Australia's Scams Prevention Framework: when scam prevention becomes a legal duty
Australia has put scam prevention on a statutory footing. The framework now sits in legislation, with obligations designed to work across sectors and backed by a multi-regulator model. This article explains the legal structure, the dates that can be stated firmly, and what the framework means in practice for firms.
Disclaimer
This article is provided for general information and education only. It is not legal advice. Legislation, rules and regulatory guidance change, sometimes quickly. Readers should confirm the current position and obtain jurisdiction-specific professional advice where needed. The views and experience expressed are Russel Fielding's own and do not represent any employer or client organisation.
For most of the last decade, how hard a firm worked to prevent scams was a matter of choice. A bank decided how much to invest in detection, how clearly to warn its customers, and how generous to be when someone was deceived into authorising a payment. Some firms did a great deal. Others did less. A customer's protection depended heavily on who they happened to bank with.
Australia has decided that this is no longer good enough and has acted on it. The Scams Prevention Framework puts scam prevention on a statutory footing. It is an early attempt to build a whole-of-economy legal framework for scams, reaching beyond banks to the telecommunications networks and digital platforms through which many scams now travel.
This article explains what the framework does, the timeline that matters, and what it asks of any firm that has treated scam prevention as discretionary.
Why the framework exists
Scams have changed in character. They are no longer the work of opportunists. They are run by organised criminal groups operating at an industrial scale, often across borders, using professional technology, call centres, and money-mule networks to move stolen funds. The returns are high, the physical risk is low, and the operations are resilient.
Against that, the previous model placed most of the responsibility on the individual. A customer who authorised a payment had, in legal terms, made their choice and generally bore the loss. The difficulty is that a modern scam is an engineered deception. The customer is not making a careless mistake. They are being manipulated by a professional operation that understands how to move people to act. Expecting the individual to outthink that operation in the moment is unrealistic.
The framework reflects a different judgement: that the firms in the chain, with their data, their systems and their view across many customers and many transactions, are far better placed to detect and disrupt a scam than the person being deceived. Responsibility, in other words, should sit where the capability to act sits.
What the framework does
The framework rests on the Scams Prevention Framework Act 2025, which passed the Australian Parliament on 13 February 2025, received Royal Assent on 20 February 2025, and commenced on 21 February 2025. Its main operative effect was to insert Part IVF into the Competition and Consumer Act 2010. The Act establishes the legal architecture. The detailed obligations are then developed through sector designation, rules, codes and related dispute resolution arrangements.
The framework is commonly described as resting on six overarching principles: Governance, Prevent, Detect, Report, Disrupt and Respond.
The word carrying the weight is ‘reasonable’. The framework sets a standard of conduct, not a checklist. A firm is not asked to complete a set of defined tasks and treat its duty as discharged. It is asked whether the steps it took were reasonable, given what it knew and what it could have done. That is a higher and less comfortable bar than a checklist. It is deliberately so, because scam typologies change faster than any prescribed list could sensibly be maintained.
The framework is designed to work across sectors. Government materials have consistently identified banks, telecommunications providers and parts of the digital platform ecosystem as the intended initial focus. That matters because a single scam commonly crosses all three. It may begin with a fraudulent advertisement or message on a digital service, pass through a telecommunications network, and end in a payment moved through the banking system. A regime that addressed only one point in that chain would leave the rest of the scam pathway largely untouched.
The timeline that matters
A few dates can be stated firmly. Beyond those, firms should check the current designation instruments, codes, rules and authorisations rather than rely on a fixed timetable set out in a secondary article.
- 13 February 2025. The Scams Prevention Framework Act 2025 was passed by the Australian Parliament.
- 20 February 2025. The Act received Royal Assent.
- 21 February 2025. The Act commenced.
- 12 March 2026. The Australian Financial Complaints Authority published updated Rules and Operational Guidelines, and its jurisdiction expanded to allow it to consider scam-related complaints involving receiving banks, including where the affected person is not a customer of that bank.
- After that. The wider operation of the framework depends on current designation instruments, sector codes, rules and dispute resolution arrangements. Those implementation steps should be checked against the latest official material before firms rely on them.
The receiving-bank point deserves particular attention, because it signals the direction of travel. Responsibility for a scam is no longer treated as sitting solely with the victim's own bank. The bank that received the funds may now be answerable too, even where the defrauded person was never its customer. A firm can find itself exposed to a scam it did not originate because stolen money passed through an account it held. Once that principle is accepted, scam prevention stops being something a firm does only for its own customers and becomes part of what it owes the wider system.
What ‘reasonable steps’ actually asks for
The phrase ‘reasonable steps’ does a great deal of quiet work, and any firm within scope needs to be clear about what it asks for.
Reasonable is assessed after the event, with the benefit of knowing what happened. When a scam succeeds and a loss is examined, the question is not whether the firm had a scam-prevention programme in the abstract. It is whether the specific steps the firm took, in this case, were reasonable given what the firm knew or ought to have known. A programme that exists on paper is not the same as reasonable steps taken in the instance that caused the loss.
Reasonable also moves over time. A control that was reasonable two years ago may not be reasonable now because the typologies have evolved, better controls have become available, and the rest of the industry has moved on. A firm that built a sound set of controls and then left them untouched is not holding a line. It is slowly falling behind a standard that keeps rising.
And reasonable is comparative. When a regulator or a dispute resolution scheme assesses whether a firm did enough, the practical reference point is what a competent peer would have done. A firm that has fallen behind what comparable firms now consider ordinary practice will find that position hard to defend, however reasonable its controls may have looked when they were first designed.
What firms should be doing
For a firm likely to fall within scope, the implementation path is already clear enough to justify preparation now, even as some of the detailed instruments continue to be developed.
Internal dispute resolution should already be capable of handling scam complaints with discipline and speed, because external scrutiny is tightening, and complaint handling will remain the first formal test of whether a firm responded properly. Firms in banking should understand their position as both sending and receiving institutions, because AFCA's receiving-bank jurisdiction is already live, and exposure no longer depends on the affected person being the firm's own customer.
Governance and accountability for scam outcomes need to be clear and demonstrable, because the framework is built around effectiveness rather than paperwork. Controls should also be tested honestly against the six overarching principles: Governance, Prevent, Detect, Report, Disrupt and Respond, with gaps identified and owned before they are examined in a complaint, supervisory process or enforcement action.
None of this is unfamiliar work for a firm that already takes financial crime seriously. The shift is one of status. Scam prevention has moved from a service a firm provides to an obligation a firm carries, with regulators and dispute resolution schemes now positioned to ask whether the obligation was met.
Final thought
Australia has chosen to legislate, and to do so broadly, across the whole chain through which scams travel rather than only at the point of the victim's bank. Whatever view a firm takes of that choice, the practical question is now simple. When a scam succeeds and someone examines what happened, could the firm show that the steps it took were those a responsible firm should have taken?
That is the standard the framework sets. A firm that can already answer that question honestly has little to fear from it. A firm that cannot should treat the current implementation period as an opportunity to close the gap.