formerly the founder of IDCARE.
Brendan Milton is the founder of AskArthur. AskArthur Pty Ltd, ABN 72 695 772 313, is an Australian Pty Ltd based in Sydney.
Footnoted sources: ACMA enforcement notices (acma.gov.au), the joint 7 April 2026 alert (acma.gov.au/articles/2026-04/scam-alert-protect-yourself-mobile-number-fraud), Treasury SPF position paper (treasury.gov.au), Ashurst "Operationalising the SPF" (ashurst.com), KWM SPF analysis (kwm.com), Norton Rose Fulbright SPF Part 2 (nortonrosefulbright.com), AFCA Lacey appointment (afca.org.au), Mavenir-TPG release (mavenir.com), Apate.ai investment notes (investible.com), Telstra-Quantium Scam Indicator and Fraud Indicator releases (commbank.com.au, telstra.com.au, mi-3.com.au).